[EMAIL PROTECTED] wrote:
Hi,
I create a signature with a C14N transform applied. Signing works. The
signature is valid if I apply the checkSignatureValue() method directly on
the result Document object.
However, if I write the Document out to the file system and parse it back
in again later, the signature is invalid.
You need to dump the reference's pre-digested, canonicalized input
during the signing and validating. Then it is a matter of comparing them
to see what is different.
I can't tell what your problem is without seeing the Document contents,
but one problem I have seen a few times is due to signing legacy XML
that has no namespace information, i.e.:
<ds:Object>
<Foo>
</Foo>
</ds:Object>
When you canonicalize this, it doesn't see any namespace attributes on
the Foo element and so it inherits the xmldsig namespace. But when you
serialize the Document and deserialize it, xerces or other parsing
software may add an xmlns attribute set to the empty string indicating
that it has no namespace, ex:
<ds:Object>
<Foo xmlns="">
</Foo>
</ds:Object>
which will break the signature.
I don't really know what the proper way to fix this is, but one solution
(if possible) is to always make sure every Element is defined in some
namespace (ex: add an xmlns="" attribute to the Foo element before signing):
<Foo xmlns="">
</Foo>
--Sean
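An added worked example (mine, not code from the thread or from the XML Security library) that reproduces the mismatch Sean describes and the "dump and compare the pre-digested input" diagnosis. It assumes the xmldsig namespace is the default namespace in scope around Foo (that is what makes a namespace-less Foo "inherit" it), builds Foo with a non-namespace-aware createElement in minidom to stand in for the legacy DOM, and uses the stdlib canonicalize (C14N 2.0) in place of the inclusive C14N transform of a Java Reference; for this particular question both must write a no-namespace element under a non-empty default namespace as <Foo xmlns="">, so the digest difference shows the same way. The sample document is constructed inline.

```python
"""Added example: reproduce and detect the xmlns="" canonicalization mismatch."""
import difflib
import hashlib
import xml.dom.minidom as minidom
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def build_legacy_object() -> minidom.Document:
    """Constructed sample: <Object> in the xmldsig default namespace wrapping a
    legacy <Foo> created with no namespace information at all (assumption:
    this is the shape of the 'legacy XML' case in the thread)."""
    doc = minidom.Document()
    obj = doc.createElementNS(DSIG_NS, "Object")
    obj.setAttribute("xmlns", DSIG_NS)  # minidom does not emit this for us
    doc.appendChild(obj)
    obj.appendChild(doc.createElement("Foo"))  # namespaceURI is None: legacy DOM
    return doc


def elements_at_risk(node, default_ns=""):
    """Yield elements that have no namespace while a non-empty default
    namespace is in scope. A namespace-aware serializer must write these as
    <Name xmlns=""> to preserve their meaning; that is the added attribute
    which changes the canonical form and breaks the signature."""
    for child in node.childNodes:
        if child.nodeType != child.ELEMENT_NODE:
            continue
        in_scope = child.getAttribute("xmlns") if child.hasAttribute("xmlns") else default_ns
        if child.namespaceURI is None and in_scope:
            yield child
        yield from elements_at_risk(child, in_scope)


def apply_namespace_fixup(doc) -> list:
    """Declare xmlns="" on every at-risk element and return their names.
    Used both to simulate what a namespace-fixup serializer does on the way
    out and as the pre-signing workaround (fix the DOM before signing)."""
    names = []
    for el in list(elements_at_risk(doc)):
        el.setAttribute("xmlns", "")
        names.append(el.tagName)
    return names


def canonical_form(xml_text: str) -> str:
    """Canonical (C14N 2.0) serialization of the given XML text."""
    return ET.canonicalize(xml_text)


def digest(xml_text: str) -> str:
    """SHA-256 over the canonical form: what a DigestValue is computed on."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def reproduce_mismatch() -> dict:
    """Canonical forms and digests at signing time and after the round trip."""
    # (a) What the signer's C14N saw: Foo silently inherits the default namespace.
    signed = build_legacy_object().documentElement.toxml()
    # (b) What validation sees after a serialize/parse round trip with fixup.
    doc = build_legacy_object()
    apply_namespace_fixup(doc)
    reparsed = doc.documentElement.toxml()
    c14n_signed, c14n_reparsed = canonical_form(signed), canonical_form(reparsed)
    # The debugging step from the thread: dump both pre-digest inputs and diff them.
    diff = list(difflib.unified_diff([c14n_signed], [c14n_reparsed],
                                     "signing", "validating", lineterm=""))
    return {
        "c14n_signed": c14n_signed,
        "c14n_reparsed": c14n_reparsed,
        "digest_signed": digest(signed),
        "digest_reparsed": digest(reparsed),
        "diff": diff,
    }


def sign_time_fix_matches_round_trip() -> bool:
    """Apply the workaround before signing: the signed form now round-trips,
    because a second fixup pass finds nothing left to change."""
    doc = build_legacy_object()
    fixed = apply_namespace_fixup(doc)  # xmlns="" added to Foo before signing
    signed = doc.documentElement.toxml()
    apply_namespace_fixup(doc)          # simulated serializer pass: no-op now
    reparsed = doc.documentElement.toxml()
    return fixed == ["Foo"] and digest(signed) == digest(reparsed)


if __name__ == "__main__":
    r = reproduce_mismatch()
    print("\n".join(r["diff"]))
    print("digests equal:", r["digest_signed"] == r["digest_reparsed"])
    print("fixed before signing:", sign_time_fix_matches_round_trip())
```

Running it prints a one-line diff between the two canonical inputs (the only change is `xmlns=""` on Foo) and shows that the digests differ, then shows that adding `xmlns=""` before signing makes the two forms identical. The `elements_at_risk` walk is the pre-signing check worth running on any document built from legacy, non-namespace-aware DOM code.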