santuario-dev mailing list archives

From Jean-Luc Cooke <jlco...@certainkey.com>
Subject Re: Microsoft Office12 Postmark will not verify
Date Wed, 28 Feb 2007 15:47:09 GMT
EGG ON MY FACE!

I feel like such a tool.

Attached is the XML doc that verifies correctly.  You guys had everything
working as of 1.4.0 and I don't know how to update JARs.  For shame on me.

I'll still open a bug to have more information come back from a failed verify
than true/false.  XML signatures are way too complex to only have pass/fail.

Cheers,

JLC

On Tue, Feb 27, 2007 at 02:32:37PM -0500, Sean Mullan wrote:
> Hi Jean,
> 
> I could not reproduce your reference validation failures ... when I
> validate the signature, all of the references pass (but the signature
> fails which is ok). Here is the log output:
> 
> [VerifySignature] Try to verify
> file:/home/mullan/tmp/Word-plugin-signature.xml
> [VerifySignature] Could find a X509Data element in the KeyInfo
> [VerifySignature] Feb 27, 2007 2:28:56 PM
> org.apache.xml.security.signature.Reference verify
> [VerifySignature] INFO: Verification successful for URI "#idPackageObject"
> [VerifySignature] Feb 27, 2007 2:28:56 PM
> org.apache.xml.security.signature.Reference verify
> [VerifySignature] INFO: Verification successful for URI "#idOfficeObject"
> [VerifySignature] Feb 27, 2007 2:28:56 PM
> org.apache.xml.security.signature.Reference verify
> [VerifySignature] INFO: Verification successful for URI "#idsigInvalidImage"
> [VerifySignature] Feb 27, 2007 2:28:56 PM
> org.apache.xml.security.signature.Reference verify
> [VerifySignature] INFO: Verification successful for URI "#idsigValidImage"
> [VerifySignature] The XML signature in file
> file:/home/mullan/tmp/Word-plugin-signature.xml is invalid !!!!! (bad)
> 
> What JDK version are you using?
> 
> --Sean
> 
> Jean-Luc Cooke wrote:
> > Thank you, Raul.
> > 
> > I've tried in v1.3.0 and v1.4.0, both complain the same way.
> > 
> > Attached is:
> >  (1) VerifySignature.java taken from
> >      xml-security-bin-1.3.0 zip, in directory
> >      src_samples/org/apache/xml/security/samples/signature
> >      I added ability to specify signature file to verify on the
> >      command line
> >  (2) sig1.xml (verifies correctly)
> >  (3) Word-plugin-signature.xml (do not verify due to hash failures
> >      on Objects "#idsigInvalidImage" and "#idsigValidImage")
> >  (4) Output from Aleksey's xmlsec1 command-line tool trying to verify
> >      Word-plugin-signature.xml and getting the correct hash where
> >      Apache-XMLSec does not. (Word-plugin-signature_xmlsec1output.txt)
> > 
> > Cheers,
> > 
> > JLC
> > 
> > 
> > On Mon, Feb 26, 2007 at 04:33:18PM +0000, Raul Benito wrote:
> >>    Hi Jean-Luc,
> >>    I will try to take a look to the issue, but can you send us the
> >>    document and the code you are using?
> >>    And thanks for telling.
> >>    Regards,
> >>    Raul,
> >>
> >>    On 2/26/07, Jean-Luc Cooke <[1]jlcooke@certainkey.com> wrote:
> >>
> >>      To help things along,
> >>      Here's the output from Aleksey's tool.  Notice how it verifies
> >>      "#idsigInvalidImage" and "#idsigValidImage" but ApacheXMLSec
> >>      cannot.
> >>      The overall signature status fails with Aleksey's tool, but that's
> >>      not
> >>      what I'm focusing on.
> >>      Is the fact that ApacheXMLSec cannot verify idsigInvalidImage and
> >>      idsigValidImage a bug?
> >>      JLC
> >>      On Mon, Feb 26, 2007 at 09:54:15AM -0500, Jean-Luc Cooke wrote:
> >>      > Sorry to ping here.
> >>      >
> >>      > Can anyone point me in the direction of "If this a bug with
> >>      Apache XMLSec?"
> >>      >
> >>      > I'd really expect the evil empire of Microsoft and Apache to
> >>      interoperate.
> >>      >
> >>      > JLC
> >>      >
> >>      > On Wed, Feb 21, 2007 at 02:37:47PM -0500, Jean-Luc Cooke wrote:
> >>      > > Hello team,
> >>      > >
> >>      > > I tried to verify the following XML file (not a root'd web
> >>      cert, sorry):
> >>      > >
> >>      [2]https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
> >>      > >
> >>      > > Using the
> >>      org.apache.xml.security.samples.signature.VerifySignature class
> >>      that is found in src_samples directory and got this:
> >>      > >
> >>      > > java -cp .:../libs/xmlsec-1.3.0.jar:../libs/xalan.jar:../libs/commons-logging.jar org.apache.xml.security.samples.signature.VerifySignature Word-plugin-signature.xml
> >>      > > Try to verify file: Word-plugin-signature.xml
> >>      > > Could find a X509Data element in the KeyInfo
> >>      > > Feb 21, 2007 2:20:17 PM
> >>      org.apache.xml.security.signature.Reference verify
> >>      > > INFO: Verification successful for URI "#idPackageObject"
> >>      > > Feb 21, 2007 2:20:17 PM
> >>      org.apache.xml.security.signature.Reference verify
> >>      > > INFO: Verification successful for URI "#idOfficeObject"
> >>      > > Feb 21, 2007 2:20:17 PM
> >>      org.apache.xml.security.signature.Reference verify
> >>      > > WARNING: Verification failed for URI "#idsigInvalidImage"
> >>      > > Feb 21, 2007 2:20:17 PM
> >>      org.apache.xml.security.signature.Reference verify
> >>      > > WARNING: Verification failed for URI "#idsigValidImage"
> >>      > > The XML signature in file file:/home/jlcooke/crypt_map/sc_data/sc/xmlsec/2007-02-21/Word-plugin-signature.xml is invalid !!!!! (bad)
> >>      > > Object=
> >>      > >
> >>      > > It is clear the two Objects "#idsigInvalidImage"
> >>      "#idsigValidImage" are failing.
> >>      > >
> >>      > > I have two questions:
> >>      > >  1) How can I pragmatically find out why the signature failed
> >>      verification?
> >>      > >     From what I can see the only way is to look at the log4j
> >>      output.
> >>      > >  2) Passing the XML file above into Aleksey's xmlsec1 app it
> >>      passes.  What's
> >>      > >     different?
> >>      > >
> >>      > > Thanks
> >>      > >
> >>      > > JLC
> >>
> >>    --
> >>    [3]http://r-bg.com
> >>
> >> References
> >>
> >>    1. mailto:jlcooke@certainkey.com
> >>    2. https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
> >>    3. http://r-bg.com/
> >>
> >> ------------------------------------------------------------------------
> >>
> >> /*
> >>  * Copyright  1999-2004 The Apache Software Foundation.
> >>  *
> >>  *  Licensed under the Apache License, Version 2.0 (the "License");
> >>  *  you may not use this file except in compliance with the License.
> >>  *  You may obtain a copy of the License at
> >>  *
> >>  *      http://www.apache.org/licenses/LICENSE-2.0
> >>  *
> >>  *  Unless required by applicable law or agreed to in writing, software
> >>  *  distributed under the License is distributed on an "AS IS" BASIS,
> >>  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> >>  *  See the License for the specific language governing permissions and
> >>  *  limitations under the License.
> >>  *
> >>  */
> >> package org.apache.xml.security.samples.signature;
> >>
> >>
> >>
> >> import java.io.File;
> >> import java.io.FileInputStream;
> >> import java.io.FileNotFoundException;
> >> import java.security.PublicKey;
> >> import java.security.cert.X509Certificate;
> >>
> >> import org.apache.xml.security.keys.KeyInfo;
> >> import org.apache.xml.security.samples.utils.resolver.OfflineResolver;
> >> import org.apache.xml.security.signature.XMLSignature;
> >> import org.apache.xml.security.utils.Constants;
> >> import org.apache.xml.security.utils.XMLUtils;
> >> import org.apache.xpath.XPathAPI;
> >> import org.w3c.dom.Element;
> >>
> >>
> >> /**
> >>  *
> >>  *
> >>  *
> >>  *
> >>  * @author $Author: blautenb $
> >>  *
> >>  */
> >> public class VerifySignature {
> >>
> >>    /**
> >>     * Method main
> >>     *
> >>     * @param unused
> >>     */
> >> //   public static void main(String unused[]) {
> >>    public static void main(String arg[]) {
> >>
> >>       boolean schemaValidate = false;
> >>       final String signatureSchemaFile = "data/xmldsig-core-schema.xsd";
> >> //      String signatureFileName = "data/ie/baltimore/merlin-examples/merlin-xmldsig-fifteen/signature-enveloping-rsa.xml";
> >>       String signatureFileName = arg[0];
> >>
> >>       if (schemaValidate) {
> >>          System.out.println("We do schema-validation");
> >>       }
> >>
> >>       javax.xml.parsers.DocumentBuilderFactory dbf =
> >>          javax.xml.parsers.DocumentBuilderFactory.newInstance();
> >>
> >>       if (schemaValidate) {
> >>          dbf.setAttribute("http://apache.org/xml/features/validation/schema",
> >>                           Boolean.TRUE);
> >>          dbf.setAttribute(
> >>             "http://apache.org/xml/features/dom/defer-node-expansion",
> >>             Boolean.TRUE);
> >>          dbf.setValidating(true);
> >>          dbf.setAttribute("http://xml.org/sax/features/validation",
> >>                           Boolean.TRUE);
> >>       }
> >>
> >>       dbf.setNamespaceAware(true);
> >>       dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);
> >>
> >>       if (schemaValidate) {
> >>          dbf.setAttribute(
> >>             "http://apache.org/xml/properties/schema/external-schemaLocation",
> >>             Constants.SignatureSpecNS + " " + signatureSchemaFile);
> >>       }
> >>
> >>       try {
> >>
> >>          // File f = new File("signature.xml");
> >>          File f = new File(signatureFileName);
> >>
> >>          System.out.println("Try to verify " + f.toURL().toString());
> >>
> >>          javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
> >>
> >>          db.setErrorHandler(new org.apache.xml.security.utils
> >>             .IgnoreAllErrorHandler());
> >>
> >>          if (schemaValidate) {
> >>             db.setEntityResolver(new org.xml.sax.EntityResolver() {
> >>
> >>                public org.xml.sax.InputSource resolveEntity(
> >>                        String publicId, String systemId)
> >>                           throws org.xml.sax.SAXException {
> >>
> >>                   if (systemId.endsWith("xmldsig-core-schema.xsd")) {
> >>                      try {
> >>                         return new org.xml.sax.InputSource(
> >>                            new FileInputStream(signatureSchemaFile));
> >>                      } catch (FileNotFoundException ex) {
> >>                         throw new org.xml.sax.SAXException(ex);
> >>                      }
> >>                   } else {
> >>                      return null;
> >>                   }
> >>                }
> >>             });
> >>          }
> >>
> >>          org.w3c.dom.Document doc = db.parse(new java.io.FileInputStream(f));
> >>          Element nscontext = XMLUtils.createDSctx(doc, "ds",
> >>                                                   Constants.SignatureSpecNS);
> >>          Element sigElement = (Element) XPathAPI.selectSingleNode(doc,
> >>                                  "//ds:Signature[1]", nscontext);
> >>          XMLSignature signature = new XMLSignature(sigElement,
> >>                                                    f.toURL().toString());
> >>
> >>          signature.addResourceResolver(new OfflineResolver());
> >>
> >>          // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
> >>          KeyInfo ki = signature.getKeyInfo();
> >>
> >>          if (ki != null) {
> >>             if (ki.containsX509Data()) {
> >>                System.out
> >>                   .println("Could find a X509Data element in the KeyInfo");
> >>             }
> >>
> >>             X509Certificate cert = signature.getKeyInfo().getX509Certificate();
> >>
> >>             if (cert != null) {
> >>                /*
> >>                System.out.println(
> >>                   "I try to verify the signature using the X509 Certificate: "
> >>                   + cert);
> >>                */
> >>                System.out.println("The XML signature in file "
> >>                                   + f.toURL().toString() + " is "
> >>                                   + (signature.checkSignatureValue(cert)
> >>                                      ? "valid (good)"
> >>                                      : "invalid !!!!! (bad)"));
> >>                System.out.println("Object="+ (new String(signature.getBytesFromChildElement("Object","http://www.w3.org/2000/09/xmldsig#"))));
> >>             } else {
> >>                System.out.println("Did not find a Certificate");
> >>
> >>                PublicKey pk = signature.getKeyInfo().getPublicKey();
> >>
> >>                if (pk != null) {
> >>                   /*
> >>                   System.out.println(
> >>                      "I try to verify the signature using the public key: "
> >>                      + pk);
> >>                   */
> >>                   System.out.println("The XML signature in file "
> >>                                      + f.toURL().toString() + " is "
> >>                                      + (signature.checkSignatureValue(pk)
> >>                                         ? "valid (good)"
> >>                                         : "invalid !!!!! (bad)"));
> >>                } else {
> >>                   System.out.println(
> >>                      "Did not find a public key, so I can't check the signature");
> >>                }
> >>             }
> >>          } else {
> >>             System.out.println("Did not find a KeyInfo");
> >>          }
> >>       } catch (Exception ex) {
> >>          ex.printStackTrace();
> >>       }
> >>    }
> >>
> >>    static {
> >>       org.apache.xml.security.Init.init();
> >>    }
> >> }
> >>
> >> ------------------------------------------------------------------------
> >>
> >> = VERIFICATION CONTEXT
> >> == Status: invalid
> >> == flags: 0x00000001
> >> == flags2: 0x00000000
> >> == Id: "idPackageSignature"
> >> == Key Info Read Ctx:
> >> = KEY INFO READ CONTEXT
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled key data: all
> >> == RetrievalMethod level (cur/max): 0/1
> >> == TRANSFORMS CTX (status=0)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> == EncryptedKey level (cur/max): 0/1
> >> === KeyReq:
> >> ==== keyId: rsa
> >> ==== keyType: 0x00000001
> >> ==== keyUsage: 0x00000002
> >> ==== keyBitsSize: 0
> >> === list size: 0
> >> == Key Info Write Ctx:
> >> = KEY INFO WRITE CONTEXT
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled key data: all
> >> == RetrievalMethod level (cur/max): 0/1
> >> == TRANSFORMS CTX (status=0)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> == EncryptedKey level (cur/max): 0/1
> >> === KeyReq:
> >> ==== keyId: NULL
> >> ==== keyType: 0x00000001
> >> ==== keyUsage: 0xffffffff
> >> ==== keyBitsSize: 0
> >> === list size: 0
> >> == Signature Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Signature Method:
> >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> >> == Signature Key:
> >> == KEY
> >> === method: RSAKeyValue
> >> === key type: Public
> >> === key usage: -1
> >> === rsa key: size = 1024
> >> == SignedInfo References List:
> >> === list size: 4
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#idPackageObject"
> >> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: 
> >> === uri xpointer expr: #idPackageObject
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#idOfficeObject"
> >> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: 
> >> === uri xpointer expr: #idOfficeObject
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#idsigInvalidImage"
> >> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: 
> >> === uri xpointer expr: #idsigInvalidImage
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#idsigValidImage"
> >> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: 
> >> === uri xpointer expr: #idsigValidImage
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> == Manifest References List:
> >> === list size: 0
> 
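The question that runs through this thread, how to find out programmatically which part of a signature failed rather than reading log4j output, is answered below by an added example that is not part of the thread and not the Santuario project's VerifySignature sample. It uses the JSR 105 API (javax.xml.crypto.dsig, shipped with JDK 6 and also implemented by Apache Santuario) instead of the org.apache.xml.security classes in the posted sample; the class name, the key selector and the command-line file argument are this example's own assumptions.

```java
import java.io.File;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Per-reference diagnostics for an enveloping/enveloped XML signature (added example).
 * Usage: java VerifyWithReasons Word-plugin-signature.xml   (file name is an assumption)
 */
public class VerifyWithReasons {

    /** Takes the public key from the first X509Certificate inside KeyInfo (assumed policy). */
    static class KeyInfoCertSelector extends KeySelector {
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            if (keyInfo == null) {
                throw new KeySelectorException("Signature carries no KeyInfo");
            }
            for (Object content : keyInfo.getContent()) {
                if (!(content instanceof X509Data)) continue;
                for (Object item : ((X509Data) content).getContent()) {
                    if (item instanceof X509Certificate) {
                        final PublicKey pk = ((X509Certificate) item).getPublicKey();
                        return new KeySelectorResult() {
                            public Key getKey() { return pk; }
                        };
                    }
                }
            }
            throw new KeySelectorException("No X509Certificate in KeyInfo");
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Signed documents from outside are untrusted input: refuse DOCTYPE (no entity expansion).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) {
            throw new IllegalArgumentException("No ds:Signature element in " + args[0]);
        }

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(new KeyInfoCertSelector(), sigs.item(0));
        // Honoured by newer JDK/Santuario providers (limits transforms, XPath, etc.); ignored by older ones.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // Core validation is the pass/fail answer the sample prints.
        boolean coreValid = sig.validate(ctx);
        System.out.println("Core validation: " + (coreValid ? "valid" : "INVALID"));

        // Now the breakdown: was it the SignatureValue over SignedInfo, or one of the digests?
        boolean sigValueOk = sig.getSignatureValue().validate(ctx);
        System.out.println("SignatureValue over SignedInfo: " + (sigValueOk ? "ok" : "MISMATCH"));

        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean refOk = ref.validate(ctx);
            System.out.println("Reference " + ref.getURI() + ": "
                               + (refOk ? "ok" : "DIGEST MISMATCH"));
            if (!refOk) {
                System.out.println("  DigestValue in document: " + hex(ref.getDigestValue()));
                System.out.println("  digest computed now    : " + hex(ref.getCalculatedDigestValue()));
            }
        }
    }
}
```

Two things worth knowing when reading the output. The JDK's DOM provider stops core validation as soon as the SignatureValue check fails, so without the explicit Reference.validate calls a document like the one in this thread would report only "invalid", never which of "#idsigInvalidImage" or "#idsigValidImage" had the wrong digest; the per-reference loop is what turns pass/fail into a reason. And the key selector trusts whatever certificate the document carries, so "valid" here only means the signer held the key for the embedded certificate; building the chain to a trust anchor and checking the signer's identity has to happen in the selector or after it.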
