I will get back on this. I am on something other imp work. Thanks for cooperation.
-satish -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, August 08, 2008 2:49 AM To: security-dev@xml.apache.org Subject: Re: Signature validation problem - C14N transform returns null I agree. Returning null is intentional and is a performance optimization as Raul mentions. The c14ned bytes are still being written to the output stream. I validated the signature with the JSR 105 API, and it is invalid. The reference digests don't match. Here's some debugging info: Expected digest: SVUf+cO2NKZpSOHHhPfQjLQNhiE= Actual digest: Us20IPzJot+nTKMGap+rv81TVOo= Pre-digested input (likely skewed by the email app): <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="c63cc59337d833aeb06186e4d19556b2" Id="id-23761097" IssueInstant="2008-08-01T08:28:40.298Z" Issuer="SmartInternetTechnology" MajorVersion="1" MinorVersion="0"><Conditions xmlns="urn:oasis:names:tc:SAML:1.0:assertion" NotBefore="2008-08-01T08:27:58.688Z" NotOnOrAfter="2008-08-01T09:27:58.688Z"></Conditions><AuthenticationStatemen t xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AuthenticationInstant="2008-08-01T08:27:58.688Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><Nam eIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">arun</NameIde ntifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0 :cm:holder-of-key</ConfirmationMethod></SubjectConfirmation></Subject></Auth enticationStatement><AttributeStatement xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">arun</NameIde ntifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0 :cm:holder-of-key</ConfirmationMethod></SubjectConfirmation></Subject><Attri bute AttributeName="telephoneNumber" AttributeNamespace="telephoneNumber"><AttributeValue>a</AttributeValue></Att ribute></AttributeStatement></saml:Assertion> I suggest you dump the pre-digested input when signing and compare byte for byte to see what broke the signature. --Sean Raul Benito wrote: > Sathis, > I think that particular code is correct, it is strange because the > api, that the transformation and the c14n is using looks like a > pipeline one, but after profiling it I change it to a visitor one, the > problem is that in some parts of the code there are some users as > pipeline that is why I can deprecated the several if instanceof, that > I will love to. > Can you post the sighnature that is giving you the problem with the > code that is making a problem. Also take into account that envelope > and exc-c14n transformation was my base case and the default for all > optimizations, so I'm 98% sure that part is working > > Regards, > > Raul > On Wed, Aug 6, 2008 at 5:04 PM, Satish Burnwal <[EMAIL PROTECTED]> wrote: >> I am facing a issue with validating the xml signature. I have >> enveloped transform followed by ex-C14N. I did search xmlsec mail >> archive but to no success. Then I tried with debugging the xmlsec src code: >> >> >> The Reference object loops through all the configured transforms, >> the http://www.w3.org/2000/09/xmldsig#enveloped-signature >> transform returns a (modified, i assume) XMLSignatureInput, then >> we run through the C14N and it returns null! >> >> The block of code is in CanonicalizerBase.java in method >> engineCanonicalizeXPathNodeSetInternal. >> >> this.canonicalizeXPathNodeSet(doc,doc); >> System.out.println("canonicalizeXPathNodeSet is ok i >> guess..."); >> this._writer.close(); >> if (this._writer instanceof ByteArrayOutputStream) { >> byte [] >> sol=((ByteArrayOutputStream)this._writer).toByteArray(); >> if (reset) { >> ((ByteArrayOutputStream)this._writer).reset(); >> } >> return sol; >> } else if (this._writer instanceof >> UnsyncByteArrayOutputStream) { >> byte >> []result=((UnsyncByteArrayOutputStream)this._writer).toByteArray(); >> if (reset) { >> ((UnsyncByteArrayOutputStream)this._writer).reset(); >> } >> return result; >> } >> return null; <------ returns this null! >> >> The _writer instance in this case was created in Reference.java >> method calculateDigest. Thus the ByteArrayOutputStreams of >> CanonicalizeBase do not match with the BufferedOutputStreams of >> Reference class, causing it to return null. >> >> MessageDigestAlgorithm mda = >> this.getMessageDigestAlgorithm(); >> >> mda.reset(); >> DigesterOutputStream diOs=new DigesterOutputStream(mda); >> OutputStream os=new UnsyncBufferedOutputStream(diOs); <--- >> not check via instanceof in CanonicalizerBase >> XMLSignatureInput >> output=this.dereferenceURIandPerformTransforms(os); >> output.updateOutputStream(os); >> os.flush(); >> >> Pls help me in resolving this. The signedInfo element is this: >> >> <ds:SignedInfo> >> <ds:CanonicalizationMethod >> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> >> <ds:SignatureMethod >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> >> >> <ds:Reference URI="#id-23761097"> >> >> <ds:Transforms> >> <ds:Transform >> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> >> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> >> </ds:Transforms> >> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> >> <ds:DigestValue>SVUf+cO2NKZpSOHHhPfQjLQNhiE=</ds:DigestValue> >> </ds:Reference> >> </ds:SignedInfo> >> >>
