On Feb 27, 2008, at 2:44 PM, Sean Mullan wrote:
Scott Cantor wrote:
So what does this mean? There are no References? That seems odd, but I'm not sure what to do about it.
It means the corruption is inside the Signature element itself, not the digest over the single reference that exists (ref[0]).
-- Scott
And make sure you are using the right key to validate the signature.
Also, try dumping the canonicalized bytes of the SignedInfo element
after signing and validation. You can do this by calling
signature.getSignedInfo().getCanonicalizedData(). This returns an
InputStream and you can use an InputStreamReader to read the bytes
and write them out. Look for subtle differences in the data from the
signing and the validating code. You should see something that is
different and this should hopefully give you some clue as to what is
wrong.
Also, see http://weblogs.java.net/blog/mullan/archive/2007/08/index.html
--Sean
The info you provided is very helpful in getting me to understand what
is going on, but it has not solved my problem unfortunately.
The output of my debugging shows the SignedInfo as:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
  <Reference URI="#Body">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>LX03AylPkCsAK4y06v3SgrqERs0=</DigestValue>
  </Reference>
</SignedInfo>
which seems to match what I have in the document.
The full Signature element is as follows:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#Body">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>LX03AylPkCsAK4y06v3SgrqERs0=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>pl+1ACIa55o9Ci6mSbKvoF9NJsNb4vrTlvqN99WjJpPU56O4nZULHbzmh0IxA08jCJ2D0bmivZiuiak21t3VegkY2N3p26B7hwfgi29ZAeEpw7+jmbP+ggl5wTJAbbB/qlgZptyPzLRgDN4ak/nr8gezAEJO3S0zrvW13bwqi8aRmZ+M5YxgCAatrV4MIpfegRaQIFVAdxql5zorI0MEY5akhEFYFEwcPQoQfdye0lQLvfPA3zWCIR2tt2FOaghiz6iCS92MZXEOhrcHjA4yAcgkjKauOIe8T/fuRsQ+WyqrwBl6a8LpDQVO2bH+vuNOc2deRUwHt1llhM5ONNFFLg==</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate/>
      <X509IssuerSerial>
        <X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network</X509IssuerName>
        <X509SerialNumber>24106646020319917464201195001108908780</X509SerialNumber>
      </X509IssuerSerial>
    </X509Data>
  </KeyInfo>
</Signature>
What occurs to me is that there is an empty X509Certificate element. I
get a "DerInputStream.getLength(): lengthTag=127, too big." error if I
leave it in, and I get the validation failure if I take it out.
Perhaps this is the root of the problem?
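Sean's two suggestions above (validate with an explicitly chosen key, then dump the canonicalized SignedInfo so the signing and validating sides can be diffed) combined into one diagnostic helper using the JSR 105 API; this is an added example, not code posted by anyone in this thread. It assumes the document was parsed namespace-aware and that the element referenced by URI="#Body" has its Id attribute registered (DOMValidateContext.setIdAttributeNS if the parser does not mark it); the class name SignatureDiagnostics is hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Hypothetical diagnostic helper; not part of the JSR 105 API itself. */
public final class SignatureDiagnostics {
    /** Validates the first ds:Signature with an explicitly chosen key. On failure,
     *  reports whether SignatureValue or a Reference digest failed and returns the
     *  canonicalized SignedInfo bytes so signer and verifier output can be diffed. */
    public static byte[] diagnose(Document doc, Key validationKey) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) {
            throw new IllegalArgumentException("no ds:Signature element in document");
        }
        // The key is supplied by the caller, not pulled from KeyInfo, so an empty or
        // attacker-controlled X509Certificate element cannot steer which key is used.
        DOMValidateContext ctx = new DOMValidateContext(validationKey, sigs.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        boolean coreValid = sig.validate(ctx);
        // The canonicalized SignedInfo is only available after sign() or validate().
        byte[] c14n = readAll(sig.getSignedInfo().getCanonicalizedData());
        if (!coreValid) {
            // Separate the two possible causes of a core validation failure.
            System.err.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            List<?> refs = sig.getSignedInfo().getReferences();
            for (int i = 0; i < refs.size(); i++) {
                Reference ref = (Reference) refs.get(i);
                System.err.println("ref[" + i + "] " + ref.getURI() + " valid: " + ref.validate(ctx));
            }
            System.err.println("canonicalized SignedInfo:\n" + new String(c14n, "UTF-8"));
        }
        return c14n;
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        return out.toByteArray();
    }
}
```

Run the same helper on the signer's side right after sign() and diff the two byte arrays; any difference in the canonicalized bytes (namespace declarations, whitespace, attribute order) pinpoints why SignatureValue does not verify even though the Reference digest matches.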