santuario-dev mailing list archives

From buko <buko.ob...@gmail.com>
Subject Digest Mismatch Exceptions and Enveloped Signatures
Date Fri, 27 Jul 2018 01:53:13 GMT

Not sure if others have encountered this but I thought I’d report this since I ran into
this issue and spent quite a while trying to figure out what’s going on. The issue:

The signUsingStax and verifyUsingStax methods from the Example Code (see https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureUtils.java#L162
and https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureUtils.java#L203)
seem to produce invalid XML signatures by default. Used as is, you will get XML Signatures
that do not include the EnvelopedSignature Transform (http://www.w3.org/2000/09/xmldsig#enveloped-signature).


The code will sign documents but when you verify the signed documents you’ll get invalid
digest errors like:

org.apache.xml.security.exceptions.XMLSecurityException: Invalid digest of reference #Ge7a73177-7aad-4fe8-bed8-d26ef9cfaeed

To make the code work you’ll need to add the EnvelopedSignature Transform like:
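
    import org.apache.xml.security.stax.ext.SecurePart;

    // Class-level constant: enveloped-signature transform first, then exclusive C14N.
    private static final String[] ENVELOPED_SIGNATURE_TRANSFORMS = {
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
        "http://www.w3.org/2001/10/xml-exc-c14n#"
    };

    // Inside the signing method: attach the transforms to every part to be signed.
    signatureSpec.getElementsToSign().forEach(qname -> {
        final SecurePart securePart = new SecurePart(qname, SecurePart.Modifier.Content);
        securePart.setTransforms(ENVELOPED_SIGNATURE_TRANSFORMS);
        securityProperties.addSignaturePart(securePart);
    });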


Perhaps it would be helpful to include two separate examples, one using stax signature verification
with an enveloped signature and another one with an enveloping signature? 

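Added example (not part of the original message and not Santuario code): a simplified Python model of the Reference digest step only, showing why a signature placed inside the signed element fails digest validation unless the enveloped-signature transform is listed. Assumptions: it uses the standard library's C14N 2.0 rather than exclusive C14N, produces no SignatureValue, and the sample document and all function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
# Constructed sample document; "p1" is the element that gets signed.
SAMPLE = '<Order><Payment Id="p1"><Amount>100</Amount></Payment></Order>'

def digest(elem, transforms):
    """Apply the transforms to a copy of elem, canonicalize it, return base64 SHA-256."""
    work = ET.fromstring(ET.tostring(elem))
    if ENVELOPED in transforms:
        # Simplification: drop every ds:Signature in the subtree. The real
        # transform removes only the Signature that contains the Transform.
        for parent in list(work.iter()):
            for child in list(parent):
                if child.tag == f"{{{DS}}}Signature":
                    parent.remove(child)
    canon = ET.canonicalize(ET.tostring(work, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def sign(root, ref_id, transforms):
    """Digest the element first, then place ds:Signature inside it (enveloped)."""
    target = root.find(f".//*[@Id='{ref_id}']")
    value = digest(target, transforms)
    sig = ET.SubElement(target, f"{{{DS}}}Signature")
    ref = ET.SubElement(sig, f"{{{DS}}}Reference", URI="#" + ref_id)
    for alg in transforms:
        ET.SubElement(ref, f"{{{DS}}}Transform", Algorithm=alg)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = value

def reference_is_valid(root):
    """Recompute the digest the way a verifier does and compare with DigestValue."""
    ref = root.find(f".//{{{DS}}}Reference")
    ref_id = ref.get("URI")[1:]
    target = root.find(f".//*[@Id='{ref_id}']")
    transforms = [t.get("Algorithm") for t in ref.findall(f"{{{DS}}}Transform")]
    return digest(target, transforms) == ref.findtext(f"{{{DS}}}DigestValue")

def signed_copy(transforms):
    """Return a freshly parsed SAMPLE signed with the given transform list."""
    root = ET.fromstring(SAMPLE)
    sign(root, "p1", transforms)
    return root
```

Without the transform, the verifier digests the element with the ds:Signature now inside it, which is the same mismatch that surfaces as "Invalid digest of reference".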