Hi Brent, thanks for the reply.
I made the two changes you suggested but the signature is still not
validating. I have been adding println's all throughout the 1.4.0
code to better understand why, and it seems that the C14N transform is
returning null at one point.
The Reference object loops through all the configured transforms, the http://www.w3.org/2000/09/xmldsig#enveloped-signature
transform returns a (modified, I assume) XMLSignatureInput, then we
run through the C14N and it returns null!
The block of code is in CanonicalizerBase.java in method
engineCanonicalizeXPathNodeSetInternal:

    this.canonicalizeXPathNodeSet(doc, doc);
    System.out.println("canonicalizeXPathNodeSet is ok i guess...");
    this._writer.close();
    if (this._writer instanceof ByteArrayOutputStream) {
        byte[] sol = ((ByteArrayOutputStream) this._writer).toByteArray();
        if (reset) {
            ((ByteArrayOutputStream) this._writer).reset();
        }
        return sol;
    } else if (this._writer instanceof UnsyncByteArrayOutputStream) {
        byte[] result = ((UnsyncByteArrayOutputStream) this._writer).toByteArray();
        if (reset) {
            ((UnsyncByteArrayOutputStream) this._writer).reset();
        }
        return result;
    }
    return null;   // <------ returns this null!
The _writer instance in this case was created in Reference.java, method
calculateDigest:

    MessageDigestAlgorithm mda = this.getMessageDigestAlgorithm();
    mda.reset();
    DigesterOutputStream diOs = new DigesterOutputStream(mda);
    OutputStream os = new UnsyncBufferedOutputStream(diOs);   // <--- not checked via instanceof in CanonicalizerBase
    XMLSignatureInput output = this.dereferenceURIandPerformTransforms(os);
    output.updateOutputStream(os);
    os.flush();
Do you (or anyone) think this could be a bug? I saw 1.4.1 mentioned some
bug in C14N, but I have tried that version as well without success....
thanks for the help!
- ian.
On Feb 15, 2008, at 5:50 PM, Brent Putman wrote:
Ian Hummel wrote:
    signature = new XMLSignature(signatureElement, System.getProperty("java.io.tmpdir"));

That second arg doesn't look right, it's the base URI for resolving
relative URI references. The examples you saw may have that because
they were signing files that lived in that directory or something (so a
detached signature). For this kind of enveloped signature with a same
document fragment URI, just pass an "" (empty string) there. May or may
not be the actual problem.
    SignedInfo signedInfo = signature.getSignedInfo();
    logger.info("signedInfo? " + signedInfo);
    signature.setFollowNestedManifests(true);

You don't need to set that flag. You don't have any Manifests in an
enveloped SAML Assertion signature like this. It probably is not doing
anything bad, so I doubt it is the problem.
Everything else looks good off-hand.
--Brent
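Added example (not code from either message above, nor from the Apache XML Security project): a verification routine that applies Brent's advice, passing "" as the base URI for an enveloped signature with a same-document fragment URI and leaving setFollowNestedManifests alone, together with the checks a relying party wants around it: namespace-aware parsing with DTDs disabled, registering the signed element's ID attribute so the "#id" reference can be resolved, taking the Signature only from the element being trusted, confirming the single Reference actually points at that element, and verifying against a certificate obtained out of band rather than from the document's own KeyInfo. It assumes the Apache XML Security (Santuario) 1.4.x API names XMLSignature, SignedInfo, Reference, Constants and Init.init(); the method name verify, its parameters and the SAML-style element and attribute names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Verifies an enveloped XML signature on one same-document element, e.g. a SAML Assertion. */
public class EnvelopedSignatureCheck {

    static {
        // Santuario must be initialised once before any XMLSignature is constructed.
        Init.init();
    }

    /**
     * @param xml             the signed document as received
     * @param signedNs        namespace URI of the signed element (e.g. urn:oasis:names:tc:SAML:2.0:assertion)
     * @param signedLocalName local name of the signed element (e.g. "Assertion")
     * @param idAttr          name of its ID attribute ("ID" for SAML 2.0, "AssertionID" for SAML 1.x)
     * @param trusted         certificate the signature must verify against; assumption: obtained
     *                        out of band (IdP metadata), never taken from the document's own KeyInfo
     */
    public static boolean verify(String xml, String signedNs, String signedLocalName,
                                 String idAttr, X509Certificate trusted) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Non-namespace-aware parsing is a classic cause of "signature does not validate":
        // ds:* elements are not matched and the canonical form differs from what was signed.
        dbf.setNamespaceAware(true);
        // No DTD processing: rules out external entity resolution while parsing untrusted input.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        NodeList signed = doc.getElementsByTagNameNS(signedNs, signedLocalName);
        if (signed.getLength() != 1) {
            return false; // exactly one signed element expected; ambiguity is a failure
        }
        Element signedEl = (Element) signed.item(0);

        // The parser does not know which attribute is the ID; without this registration a
        // same-document reference "#..." cannot be resolved and validation fails.
        signedEl.setIdAttribute(idAttr, true);
        String id = signedEl.getAttribute(idAttr);
        if (id.isEmpty()) {
            return false;
        }

        // Take only a ds:Signature that is a direct child of the signed element, not one
        // that happens to sit anywhere else in the document.
        Element sigEl = null;
        NodeList kids = signedEl.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && Constants.SignatureSpecNS.equals(n.getNamespaceURI())
                    && Constants._TAG_SIGNATURE.equals(n.getLocalName())) {
                sigEl = (Element) n;
                break;
            }
        }
        if (sigEl == null) {
            return false;
        }

        // Base URI "": every Reference is a same-document fragment, nothing is resolved
        // from the file system (this is the second constructor argument discussed above).
        XMLSignature signature = new XMLSignature(sigEl, "");

        // Bind the Reference to the element we are about to trust before checking the
        // signature value: a valid signature over some other element proves nothing here.
        SignedInfo si = signature.getSignedInfo();
        if (si.getLength() != 1) {
            return false;
        }
        Reference ref = si.item(0);
        if (!("#" + id).equals(ref.getURI())) {
            return false;
        }

        // Verifies the digest of the Reference (after the enveloped-signature and C14N
        // transforms) and the SignatureValue against the out-of-band trusted certificate.
        return signature.checkSignatureValue(trusted);
    }
}
```

A caller passes the received assertion text, the SAML namespace and element name, the ID attribute name and the IdP certificate it already trusts; any return of false, or an exception from the library, should be treated as a failed login rather than retried with looser settings.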