santuario-dev mailing list archives

From "Raul Benito" <r...@apache.org>
Subject Re: Signature verification issue
Date Tue, 05 Aug 2008 16:43:49 GMT
Please check the examples in the code; you will find some way of
outputting the DOM tree. And sadly, spaces are important:
<amount>100000000</amount> is not the same as <amount>10000
                                              00000</amount>
or some more funny things that can happen in text nodes.  But you get
the picture.

And also, doing doc.normalize() is not a good idea, I think. So I
will check these two things.

Regards,

Raul
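
Added example (not code from this thread or from the xml-sec code base) of the round trip discussed here: sign an enveloped reference, write the DOM out with xml-sec's own XMLUtils.outputDOM so no whitespace is introduced, re-parse with a namespace-aware parser and verify, then push the same DOM through an indenting Transformer to show the mismatch Raul describes. The one-element SAML assertion, the ID value _c0ffee and the throwaway RSA key pair are constructed for the example; the class names are those of the Santuario 1.4-era API used in the thread, and verify() is a helper written for this example.

```java
import java.io.*;
import java.security.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.*;
import org.w3c.dom.*;
public class SignRoundTrip {
    static final DocumentBuilderFactory DBF = DocumentBuilderFactory.newInstance();
    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        DBF.setNamespaceAware(true);                 // xmldsig and c14n are namespace-sensitive
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway key pair
        String xml = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_c0ffee\">"
                + "<saml:AttributeValue>100000000</saml:AttributeValue></saml:Assertion>"; // constructed
        Document doc = DBF.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Element assertion = doc.getDocumentElement();
        assertion.setIdAttribute("ID", true);        // DOM Level 3 ID mark so "#_c0ffee" resolves
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
                Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.insertBefore(sig.getElement(), assertion.getFirstChild());
        Transforms t = new Transforms(doc);
        t.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        t.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#_c0ffee", t, Constants.ALGO_ID_DIGEST_SHA1);
        sig.sign(kp.getPrivate());
        // (a) xml-sec's own DOM writer adds no indentation: every text node stays as it was signed
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        XMLUtils.outputDOM(doc, plain);
        System.out.println("plain round trip verifies:    " + verify(plain.toByteArray(), kp.getPublic()));
        // (b) an indenting Transformer inserts whitespace text nodes into the signed subtree and into SignedInfo
        ByteArrayOutputStream pretty = new ByteArrayOutputStream();
        Transformer tf = TransformerFactory.newInstance().newTransformer();
        tf.setOutputProperty(OutputKeys.INDENT, "yes");
        tf.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
        tf.transform(new DOMSource(doc), new StreamResult(pretty));
        System.out.println("indented round trip verifies: " + verify(pretty.toByteArray(), kp.getPublic()));
    }
    static boolean verify(byte[] bytes, PublicKey pub) throws Exception { // re-parse, then verify
        Document doc2 = DBF.newDocumentBuilder().parse(new ByteArrayInputStream(bytes));
        doc2.getDocumentElement().setIdAttribute("ID", true); // the parsed copy needs the ID mark too
        Element sigEl = (Element) doc2.getElementsByTagNameNS(
                Constants.SignatureSpecNS, Constants._TAG_SIGNATURE).item(0);
        return new XMLSignature(sigEl, "").checkSignatureValue(pub);
    }
}
```

Path (a) prints true and path (b) prints false: the added whitespace changes both the reference digest and the canonical SignedInfo, so neither the digest nor the SignatureValue matches.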

On Tue, Aug 5, 2008 at 8:35 AM,  <edward.thompson@wachovia.com> wrote:
>
>> transformer.setOutputProperty(OutputKeys.INDENT, "no");
> Hmmm, I had indent set to no
>
> So I tried removing this:
>> transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount",
>> "4");
>
> Same results.
>
> Also, isn't the Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS supposed to
> account for the differences in spaces?
>
>
> Edward Thompson
>
> (704) 383-9933
> 401 South Tryon Street
> Three Wachovia Center, Sixth floor
> Charlotte, NC 28202
>
> Authentication & Entitlements
>
>
>
> "Raul Benito" <raul@apache.org>
> Sent by: raul.benito.garcia@gmail.com
> 08/05/2008 11:19 AM
> Please respond to: security-dev@xml.apache.org
> To: security-dev@xml.apache.org
> cc:
> Subject: Re: Signature verification issue
>
> OK, what you are doing is adding spaces as you are indenting the
> result; as space is relevant content, you are destroying the
> signature in the process. You have to output it as pure as possible;
> in xml-sec there are some of them, but any that don't add spaces will work.
>
> Regards,
> Raul
>
> On Tue, Aug 5, 2008 at 7:26 AM,  <edward.thompson@wachovia.com> wrote:
>>
>> OK, so I have tried serializing and (re)parsing the XML message first, but
>> the verification still fails:
>>
>>     Document doc = assertion.getOwnerDocument();
>>     doc.normalize();
>>     // somehow the ID attribute is not yet really in the doc,
>>     // so we register the id of interest so the Resolver called
>>     // by sign can find it
>>     String assertionId = assertion.getAttribute("ID");
>>     IdResolver.registerElementById(assertion, assertionId);
>>
>>     XMLSignature sig = new XMLSignature(doc, "",
>>             XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
>>             Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>     assertion.insertBefore(sig.getElement(), assertion.getFirstChild());
>>
>>     // create the transforms object for the Document/Reference
>>     Transforms transforms = new Transforms(doc);
>>
>>     // First we have to strip away the signature element (it's not part of
>>     // the signature calculations). The enveloped transform can be used.
>>     transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>>     // Part of the signature element needs to be canonicalized. It is a kind
>>     // of normalizing algorithm for XML. For more information please take a
>>     // look at the W3C XML Digital Signature webpage.
>>     InclusiveNamespaces incNS = new InclusiveNamespaces(doc, "ds saml xenc xs");
>>     transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,
>>             incNS.getElement());
>>     // Add the above Document/Reference
>>     sig.addDocument("#" + assertionId, transforms, Constants.ALGO_ID_DIGEST_SHA1);
>>
>>     Key privKey = (Key) cred.get("privateKey");
>>     sig.sign(privKey);
>>
>>     try {
>>         // TEST: serialize the signed document to a string ...
>>         StringWriter writer = new StringWriter();
>>         TransformerFactory transformerFactory = TransformerFactory.newInstance();
>>         Transformer transformer = transformerFactory.newTransformer();
>>         transformer.setOutputProperty(OutputKeys.METHOD, "xml");
>>         transformer.setOutputProperty(OutputKeys.VERSION, "1.0");
>>         transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
>>         transformer.setOutputProperty(OutputKeys.ENCODING, "ISO-8859-1");
>>         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
>>         transformer.setOutputProperty(OutputKeys.INDENT, "no");
>>         transformer.transform(new DOMSource(doc), new StreamResult(writer));
>>
>>         // ... and parse it back into a fresh DOM, using the same encoding we wrote
>>         DOMParser parser = new DOMParser();
>>         InputSource input = new InputSource(new BufferedInputStream(
>>                 new ByteArrayInputStream(writer.toString().getBytes("ISO-8859-1"))));
>>         input.setEncoding("ISO-8859-1");
>>         parser.parse(input);
>>         Document doc2 = parser.getDocument();
>>
>>         // locate the Signature element in the re-parsed document
>>         XPathFactory xFact = XPathFactory.newInstance();
>>         XPath xpath = xFact.newXPath();
>>         SimpleNamespaceContext snc = new SimpleNamespaceContext();
>>         snc.addNamespace("SOAP-ENV", "http://schemas.xmlsoap.org/soap/envelope/");
>>         snc.addNamespace("ws", "http://schemas.xmlsoap.org/ws/2005/02/trust");
>>         snc.addNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
>>         snc.addNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
>>         xpath.setNamespaceContext(snc);
>>         XPathExpression expr = xpath.compile("//saml:Assertion/ds:Signature");
>>         Element sigElement = (Element) expr.evaluate(doc2, XPathConstants.NODE);
>>
>>         // verify the re-parsed signature
>>         XMLSignature signature = new XMLSignature(sigElement, "");
>>         boolean isSuccess = signature.checkSignatureValue((Key) cred.get("publicKey"));
>>         LogManager.debug("First verification = " + isSuccess);
>>     } catch (Exception e) {
>>         e.printStackTrace();
>>         throw e;
>>     }
>>
>> Is there anything wrong with how I am doing that which would impact the results?
>>
>>
>>
>> "Raul Benito" <raul@apache.org>
>> Sent by: raul.benito.garcia@gmail.com
>> 08/05/2008 06:33 AM
>> Please respond to: security-dev@xml.apache.org
>> To: security-dev@xml.apache.org
>> cc:
>> Subject: Re: Signature verification issue
>>
>> You have to serialize the signature and deserialize it; sadly, the
>> internal structures don't manage signing and verifying at the same
>> time.
>>
>> On Mon, Aug 4, 2008 at 1:42 PM,  <edward.thompson@wachovia.com> wrote:
>>>
>>> I am trying to create, then verify a signature, without much success.  I
>>> assume something I am doing is corrupting the XML, so I changed the code
>>> to call checkSignatureValue() immediately after calling sign():
>>>
>>>     Document doc = assertion.getOwnerDocument();
>>>     doc.normalize();
>>>     // somehow the ID attribute is not yet really in the doc,
>>>     // so we register the id of interest so the Resolver called
>>>     // by sign can find it
>>>     String assertionId = assertion.getAttribute("ID");
>>>     IdResolver.registerElementById(assertion, assertionId);
>>>
>>>     XMLSignature sig = new XMLSignature(doc, "",
>>>             XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
>>>             Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>>     assertion.insertBefore(sig.getElement(), assertion.getFirstChild());
>>>
>>>     // create the transforms object for the Document/Reference
>>>     Transforms transforms = new Transforms(doc);
>>>
>>>     // First we have to strip away the signature element (it's not part of
>>>     // the signature calculations). The enveloped transform can be used.
>>>     transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>>>     // Part of the signature element needs to be canonicalized. It is a kind
>>>     // of normalizing algorithm for XML. For more information please take a
>>>     // look at the W3C XML Digital Signature webpage.
>>>     InclusiveNamespaces incNS = new InclusiveNamespaces(doc, "ds saml xenc xs");
>>>     transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,
>>>             incNS.getElement());
>>>     // Add the above Document/Reference
>>>     sig.addDocument("#" + assertionId, transforms, Constants.ALGO_ID_DIGEST_SHA1);
>>>
>>>     Key privKey = (Key) cred.get("privateKey");
>>>     sig.sign(privKey);
>>>
>>>     boolean isSuccess = sig.checkSignatureValue(<public key>);
>>>     LogManager.debug("First verification = " + isSuccess);
>>>
>>> The call to sig.checkSignatureValue() fails.  Can anyone help explain
>>> why?  If I understand this, I am hoping I will better understand how to
>>> make the rest work.
>>>
>>> Ed
>>
>>
>
>
