Sean Mullan wrote:
> Frederic JEAN wrote:
>   
>> Hello,
>> I'm trying to verify an XML signature I generated, and the
>> Reference.verify() method finds that digests don't match on a reference.
>> That reference is for an XML element inside a ds:Object inside the XML
>> signature (see reference with URI = #XAdESSignedProperties in the
>> signature at the end of the message)
>>
>> When I debug, placing a breakpoint in
>> /Reference.dereferenceURIandPerformTransforms(OutputStream os)/, I can
>> see that a call to /input.toString()/ gives exactly the same result
>> when generating the signature and when generating it; here's what I get:
>>
>> XMLSignatureInput/Element/<?xml version="1.0" encoding="UTF-16"?>
>>
>> <SignedProperties xmlns="http://uri.etsi.org/01903/v1.1.1#"
>> Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:37:41.033+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod
>>
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName
>>  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CN="CA ROOT SNR,OU=Centre
>> Organisationnel Integration &amp;
>> Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied/></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
>>  exclude null comments:true/#XAdESSignedProperties
>>
>> Now, if instead of this I do a /new String(output.getBytes(),"UTF-8")/
>> in the method /Reference.calculateDigest()/, I get different results at
>> signing time and at verifying time. I get one more xmlns attribute on my
>> node at verifying time.
>> Here is what I get when signing:
>>
>> <SignedProperties xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>> Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:33:14.236+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod
>>
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName>CN="CA
>>  ROOT SNR,OU=Centre Organisationnel Integration &amp;
>> Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied></SignaturePolicyImplied></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
>>
>>
>> And when verifying:
>>
>> <SignedProperties xmlns="http://uri.etsi.org/01903/v1.1.1#"
>> *xmlns:ds="http://www.w3.org/2000/09/xmldsig#"*
>> Id="XAdESSignedProperties"><SignedSignatureProperties><SigningTime>2007-06-27T19:33:14.236+02:00</SigningTime><SigningCertificate><Cert><CertDigest><DigestMethod
>>
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>fr3QDtOni3g5c/1+W3sJMJmyFhk=</DigestValue></CertDigest><IssuerSerial><ds:X509IssuerName>CN="CA
>>  ROOT SNR,OU=Centre Organisationnel Integration &amp;
>> Technologies,O=AQL,ST=Bretagne,C=FR"</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber></IssuerSerial></Cert></SigningCertificate><SignaturePolicyIdentifier><SignaturePolicyImplied></SignaturePolicyImplied></SignaturePolicyIdentifier></SignedSignatureProperties></SignedProperties>
>>
>> When creating my signedProperties element I don't actually specify an xmlns
>> attribute on it. The "http://uri.etsi.org/01903/v1.1.1" namespace is
>> specified on a parent element (ds:Object actually).
>>     
>
> This is a guess but I have seen problems like this before... for example
> - see http://issues.apache.org/bugzilla/show_bug.cgi?id=41821
>
> How did you specify the xmlns attribute on the Object element? You must
> specifically add the attribute using the DOM Element.setAttributeNS (and
> not setAttribute) method, otherwise it won't be visible at signing time.
>
> --Sean
>
>   
You are absolutely right Sean,
I used setAttribute, now it works much better with setAttributeNS.
Thanks a lot.

-- 
^~^~^~^~^~^~
Frederic JEAN
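
The setAttribute/setAttributeNS difference discussed in this thread can be checked on a DOM tree before it is signed. The following is an added example, not part of the original messages or of the Apache XML Security code: it uses only the JDK DOM API, the names `XmlnsDeclCheck` and `findPlainXmlnsAttrs` are hypothetical, and the small document it builds is constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class XmlnsDeclCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String XADES = "http://uri.etsi.org/01903/v1.1.1#";

    // Collects every attribute named xmlns or xmlns:* that is NOT in the
    // XMLNS namespace (http://www.w3.org/2000/xmlns/). Such attributes were
    // created with setAttribute(); their getNamespaceURI() is null, so
    // namespace-aware code does not see them as namespace declarations.
    static void findPlainXmlnsAttrs(Element e, List<String> out) {
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            String name = a.getName();
            boolean looksLikeDecl = name.equals("xmlns") || name.startsWith("xmlns:");
            if (looksLikeDecl
                    && !XMLConstants.XMLNS_ATTRIBUTE_NS_URI.equals(a.getNamespaceURI())) {
                out.add(e.getNodeName() + "/@" + name);
            }
        }
        for (Node c = e.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c.getNodeType() == Node.ELEMENT_NODE) {
                findPlainXmlnsAttrs((Element) c, out);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();

        // Constructed sample: ds:Object carrying the XAdES default namespace.
        Element object = doc.createElementNS(DS, "ds:Object");
        doc.appendChild(object);
        object.setAttribute("xmlns", XADES); // the call that caused the mismatch
        object.appendChild(doc.createElementNS(XADES, "SignedProperties"));

        List<String> bad = new ArrayList<>();
        findPlainXmlnsAttrs(object, bad);
        System.out.println("declared with setAttribute: " + bad);

        // Fix: replace it with a declaration in the XMLNS namespace.
        object.removeAttribute("xmlns");
        object.setAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI, "xmlns", XADES);
        bad.clear();
        findPlainXmlnsAttrs(object, bad);
        System.out.println("after setAttributeNS: " + bad);
    }
}
```

Running the check on the tree just before signing flags any declaration that would be serialized on output but was not added through `setAttributeNS`.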
