santuario-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Digest Mismatch Exceptions and Enveloped Signatures
Date Fri, 27 Jul 2018 16:35:45 GMT
Hi,

Those examples are from my personal github repo and have nothing to do
really with the Apache Santuario project.

I'm not sure what you mean by "seem to produce invalid XML signatures by
default"? The examples produce valid (detached) XML Signatures and verify
just fine. For example, this test uses both those methods in SignatureUtils:

https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureStAXTest.java

> Used as is you will get XML Signatures that do not include the
> EnvelopedSignature Transform

This is not a requirement for XML Signatures - the test code in
SignatureUtils does not use it.

Colm.

On Fri, Jul 27, 2018 at 2:53 AM, buko <buko.obele@gmail.com> wrote:

>
>
> Not sure if others have encountered this but I thought I’d report this
> since I ran into this issue and spent quite a while trying to figure out
> what’s going on. The issue:
>
>
>
> The signUsingStax and verifyUsingStax methods from the Example Code (see
> https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureUtils.java#L162
> and
> https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureUtils.java#L203)
> seem to produce invalid XML signatures by default. Used as is you will get XML
> Signatures that do not include the EnvelopedSignature Transform
> (http://www.w3.org/2000/09/xmldsig#enveloped-signature).
>
>
>
> The code will sign documents but when you verify the signed documents
> you’ll get invalid digest errors like:
>
>
>
> org.apache.xml.security.exceptions.XMLSecurityException: Invalid digest
> of reference #Ge7a73177-7aad-4fe8-bed8-d26ef9cfaeed
>
>
>
> To make the code work you’ll need to add the EnvelopedSignature Transform
> like:
>
>     private static final String[] ENVELOPED_SIGNATURE_TRANSFORMS = {
>         "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
>         "http://www.w3.org/2001/10/xml-exc-c14n#"
>     };
>
>     signatureSpec.getElementsToSign().forEach(qname -> {
>         final SecurePart securePart = new SecurePart(qname, SecurePart.Modifier.Content);
>         securePart.setTransforms(ENVELOPED_SIGNATURE_TRANSFORMS);
>         securityProperties.addSignaturePart(securePart);
>     });
>
>
>
>
>
> Perhaps it would be helpful to include two separate examples, one using
> stax signature verification with an enveloped signature and another one
> with an enveloping signature?
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
