There are lots of known problems associated with the existing XML 
signature/encryption specs... the W3C is 
currently revising those specs to improve usability and performance.
  ----- Original Message ----- 
  From: [EMAIL PROTECTED] 
  To: security-dev@xml.apache.org 
  Sent: Tuesday, August 05, 2008 8:35 AM
  Subject: Re: Signature verification issue



  > transformer.setOutputProperty(OutputKeys.INDENT, "no"); 
  Hmmm, I had indent set to no 

  So I tried removing this: 
  > transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");

  Same results. 

  Also, isn't the Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS supposed to 
account for the differences in spaces?


  Edward Thompson

  (704) 383-9933
  401 South Tryon Street
  Three Wachovia Center, Sixth floor
  Charlotte, NC 28202

  Authentication & Entitlements 



  "Raul Benito" <[EMAIL PROTECTED]> 
  Sent by: [EMAIL PROTECTED] 
  08/05/2008 11:19 AM 
  Please respond to security-dev@xml.apache.org 
  To: security-dev@xml.apache.org 
  cc: 
  Subject: Re: Signature verification issue 

  Ok, what you are doing is adding spaces as you are indenting the
  result; as space is relevant content, you are destroying the
  signature in the process. You have to output it as pure as possible;
  in xml-sec there are some of them, but any that doesn't add spaces will work.

  Regards,
  Raul

  On Tue, Aug 5, 2008 at 7:26 AM,  <[EMAIL PROTECTED]> wrote:
  >
  > OK, so I have tried serializing and (re)parsing the XML message first, but
  > still fail the verification:
  >
  >     Document doc = assertion.getOwnerDocument();
  >     doc.normalize();
  >     // somehow the ID attribute is not yet really in the doc
  >     // so we register the id of interest so the Resolver called by sign can
  >     // find it
  >     // getAttribute returns the attribute value directly (no Attr.toString() hack)
  >     String assertionId = assertion.getAttribute("ID");
  >     IdResolver.registerElementById(assertion, assertionId);
  >
  >     XMLSignature sig = new XMLSignature(doc, "",
  >             XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
  >             Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
  >     assertion.insertBefore(sig.getElement(), assertion.getFirstChild());
  >
  >     // create the transforms object for the Document/Reference
  >     Transforms transforms = new Transforms(doc);
  >
  >     // First we have to strip away the signature element (it's not part of
  >     // the signature calculations). The enveloped transform can be used.
  >     transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
  >     // Part of the signature element needs to be canonicalized. It is a kind
  >     // of normalizing algorithm for XML. For more information please take a
  >     // look at the W3C XML Digital Signature webpage.
  >     InclusiveNamespaces incNS = new InclusiveNamespaces(doc, "ds saml xenc xs");
  >     transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS, incNS.getElement());
  >     // Add the above Document/Reference
  >     sig.addDocument("#" + assertionId, transforms, Constants.ALGO_ID_DIGEST_SHA1);
  >
  >     Key privKey = (Key) cred.get("privateKey");
  >     sig.sign(privKey);
  >
  >     try {
  >         // TEST!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  >         StringWriter writer = new StringWriter();
  >
  >         TransformerFactory transformerFactory = TransformerFactory.newInstance();
  >         Transformer transformer = transformerFactory.newTransformer();
  >
  >         transformer.setOutputProperty(OutputKeys.METHOD, "xml");
  >         transformer.setOutputProperty(OutputKeys.VERSION, "2.0");
  >         transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
  >         transformer.setOutputProperty(OutputKeys.ENCODING, "ISO-8859-1");
  >         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
  >         transformer.setOutputProperty(OutputKeys.INDENT, "no");
  >
  >         transformer.transform(new DOMSource(doc), new StreamResult(writer));
  >
  >         DOMParser parser = new DOMParser();
  >         // encode with the same charset the parser is told to expect
  >         InputSource input = new InputSource(new BufferedInputStream(
  >                 new ByteArrayInputStream(writer.toString().getBytes("ISO-8859-1"))));
  >         input.setEncoding("ISO-8859-1");
  >         parser.parse(input);
  >
  >         Document doc2 = parser.getDocument();
  >
  >         XPathFactory xFact = XPathFactory.newInstance();
  >         XPath xpath = xFact.newXPath();
  >         SimpleNamespaceContext snc = new SimpleNamespaceContext();
  >         snc.addNamespace("SOAP-ENV", "http://schemas.xmlsoap.org/soap/envelope/");
  >         snc.addNamespace("ws", "http://schemas.xmlsoap.org/ws/2005/02/trust");
  >         snc.addNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
  >         snc.addNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
  >         xpath.setNamespaceContext(snc);
  >         XPathExpression expr = xpath.compile("//saml:Assertion/ds:Signature");
  >
  >         Element sigElement = (Element) expr.evaluate(doc2, XPathConstants.NODE);
  >
  >         XMLSignature signature = new XMLSignature(sigElement, "");
  >
  >         boolean isSuccess = signature.checkSignatureValue((Key) cred.get("publicKey"));
  >         LogManager.debug("First verification = " + isSuccess);
  >     } catch (Exception e) {
  >         e.printStackTrace();
  >         throw e;
  >     }
  >
  > Is anything wrong with how I am doing that that would impact the results?
  >
  >
  >
  > "Raul Benito" <[EMAIL PROTECTED]>
  > Sent by: [EMAIL PROTECTED]
  >
  > 08/05/2008 06:33 AM
  >
  > Please respond to
  > security-dev@xml.apache.org
  > To
  > security-dev@xml.apache.org
  > cc
  > Subject
  > Re: Signature verification issue
  >
  >
  >
  >
  > You have to serialize the signature and deserialize it; sadly, the
  > internal structures don't manage signing and verifying at the same
  > time.
  >
  > On Mon, Aug 4, 2008 at 1:42 PM,  <[EMAIL PROTECTED]> wrote:
  >>
  >> I am trying to create, then verify a signature, without much success.  I
  >> assume something I am doing is corrupting the XML, so I changed the code to
  >> call checkSignatureValue() immediately after calling sign():
  >>
  >>     Document doc = assertion.getOwnerDocument();
  >>     doc.normalize();
  >>     // somehow the ID attribute is not yet really in the doc
  >>     // so we register the id of interest so the Resolver called by sign can
  >>     // find it
  >>     // getAttribute returns the attribute value directly (no Attr.toString() hack)
  >>     String assertionId = assertion.getAttribute("ID");
  >>     IdResolver.registerElementById(assertion, assertionId);
  >>
  >>     XMLSignature sig = new XMLSignature(doc, "",
  >>             XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
  >>             Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
  >>     assertion.insertBefore(sig.getElement(), assertion.getFirstChild());
  >>
  >>     // create the transforms object for the Document/Reference
  >>     Transforms transforms = new Transforms(doc);
  >>
  >>     // First we have to strip away the signature element (it's not part of
  >>     // the signature calculations). The enveloped transform can be used.
  >>     transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
  >>     // Part of the signature element needs to be canonicalized. It is a kind
  >>     // of normalizing algorithm for XML. For more information please take a
  >>     // look at the W3C XML Digital Signature webpage.
  >>     InclusiveNamespaces incNS = new InclusiveNamespaces(doc, "ds saml xenc xs");
  >>     transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS, incNS.getElement());
  >>     // Add the above Document/Reference
  >>     sig.addDocument("#" + assertionId, transforms, Constants.ALGO_ID_DIGEST_SHA1);
  >>
  >>     Key privKey = (Key) cred.get("privateKey");
  >>     sig.sign(privKey);
  >>
  >>     boolean isSuccess = sig.checkSignatureValue(<public key>);
  >>     LogManager.debug("First verification = " + isSuccess);
  >>
  >> The call to sig.checkSignatureValue() fails.  Can anyone help explain
  >> why?  If I understand this, I am hoping I will better understand how to
  >> make the rest work.
  >>
  >> Ed
  >
  >
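Raul's point above, that indentation whitespace is signed content and that exclusive C14N does not strip it, can be checked directly. The following is an added example, not code from this thread or from Apache XML Security: it uses Python's xml.etree canonicalize (which implements C14N 2.0 rather than the Exclusive C14N 1.0 named in the thread, but both preserve whitespace-only text nodes) over a constructed, minimal SAML-like assertion, and shows that the reference digest changes the moment the serializer indents the document.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the same assertion as the signer produced it (no
# indentation) and as a Transformer with indent-amount=4 would emit it.
COMPACT = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1">'
    '<saml:Issuer>idp.example</saml:Issuer>'
    '<saml:Subject><saml:NameID>ed</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)
INDENTED = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1">\n'
    '    <saml:Issuer>idp.example</saml:Issuer>\n'
    '    <saml:Subject>\n'
    '        <saml:NameID>ed</saml:NameID>\n'
    '    </saml:Subject>\n'
    '</saml:Assertion>'
)


def canonical_bytes(xml_text, strip_ws=False):
    """Canonical form with comments omitted (the *_OMIT_COMMENTS variant).

    Assumption: xml.etree's C14N 2.0 stands in for Exclusive C14N 1.0 here;
    neither drops whitespace-only text nodes by default. strip_ws=True models
    a hypothetical canonicalizer that did, to show what would have to change
    for pretty-printing to be harmless."""
    return ET.canonicalize(xml_data=xml_text, with_comments=False,
                           strip_text=strip_ws).encode("utf-8")


def reference_digest(xml_text, strip_ws=False):
    """SHA-1 over the canonical form, i.e. what a ds:Reference DigestValue
    covers when the digest method is SHA-1 as in the thread."""
    return hashlib.sha1(canonical_bytes(xml_text, strip_ws)).hexdigest()


def digests_match(xml_a, xml_b, strip_ws=False):
    """True when both serializations canonicalize to the same digest."""
    return reference_digest(xml_a, strip_ws) == reference_digest(xml_b, strip_ws)


if __name__ == "__main__":
    # Real canonicalization keeps the whitespace, so the digests differ and
    # verification of the re-serialized document fails, which is correct.
    print("compact == indented:", digests_match(COMPACT, INDENTED))
    # Only a whitespace-stripping canonicalizer would make them agree.
    print("with whitespace stripped:", digests_match(COMPACT, INDENTED, True))
```

The first line prints False and the second True: the fix on the signer side is to serialize without indentation, not to change the canonicalization algorithm.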
