https://issues.apache.org/bugzilla/show_bug.cgi?id=45586


Satish Burnwal <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]
             Status|NEEDINFO                    |ASSIGNED




--- Comment #3 from Satish Burnwal <[EMAIL PROTECTED]>  2008-09-16 04:58:11 PST ---
As suggested, I am dumping the pre-digested input just before signing. I did
debug the signing code as well. Actually during signing itself, while applying
all the transforms, in my case which is
http://www.w3.org/2000/09/xmldsig#enveloped-signature 
followed by ex-C14N, it returns null. Thus digest seems to be computed for null
content. Below is the input that is being signed. You can verify that after
signing, signature verification fails. 

<?xml version="1.0"?>
<saml:Assertion AssertionID="b5b4e2ec57d9fb038ec1f45637bc8799" Id="id-6074555"
IssueInstant="2008-09-16T11:48:21.160Z" Issuer="SmartInternetTechnology"
MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><Conditions
NotBefore="2008-09-16T11:48:20.800Z"
NotOnOrAfter="2008-09-16T12:48:20.800Z"/><AuthenticationStatement
AuthenticationInstant="2008-09-16T11:48:20.800Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">arun</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement><AttributeStatement><Subject><NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">arun</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod></SubjectConfirmation></Subject><Attribute
AttributeName="telephone"
AttributeNamespace="telephoneNumber"><AttributeValue>a</AttributeValue></Attribute></AttributeStatement><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#id-6074555" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Modulus xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
yiU+P4QcZzOcoF2gmCEomDppV+oOJ7I+RJyk+SUiuhxO50o3KiNtLBFEpDKlHJe8552gH0BWOB3f
Dd1DS/+fT0DXo3aixtvMp/Z6MNPxXHqZFA+9BKDvlNvFFI0xReve2DDq4Na2wP+6+fPZxp2Cwt0f
pXUeZTaFz50oo4ydXqc=
</ds:Modulus>
<ds:Exponent xmlns:ds="http://www.w3.org/2000/09/xmldsig#">AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>

-----------------------
Thanks in adv,
Satish.

