The signature looks a bit odd. Some of the XML Signature elements are defined in the dsig namespace bound by a 'ds' prefix, while others don't have a 'ds' prefix (see CanonicalizationMethod, SignatureValue and the DigestValue elements).

When I validated the signature, the cryptographic signature itself was invalid, so I'm wondering if the SignedInfo contents have been modified since the signature was generated. How did you generate this signature and why the inconsistency in namespaces?

--Sean

Ian Hummel wrote:
Hi there,


I am having some issues validating the signature on the following XML file using both xmlsec-1.4.0 and xmlsec-1.4.1:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="urn:uuid:44FFFE2742C5DBB6311203096718823" IssueInstant="2008-02-15T17:31:58.817Z" Issuer="https://rh150.sohosmart.net/TokenService/services/Trust" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2008-02-15T17:31:58.817Z" NotOnOrAfter="2008-02-22T17:31:58.817Z"/>
    <saml:AttributeStatement>
        <saml:Subject>
            <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:AttributeValue>NBkhyg1zm4UTqbpjkQg7LhXFlS8EpMpDtnphO1SvASA=</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
            <saml:AttributeValue>[EMAIL PROTECTED]</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#urn:uuid:44FFFE2742C5DBB6311203096718823">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">IjaxSnB43LryrBM25gCeFFEoaMc=</DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">BQadvf3/JZquVfzTGVa0OSGkmddVwMWdn30JEHTKYZvT26Goxg62iYg9xkB527dphU2bHBd2KICyo2cliivKsOxFqKpOPcIxgft/y+vv+RqE5cTn2BDsVZ6WfWWfiXHgEUAkzF+BUBoGG7mJ1Gs8ycZoIl/9pYgCzeUjSJXYNSU=</SignatureValue>
        <ds:KeyInfo>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <Modulus xmlns="http://www.w3.org/2000/09/xmldsig#">
imhZHVDvtboiubhWbcNFyIDOamOaOVWIdD6QpDq8i/D3MltwgBTDorX+/prqfj8RMWxbmYlmbuts q9ZBHlaCz8eKdXqZQJ3bUmqDtAXU6PnAM0J4UsW/S1ikTEVgcpV6mGpjsEF8UojhcNOJkwMyDipk
xmtcY+YknWkiJ5sl+LE=
</Modulus>
                    <Exponent xmlns="http://www.w3.org/2000/09/xmldsig#">AQAB</Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
    </ds:Signature>
</saml:Assertion>


The code I am using to verify the signature is the following:

import java.security.PublicKey;

import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

    // xmlsec must be initialised once before any of its signature classes are used
    static {
        org.apache.xml.security.Init.init();
    }

    // 'doc' must come from a namespace-aware parser (DocumentBuilderFactory.setNamespaceAware(true)),
    // otherwise getElementsByTagNameNS finds nothing and the prefix-less elements are not in the dsig namespace
    public static boolean verifyXmlSignature(Document doc) {
        // namespace-aware lookup: matches the Signature element whatever prefix it was written with
        Element signatureElement = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        if (signatureElement == null) {
            logger.warn("document contains no ds:Signature element");
            return false;
        }
        logger.debug("signatureElement? " + signatureElement);
        XMLSignature signature;
        try {
            // second argument is the base URI used to resolve external References
            signature = new XMLSignature(signatureElement, System.getProperty("java.io.tmpdir"));
        } catch (XMLSecurityException e) {
            logger.warn("error verifying digital signature", e);
            return false;
        }

        SignedInfo signedInfo = signature.getSignedInfo();
        logger.info("signedInfo? " + signedInfo);
        signature.setFollowNestedManifests(true);
        KeyInfo ki = signature.getKeyInfo();
        logger.info("keyInfo is: " + ki);
        if (ki == null) {
            logger.warn("Signature has no ds:KeyInfo");
            return false;
        }
        PublicKey pk;
        try {
            // resolves the embedded ds:KeyValue/ds:RSAKeyValue
            pk = ki.getPublicKey();
            logger.info("public key is: " + pk);
        } catch (KeyResolverException e) {
            logger.warn("Signature did not contain public key data", e);
            return false;
        }
        boolean valid;
        try {
            // checks every Reference digest, then the SignatureValue over the canonicalised SignedInfo
            valid = signature.checkSignatureValue(pk);
        } catch (XMLSignatureException e) {
            logger.warn("Signature was invalid", e);
            return false;
        }
        System.out.println("KEY The XML signature in file "
                + (valid ? "valid (good)" : "invalid !!!!! (bad)"));
        // the original returned true regardless of the check result; return the real outcome
        return valid;
    }


It always says the signature is invalid... I wonder if I am even setting everything up correctly? I got most of the code above from the sample files included in the 1.4.0 dist...

Am I missing something fundamental?


Thank you for any insight!

- ian.
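An added diagnostic example, not code from the thread, from Apache xmlsec or from the JDK samples: it uses the JDK's own XML Digital Signature API (javax.xml.crypto.dsig, JSR 105) rather than xmlsec's XMLSignature, because that API lets the two halves of core validation be checked separately. The SignatureValue covers only the canonicalised SignedInfo, while each Reference digest covers the signed content after its transforms. Exclusive C14N, which the assertion above uses, keeps namespace prefixes exactly as written, so a SignedInfo re-serialised with different prefixes after signing (Sean's suspicion about the ds:/default-namespace mix) fails the SignatureValue check even when the Reference digest still matches; this split is what tells those two causes apart. Assumptions: the class name SignatureDiagnostics, the default file name assertion.xml, and that the verification key is the one embedded in ds:KeyInfo/ds:KeyValue, as in the posted assertion (a production verifier would use the issuer's key from its own configuration and ignore the embedded key).

```java
import java.io.File;
import java.security.Key;
import java.security.KeyException;
import java.security.PublicKey;
import java.util.List;

import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Reports Reference digests and the SignatureValue separately for an enveloped SAML 1.x signature. */
public class SignatureDiagnostics {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    /** Assumption for this example: trust the RSA key embedded in ds:KeyValue. */
    static final class KeyValueSelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo == null) {
                throw new KeySelectorException("no ds:KeyInfo in signature");
            }
            for (Object item : keyInfo.getContent()) {
                if (item instanceof KeyValue) {
                    try {
                        final PublicKey pk = ((KeyValue) item).getPublicKey();
                        return new KeySelectorResult() {
                            public Key getKey() { return pk; }
                        };
                    } catch (KeyException e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            throw new KeySelectorException("no ds:KeyValue in ds:KeyInfo");
        }
    }

    public static boolean diagnose(File assertionFile) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this the dsig elements are not found by namespace
        Document doc = dbf.newDocumentBuilder().parse(assertionFile);

        // XMLSignature.XMLNS is the dsig namespace URI; matches ds:Signature regardless of prefix
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            System.out.println("expected exactly one ds:Signature, found " + sigs.getLength());
            return false;
        }
        DOMValidateContext ctx = new DOMValidateContext(new KeyValueSelector(), sigs.item(0));

        // The Reference URI "#urn:uuid:..." targets AssertionID, which is not a DTD-declared ID
        // attribute; register it so the dereferencer can locate the signed element.
        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            ctx.setIdAttributeNS((Element) assertions.item(i), null, "AssertionID");
        }

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);

        boolean coreValid = signature.validate(ctx); // references first, then SignatureValue
        System.out.println("core validation: " + (coreValid ? "valid" : "INVALID"));
        if (coreValid) {
            return true;
        }
        // Split the failure so it can be attributed to SignedInfo or to the signed content.
        boolean sigValueOk = signature.getSignatureValue().validate(ctx);
        System.out.println("  SignatureValue over canonicalised SignedInfo: "
                + (sigValueOk ? "ok" : "FAILED (SignedInfo changed since signing, or wrong key)"));
        @SuppressWarnings("unchecked")
        List<Reference> refs = signature.getSignedInfo().getReferences();
        for (Reference ref : refs) {
            boolean refOk = ref.validate(ctx);
            System.out.println("  Reference " + ref.getURI() + " digest: "
                    + (refOk ? "ok" : "FAILED (signed content changed or transforms differ)"));
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // assumed default path for this example; pass the assertion file to diagnose
        diagnose(new File(args.length > 0 ? args[0] : "assertion.xml"));
    }
}
```

If the Reference digest passes but the SignatureValue fails, the assertion content is intact and the problem lies in how SignedInfo was serialised (or in the key); if the Reference digest fails, the signed content or its transform chain no longer matches what was signed. Apache xmlsec's checkSignatureValue, used in the code above, performs both steps but reports only the combined result.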

