santuario-dev mailing list archives

From "Jesse Pelton" <...@PKC.com>
Subject RE: Verify signature: bad for enveloped, ok for enveloping and detached.
Date Wed, 02 Feb 2005 15:43:20 GMT
While I'm familiar with the XML Signature standard, I'm new to this particular implementation,
so I hope someone else can help you out with the particulars.  I'm still wrestling with getting
it to build in my environment. 

> -----Original Message-----
> From: def abc [mailto:anon742000@yahoo.fr] 
> Sent: Wednesday, February 02, 2005 10:25 AM
> To: security-dev@xml.apache.org
> Subject: RE: Verify signature: bad for enveloped, ok for enveloping and detached.
> 
>  --- Jesse Pelton <jsp@PKC.com> wrote:
> > You need to include the enveloped signature
> > transformation specifically.  This serves to remove
> > the signature element from the document before
> > signing and verification.  This is required because
> > the signature element changes during signing; if the
> > original signature element were part of the signed
> > content, the final signature would be invalid,
> > because part of the signed content (the signature)
> > would be different.  See
> > http://www.w3.org/TR/xmldsig-core/#sec-EnvelopedSignature
> > and
> > http://www.w3.org/TR/xmldsig-core/#sec-Transforms.
> 
> Yep. You're right. 
> The transform is within the Reference element, isn't
> it? And I get a different signature value, because
> now the Transform element gets signed too, right?
> 
> I've added the transform, but my signature still does
> not validate...
> 
> I now have: 
> 
> <ds:SignedInfo>
>   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>   <ds:Reference URI="file:/G:/prog/xml-security-1_2_0/misc.xml">
>     <ds:Transforms>
>       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>     </ds:Transforms>
>     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <ds:DigestValue>7uZSWomZ8W6sa3GI+e/XCygny2I=</ds:DigestValue>
>   </ds:Reference>
> </ds:SignedInfo>
> 
> ******************
> This is how I sign it:
> XMLSignature signature;
> signature = new XMLSignature(input, inputURI.toString(),
>                              XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
> Transforms transforms = new Transforms(input);
> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
> signature.addDocument(inputURI.toString(), transforms);
> signature.sign(prvkey);
> 
> **************
> This is how I verify it:
> NodeList dsNodeList = doc.getElementsByTagName("ds:Signature");
> if (dsNodeList.getLength() == 0)
>     throw new IOException("No signature in file");
> Element dsElement = (Element) dsNodeList.item(0);
> XMLSignature signature = new XMLSignature(dsElement, outputURI.toString());
> return signature.checkSignatureValue(pubkey);
> 
> -- Axelle. 
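
The sign-then-verify sequence discussed in this thread, as an added example that is neither the poster's code nor the project's own: it uses the Apache XML Security (Santuario) Java API with a same-document Reference (URI=""), the case the enveloped-signature section of the spec linked above is defined for, so the transform strips the ds:Signature from the very document that contains it. The class name, the sample XML document and the freshly generated RSA key pair are assumptions made for the demo.

```java
// Added example (not the poster's code): sign and verify an enveloped
// XML Signature with the Apache XML Security (Santuario) Java API.
// The Reference uses URI="" (same document), so the enveloped-signature
// transform can strip the ds:Signature that lives inside the signed content.
import java.io.StringReader;
import java.security.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class EnvelopedSignatureExample {
    // Signs doc in place: the ds:Signature element is appended to the root.
    static void signEnveloped(Document doc, PrivateKey priv, PublicKey pub) throws Exception {
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
        doc.getDocumentElement().appendChild(sig.getElement());
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE); // drop ds:Signature first
        transforms.addTransform(Transforms.TRANSFORM_C14N_OMIT_COMMENTS);  // then canonicalize
        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);    // "" = this document
        sig.addKeyInfo(pub);
        sig.sign(priv);
    }

    // Verifies with a key the caller already trusts; the key inside KeyInfo is untrusted input.
    static boolean verifyEnveloped(Document doc, PublicKey trustedPub) throws Exception {
        Element sigEl = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        if (sigEl == null) throw new IllegalStateException("no ds:Signature in document");
        XMLSignature sig = new XMLSignature(sigEl, "");
        // Re-runs the transforms, compares each DigestValue, then checks SignatureValue over SignedInfo.
        return sig.checkSignatureValue(trustedPub);
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // needed so the ds:* elements resolve by namespace
        String sample = "<order><item>1</item></order>"; // constructed sample document
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(sample)));
        signEnveloped(doc, kp.getPrivate(), kp.getPublic());
        System.out.println("valid after signing: " + verifyEnveloped(doc, kp.getPublic()));
        doc.getElementsByTagName("item").item(0).setTextContent("2"); // tamper with signed content
        System.out.println("valid after tampering: " + verifyEnveloped(doc, kp.getPublic()));
    }
}
```

checkSignatureValue only answers whether SignedInfo is intact and correctly signed by the given key; the caller still has to confirm that the verified Reference actually covers the content it is about to trust.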
