Date: Wed, 28 Feb 2007 10:22:25 -0500
From: Jean-Luc Cooke
To: security-dev@xml.apache.org
Subject: Re: Microsoft Office12 Postmark will not verify
Message-ID: <20070228152225.GY9039@certainkey.com>
In-Reply-To: <45E48755.8040404@sun.com>
References: <20070221193747.GT9039@certainkey.com>
 <20070226145415.GV9039@certainkey.com>
 <20070226160747.GW9039@certainkey.com>
 <949ac9410702260833g5a06d65fwb4ef8929387e2a38@mail.gmail.com>
 <20070226201359.GX9039@certainkey.com>
 <45E48755.8040404@sun.com>
Mailing-List: contact security-dev-help@xml.apache.org; run by ezmlm
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.9i

Woh. You're right, I missed it! 1.3.0 gave the results I mentioned:

Try to verify file:/home/jlcooke/crypt_map/sc_data/sc/xmlsec_j/xml-security-1_3_0/src_samples/../../../xmlsec/2007-02-21/Word-plugin-signature.xml
Could find a X509Data element in the KeyInfo
Feb 28, 2007 10:17:19 AM org.apache.xml.security.signature.Reference verify
INFO: Verification successful for URI "#idPackageObject"
Feb 28, 2007 10:17:19 AM org.apache.xml.security.signature.Reference verify
INFO: Verification successful for URI "#idOfficeObject"
Feb 28, 2007 10:17:19 AM org.apache.xml.security.signature.Reference verify
WARNING: Verification failed for URI "#idsigInvalidImage"
Feb 28, 2007 10:17:19 AM org.apache.xml.security.signature.Reference verify
WARNING: Verification failed for URI "#idsigValidImage"
The XML signature in file file:/home/jlcooke/crypt_map/sc_data/sc/xmlsec_j/xml-security-1_3_0/src_samples/../../../xmlsec/2007-02-21/Word-plugin-signature.xml is invalid !!!!! (bad)
Object=

HOWEVER! Is there any way to know *why* the signature failed? Is there
something I can query in the API to find out?

JLC

On Tue, Feb 27, 2007 at 02:32:37PM -0500, Sean Mullan wrote:
> Hi Jean,
>
> I could not reproduce your reference validation failures ... when I
> validate the signature, all of the references pass (but the signature
> fails which is ok).
> Here is the log output:
>
> [VerifySignature] Try to verify file:/home/mullan/tmp/Word-plugin-signature.xml
> [VerifySignature] Could find a X509Data element in the KeyInfo
> [VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
> [VerifySignature] INFO: Verification successful for URI "#idPackageObject"
> [VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
> [VerifySignature] INFO: Verification successful for URI "#idOfficeObject"
> [VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
> [VerifySignature] INFO: Verification successful for URI "#idsigInvalidImage"
> [VerifySignature] Feb 27, 2007 2:28:56 PM org.apache.xml.security.signature.Reference verify
> [VerifySignature] INFO: Verification successful for URI "#idsigValidImage"
> [VerifySignature] The XML signature in file file:/home/mullan/tmp/Word-plugin-signature.xml is invalid !!!!! (bad)
>
> What JDK version are you using?
>
> --Sean
>
> Jean-Luc Cooke wrote:
> > Thank you, Raul.
> >
> > I've tried in v1.3.0 and v1.4.0, both complain the same way.
> >
> > Attached is:
> > (1) VerifySignature.java taken from
> >     xml-security-bin-1.3.0 zip, in directory
> >     src_samples/org/apache/xml/security/samples/signature
> >     I added the ability to specify the signature file to verify on the
> >     command line
> > (2) sig1.xml (verifies correctly)
> > (3) Word-plugin-signature.xml (does not verify due to hash failures
> >     on Objects "#idsigInvalidImage" and "#idsigValidImage")
> > (4) Output from Aleksey's xmlsec1 command-line tool trying to verify
> >     Word-plugin-signature.xml and getting the correct hash where
> >     Apache-XMLSec does not.
> >     (Word-plugin-signature_xmlsec1output.txt)
> >
> > Cheers,
> >
> > JLC
> >
> >
> > On Mon, Feb 26, 2007 at 04:33:18PM +0000, Raul Benito wrote:
> >> Hi Jean-Luc,
> >> I will try to take a look at the issue, but can you send us the
> >> document and the code you are using?
> >> And thanks for telling.
> >> Regards,
> >> Raul,
> >>
> >> On 2/26/07, Jean-Luc Cooke <[1]jlcooke@certainkey.com> wrote:
> >>
> >>     To help things along,
> >>     Here's the output from Aleksey's tool. Notice how it verifies
> >>     "#idsigInvalidImage" and "#idsigValidImage" but ApacheXMLSec
> >>     cannot.
> >>     The overall signature status fails with Aleksey's tool, but that's
> >>     not what I'm focusing on.
> >>     Is the fact that ApacheXMLSec cannot verify idsigInvalidImage and
> >>     idsigValidImage a bug?
> >>     JLC
> >>
> >>     On Mon, Feb 26, 2007 at 09:54:15AM -0500, Jean-Luc Cooke wrote:
> >>     > Sorry to ping here.
> >>     >
> >>     > Can anyone point me in the direction of "Is this a bug with
> >>     > Apache XMLSec?"
> >>     >
> >>     > I'd really expect the evil empire of Microsoft and Apache to
> >>     > interoperate.
> >>     >
> >>     > JLC
> >>     >
> >>     > On Wed, Feb 21, 2007 at 02:37:47PM -0500, Jean-Luc Cooke wrote:
> >>     > > Hello team,
> >>     > >
> >>     > > I tried to verify the following XML file (not a root'd web
> >>     > > cert, sorry):
> >>     > >
> >>     > > [2]https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
> >>     > >
> >>     > > Using the org.apache.xml.security.samples.signature.VerifySignature
> >>     > > class that is found in the src_samples directory I got this:
> >>     > >
> >>     > > java -cp .:../libs/xmlsec-1.3.0.jar:../libs/xalan.jar:../libs/commons-logging.jar org.apache.xml.security.samples.signature.VerifySignature Word-plugin-signature.xml
> >>     > > Try to verify file: Word-plugin-signature.xml
> >>     > > Could find a X509Data element in the KeyInfo
> >>     > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
> >>     > > INFO: Verification successful for URI "#idPackageObject"
> >>     > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
> >>     > > INFO: Verification successful for URI "#idOfficeObject"
> >>     > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
> >>     > > WARNING: Verification failed for URI "#idsigInvalidImage"
> >>     > > Feb 21, 2007 2:20:17 PM org.apache.xml.security.signature.Reference verify
> >>     > > WARNING: Verification failed for URI "#idsigValidImage"
> >>     > > The XML signature in file file:/home/jlcooke/crypt_map/sc_data/sc/xmlsec/2007-02-21/Word-plugin-signature.xml is invalid !!!!! (bad)
> >>     > > Object=
> >>     > >
> >>     > > It is clear the two Objects "#idsigInvalidImage" and
> >>     > > "#idsigValidImage" are failing.
> >>     > >
> >>     > > I have two questions:
> >>     > > 1) How can I pragmatically find out why the signature failed
> >>     > >    verification? From what I can see the only way is to look at
> >>     > >    the log4j output.
> >>     > > 2) Passing the XML file above into Aleksey's xmlsec1 app it
> >>     > >    passes. What's different?
> >>     > >
> >>     > > Thanks
> >>     > >
> >>     > > JLC
> >>
> >> --
> >> [3]http://r-bg.com
> >>
> >> References
> >>
> >> 1. mailto:jlcooke@certainkey.com
> >> 2. https://216.191.58.251/apache-xmlsec-help/Word-plugin-signature.xml
> >> 3. http://r-bg.com/
> >>
> >> ------------------------------------------------------------------------
> >>
> >> /*
> >>  * Copyright 1999-2004 The Apache Software Foundation.
> >>  *
> >>  * Licensed under the Apache License, Version 2.0 (the "License");
> >>  * you may not use this file except in compliance with the License.
> >>  * You may obtain a copy of the License at
> >>  *
> >>  *      http://www.apache.org/licenses/LICENSE-2.0
> >>  *
> >>  * Unless required by applicable law or agreed to in writing, software
> >>  * distributed under the License is distributed on an "AS IS" BASIS,
> >>  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> >>  * See the License for the specific language governing permissions and
> >>  * limitations under the License.
> >>  *
> >>  */
> >> package org.apache.xml.security.samples.signature;
> >>
> >> import java.io.File;
> >> import java.io.FileInputStream;
> >> import java.io.FileNotFoundException;
> >> import java.security.PublicKey;
> >> import java.security.cert.X509Certificate;
> >>
> >> import org.apache.xml.security.keys.KeyInfo;
> >> import org.apache.xml.security.samples.utils.resolver.OfflineResolver;
> >> import org.apache.xml.security.signature.XMLSignature;
> >> import org.apache.xml.security.utils.Constants;
> >> import org.apache.xml.security.utils.XMLUtils;
> >> import org.apache.xpath.XPathAPI;
> >> import org.w3c.dom.Element;
> >>
> >> /**
> >>  * Verifies the first ds:Signature found in the file named on the
> >>  * command line, using the certificate or public key from its KeyInfo.
> >>  *
> >>  * @author $Author: blautenb $
> >>  */
> >> public class VerifySignature {
> >>
> >>    /**
> >>     * Method main
> >>     *
> >>     * @param arg arg[0] is the path of the signature file to verify
> >>     */
> >>    // public static void main(String unused[]) {
> >>    public static void main(String arg[]) {
> >>
> >>       boolean schemaValidate = false;
> >>       final String signatureSchemaFile = "data/xmldsig-core-schema.xsd";
> >>       // String signatureFileName = "data/ie/baltimore/merlin-examples/merlin-xmldsig-fifteen/signature-enveloping-rsa.xml";
> >>       // Guard the command-line argument instead of failing with an
> >>       // ArrayIndexOutOfBoundsException when none is given.
> >>       if (arg.length < 1) {
> >>          System.err.println("usage: VerifySignature <signature-file>");
> >>          System.exit(1);
> >>       }
> >>       String signatureFileName = arg[0];
> >>
> >>       if (schemaValidate) {
> >>          System.out.println("We do schema-validation");
> >>       }
> >>
> >>       javax.xml.parsers.DocumentBuilderFactory dbf =
> >>          javax.xml.parsers.DocumentBuilderFactory.newInstance();
> >>
> >>       if (schemaValidate) {
> >>          dbf.setAttribute("http://apache.org/xml/features/validation/schema",
> >>                           Boolean.TRUE);
> >>          dbf.setAttribute(
> >>             "http://apache.org/xml/features/dom/defer-node-expansion",
> >>             Boolean.TRUE);
> >>          dbf.setValidating(true);
> >>          dbf.setAttribute("http://xml.org/sax/features/validation",
> >>                           Boolean.TRUE);
> >>       }
> >>
> >>       dbf.setNamespaceAware(true);
> >>       dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);
> >>
> >>       if (schemaValidate) {
> >>          dbf.setAttribute(
> >>             "http://apache.org/xml/properties/schema/external-schemaLocation",
> >>             Constants.SignatureSpecNS + " " + signatureSchemaFile);
> >>       }
> >>
> >>       try {
> >>
> >>          // File f = new File("signature.xml");
> >>          File f = new File(signatureFileName);
> >>
> >>          System.out.println("Try to verify " + f.toURL().toString());
> >>
> >>          javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
> >>
> >>          db.setErrorHandler(new org.apache.xml.security.utils
> >>             .IgnoreAllErrorHandler());
> >>
> >>          if (schemaValidate) {
> >>             db.setEntityResolver(new org.xml.sax.EntityResolver() {
> >>
> >>                public org.xml.sax.InputSource resolveEntity(
> >>                        String publicId, String systemId)
> >>                            throws org.xml.sax.SAXException {
> >>
> >>                   if (systemId.endsWith("xmldsig-core-schema.xsd")) {
> >>                      try {
> >>                         return new org.xml.sax.InputSource(
> >>                            new FileInputStream(signatureSchemaFile));
> >>                      } catch (FileNotFoundException ex) {
> >>                         throw new org.xml.sax.SAXException(ex);
> >>                      }
> >>                   } else {
> >>                      return null;
> >>                   }
> >>                }
> >>             });
> >>          }
> >>
> >>          org.w3c.dom.Document doc = db.parse(new java.io.FileInputStream(f));
> >>          Element nscontext = XMLUtils.createDSctx(doc, "ds",
> >>                                                   Constants.SignatureSpecNS);
> >>          Element sigElement = (Element) XPathAPI.selectSingleNode(doc,
> >>                                  "//ds:Signature[1]", nscontext);
> >>          XMLSignature signature = new XMLSignature(sigElement,
> >>                                                    f.toURL().toString());
> >>
> >>          signature.addResourceResolver(new OfflineResolver());
> >>
> >>          // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
> >>          KeyInfo ki = signature.getKeyInfo();
> >>
> >>          if (ki != null) {
> >>             if (ki.containsX509Data()) {
> >>                System.out
> >>                   .println("Could find a X509Data element in the KeyInfo");
> >>             }
> >>
> >>             X509Certificate cert = signature.getKeyInfo().getX509Certificate();
> >>
> >>             if (cert != null) {
> >>                /*
> >>                System.out.println(
> >>                   "I try to verify the signature using the X509 Certificate: "
> >>                   + cert);
> >>                */
> >>                // checkSignatureValue() verifies every Reference digest
> >>                // first; the per-Reference INFO/WARNING lines seen in the
> >>                // output come from Reference.verify() logging, not from
> >>                // this class.
> >>                System.out.println("The XML signature in file "
> >>                                   + f.toURL().toString() + " is "
> >>                                   + (signature.checkSignatureValue(cert)
> >>                                      ? "valid (good)"
> >>                                      : "invalid !!!!! (bad)"));
> >>                System.out.println("Object=" + (new String(signature.getBytesFromChildElement("Object", "http://www.w3.org/2000/09/xmldsig#"))));
> >>             } else {
> >>                System.out.println("Did not find a Certificate");
> >>
> >>                PublicKey pk = signature.getKeyInfo().getPublicKey();
> >>
> >>                if (pk != null) {
> >>                   /*
> >>                   System.out.println(
> >>                      "I try to verify the signature using the public key: "
> >>                      + pk);
> >>                   */
> >>                   System.out.println("The XML signature in file "
> >>                                      + f.toURL().toString() + " is "
> >>                                      + (signature.checkSignatureValue(pk)
> >>                                         ? "valid (good)"
> >>                                         : "invalid !!!!! (bad)"));
> >>                } else {
> >>                   System.out.println(
> >>                      "Did not find a public key, so I can't check the signature");
> >>                }
> >>             }
> >>          } else {
> >>             System.out.println("Did not find a KeyInfo");
> >>          }
> >>       } catch (Exception ex) {
> >>          ex.printStackTrace();
> >>       }
> >>    }
> >>
> >>    static {
> >>       org.apache.xml.security.Init.init();
> >>    }
> >> }
> >>
> >> ------------------------------------------------------------------------
> >>
> >> = VERIFICATION CONTEXT
> >> == Status: invalid
> >> == flags: 0x00000001
> >> == flags2: 0x00000000
> >> == Id: "idPackageSignature"
> >> == Key Info Read Ctx:
> >> = KEY INFO READ CONTEXT
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled key data: all
> >> == RetrievalMethod level (cur/max): 0/1
> >> == TRANSFORMS CTX (status=0)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> == EncryptedKey level (cur/max): 0/1
> >> === KeyReq:
> >> ==== keyId: rsa
> >> ==== keyType: 0x00000001
> >> ==== keyUsage: 0x00000002
> >> ==== keyBitsSize: 0
> >> === list size: 0
> >> == Key Info Write Ctx:
> >> = KEY INFO WRITE CONTEXT
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled key data: all
> >> == RetrievalMethod level (cur/max): 0/1
> >> == TRANSFORMS CTX (status=0)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> == EncryptedKey level (cur/max): 0/1
> >> === KeyReq:
> >> ==== keyId: NULL
> >> ==== keyType: 0x00000001
> >> ==== keyUsage: 0xffffffff
> >> ==== keyBitsSize: 0
> >> === list size: 0
> >> == Signature Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri: NULL
> >> === uri xpointer expr: NULL
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Signature Method:
> >> === Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
> >> == Signature Key:
> >> == KEY
> >> === method: RSAKeyValue
> >> === key type: Public
> >> === key usage: -1
> >> === rsa key: size = 1024
> >> == SignedInfo References List:
> >> === list size: 4
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#idPackageObject"
> >> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri:
> >> === uri xpointer expr: #idPackageObject
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#idOfficeObject"
> >> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri:
> >> === uri xpointer expr: #idOfficeObject
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#idsigInvalidImage"
> >> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri:
> >> === uri xpointer expr: #idsigInvalidImage
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> = REFERENCE VERIFICATION CONTEXT
> >> == Status: succeeded
> >> == URI: "#idsigValidImage"
> >> == Type: "http://www.w3.org/2000/09/xmldsig#Object"
> >> == Reference Transform Ctx:
> >> == TRANSFORMS CTX (status=2)
> >> == flags: 0x00000000
> >> == flags2: 0x00000000
> >> == enabled transforms: all
> >> === uri:
> >> === uri xpointer expr: #idsigValidImage
> >> === Transform: xpointer (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
> >> === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> === Transform: membuf-transform (href=NULL)
> >> == Digest Method:
> >> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
> >> == Manifest References List:
> >> === list size: 0
>
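The question at the top of this message (what can be queried in the API to learn *why* verification failed, short of reading the log output) can be answered from the xml-security API itself. The following is an added example written for this archive page, not code from the thread, from the sample attached above, or from the xml-security project. It assumes the org.apache.xml.security classes of the 1.3/1.4 line the thread discusses (XMLSignature, SignedInfo, Reference, Transforms, MessageDigestAlgorithm); the class name ReferenceReport and the helper describeTransforms are chosen here. After checkSignatureValue() has run, SignedInfo keeps one verification result per Reference, and each Reference can hand back both its stored DigestValue and the dereferenced, transformed bytes, so the digest can be recomputed locally and the two compared.

```java
// Added example (not from the thread): after verifying, ask the SignedInfo
// which ds:Reference digests matched instead of parsing Reference.verify()
// log lines. Assumes the Apache xml-security 1.3/1.4 API named in the thread.
import java.io.File;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ReferenceReport {

    static {
        Init.init();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: ReferenceReport <signature.xml>");
            System.exit(2);
        }
        File f = new File(args[0]);

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(f);

        // Locate the first ds:Signature with plain DOM, no Xalan XPath needed.
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() == 0) {
            System.err.println("no ds:Signature element found");
            System.exit(1);
        }
        XMLSignature signature = new XMLSignature((Element) sigs.item(0), f.toURI().toString());

        // Same key selection as the VerifySignature sample: certificate first,
        // otherwise a bare KeyValue from the KeyInfo.
        KeyInfo ki = signature.getKeyInfo();
        if (ki == null) {
            System.err.println("no KeyInfo, cannot check the signature");
            System.exit(1);
        }
        X509Certificate cert = ki.getX509Certificate();
        PublicKey pk = (cert != null) ? cert.getPublicKey() : ki.getPublicKey();
        if (pk == null) {
            System.err.println("no certificate or public key in KeyInfo");
            System.exit(1);
        }
        // checkSignatureValue() first runs SignedInfo.verify(), which records a
        // result for every Reference; it returns false as soon as any digest fails.
        boolean overall = signature.checkSignatureValue(pk);

        SignedInfo si = signature.getSignedInfo();
        int failures = 0;
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            boolean ok = si.getVerificationResult(i);
            if (!ok) {
                failures++;
            }
            System.out.println((ok ? "OK   " : "FAIL ") + ref.getURI());
            if (!ok) {
                // Recompute the digest over the dereferenced, transformed bytes using
                // the Reference's own DigestMethod, so both values can be compared.
                byte[] stored = ref.getDigestValue();
                byte[] computed = ref.getMessageDigestAlgorithm().digest(ref.getReferencedBytes());
                System.out.println("      DigestValue in file : " + Base64.encode(stored));
                System.out.println("      digest computed here: " + Base64.encode(computed));
                System.out.println("      transforms          : " + describeTransforms(ref));
            }
        }
        System.out.println(failures + " of " + si.getLength() + " references failed; "
                + "checkSignatureValue() returned " + overall);
    }

    // Lists the Transform algorithm URIs of a Reference; when two toolkits
    // disagree on a digest, the transform chain (e.g. XPointer, c14n) is the
    // first thing to compare.
    static String describeTransforms(Reference ref) throws Exception {
        Transforms t = ref.getTransforms();
        if (t == null) {
            return "(none)";
        }
        StringBuilder sb = new StringBuilder();
        for (int j = 0; j < t.getLength(); j++) {
            if (j > 0) {
                sb.append(", ");
            }
            sb.append(t.item(j).getURI());
        }
        return sb.toString();
    }
}
```

Run it as `java -cp .:xmlsec.jar:commons-logging.jar ReferenceReport Word-plugin-signature.xml` (classpath shown as an assumption; the sample in the thread also needed xalan.jar only for XPathAPI, which this version avoids). For the file discussed above it would print one OK/FAIL line per Reference, and for a failing one the stored and recomputed digests side by side, which is the information the log output does not surface.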