
List:       xml-security-dev
Subject:    Re: XML Sig verification using xmlsecurity.org
From:       Christian Geuer-Pollmann <geuer-pollmann () nue ! et-inf ! uni-siegen ! de>
Date:       2001-10-04 6:20:52


Hi Peter,

at the moment I have some problems committing to CVS, so here is another
tweak to find attributes...

Simply put them in the respective directories. (Hope I get my CVS problems sorted out today ;-)

src/.../utils/Idresolver.java
sec_samples/.../samples/signature/CreateSignature.java

Christian

--On Wednesday, 3 October 2001 15:06 +0200 Peter Tornberg <tberg@x-obi.com> wrote:

> Thanks Christian,
>
> I didn't realize that xsi:... was moved down during canonicalization, but
> this must of course be the case.
>
> I rewrote the VerifySignature once again, and now it works with the
> original signature-enveloping-rsa.xml file.
>
> /Peter
>
> ----- Original Message -----
> From: "Christian Geuer-Pollmann" <geuer-pollmann@nue.et-inf.uni-siegen.de>
> To: "Peter Tornberg" <tberg@x-obi.com>
> Cc: <security-dev@xml.apache.org>
> Sent: Wednesday, October 03, 2001 1:18 PM
> Subject: Re: XML Sig verification using xmlsecurity.org
>
>
>> Hi Peter
>>
>> --On Wednesday, 3 October 2001 11:40 +0200 Peter Tornberg
>> <tberg@x-obi.com> wrote:
>>
>> > I rewrote the VerifySignature.java and the signature-enveloping-rsa.xml
>> > to validate the xml and hence get a hold of the ID object. Still I get:
>>
>> What happened: You took the signature-enveloping-rsa.xml from Merlin's
>> merlin-xmldsig-fifteen.tgz and changed
>>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>
>> to
>>
>> <Signature
>> xmlns="http://www.w3.org/2000/09/xmldsig#"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#
>> c:\cvs\xml-security\src_samples\xmldsig-core-schema.xsd"
>> >
>>
>> _but_ you did not re-create the SignatureValue. The problem is that the
>> <ds:SignatureValue> is calculated over the canonicalized form of the
>> <ds:SignedInfo>. But the canonicalized SignedInfo has changed because you
>> added namespaces in an ancestor of SignedInfo. Before your modification,
>> the canonicalized SignedInfo was:
>>
>> <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>     <CanonicalizationMethod
>>       Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>>     <SignatureMethod
>>       Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>>     <Reference URI="#object">
>>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>       <DigestValue>7/XTsHaBSOnJ/jXD5v0zL6VKYsk=</DigestValue>
>>     </Reference>
>>   </SignedInfo>
>>
>> but after your modification SignedInfo looks like:
>>
>> <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>     <CanonicalizationMethod
>>       Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>>     <SignatureMethod
>>       Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>>     <Reference URI="#object">
>>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>       <DigestValue>7/XTsHaBSOnJ/jXD5v0zL6VKYsk=</DigestValue>
>>     </Reference>
>>   </SignedInfo>
>>
>> (You see the xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> namespace decl. in the ds:SignedInfo Element), so the SignatureValue was
>> created from the first version but verified against the second version -
>> and that fails.
>>
>> ------------------
>>
>> If you want to see what the SignedInfo looks like, in
>> XMLSignature.checkSignatureValue(X509..) there is a statement
>>
>> JavaUtils.writeBytesToFilename("signedInfo", inputBytes);
>>
>> which can be used to write the canonicalized SignedInfo to a file for
>> debugging purposes. (You have to copy it to the checkSig(PubKey).)
>>
>> ------------------
>>
>> Same game in Reference.calculateDigest(): there is some (commented-out)
>> code
>>
>> String tmp = new Long(System.currentTimeMillis()).toString() + ".txt";
>> cat.info("Wrote \"" + this.getURI() + "\" to file " + tmp);
>> JavaUtils.writeBytesToFilename(tmp, data);
>>
>> which you can use to write the results from dereferencing to files (named
>> by time)...
>>
>> ------------------
>>
>> Another way that I have not checked yet is that you pre-configure Xerces
>> to tell the parser where to find the Schema:
>>
>> // f is the java.io.File of the signature document
>> javax.xml.parsers.DocumentBuilderFactory dbf =
>>     javax.xml.parsers.DocumentBuilderFactory.newInstance();
>> dbf.setNamespaceAware(true);
>> String externalSchemaLocation = Constants.SignatureSpecNS + " " +
>>     "data/xmldsig-core-schema.xsd";
>> dbf.setAttribute("http://apache.org/xml/properties/schema/external-schemaLocation",
>>                  externalSchemaLocation);
>> dbf.setAttribute("http://apache.org/xml/features/validation/schema",
>>                  Boolean.TRUE);
>> javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
>> org.w3c.dom.Document doc = db.parse(new java.io.FileInputStream(f));
>>
>>
>> I am not a Schema expert, but I think this is the way to check against the
>> ds Schema without modifying the Signature.xml.
>>
>> I hope this helps,
>>
>> Christian
>>
>>

Kind regards,

Christian Geuer-Pollmann


--------------------------------------------------------------------------
Institute for Data Communications Systems             University of Siegen
Hoelderlinstrasse 3                 D-57068 Siegen                 Germany

mail:  mailto:geuer-pollmann@nue.et-inf.uni-siegen.de
web:  <http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/>

["IdResolver.java" (application/octet-stream)]
["CreateSignature.java" (application/octet-stream)]
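The namespace-inheritance effect Christian describes in the quoted reply (a declaration added to <Signature> shows up in the canonicalized <SignedInfo>, so the signed bytes change although SignedInfo itself was never edited) can be reproduced without the library. The following is an added example, not code from this thread or from the xml-security project: a minimal inclusive-C14N serializer written over Python's xml.dom.minidom, limited to elements, attributes and text (no comments, processing instructions or inherited xml:* attributes), applied to a constructed document modelled on the SignedInfo quoted above. The same function also implements the exclusive-C14N namespace rule (emit only declarations the element or its attributes visibly use), which the W3C standardized later (Exclusive XML Canonicalization, 2002) precisely to make signatures robust against this kind of change in the enveloping context; nothing here implies the 2001 library supported it. The sample documents and all function names are my own.

```python
"""Added example: why adding xmlns:xsi to <Signature> changes the bytes the
SignatureValue covers.  Minimal C14N over xml.dom.minidom covering elements,
attributes and text only (no comments, PIs or inherited xml:* attributes).
This is not the xml-security library's canonicalizer."""
import hashlib
from xml.dom import minidom

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed SignedInfo modelled on the one quoted in the mail (assumption;
# this is not the real signature-enveloping-rsa.xml from Merlin's test set).
SIGNED_INFO = """
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#object">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>7/XTsHaBSOnJ/jXD5v0zL6VKYsk=</DigestValue>
    </Reference>
  </SignedInfo>
"""
ORIGINAL = '<Signature xmlns="%s">%s</Signature>' % (DS_NS, SIGNED_INFO)
MODIFIED = ('<Signature xmlns="%s" xmlns:xsi="%s" xsi:schemaLocation="%s '
            'xmldsig-core-schema.xsd">%s</Signature>'
            % (DS_NS, XSI_NS, DS_NS, SIGNED_INFO))


def _is_ns_decl(attr):
    return attr.name == "xmlns" or attr.name.startswith("xmlns:")


def _ns_prefix(attr):
    return "" if attr.name == "xmlns" else attr.name[len("xmlns:"):]


def _in_scope(el):
    """All namespace declarations in force at el; the nearest ancestor wins."""
    scope = {}
    node = el
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for a in node.attributes.values():
            if _is_ns_decl(a):
                scope.setdefault(_ns_prefix(a), a.value)
        node = node.parentNode
    return scope


def _esc_attr(v):
    for old, new in (("&", "&amp;"), ("<", "&lt;"), ('"', "&quot;"),
                     ("\t", "&#x9;"), ("\n", "&#xA;"), ("\r", "&#xD;")):
        v = v.replace(old, new)
    return v


def _esc_text(v):
    for old, new in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ("\r", "&#xD;")):
        v = v.replace(old, new)
    return v


def canonicalize(el, exclusive=False, _scope=None, _rendered=None):
    """Serialise el's subtree as C14N 1.0 (inclusive) or, with exclusive=True,
    under the exclusive-C14N namespace rule.  _rendered holds declarations an
    ancestor already emitted in this output, so they are not repeated."""
    scope = _in_scope(el) if _scope is None else _scope
    rendered = {} if _rendered is None else _rendered
    attrs = [a for a in el.attributes.values() if not _is_ns_decl(a)]
    if exclusive:
        # Only prefixes visibly used by this element or its attributes.
        used = {el.prefix or ""} | {a.prefix for a in attrs if a.prefix}
        candidates = {p: scope.get(p, "") for p in used}
    else:
        # Inclusive: every in-scope declaration, inherited ones included.
        candidates = scope
    # Default namespace ("" prefix) sorts first, then prefixes lexicographically.
    emit = {p: uri for p, uri in sorted(candidates.items())
            if p != "xml" and rendered.get(p, "") != uri}
    out = ["<", el.tagName]
    for p, uri in emit.items():
        out.append(' xmlns%s="%s"' % (":" + p if p else "", _esc_attr(uri)))
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc_attr(a.value)))
    out.append(">")
    child_rendered = dict(rendered)
    child_rendered.update(emit)
    for c in el.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            child_scope = dict(scope)
            child_scope.update({_ns_prefix(a): a.value
                                for a in c.attributes.values() if _is_ns_decl(a)})
            out.append(canonicalize(c, exclusive, child_scope, child_rendered))
        elif c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE):
            out.append(_esc_text(c.data))
    out.append("</%s>" % el.tagName)   # empty elements render as start+end tag
    return "".join(out)


def signed_info_c14n(xml_text, exclusive=False):
    """The bytes a SignatureValue is computed over: canonical SignedInfo."""
    doc = minidom.parseString(xml_text)
    si = doc.getElementsByTagNameNS(DS_NS, "SignedInfo")[0]
    return canonicalize(si, exclusive).encode("utf-8")


def signed_info_sha1(xml_text, exclusive=False):
    return hashlib.sha1(signed_info_c14n(xml_text, exclusive)).hexdigest()


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("with xmlns:xsi on Signature", MODIFIED)):
        print("== %s, inclusive C14N ==" % label)
        print(signed_info_c14n(text).decode())
        print("sha1:", signed_info_sha1(text))
    print("exclusive C14N gives identical bytes:",
          signed_info_sha1(ORIGINAL, True) == signed_info_sha1(MODIFIED, True))
```

Running it prints the two SignedInfo forms from the mail: the second carries `xmlns:xsi="..."` on <SignedInfo> although only <Signature> was edited, and the SHA-1 over the bytes differs, so any signature over the first form fails against the second; the `xsi:schemaLocation` attribute itself is not inherited, only the namespace declaration is. The practical lesson for a verifier is the one Christian draws at the end of the quoted mail: configure schema validation in the parser rather than editing the signed document, because under inclusive C14N any change to an ancestor's namespace declarations is a change to the signed bytes.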

