OK, so I have tried serializing and (re)parsing the XML message first, but
still fail the verification:
Document doc = assertion.getOwnerDocument();
doc.normalize();
// somehow the ID attribute is not yet really in the doc
// so we regsiter the id of interest so the Resolver
called by sign can
// find it
String assertionId =
assertion.getAttributeNode("ID").toString().substring(4,37);
IdResolver.registerElementById(assertion, assertionId);
XMLSignature sig = new XMLSignature(doc, "",
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
assertion.insertBefore(sig.getElement(),assertion.getFirstChild());
// create the transforms object for the Document/Reference
Transforms transforms = new Transforms(doc);
// First we have to strip away the signature element (it's
not part of
// the signature calculations). The enveloped transform
can be used.
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
// Part of the signature element needs to be
canonicalized. It is a kind
// of normalizing algorithm for XML. For more information
please take a
// look at the W3C XML Digital Signature webpage.
InclusiveNamespaces incNS = new
InclusiveNamespaces(doc, "ds saml xenc xs");
transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,incNS.getElement());
// Add the above Document/Reference
sig.addDocument("#"+assertionId, transforms,
Constants.ALGO_ID_DIGEST_SHA1);
Key privKey = (Key) cred.get("privateKey");
sig.sign(privKey);
try {
// /
TEST!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
StringWriter writer = new StringWriter();
TransformerFactory transformerFactory =
TransformerFactory
.newInstance();
Transformer transformer = null;
transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.METHOD,
"xml");
transformer.setOutputProperty(OutputKeys.VERSION,
"2.0");
transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION,"yes");
transformer.setOutputProperty(OutputKeys.ENCODING,
"ISO-8859-1");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount";,
"4");
transformer.setOutputProperty(OutputKeys.INDENT,
"no");
transformer.transform(new DOMSource(doc), new
StreamResult(writer));
DOMParser parser = new DOMParser();
InputSource input = new InputSource(new
BufferedInputStream(
new
ByteArrayInputStream(writer.toString().getBytes())));
input.setEncoding("ISO-8859-1");
parser.parse(input);
Document doc2 = parser.getDocument();
XPathFactory xFact = XPathFactory.newInstance();
XPath xpath = xFact.newXPath();
SimpleNamespaceContext snc = new
SimpleNamespaceContext();
snc.addNamespace("SOAP-ENV",
"http://schemas.xmlsoap.org/soap/envelope/";);
snc.addNamespace("ws",
"http://schemas.xmlsoap.org/ws/2005/02/trust";);
snc.addNamespace("saml",
"urn:oasis:names:tc:SAML:2.0:assertion");
snc.addNamespace("ds",
"http://www.w3.org/2000/09/xmldsig#";);
xpath.setNamespaceContext(snc);
XPathExpression expr = null;
expr = xpath
.compile("//saml:Assertion/ds:Signature");
Element sigElement = null;
sigElement = (Element) expr.evaluate(doc2,
XPathConstants.NODE);
XMLSignature signature = null;
signature = new XMLSignature(sigElement, "");
boolean isSuccess =
signature.checkSignatureValue((Key) cred
.get("publicKey"));
LogManager.debug("First verification = " +
isSuccess);
} catch (Exception e) {
e.printStackTrace();
throw e;
}
Is anything wrong with how I am doing that that would impact the results?
"Raul Benito" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/05/2008 06:33 AM
Please respond to
security-dev@xml.apache.org
To
security-dev@xml.apache.org
cc
Subject
Re: Signature verification issue
You have to serialize the signature and deserialize it sadly the
internal structures doesn't manage signing and verifying and the same
time.
On Mon, Aug 4, 2008 at 1:42 PM, <[EMAIL PROTECTED]> wrote:
>
> I am trying to create, then verify a signature, without much success. I
> assume something I am doing is corrupting the XML, so I chnaged the code
to
> call checkSignatureValue() immediately after calling sign():
>
> Document doc = assertion.getOwnerDocument();
> doc.normalize();
> // somehow the ID attribute is not yet really in the doc
> // so we regsiter the id of interest so the Resolver
called
> by sign can
> // find it
> String assertionId =
> assertion.getAttributeNode("ID").toString().substring(4,37);
> IdResolver.registerElementById(assertion, assertionId);
>
> XMLSignature sig = new XMLSignature(doc, "",
>
>
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>
> assertion.insertBefore(sig.getElement(),assertion.getFirstChild());
>
> // create the transforms object for the
Document/Reference
> Transforms transforms = new Transforms(doc);
>
> // First we have to strip away the signature element
(it's
> not part of
> // the signature calculations). The enveloped transform
can
> be used.
>
> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
> // Part of the signature element needs to be
canonicalized.
> It is a kind
> // of normalizing algorithm for XML. For more
information
> please take a
> // look at the W3C XML Digital Signature webpage.
> InclusiveNamespaces incNS = new
InclusiveNamespaces(doc,
> "ds saml xenc xs");
>
>
>
transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,incNS.getElement());
> // Add the above Document/Reference
> sig.addDocument("#"+assertionId, transforms,
> Constants.ALGO_ID_DIGEST_SHA1);
>
> Key privKey = (Key) cred.get("privateKey");
> sig.sign(privKey);
>
> boolean isSuccess = sig.checkSignatureValue(<public
> key>);
> LogManager.debug("First verification = " +
isSuccess);
>
> The call to sig.checkSignatureValue () fails. Can anyone help
explain
> why? If I understand this, I am hoping I will better understand how to
make
> the the rest work.
>
> Ed
