Harakiri wrote:

(this is my XML doc created by the SUN XML API)

<?xml version="1.0" encoding="UTF-8"?>
<tbone>
    <license>
        <param name="myparam">Test</param>
    </license>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                        <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="union">/tbone/license</XPath>
                    </Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>cp68+Em7EAO6X62j+kw7a8T08qU=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>TH3tGkUs0Pnzgzb74OjVjqkrZA/9LqBaC4ZzrPrFevsdPBl94XFKg3hPdofLBdFkvb+vkYb9T9TT
0436m+aQOnC6Y9pwk7lCKYPvbPeZcwCwUCFa7ccGh0jGSyp83QgBI6eqomWkaI8xq56WjgcvXKiv
JvZ4sh7QsdQp3dw2q84=</SignatureValue>
        <KeyInfo>
            <KeyName>My Keyname</KeyName>
        </KeyInfo>
    </Signature>
</tbone>

This is a very strange signature. If you just want to sign the contents of the document (the tbone element) without the signature, you should just use the enveloped transform: http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature

I don't understand what you are trying to sign above with the XPath Filter 2 union transform. In particular the XPath Filter 2 specification says this about the union filter, http://www.w3.org/TR/xmldsig-filter2/#sec-Examples (5th paragraph down):

"Union filters, by themselves are of no particular use: The initial filter node-set consists of the entire input document; any union with this will have no effect, so the output of the transform will be identical to the input. The union operation is intended to follow a subtract operation, to allow a subtree to be removed, with the exception of a lower subtree which is still included in the output."

It is quite likely that this transform above is including the signature element itself as part of the reference digest which definitely would explain why you are getting a validation failure.

This forum post hinted at a possible namespace problem: http://forums.java.net/jive/message.jspa?messageID=37326

but I'm not sure, because I don't see the suggested two pre-digest outputs.

You need to also dump out the same pre-digested input when generating the signature and then compare them.

--Sean
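
An added example, not code from the thread, that does what Sean suggests: it signs a constructed <tbone>/<license> document twice with the JDK's javax.xml.crypto.dsig API (the JSR 105 API the SUN XML API implements), once with the enveloped transform and once with the XPath Filter 2 union filter from the posted signature, and dumps the exact pre-digested bytes on both the signing and the validating side. The document, the generated RSA key pair and the class name DigestInputDemo are constructed for the demonstration; SHA-256 and rsa-sha256 (given by URI so it compiles on older JDKs) stand in for the post's SHA-1, which current JDKs reject under secure validation. The dump relies on the "javax.xml.crypto.dsig.cacheReference" context property, which makes Reference.getDigestInputStream() return the bytes that were actually digested.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.crypto.dsig.spec.XPathFilter2ParameterSpec;
import javax.xml.crypto.dsig.spec.XPathType;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class DigestInputDemo {

    // Constructed sample document with the same shape as the one in the post (not the original).
    static final String DOC = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<tbone><license><param name=\"myparam\">Test</param></license></tbone>";

    static final String CACHE = "javax.xml.crypto.dsig.cacheReference";
    // Given as a URI so the example compiles on JDKs that predate SignatureMethod.RSA_SHA256.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();  // throwaway key pair for the demo
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // Variant 1: enveloped transform, which removes the Signature element itself
        // from the node-set of a URI="" reference before digesting.
        Transform enveloped = fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);

        // Variant 2: the XPath Filter 2 union filter from the post. The union of the whole
        // input node-set with /tbone/license is still the whole document, Signature included.
        Transform union = fac.newTransform(Transform.XPATH2, new XPathFilter2ParameterSpec(
            Collections.singletonList(new XPathType("/tbone/license", XPathType.Filter.UNION))));

        run(fac, kp, enveloped);
        run(fac, kp, union);
    }

    static void run(XMLSignatureFactory fac, KeyPair kp, Transform t) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // required for XML-DSig processing
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(DOC.getBytes(StandardCharsets.UTF_8)));

        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(t), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyName("My Keyname")));

        // Signing side: cache the reference so the digested bytes can be read back afterwards.
        DOMSignContext sctx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        sctx.setProperty(CACHE, Boolean.TRUE);
        fac.newXMLSignature(si, ki).sign(sctx);
        String signInput = new String(readAll(ref.getDigestInputStream()), StandardCharsets.UTF_8);

        // Validating side: unmarshal the Signature that sign() appended, validate, and dump again.
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        DOMValidateContext vctx = new DOMValidateContext(kp.getPublic(), nl.item(0));
        vctx.setProperty(CACHE, Boolean.TRUE);
        XMLSignature parsed = fac.unmarshalXMLSignature(vctx);
        boolean valid = parsed.validate(vctx);
        Reference pref = (Reference) parsed.getSignedInfo().getReferences().get(0);
        String valInput = new String(readAll(pref.getDigestInputStream()), StandardCharsets.UTF_8);

        System.out.println("transform: " + t.getAlgorithm());
        System.out.println("  core validation passed:               " + valid);
        System.out.println("  digest input contains <Signature>:     " + signInput.contains("<Signature"));
        System.out.println("  sign-side and validate-side dumps equal: " + signInput.equals(valInput));
        System.out.println("  sign-side digest input: " + signInput);
    }

    static byte[] readAll(InputStream in) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) > 0;) out.write(buf, 0, n);
        return out.toByteArray();
    }
}
```

Compile and run with `javac DigestInputDemo.java && java DigestInputDemo`; it needs nothing outside the JDK. With the enveloped transform the Signature element is absent from both dumps, the two dumps match, and validation passes. With the union filter the Signature element stays in the node-set, so the sign-side dump is taken while DigestValue and SignatureValue are still empty and the validate-side dump contains the filled-in values; the two differ, the reference digest does not match, and validation fails, which is the failure mode Sean describes. Comparing the two dumps this way is the quickest check for any reference-digest mismatch, namespace-related or otherwise.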
