Frederic JEAN wrote:
> Hello,
> I'm trying to verify an XML signature I generated, and the
> Reference.verify() method finds that digests don't match on a reference.
> That reference is for an XML element inside a ds:Object inside the XML
> signature (see reference with URI = #XAdESSignedProperties in the
> signature at the end of the message)
> 
> When I debug, placing a breakpoint in
> /Reference.dereferenceURIandPerformTransforms(OutputStream os)/, I can
> see that a call to /input.toString()/ gives exactly the same result
> when generating the signature and when generating it, here's what I get:
> 
> XMLSignatureInput/Element/<?xml version="1.0" encoding="UTF-16"?>
> 
> <SignedProperties xmlns="http://uri.etsi.org/01903/v1.1.1#" Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:37:41.033+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CN="CA ROOT SNR,OU=Centre Organisationnel Integration &amp; Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied/></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
>  exclude null comments:true/#XAdESSignedProperties
> 
> .
> Now, if instead of this I do a /new String(output.getBytes(),"UTF-8")/
> in the method /Reference.calculateDigest()/, I get different results at
> signing time and at verifying time. I get one more xmlns attribute on my
> node at verifying time.
> Here is what I get when signing:
> 
> <SignedProperties xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:33:14.236+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName>CN="CA ROOT SNR,OU=Centre Organisationnel Integration &amp; Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied></SignaturePolicyImplied></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
> 
> 
> And when verifying :
> 
> <SignedProperties xmlns="http://uri.etsi.org/01903/v1.1.1#" *xmlns:ds="http://www.w3.org/2000/09/xmldsig#"* Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:33:14.236+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName>CN="CA ROOT SNR,OU=Centre Organisationnel Integration &amp; Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied></SignaturePolicyImplied></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
> 
> When creating my signedProperties element I don't actually specify an xmlns
> attribute on it. The "http://uri.etsi.org/01903/v1.1.1" namespace is
> specified on a parent element (ds:Object actually).

This is a guess but I have seen problems like this before... for example
- see http://issues.apache.org/bugzilla/show_bug.cgi?id=41821

How did you specify the xmlns attribute on the Object element? You must
specifically add the attribute using the DOM Element.setAttributeNS (and
not setAttribute) method, otherwise it won't be visible at signing time.

--Sean
