santuario-dev mailing list archives

From edward.thomp...@wachovia.com
Subject Re: Signature verification issue
Date Tue, 05 Aug 2008 14:26:08 GMT
OK, so I have tried serializing and (re)parsing the XML message first, but 
still fail the verification:

        Document doc = assertion.getOwnerDocument();
        doc.normalize();
        // The ID attribute is not yet known to the DOM as an XML ID,
        // so we register the id of interest so the Resolver called by
        // sign() can find it.
        // getAttribute("ID") returns the value directly; the earlier
        // getAttributeNode("ID").toString().substring(4,37) relied on the
        // Xerces 'ID="..."' toString() format and a 33-character ID.
        String assertionId = assertion.getAttribute("ID");
        IdResolver.registerElementById(assertion, assertionId);

        XMLSignature sig = new XMLSignature(doc, "",
                XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
                Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.insertBefore(sig.getElement(), assertion.getFirstChild());

        // create the transforms object for the Document/Reference
        Transforms transforms = new Transforms(doc);

        // First we have to strip away the signature element (it's not part of
        // the signature calculations). The enveloped transform can be used.
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        // Part of the signature element needs to be canonicalized. It is a kind
        // of normalizing algorithm for XML. For more information please take a
        // look at the W3C XML Digital Signature webpage.
        InclusiveNamespaces incNS = new InclusiveNamespaces(doc, "ds saml xenc xs");
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,
                incNS.getElement());
        // Add the above Document/Reference
        sig.addDocument("#" + assertionId, transforms, Constants.ALGO_ID_DIGEST_SHA1);

        Key privKey = (Key) cred.get("privateKey");
        sig.sign(privKey);

        try {
            // TEST: serialize the signed document and parse it again before verifying
            StringWriter writer = new StringWriter();

            TransformerFactory transformerFactory = TransformerFactory.newInstance();
            Transformer transformer = transformerFactory.newTransformer();

            transformer.setOutputProperty(OutputKeys.METHOD, "xml");
            // was "2.0"; there is no XML 2.0 (harmless here because the
            // declaration is omitted, but wrong if it is ever emitted)
            transformer.setOutputProperty(OutputKeys.VERSION, "1.0");
            transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
            transformer.setOutputProperty(OutputKeys.ENCODING, "ISO-8859-1");
            transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
            transformer.setOutputProperty(OutputKeys.INDENT, "no");

            transformer.transform(new DOMSource(doc), new StreamResult(writer));

            DOMParser parser = new DOMParser();
            // Encode the bytes in the charset the parser is told to expect;
            // the no-argument getBytes() uses the platform default encoding,
            // which silently corrupts any non-ASCII content on mismatch.
            InputSource input = new InputSource(new BufferedInputStream(
                    new ByteArrayInputStream(writer.toString().getBytes("ISO-8859-1"))));
            input.setEncoding("ISO-8859-1");
            parser.parse(input);

            Document doc2 = parser.getDocument();

            XPathFactory xFact = XPathFactory.newInstance();
            XPath xpath = xFact.newXPath();
            SimpleNamespaceContext snc = new SimpleNamespaceContext();
            snc.addNamespace("SOAP-ENV", "http://schemas.xmlsoap.org/soap/envelope/");
            snc.addNamespace("ws", "http://schemas.xmlsoap.org/ws/2005/02/trust");
            snc.addNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
            snc.addNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
            xpath.setNamespaceContext(snc);

            XPathExpression expr = xpath.compile("//saml:Assertion/ds:Signature");
            Element sigElement = (Element) expr.evaluate(doc2, XPathConstants.NODE);

            XMLSignature signature = new XMLSignature(sigElement, "");

            boolean isSuccess = signature.checkSignatureValue((Key) cred.get("publicKey"));
            LogManager.debug("First verification = " + isSuccess);
        } catch (Exception e) {
            e.printStackTrace();
            throw e;
        }

Is there anything wrong with how I am doing that which would impact the results?




"Raul Benito" <raul@apache.org>
Sent by: raul.benito.garcia@gmail.com
08/05/2008 06:33 AM
Please respond to security-dev@xml.apache.org

To: security-dev@xml.apache.org
cc:
Subject: Re: Signature verification issue

You have to serialize the signature and deserialize it; sadly, the
internal structures don't manage signing and verifying at the same
time.

On Mon, Aug 4, 2008 at 1:42 PM,  <edward.thompson@wachovia.com> wrote:
>
> I am trying to create, then verify a signature, without much success.  I
> assume something I am doing is corrupting the XML, so I changed the code to
> call checkSignatureValue() immediately after calling sign():
>
>                 Document doc = assertion.getOwnerDocument();
>                 doc.normalize();
>                 // somehow the ID attribute is not yet really in the doc
>                 // so we register the id of interest so the Resolver called
>                 // by sign can find it
>                 String assertionId = assertion.getAttributeNode("ID").toString().substring(4,37);
>                 IdResolver.registerElementById(assertion, assertionId);
>
>                 XMLSignature sig = new XMLSignature(doc, "",
>                         XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
>                         Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>                 assertion.insertBefore(sig.getElement(), assertion.getFirstChild());
>
>                 // create the transforms object for the Document/Reference
>                 Transforms transforms = new Transforms(doc);
>
>                 // First we have to strip away the signature element (it's not part of
>                 // the signature calculations). The enveloped transform can be used.
>                 transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>                 // Part of the signature element needs to be canonicalized. It is a kind
>                 // of normalizing algorithm for XML. For more information please take a
>                 // look at the W3C XML Digital Signature webpage.
>                 InclusiveNamespaces incNS = new InclusiveNamespaces(doc, "ds saml xenc xs");
>                 transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,
>                         incNS.getElement());
>                 // Add the above Document/Reference
>                 sig.addDocument("#" + assertionId, transforms, Constants.ALGO_ID_DIGEST_SHA1);
>
>                 Key privKey = (Key) cred.get("privateKey");
>                 sig.sign(privKey);
>
>                 boolean isSuccess = sig.checkSignatureValue(<public key>);
>                 LogManager.debug("First verification = " + isSuccess);
>
>       The call to sig.checkSignatureValue() fails.  Can anyone help explain
> why?  If I understand this, I am hoping I will better understand how to make
> the rest work.
>
> Ed
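The sign / serialize / re-parse / verify round trip that Raul describes, as an added, self-contained example; this is not code from the thread or from the Santuario project. It assumes the org.apache.xml.security API of Apache Santuario (1.4 or later) on the classpath, uses the standard DOM Level 3 Element.setIdAttribute() instead of IdResolver.registerElementById() to make the "#id" reference resolvable on both the signing and the verifying document, uses RSA-SHA256 / SHA-256 rather than the RSA-SHA1 / SHA-1 pair in the posts, and signs a constructed one-element SAML assertion with a freshly generated key pair. On the verifying side it also does what a relying party should do and the posted snippet does not: parse with DTDs disabled, accept exactly one ds:Signature that is a direct child of the assertion, check that the Reference URI points at that assertion's own ID, and verify against a key it already trusts rather than whatever ds:KeyInfo carries.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignThenReparseVerify {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed sample assertion and ID; a real one carries Subject, Conditions, etc.
    private static final String ASSERTION_ID = "_example-assertion-id";
    private static final String SAMPLE_XML =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"" + ASSERTION_ID + "\" Version=\"2.0\">"
      + "<saml:Issuer>https://idp.example.invalid</saml:Issuer>"
      + "</saml:Assertion>";

    // Namespace-aware parser with DTD processing disabled (no entity expansion / XXE).
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Serialize to a byte stream so OutputKeys.ENCODING is actually applied.
    static byte[] serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    // Enveloped signature over the assertion element; returns the serialized bytes.
    static byte[] signAssertion(Document doc, KeyPair kp) throws Exception {
        Element assertion = doc.getDocumentElement();
        assertion.setIdAttribute("ID", true);          // lets getElementById() resolve "#id"
        String id = assertion.getAttribute("ID");

        XMLSignature sig = new XMLSignature(doc, "",
                XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,
                Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.insertBefore(sig.getElement(), assertion.getFirstChild());

        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#" + id, transforms, Constants.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());
        return serialize(doc);                          // fresh DOM on the other side
    }

    // Relying-party side: re-parse, locate the signature, bind it to the assertion, verify.
    static boolean verifyAssertion(byte[] signedXml, PublicKey trustedKey) throws Exception {
        Document doc = parse(signedXml);
        Element assertion = doc.getDocumentElement();
        assertion.setIdAttribute("ID", true);          // same registration on the verifying DOM

        NodeList sigs = assertion.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) {
            return false;                                // exactly one Signature, directly under the assertion
        }
        XMLSignature sig = new XMLSignature((Element) sigs.item(0), "");

        if (sig.getSignedInfo().getLength() != 1) return false;
        Reference ref = sig.getSignedInfo().item(0);   // the reference must cover this assertion's own ID
        if (!("#" + assertion.getAttribute("ID")).equals(ref.getURI())) return false;

        return sig.checkSignatureValue(trustedKey);     // trusted key, not the one in ds:KeyInfo
    }

    public static void main(String[] args) throws Exception {
        Init.init();                                     // initialise Santuario once per JVM
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] signed = signAssertion(parse(SAMPLE_XML.getBytes("UTF-8")), kp);
        System.out.println("verified after reparse: " + verifyAssertion(signed, kp.getPublic()));

        // Any change to the signed content must break the reference digest and fail verification.
        byte[] tampered = new String(signed, "UTF-8")
                .replace("idp.example.invalid", "other.example.invalid").getBytes("UTF-8");
        System.out.println("tampered verifies: " + verifyAssertion(tampered, kp.getPublic()));
    }
}
```

The first line printed should be true and the second false. The structural checks in verifyAssertion are what tie the cryptographic result to the element the application goes on to trust; a verifier that only runs an XPath such as //saml:Assertion/ds:Signature and calls checkSignatureValue() confirms that some signature in the document is valid, not that it covers the assertion it is about to act on.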

