santuario-dev mailing list archives

From Sean Mullan <Sean.Mul...@Sun.COM>
Subject Re: Microsoft Office12 Postmark will not verify
Date Tue, 27 Feb 2007 19:32:37 GMT
Hi Jean,

I could not reproduce your reference validation failures ... when I
validate the signature, all of the references pass (but the signature
fails, which is ok). Here is the log output:

[VerifySignature] Try to verify file:/home/mullan/tmp/Word-plugin-signature.xml
[VerifySignature] Could find a X509Data element in the KeyInfo
[VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
[VerifySignature] INFO: Verification successful for URI "#idPackageObject"
[VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
[VerifySignature] INFO: Verification successful for URI "#idOfficeObject"
[VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
[VerifySignature] INFO: Verification successful for URI "#idsigInvalidImage"
[VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
[VerifySignature] INFO: Verification successful for URI "#idsigValidImage"
[VerifySignature] The XML signature in file file:/home/mullan/tmp/Word-plugin-signature.xml is invalid !!!!! (bad)

What JDK version are you using?

--Sean

Jean-Luc Cooke wrote:
> Thank you, Raul.
> 
> I've tried in v1.3.0 and v1.4.0, both complain the same way.
> 
> Attached is:
>  (1) VerifySignature.java taken from
>      xml-security-bin-1.3.0 zip, in directory
>      src_samples/org/apache/xml/security/samples/signature
>      I added ability to specify signature file to verify on the
>      command line
>  (2) sig1.xml (verifies correctly)
>  (3) Word-plugin-signature.xml (does not verify due to hash failures
>      on Objects "#idsigInvalidImage" and "#idsigValidImage")
>  (4) Output from Aleksey's xmlsec1 command-line tool trying to verify
>      Word-plugin-signature.xml and getting the correct hash where
>      Apache-XMLSec does not. (Word-plugin-signature_xmlsec1output.txt)
> 
> Cheers,
> 
> JLC
> 
> 
> On Mon, Feb 26, 2007 at 04:33:18PM +0000, Raul Benito wrote:
>>    Hi Jean-Luc,
>>    I will try to take a look at the issue, but can you send us the
>>    document and the code you are using?
>>    And thanks for telling.
>>    Regards,
>>    Raul,
>>
>>    On 2/26/07, Jean-Luc Cooke <[1]jlcooke@certainkey.com> wrote:
>>
>>      To help things along,
>>      Here's the output from Aleksey's tool.  Notice how it verifies
>>      "#idsigInvalidImage" and "#idsigValidImage" but ApacheXMLSec
>>      cannot.
>>      The overall signature status fails with Aleksey's tool, but that's
>>      not what I'm focusing on.
>>      Is the fact that ApacheXMLSec cannot verify idsigInvalidImage and
>>      idsigValidImage a bug?
>>      JLC
>>      On Mon, Feb 26, 2007 at 09:54:15AM -0500, Jean-Luc Cooke wrote:
>>      > Sorry to ping here.
>>      >
>>      > Can anyone point me in the direction of "Is this a bug with
>>      > Apache XMLSec?"
>>      >
>>      > I'd really expect the evil empire of Microsoft and Apache to
>>      > interoperate.
>>      >
>>      > JLC
>>      >
>>      > On Wed, Feb 21, 2007 at 02:37:47PM -0500, Jean-Luc Cooke wrote:
>>      > > Hello team,
>>      > >
>>      > > I tried to verify the following XML file (not a root'd web cert, sorry):
>>      > >
>>      > > [2]https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
>>      > >
>>      > > Using the org.apache.xml.security.samples.signature.VerifySignature class
>>      > > that is found in src_samples directory and got this:
>>      > >
>>      > > java -cp .:../libs/xmlsec-1.3.0.jar:../libs/xalan.jar:../libs/commons-logging.jar org.apache.xml.security.samples.signature.VerifySignature Word-plugin-signature.xml
>>      > > Try to verify file: Word-plugin-signature.xml
>>      > > Could find a X509Data element in the KeyInfo
>>      > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
>>      > > INFO: Verification successful for URI "#idPackageObject"
>>      > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
>>      > > INFO: Verification successful for URI "#idOfficeObject"
>>      > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
>>      > > WARNING: Verification failed for URI "#idsigInvalidImage"
>>      > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
>>      > > WARNING: Verification failed for URI "#idsigValidImage"
>>      > > The XML signature in file file:/home/jlcooke/crypt_map/sc_data/sc/xmlsec/2007-02-21/Word-plugin-signature.xml is invalid !!!!! (bad)
>>      > > Object=
>>      > >
>>      > > It is clear the two Objects "#idsigInvalidImage" and
>>      > > "#idsigValidImage" are failing.
>>      > >
>>      > > I have two questions:
>>      > >  1) How can I pragmatically find out why the signature failed verification?
>>      > >     From what I can see the only way is to look at the log4j output.
>>      > >  2) Passing the XML file above into Aleksey's xmlsec1 app it passes.  What's
>>      > >     different?
>>      > >
>>      > > Thanks
>>      > >
>>      > > JLC
>>
>>    --
>>    [3]http://r-bg.com
>>
>> References
>>
>>    1. mailto:jlcooke@certainkey.com
>>    2. https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
>>    3. http://r-bg.com/
>>
>> ------------------------------------------------------------------------
>>
>> /*
>>  * Copyright  1999-2004 The Apache Software Foundation.
>>  *
>>  *  Licensed under the Apache License, Version 2.0 (the "License");
>>  *  you may not use this file except in compliance with the License.
>>  *  You may obtain a copy of the License at
>>  *
>>  *      http://www.apache.org/licenses/LICENSE-2.0
>>  *
>>  *  Unless required by applicable law or agreed to in writing, software
>>  *  distributed under the License is distributed on an "AS IS" BASIS,
>>  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>  *  See the License for the specific language governing permissions and
>>  *  limitations under the License.
>>  *
>>  */
>> package org.apache.xml.security.samples.signature;
>>
>>
>>
>> import java.io.File;
>> import java.io.FileInputStream;
>> import java.io.FileNotFoundException;
>> import java.security.PublicKey;
>> import java.security.cert.X509Certificate;
>>
>> import org.apache.xml.security.keys.KeyInfo;
>> import org.apache.xml.security.samples.utils.resolver.OfflineResolver;
>> import org.apache.xml.security.signature.XMLSignature;
>> import org.apache.xml.security.utils.Constants;
>> import org.apache.xml.security.utils.XMLUtils;
>> import org.apache.xpath.XPathAPI;
>> import org.w3c.dom.Element;
>>
>>
>> /**
>>  *
>>  *
>>  *
>>  *
>>  * @author $Author: blautenb $
>>  *
>>  */
>> public class VerifySignature {
>>
>>    /**
>>     * Method main
>>     *
>>     * @param unused
>>     */
>> //   public static void main(String unused[]) {
>>    public static void main(String arg[]) {
>>
>>       boolean schemaValidate = false;
>>       final String signatureSchemaFile = "data/xmldsig-core-schema.xsd";
>> //      String signatureFileName = "data/ie/baltimore/merlin-examples/merlin-xmldsig-fifteen/signature-enveloping-rsa.xml";
>>       String signatureFileName = arg[0];
>>
>>       if (schemaValidate) {
>>          System.out.println("We do schema-validation");
>>       }
>>
>>       javax.xml.parsers.DocumentBuilderFactory dbf =
>>          javax.xml.parsers.DocumentBuilderFactory.newInstance();
>>
>>       if (schemaValidate) {
>>          dbf.setAttribute("http://apache.org/xml/features/validation/schema",
>>                           Boolean.TRUE);
>>          dbf.setAttribute(
>>             "http://apache.org/xml/features/dom/defer-node-expansion",
>>             Boolean.TRUE);
>>          dbf.setValidating(true);
>>          dbf.setAttribute("http://xml.org/sax/features/validation",
>>                           Boolean.TRUE);
>>       }
>>
>>       dbf.setNamespaceAware(true);
>>       dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);
>>
>>       if (schemaValidate) {
>>          dbf.setAttribute(
>>             "http://apache.org/xml/properties/schema/external-schemaLocation",
>>             Constants.SignatureSpecNS + " " + signatureSchemaFile);
>>       }
>>
>>       try {
>>
>>          // File f = new File("signature.xml");
>>          File f = new File(signatureFileName);
>>
>>          System.out.println("Try to verify " + f.toURL().toString());
>>
>>          javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
>>
>>          db.setErrorHandler(new org.apache.xml.security.utils
>>             .IgnoreAllErrorHandler());
>>
>>          if (schemaValidate) {
>>             db.setEntityResolver(new org.xml.sax.EntityResolver() {
>>
>>                public org.xml.sax.InputSource resolveEntity(
>>                        String publicId, String systemId)
>>                           throws org.xml.sax.SAXException {
>>
>>                   if (systemId.endsWith("xmldsig-core-schema.xsd")) {
>>                      try {
>>                         return new org.xml.sax.InputSource(
>>                            new FileInputStream(signatureSchemaFile));
>>                      } catch (FileNotFoundException ex) {
>>                         throw new org.xml.sax.SAXException(ex);
>>                      }
>>                   } else {
>>                      return null;
>>                   }
>>                }
>>             });
>>          }
>>
>>          org.w3c.dom.Document doc = db.parse(new java.io.FileInputStream(f));
>>          Element nscontext = XMLUtils.createDSctx(doc, "ds",
>>                                                   Constants.SignatureSpecNS);
>>          Element sigElement = (Element) XPathAPI.selectSingleNode(doc,
>>                                  "//ds:Signature[1]", nscontext);
>>          XMLSignature signature = new XMLSignature(sigElement,
>>                                                    f.toURL().toString());
>>
>>          signature.addResourceResolver(new OfflineResolver());
>>
>>          // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
>>          KeyInfo ki = signature.getKeyInfo();
>>
>>          if (ki != null) {
>>             if (ki.containsX509Data()) {
>>                System.out
>>                   .println("Could find a X509Data element in the KeyInfo");
>>             }
>>
>>             X509Certificate cert = signature.getKeyInfo().getX509Certificate();
>>
>>             if (cert != null) {
>>                /*
>>                System.out.println(
>>                   "I try to verify the signature using the X509 Certificate: "
>>                   + cert);
>>                */
>>                System.out.println("The XML signature in file "
>>                                   + f.toURL().toString() + " is "
>>                                   + (signature.checkSignatureValue(cert)
>>                                      ? "valid (good)"
>>                                      : "invalid !!!!! (bad)"));
>>                System.out.println("Object=" + new String(signature.getBytesFromChildElement("Object", "http://www.w3.org/2000/09/xmldsig#")));
>>             } else {
>>                System.out.println("Did not find a Certificate");
>>
>>                PublicKey pk = signature.getKeyInfo().getPublicKey();
>>
>>                if (pk != null) {
>>                   /*
>>                   System.out.println(
>>                      "I try to verify the signature using the public key: "
>>                      + pk);
>>                   */
>>                   System.out.println("The XML signature in file "
>>                                      + f.toURL().toString() + " is "
>>                                      + (signature.checkSignatureValue(pk)
>>                                         ? "valid (good)"
>>                                         : "invalid !!!!! (bad)"));
>>                } else {
>>                   System.out.println(
>>                      "Did not find a public key, so I can't check the signature");
>>                }
>>             }
>>          } else {
>>             System.out.println("Did not find a KeyInfo");
>>          }
>>       } catch (Exception ex) {
>>          ex.printStackTrace();
>>       }
>>    }
>>
>>    static {
>>       org.apache.xml.security.Init.init();
>>    }
>> }
>>
>> ------------------------------------------------------------------------
>>
>> = VERIFICATION CONTEXT
>> == Status: invalid
>> == flags: 0x00000001
>> == flags2: 0x00000000
>> == Id: "idPackageSignature"
>> == Key Info Read Ctx:
>> = KEY INFO READ CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: rsa
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0x00000002
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Key Info Write Ctx:
>> = KEY INFO WRITE CONTEXT
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled key data: all
>> == RetrievalMethod level (cur/max): 0/1
>> == TRANSFORMS CTX (status=0)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> == EncryptedKey level (cur/max): 0/1
>> === KeyReq:
>> ==== keyId: NULL
>> ==== keyType: 0x00000001
>> ==== keyUsage: 0xffffffff
>> ==== keyBitsSize: 0
>> === list size: 0
>> == Signature Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: NULL
>> === uri xpointer expr: NULL
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Signature Method:
>> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>> == Signature Key:
>> == KEY
>> === method: RSAKeyValue
>> === key type: Public
>> === key usage: -1
>> === rsa key: size = 1024
>> == SignedInfo References List:
>> === list size: 4
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#idPackageObject"
>> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: 
>> === uri xpointer expr: #idPackageObject
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#idOfficeObject"
>> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: 
>> === uri xpointer expr: #idOfficeObject
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#idsigInvalidImage"
>> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: 
>> === uri xpointer expr: #idsigInvalidImage
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> = REFERENCE VERIFICATION CONTEXT
>> == Status: succeeded
>> == URI: "#idsigValidImage"
>> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
>> == Reference Transform Ctx:
>> == TRANSFORMS CTX (status=2)
>> == flags: 0x00000000
>> == flags2: 0x00000000
>> == enabled transforms: all
>> === uri: 
>> === uri xpointer expr: #idsigValidImage
>> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> === Transform: membuf-transform (href=NULL)
>> == Digest Method:
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>> == Manifest References List:
>> === list size: 0
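Jean-Luc's first question, how to find out in code which reference failed instead of reading the log, has an answer in the same API the sample uses: after `checkSignatureValue`, the `SignedInfo` (a `Manifest`) keeps a per-reference result table that `getVerificationResult(int)` exposes, and each `Reference` can report the digest method, stored digest and transform chain it was checked with, which is exactly what one needs to line up against the xmlsec1 dump above. The following is an added example written for this page; it is not the xmlsec `VerifySignature` sample, Jean-Luc's modified copy, or anything from the Office signing code. It assumes the Apache XML Security for Java 1.3/1.4 API used in the thread (`Manifest.getVerificationResult`, `Reference.getDigestValue`, `org.apache.xml.security.utils.Base64`); the class name `ReferenceDiagnostics`, the output layout and the DOCTYPE hardening on the parser are mine.

```java
// Added example for this thread; not code from the xmlsec samples or from Microsoft.
// Assumes the Apache XML Security for Java 1.3/1.4 API (org.apache.xml.security.*).
import java.io.File;
import java.security.Key;
import java.security.cert.X509Certificate;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ReferenceDiagnostics {

    public static void main(String[] args) throws Exception {
        Init.init();
        File f = new File(args[0]);   // e.g. Word-plugin-signature.xml

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // A signature file is untrusted input: refuse DTDs so a crafted file
        // cannot pull in external entities or trigger entity-expansion blowup.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = dbf.newDocumentBuilder().parse(f);

        // Locate ds:Signature by namespace rather than an XPath over the document.
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() != 1) {
            System.err.println("expected exactly one ds:Signature, found " + sigs.getLength());
            System.exit(2);
        }
        XMLSignature signature = new XMLSignature((Element) sigs.item(0), f.toURI().toString());

        // Pick the verification key the way the sample does: the KeyInfo's
        // certificate if present, otherwise a bare KeyValue.
        KeyInfo ki = signature.getKeyInfo();
        if (ki == null) {
            System.err.println("no KeyInfo; cannot verify");
            System.exit(2);
        }
        X509Certificate cert = ki.getX509Certificate();
        Key key = (cert != null) ? cert.getPublicKey() : ki.getPublicKey();
        if (key == null) {
            System.err.println("KeyInfo carries no usable key");
            System.exit(2);
        }
        if (cert != null) {
            // CAVEAT: verifying against a certificate carried inside the signature
            // only proves possession of that key. Chain the certificate to a trust
            // anchor (java.security.cert.CertPathValidator) before treating the
            // document as authentic; that step is deliberately not done here.
            System.out.println("signer cert subject: " + cert.getSubjectX500Principal());
        }

        // Verifies every ds:Reference digest and then the SignatureValue.
        boolean valid = signature.checkSignatureValue(key);
        System.out.println("SignatureValue: " + (valid ? "valid" : "INVALID"));

        // Per-reference results: what the sample only exposes through the log.
        SignedInfo si = signature.getSignedInfo();
        System.out.println("CanonicalizationMethod: " + si.getCanonicalizationMethodURI());
        System.out.println("SignatureMethod:        " + si.getSignatureMethodURI());
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            boolean ok = si.getVerificationResult(i);
            System.out.println((ok ? "  OK      " : "  FAILED  ") + ref.getURI());
            if (!ok) {
                // Dump what the verifier compared, so the failing reference can be
                // diffed against another implementation's output (e.g. xmlsec1).
                System.out.println("    DigestMethod: " + ref.getMessageDigestAlgorithm().getAlgorithmURI());
                System.out.println("    DigestValue:  " + Base64.encode(ref.getDigestValue()));
                Transforms t = ref.getTransforms();
                for (int j = 0; t != null && j < t.getLength(); j++) {
                    System.out.println("    Transform:    " + t.item(j).getURI());
                }
            }
        }
        System.exit(valid ? 0 : 1);
    }
}
```

Run it with the same classpath as the `java -cp` line quoted above, replacing the sample's class name. Two things it does differently from the sample are worth keeping even outside a debugging session: the parser rejects a DOCTYPE, because a signature file from someone else's document is attacker-controlled XML, and the exit code carries the overall result so a script can act on it. What it does not do, and what neither the sample nor the xmlsec1 run above does either, is decide whether the key in `KeyInfo` belongs to anyone you trust: matching digests plus a valid `SignatureValue` only show that the holder of that key signed those four objects.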

