santuario-dev mailing list archives

From Berin Lautenbach <be...@wingsofhermes.org>
Subject Re: Verification problems
Date Sat, 23 Apr 2005 00:00:02 GMT
Pushya,

Couple of quick questions -

1.  When you sign, do you then embed your signature back into the 
original document?

2.  You cannot import *just* the signature into your new document and 
expect it to work.  You have to copy the entire document as what has 
been signed is also in the original doc.

As an aside - the attached Signature file still fails both Ref and Sig 
checks for me.

Cheers,
	Berin

Pushyamitra Navare wrote:

> Hi Berin,
> Thanks for replying.
> 
> I feel that when the DOM document which holds the signature element
> is changed, the signature becomes invalid.
> 
> I tested it like this -
> 
> --
> Element e1 = sign(somedom);
> Verify(e1);      // signature is verified.
> 
> Document doc = documentBuilder.newDocument();
> // Now I import the signed Signature element into another document.
> Element e2 = (Element) doc.importNode(e1, true);
> 
> Verify(e2);      // verification fails now. :(
> --
> 
> Is this normal?  Should the two documents (w3c.dom.Document) on the sending and
> receiving sides be the same?
> And shouldn't the verification result be the same for both e2 and e1?
> 
> 
> Also, I have attached the whole document I am trying to verify.
> While verifying, I isolate the Signature element from the parsed document and
> then just call Verify() on it.
> Isn't that right?
> 
> Do reply,
> 
> thanks,
> -Pushya.
> 
> 
> On Thursday 21 Apr 2005 3:38 pm, Berin Lautenbach wrote:
> 
>>Pushya,
>>Also the actual signature itself fails.  Are you "pretty printing" the
>>XML after the signature operation itself?  It almost reads like line
>>feeds have been added post signing.
> 
> 
> I ran a Java program which serialises documents using a
> 'StringWriter' and redirected its output to a file,
> and attached the file.
> Maybe using the StringWriter automatically adds the line feeds.
> 
> --
> 
> These are the code fragments i use,
> 
> // Verify method.
> import java.security.cert.X509Certificate;
> import org.apache.xml.security.keys.KeyInfo;
> import org.apache.xml.security.signature.XMLSignature;
> import org.w3c.dom.Element;
> 
> public boolean Verify(Element e) throws Exception
> {
>     // Wrap the ds:Signature element; "" is the base URI used to resolve References.
>     XMLSignature xmlSignature = new XMLSignature(e, "");
>     // The certificate is taken from the signature's own ds:KeyInfo/ds:X509Data.
>     KeyInfo ki = xmlSignature.getKeyInfo();
>     X509Certificate cert = ki.getX509Certificate();
>     cert.checkValidity();   // throws if the certificate is expired or not yet valid
>     // checkSignatureValue() checks the Reference digests and the SignatureValue.
>     boolean Result = xmlSignature.checkSignatureValue(cert);
>     return Result;
> }
> 
> 
> 
> ------------------------------------------------------------------------
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <lib:AuthnResponse xmlns:lib="urn:liberty:iff:2003-08" InResponseTo="R21322323232"
> IssueInstant="2005-04-22T04:25:33.084Z" MajorVersion="1" MinorVersion="2" ResponseID="P1641971398955428227"><samlp:Status
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><samlp:StatusCode Value="samlp:Success"/></samlp:Status><lib:ProviderID>www.IDP.com</lib:ProviderID><saml:Assertion
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="P9126123448599142335" IssueInstant="2005-04-22T04:25:32.944Z"
> Issuer="www.IDP.com" MajorVersion="1" MinorVersion="1"><lib:AuthenticationStatement
> AuthenticationInstant="2005-04-22T04:25:32.863Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="Blitz.co.in/NameQualifiers#">userName</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></lib:AuthenticationStatement></saml:Assertion><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">9QV9N9WFOFC92LOoFy89NTFHr1k=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CMZjDxA6J7LaSiTB0eV7jcAawEOQxGMJ/qX+zVRZNyPp73uqn5ZCPw==</ds:SignatureValue>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> MIIFMjCCBBqgAwIBAgIBBTANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCSU4xCzAJBgNVBAgT
> Ak1IMQ0wCwYDVQQHEwRQdW5lMRIwEAYDVQQKEwlCbGl0ei5vcmcxCzAJBgNVBAsTAkNBMRswGQYD
> VQQDExJQdXNoeWFtaXRyYSBOYXZhcmUxKzApBgkqhkiG9w0BCQEWHHB1c2h5YW1pdHJhLm5hdmFy
> ZUBnbWFpbC5jb20wHhcNMDUwMzE2MTM1NzA0WhcNMDYwMzE2MTM1NzA0WjBjMQswCQYDVQQGEwJJ
> TjELMAkGA1UECBMCTUgxDTALBgNVBAcTBFB1bmUxEDAOBgNVBAoTB0lEUC5vcmcxEDAOBgNVBAsT
> B0lEUCBJTkMxFDASBgNVBAMTC3d3dy5pZHAuY29tMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/
> U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00
> b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith
> 1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+GghdabPd7LvKtcNrhXuXmU
> r7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOu
> HiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQA
> AoGABYzBvi2HAaG5KYvlGbxabr9oeS5egJd/lkJost/NhBRt0mTowzA17+nTPiWZUpU2gArlNQFa
> fb1rCZQRcbknvHuLxxyRTekVl9m9xItygqQQz1PfcLQXSt8EJU8gzVRO+DcPN/+XK+GJBxRYmgwc
> aaLEyJ8fjw998TrY7rrbwV6jggEoMIIBJDAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
> U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUOKOL14TNJerSJFkA9bJ7e+YJen8w
> gckGA1UdIwSBwTCBvoAUZQIV2LORTCjOPmIcBwbPTa7NueKhgZqkgZcwgZQxCzAJBgNVBAYTAklO
> MQswCQYDVQQIEwJNSDENMAsGA1UEBxMEUHVuZTESMBAGA1UEChMJQmxpdHoub3JnMQswCQYDVQQL
> EwJDQTEbMBkGA1UEAxMSUHVzaHlhbWl0cmEgTmF2YXJlMSswKQYJKoZIhvcNAQkBFhxwdXNoeWFt
> aXRyYS5uYXZhcmVAZ21haWwuY29tggkAuOPJOxtwTVMwDQYJKoZIhvcNAQEEBQADggEBABtnzzVr
> v4f7PCu+sLdbHISXf781s3yyF/Ya7tPDkWOBl0j8iNt0sWxi2gR9lhbktBSn5Q6qDrTNQ7iBaRmz
> PpJxj8fTkIY2jNkwekoZ6jVTIweeJ6Wz4yM4c/lHjbSQ1xTjf8/t67NY8JYlEotOY6OLGfQTucU0
> WiLbMzV26JOeM81gcLBW2dqyW+foXLyn34xtH9AEIgZr7guEfDWXzNFRgSjA3er7CeolKf7ZK+dx
> NVeqwzRsZ1hXQXv5KLDPQfQuWeh+dpH8BrZM/wo42IPmuigfIv9gbcbjpkvrRfCpfiC+lZ/ogu2n
> C+R1+vK1gBmhVDgyqHcDULwRlwwR/AY=
> </ds:X509Certificate>
> </ds:X509Data>
> <ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:DSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:P xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> /X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuA
> HTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu
> K2HXKu/yIgMZndFIAcc=
> </ds:P>
> <ds:Q xmlns:ds="http://www.w3.org/2000/09/xmldsig#">l2BQjxUjC8yykrmCouuEC/BYHPU=</ds:Q>
> <ds:G xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3
> zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL
> Zl6Ae1UlZAFMO/7PSSo=
> </ds:G>
> <ds:Y xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> BYzBvi2HAaG5KYvlGbxabr9oeS5egJd/lkJost/NhBRt0mTowzA17+nTPiWZUpU2gArlNQFafb1r
> CZQRcbknvHuLxxyRTekVl9m9xItygqQQz1PfcLQXSt8EJU8gzVRO+DcPN/+XK+GJBxRYmgwcaaLE
> yJ8fjw998TrY7rrbwV4=
> </ds:Y>
> </ds:DSAKeyValue>
> </ds:KeyValue>
> </ds:KeyInfo>
> </ds:Signature></lib:AuthnResponse>
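The behaviour Berin describes in points 1 and 2 above, shown end to end with Apache XML Security for Java. This is an added example, not code from the thread or from the Santuario project; the payload, the class and method names and the key pair are all made up here, and it uses RSA-SHA256 with SHA-256 digests rather than the dsa-sha1/sha1 of the attachment (the outcome does not depend on the algorithm, and current Santuario releases reject weak keys under secure validation). It signs a small document with the same shape of signature as the attachment (Reference URI="" plus the enveloped-signature transform, which means the signed data is the whole document minus the Signature element), then verifies it in place, after importing only the Signature element into a fresh Document (Pushya's experiment), after importing the whole document, and after a round trip through a serializer with and without indentation.

```java
// Added example (not from the thread or the Santuario project). Requires the
// xmlsec jar on the classpath. Key pair and payload are generated/constructed here.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class EnvelopedSignatureDemo {

    // Constructed payload, loosely shaped like the attachment (made-up values).
    private static final String PAYLOAD =
        "<lib:AuthnResponse xmlns:lib=\"urn:liberty:iff:2003-08\" ResponseID=\"R1\">"
      + "<lib:ProviderID>www.idp.example</lib:ProviderID></lib:AuthnResponse>";

    static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // ds:/lib: prefixes must resolve, or nothing works
        return dbf.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return builder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    /** Sign with Reference URI="" and the enveloped-signature transform, as in the attachment. */
    static Element sign(Document doc, KeyPair kp) throws Exception {
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        doc.getDocumentElement().appendChild(sig.getElement());   // embed in the original document
        Transforms t = new Transforms(doc);
        t.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);  // exclude the Signature itself
        t.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
        sig.addDocument("", t, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256); // "" = whole document
        sig.addKeyInfo(kp.getPublic());                             // ds:KeyValue/ds:RSAKeyValue
        sig.sign(kp.getPrivate());
        return sig.getElement();
    }

    /** Same shape as the thread's Verify(), keyed from ds:KeyValue instead of ds:X509Data. */
    static boolean verify(Element signatureElement) throws Exception {
        XMLSignature sig = new XMLSignature(signatureElement, "");
        KeyInfo ki = sig.getKeyInfo();
        PublicKey key = ki == null ? null : ki.getPublicKey();
        // A key taken from the signature's own KeyInfo only proves self-consistency;
        // a real verifier must match it against a trusted key or certificate set.
        return key != null && sig.checkSignatureValue(key);
    }

    static Element findSignature(Document doc) {
        return (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
    }

    static String serialize(Document doc, boolean indent) throws Exception {
        Transformer tf = TransformerFactory.newInstance().newTransformer();
        tf.setOutputProperty(OutputKeys.INDENT, indent ? "yes" : "no");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        tf.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception {
        Init.init();                                                // mandatory before any xmlsec use
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document signed = parse(PAYLOAD);
        Element e1 = sign(signed, kp);
        System.out.println("(a) in place:            " + verify(e1));   // expected: true

        // (b) Pushya's experiment: only the Signature element is imported. The Reference
        // URI="" now resolves to the new (empty) document, so the digest cannot match.
        Document sigOnly = builder().newDocument();
        Element e2 = (Element) sigOnly.importNode(e1, true);
        System.out.println("(b) signature alone:     " + verify(e2));   // expected: false

        // (c) Berin's point 2: import the whole signed document, then locate the signature in it.
        Document whole = builder().newDocument();
        whole.appendChild(whole.importNode(signed.getDocumentElement(), true));
        System.out.println("(c) whole document:      " + verify(findSignature(whole)));   // expected: true

        // (d) Re-serialise and re-parse: byte-exact round trip verifies, an indenting one does not,
        // because the added whitespace text nodes change the canonical form of both the signed
        // content and ds:SignedInfo.
        System.out.println("(d) compact round trip:  " + verify(findSignature(parse(serialize(signed, false)))));  // expected: true
        System.out.println("(d) indented round trip: " + verify(findSignature(parse(serialize(signed, true)))));   // expected: false
    }
}
```

Case (c) is the one to use when a signature must travel between DOM trees: import (or re-parse) the entire document and find the ds:Signature inside it, so that the URI="" Reference still resolves to the content that was signed. Case (d) is the pretty-printing problem from the earlier reply in this thread: any serializer that inserts line feeds after signing changes the bytes that were digested.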
