Please check the examples in the code, you will find some way of
outputing the DOM tree. And sadly spaces are important
is not the same <amount>100000000</amount> that <amount>10000
00000</amount>
Or some more funny things that can happen in text nodes. But you get
the picture.
And also doing doc.normalize() I think it is not a good idea. So i
will check this two things.
Regards,
Raul
On Tue, Aug 5, 2008 at 8:35 AM, <[EMAIL PROTECTED]> wrote:
>
>> transformer.setOutputProperty(OutputKeys.INDENT, "no");
> Hmmm, I had indent set to no
>
> So I tried removing this:
>> transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount";,
>> "4");
>
> Same results.
>
> Also, isn't the Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS supposed to
> account for the differences in spaces?
>
>
> Edward Thompson
>
> (704) 383-9933
> 401 South Tryon Street
> Three Wachovia Center, Sixth floor
> Charlotte, NC 28202
>
> Authentication & Entitlements
>
>
>
> "Raul Benito" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
>
> 08/05/2008 11:19 AM
>
> Please respond to
> security-dev@xml.apache.org
> To
> security-dev@xml.apache.org
> cc
> Subject
> Re: Signature verification issue
>
>
>
>
> Ok what are you doing is adding spaces as you are indenting the
> result, as space is a relevant content you are destroying the
> signature in the process. You have to output it as pure as possible,
> in xml-sec there some of them but any that don't add spaces will work.
>
> Regards,
> Raul
>
> On Tue, Aug 5, 2008 at 7:26 AM, <[EMAIL PROTECTED]> wrote:
>>
>> OK, so I have tried serializing and (re)parsing the XML message first, but
>> still fail the verification:
>>
>> Document doc = assertion.getOwnerDocument();
>> doc.normalize();
>> // somehow the ID attribute is not yet really in the doc
>> // so we regsiter the id of interest so the Resolver
>> called
>> by sign can
>> // find it
>> String assertionId =
>> assertion.getAttributeNode("ID").toString().substring(4,37);
>> IdResolver.registerElementById(assertion, assertionId);
>>
>> XMLSignature sig = new XMLSignature(doc, "",
>>
>>
>> XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>
>> assertion.insertBefore(sig.getElement(),assertion.getFirstChild());
>>
>> // create the transforms object for the Document/Reference
>> Transforms transforms = new Transforms(doc);
>>
>> // First we have to strip away the signature element (it's
>> not part of
>> // the signature calculations). The enveloped transform
>> can
>> be used.
>>
>> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>> // Part of the signature element needs to be
>> canonicalized.
>> It is a kind
>> // of normalizing algorithm for XML. For more information
>> please take a
>> // look at the W3C XML Digital Signature webpage.
>> InclusiveNamespaces incNS = new
>> InclusiveNamespaces(doc, "ds saml xenc xs");
>>
>>
>>
>> transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,incNS.getElement());
>> // Add the above Document/Reference
>> sig.addDocument("#"+assertionId, transforms,
>> Constants.ALGO_ID_DIGEST_SHA1);
>>
>> Key privKey = (Key) cred.get("privateKey");
>> sig.sign(privKey);
>>
>> try {
>> // /
>> TEST!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> StringWriter writer = new StringWriter();
>>
>> TransformerFactory transformerFactory =
>> TransformerFactory
>> .newInstance();
>> Transformer transformer = null;
>>
>> transformer = transformerFactory.newTransformer();
>>
>> transformer.setOutputProperty(OutputKeys.METHOD,
>> "xml");
>> transformer.setOutputProperty(OutputKeys.VERSION,
>> "2.0");
>>
>> transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION,"yes");
>> transformer.setOutputProperty(OutputKeys.ENCODING,
>> "ISO-8859-1");
>>
>> transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount";,
>> "4");
>> transformer.setOutputProperty(OutputKeys.INDENT,
>> "no");
>>
>>
>> transformer.transform(new DOMSource(doc), new
>> StreamResult(writer));
>>
>>
>> DOMParser parser = new DOMParser();
>> InputSource input = new InputSource(new
>> BufferedInputStream(
>> new
>> ByteArrayInputStream(writer.toString().getBytes())));
>> input.setEncoding("ISO-8859-1");
>> parser.parse(input);
>>
>> Document doc2 = parser.getDocument();
>>
>> XPathFactory xFact = XPathFactory.newInstance();
>> XPath xpath = xFact.newXPath();
>> SimpleNamespaceContext snc = new
>> SimpleNamespaceContext();
>> snc.addNamespace("SOAP-ENV",
>>
>> "http://schemas.xmlsoap.org/soap/envelope/";);
>> snc.addNamespace("ws",
>>
>> "http://schemas.xmlsoap.org/ws/2005/02/trust";);
>> snc.addNamespace("saml",
>> "urn:oasis:names:tc:SAML:2.0:assertion");
>> snc.addNamespace("ds",
>> "http://www.w3.org/2000/09/xmldsig#";);
>> xpath.setNamespaceContext(snc);
>> XPathExpression expr = null;
>>
>> expr = xpath
>>
>> .compile("//saml:Assertion/ds:Signature");
>>
>> Element sigElement = null;
>>
>> sigElement = (Element) expr.evaluate(doc2,
>> XPathConstants.NODE);
>>
>> XMLSignature signature = null;
>>
>> signature = new XMLSignature(sigElement, "");
>>
>> boolean isSuccess =
>> signature.checkSignatureValue((Key) cred
>> .get("publicKey"));
>> LogManager.debug("First verification = " +
>> isSuccess);
>> } catch (Exception e) {
>> e.printStackTrace();
>> throw e;
>> }
>>
>> Is anything wrong with how I am doing that that would impact the results?
>>
>>
>>
>> "Raul Benito" <[EMAIL PROTECTED]>
>> Sent by: [EMAIL PROTECTED]
>>
>> 08/05/2008 06:33 AM
>>
>> Please respond to
>> security-dev@xml.apache.org
>> To
>> security-dev@xml.apache.org
>> cc
>> Subject
>> Re: Signature verification issue
>>
>>
>>
>>
>> You have to serialize the signature and deserialize it sadly the
>> internal structures doesn't manage signing and verifying and the same
>> time.
>>
>> On Mon, Aug 4, 2008 at 1:42 PM, <[EMAIL PROTECTED]> wrote:
>>>
>>> I am trying to create, then verify a signature, without much success. I
>>> assume something I am doing is corrupting the XML, so I chnaged the code
>>> to
>>> call checkSignatureValue() immediately after calling sign():
>>>
>>> Document doc = assertion.getOwnerDocument();
>>> doc.normalize();
>>> // somehow the ID attribute is not yet really in the doc
>>> // so we regsiter the id of interest so the Resolver
>>> called
>>> by sign can
>>> // find it
>>> String assertionId =
>>> assertion.getAttributeNode("ID").toString().substring(4,37);
>>> IdResolver.registerElementById(assertion, assertionId);
>>>
>>> XMLSignature sig = new XMLSignature(doc, "",
>>>
>>>
>>>
>>> XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>>
>>> assertion.insertBefore(sig.getElement(),assertion.getFirstChild());
>>>
>>> // create the transforms object for the
>>> Document/Reference
>>> Transforms transforms = new Transforms(doc);
>>>
>>> // First we have to strip away the signature element
>>> (it's
>>> not part of
>>> // the signature calculations). The enveloped transform
>>> can
>>> be used.
>>>
>>> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>>> // Part of the signature element needs to be
>>> canonicalized.
>>> It is a kind
>>> // of normalizing algorithm for XML. For more information
>>> please take a
>>> // look at the W3C XML Digital Signature webpage.
>>> InclusiveNamespaces incNS = new
>>> InclusiveNamespaces(doc,
>>> "ds saml xenc xs");
>>>
>>>
>>>
>>>
>>> transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,incNS.getElement());
>>> // Add the above Document/Reference
>>> sig.addDocument("#"+assertionId, transforms,
>>> Constants.ALGO_ID_DIGEST_SHA1);
>>>
>>> Key privKey = (Key) cred.get("privateKey");
>>> sig.sign(privKey);
>>>
>>> boolean isSuccess = sig.checkSignatureValue(<public
>>> key>);
>>> LogManager.debug("First verification = " + isSuccess);
>>>
>>> The call to sig.checkSignatureValue () fails. Can anyone help
>>> explain
>>> why? If I understand this, I am hoping I will better understand how to
>>> make
>>> the the rest work.
>>>
>>> Ed
>>
>>
>
>
