santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sean Mullan <Sean.Mul...@Sun.COM>
Subject Re: Core Validation Failing .. now what?
Date Fri, 29 Feb 2008 20:53:22 GMT
Nayan Hajratwala wrote:
> Quoting Sean Mullan <Sean.Mullan@Sun.COM>:
> 
>> Scott Cantor wrote:
>>>> The output of my debugging shows the SignedInfo as:
>>>
>>> Using email for this is pointless. Any whitespace will throw off the 
>>> result,
>>> so you'd need to compare them byte for byte on your own.
>>>
>>
>> Also, you are comparing it to what is in the Signature, this is wrong,
>> because that is the pre-canonicalized representation of SignedInfo. You
>> need to modify your signature generation application and dump the
>> canonicalized bytes (which is cached by the implementation) after you
>> generate the signature. Then do the same in your validation application
>> and compare the bytes.
>>
>> --Sean
> 
> Unfortunately, the signature is being generated by a third party, and 
> after talking with them today, it turns out that the documents are 
> signed by an IBM xi50 appliance, so they don't have access to generate 
> the canonicalized SignedInfo.
> 
> Any other approaches that you can think of that I might take?

Not really, you will need to find out what is being done with the 
signature from the time it is generated until you validate it. Are you 
moving it to a different document where new namespaces may leak into the 
signature, or are you converting it to/from DOM? The slightest change 
can break the signature. Pretty printing or formatting the signature 
(ex, adding whitespace, newlines) will break the signature.

--Sean

Mime
View raw message