RE: JDOM - Sign validation

2006-04-10 Thread Jesse Pelton



Your signature elements appear to have identical canonical form. Canonicalization should remove the superfluous namespace declarations that appear in the DOM serialization, so I don't think that's the problem.

These are enveloped signatures. It's possible (probable, in fact) that the enveloping documents differ. Note that if you introduce whitespace into element content after signing (as could happen if you indent when serializing), you may break the signature because you've altered the signed document. We may be able to get a better sense of whether this is the case if you attach examples of the enveloping documents. (Attach them rather than embedding them in the message body so we can see exactly what bytes are in the documents.)


From: chirsmail sapl [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 07, 2006 4:25 PM
To: security-dev@xml.apache.org
Subject: RE: JDOM - Sign validation

I am using the following code to serialize:

   import java.io.FileWriter;
   import org.apache.xml.serialize.LineSeparator;
   import org.apache.xml.serialize.OutputFormat;
   import org.apache.xml.serialize.XMLSerializer;
   import org.w3c.dom.Document;

   // signDocument is the org.w3c.dom.Document that carries the signature
   OutputFormat format = new OutputFormat(signDocument);
   format.setLineSeparator(LineSeparator.Windows);
   format.setIndenting(true);       // pretty-printing inserts whitespace text nodes
   format.setLineWidth(0);
   format.setPreserveSpace(true);

   // FileWriter encodes with the platform default charset
   XMLSerializer serializer = new XMLSerializer(
       new FileWriter("output_DOM.xml"), format);
   //serializer.asDOMSerializer();
   serializer.serialize(signDocument);

chirsmail sapl <[EMAIL PROTECTED]> wrote:

  Yes, you are correct. Here is what I did:
  1) Converted JDOM to DOM and then signed.
  2) Serialized the signed DOM and sent it to the O/P stream. Attached the file output_DOM.xml.
  3) Then converted the signed DOM to JDOM.
  4) Then again converted JDOM to DOM. Attached file output_DOMFromJDOM.xml.

  I can see the difference: the signed DOM contains

  and the DOM converted from JDOM after signing contains
   URI="">
  The namespace is missing:
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

  I have attached the signed DOM below:
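An added example, not code from this thread or from XMLSec, that reproduces the two observations in the reply above with the Python 3.8+ standard-library canonicalizer: the sample documents, the shape of the ds:Signature and the names c14n, enveloped_c14n and reference_digest are constructed here. ET.canonicalize implements C14N 2.0 rather than the inclusive C14N 1.0 the signature specifies, but both drop a re-declaration of a namespace already in scope and both keep whitespace text nodes, which is all this comparison relies on.

```python
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample of a signed document as the signing library wrote it:
# the ds prefix is re-declared on every element of the enveloped signature.
SIGNED_DOM = (
    '<order id="42"><item>widget</item>'
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo xmlns:ds="{DS}">'
    f'<ds:Reference URI="" xmlns:ds="{DS}"/></ds:SignedInfo>'
    f'<ds:SignatureValue xmlns:ds="{DS}">c2ln</ds:SignatureValue>'
    '</ds:Signature></order>'
)
# The same document after a DOM -> JDOM -> DOM round trip that keeps the
# declaration on the outermost signature element only.
DOM_FROM_JDOM = (
    '<order id="42"><item>widget</item>'
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI=""/>'
    '</ds:SignedInfo><ds:SignatureValue>c2ln</ds:SignatureValue>'
    '</ds:Signature></order>'
)
# SIGNED_DOM written back out with setIndenting(true): whitespace text nodes
# now sit inside element content that was already signed.
INDENTED_DOM = (
    '<order id="42">\n  <item>widget</item>\n'
    f'  <ds:Signature xmlns:ds="{DS}">\n    <ds:SignedInfo xmlns:ds="{DS}">\n'
    f'      <ds:Reference URI="" xmlns:ds="{DS}"/>\n    </ds:SignedInfo>\n'
    f'    <ds:SignatureValue xmlns:ds="{DS}">c2ln</ds:SignatureValue>\n'
    '  </ds:Signature>\n</order>'
)


def c14n(xml_text: str) -> str:
    """Canonical form of the whole document; superfluous xmlns:ds are dropped."""
    return ET.canonicalize(xml_text)


def enveloped_c14n(xml_text: str) -> str:
    """Enveloped-signature transform (drop ds:Signature), then canonicalize."""
    return ET.canonicalize(xml_text, exclude_tags=[f"{{{DS}}}Signature"])


def reference_digest(xml_text: str) -> str:
    """SHA-1 over the canonical enveloped form, i.e. what the Reference digests."""
    return hashlib.sha1(enveloped_c14n(xml_text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(c14n(SIGNED_DOM) == c14n(DOM_FROM_JDOM))                         # True
    print(reference_digest(SIGNED_DOM) == reference_digest(INDENTED_DOM))  # False
```

The redundant declarations vanish in the canonical form, so the two round-trip variants digest identically, while the indented copy carries extra text nodes and its reference digest no longer matches.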

Re: JDOM - Sign validation

2006-04-10 Thread Sean Mullan
I have seen this problem before in another context, but I cannot 
remember if/how I resolved it. It has something to do with the 
serialization to DOM in that it removes the xmlns:ds namespace 
attributes which breaks the signature. You might try to invoke 
org.apache.xml.security.utils.XMLUtils.circumventBug2650(Document) on 
the Document after converting it back to DOM.


If I get some more time, I'll try to see if I can figure out what the 
problem is. BTW, what version of XMLSec are you using?


--Sean

chirsmail sapl wrote:

I am using the following code to serialize:

   import java.io.FileWriter;
   import org.apache.xml.serialize.LineSeparator;
   import org.apache.xml.serialize.OutputFormat;
   import org.apache.xml.serialize.XMLSerializer;
   import org.w3c.dom.Document;

   // signDocument is the org.w3c.dom.Document that carries the signature
   OutputFormat format = new OutputFormat(signDocument);
   format.setLineSeparator(LineSeparator.Windows);
   format.setIndenting(true);       // pretty-printing inserts whitespace text nodes
   format.setLineWidth(0);
   format.setPreserveSpace(true);

   // FileWriter encodes with the platform default charset
   XMLSerializer serializer = new XMLSerializer(
       new FileWriter("output_DOM.xml"), format);
   //serializer.asDOMSerializer();
   serializer.serialize(signDocument);

chirsmail sapl <[EMAIL PROTECTED]> wrote:

Yes, you are correct. Here is what I did:
1) Converted JDOM to DOM and then signed.
2) Serialized the signed DOM and sent it to the O/P stream. Attached the
file output_DOM.xml.
3) Then converted the signed DOM to JDOM.
4) Then again converted JDOM to DOM. Attached file output_DOMFromJDOM.xml.

I can see the difference: the signed DOM contains

http://www.w3.org/2000/09/xmldsig#">
and the DOM converted from JDOM after signing contains

The namespace is missing:
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

I have attached the signed DOM below:

http://www.w3.org/2000/09/xmldsig#*";>
*-* 
http://www.w3.org/2000/09/xmldsig#*";>
* * http://www.w3.org/TR/2001/REC-xml-c14n-20010315*";
xmlns:ds="*http://www.w3.org/2000/09/xmldsig#*"; />
* * http://www.w3.org/2000/09/xmldsig#rsa-sha1*";
xmlns:ds="*http://www.w3.org/2000/09/xmldsig#*"; />
*-* 
http://www.w3.org/2000/09/xmldsig#*";>
*-* 
http://www.w3.org/2000/09/xmldsig#*";>
* * http://www.w3.org/2000/09/xmldsig#enveloped-signature*";
xmlns:ds="*http://www.w3.org/2000/09/xmldsig#*"; />
* * http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments*";
xmlns:ds="*http://www.w3.org/2000/09/xmldsig#*"; />
* * 
* * http://www.w3.org/2000/09/xmldsig#sha1*";
xmlns:ds="*http://www.w3.org/2000/09/xmldsig#*"; />
* * http://www.w3.org/2000/09/xmldsig#*";>*8LzJf7lSdxcPiyeb2ApFOPEHVZE=*

* * 
* * 
* * http://www.w3.org/2000/09/xmldsig#*";>*VnLYodjEkycbfrkEnbsIjureVSIRCppJLonEf1Bt4Gh2n8DibSF5icHYqWfRU5LjyNifskOyWhzK
Ua1s/NfNoS9xeuo3skiQHkGG83eDEcz8/mB+Vot35bR4FL2QGjztDbaEBrzR+4/iD0IUPy3YjiHS
Zl3c9jtb/mM1LjYV8oI=*
*-* 
http://www.w3.org/2000/09/xmldsig#*";>
*-* 
http://www.w3.org/2000/09/xmldsig#*";>
* * http://www.w3.org/2000/09/xmldsig#*";>*MIICNDCCAZ0CBEQki2AwDQYJKoZIhvcNAQEEBQAwYTELMAkGA1UEBhMCREUxHTAbBgNVBAoTFFVu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2B91o7arMGpW9M2AhmrNqI5AGnb4m96AsGJr0ZEy4+BfXbx4A4bnhxUlfh5p/7jrCBSQAexU7A==*

* * 
*-* 
http://www.w3.org/2000/09/xmldsig#*";>
*-* 
http://www.w3.org/2000/09/xmldsig#*";>
* * http://www.w3.org/2000/09/xmldsig#*";>*iMyPaBtjyD45i3iNi/ijObw+XrmiMgADOSUAo62MjBK6A1qZb4uwhrF+vSkWfrdpmW1yfH0HUTOA
T4pgNc8UWn8WH61LRlj5MBnVF5f32DBqxgXs7K3i42W3xWeMr7cPwuD00qOeisbiLuTSKg8axsmf
+ATnZWBMTpH7O5NtxFs=*
* * http://www.w3.org/2000/09/xmldsig#*";>*AQAB*
* * 
* * 
* * 
* * 
 
I have attached the signed DOM from JDOM for validation below:

http://www.w3.org/2000/09/xmldsig#*";>
*-*


* * http://www.w3.org/TR/2001/REC-xml-c14n-20010315*"; />
* * http://www.w3.org/2000/09/xmldsig#rsa-sha1*"; />
*-*


*-*


* * http://www.w3.org/2000/09/xmldsig#enveloped-signature*"; />
* * http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments*";
/>
* * 
* * http://www.w3.org/2000/09/xmldsig#sha1*"; />
* * *8LzJf7lSdxcPiyeb2ApFOPEHVZE=*
* * 
* * 
* *

*VnLYodjEkycbfrkEnbsIjureVSIRCppJLonEf1Bt4Gh2n8DibSF5icHYqWfRU5LjyNifskOyWhzK
Ua1s/NfNoS9xeuo3skiQHkGG83eDEcz8/mB+Vot35bR4FL2QGjztDbaEBrzR+4/iD0IUPy3YjiHS
Zl3c9jtb/mM1LjYV8oI=*
*-*


*-*


* *

*MIICNDCCAZ0CBEQki2AwDQYJKoZIhvcNAQEEBQAwYTELMAkGA1UEBhMCREUxHTAb