CODEWITHSUNDEEP
javaxmlsignature
yogsma
yogsma

Reputation: 10586

XML Signature validations fails

Here is my code that I am trying to work on to validate xml signature. For one xml file which contains xml that is signed with certificate of signing algorithm md2RSA , it works perfectly fine. But another xml which contains xml that is signed with certificate of signing algorithm SHA256withRSA, it fails.

Here is my code that I am trying to use to verify signature validation:

 public static void main(String[] args)
            throws ParserConfigurationException, SAXException, IOException, XMLSignatureException, XMLSecurityException
    {
        File f = new File("F:\\workspace\\signeddocument2.xml");
        DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
        dbFactory.setNamespaceAware(true);
        DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
        org.w3c.dom.Document doc = dBuilder.parse(f);
        doc.getDocumentElement().normalize();

        Element sigElement = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE)
                .item(0);

        XMLSignature signature = new XMLSignature(sigElement, f.toURI().toURL().toString());
        boolean verified = false;

        verified = signature.checkSignatureValue(signature.getKeyInfo().getPublicKey());

        if (verified)
        {
            System.out.println("Signature verified successfully");
        }
        else
        {
            System.out.println("Signature verification failed.");
        }

    }

And here is the successful xml file that works:

<DocumentToSign ID="signme">
    <SubElement>
    </SubElement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#signme">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>pt/SfGyAXhfkEwmQUqlg5Dsczp8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
baPXBiRO+S96Fb6J1zllCe2SsjmUgkEMnGOVNkTAFa/97Dv365uVrHzfnekoAVgCojWXdQIMVBqi
+uJKjK9JmEH738ob0vkrSJiZgLqjnCnPxM0yDwGRHXrnVVLuKhfdDkp9Pevo/e8+X5wIiPaXHb/C
r1/5ZFk3raFdD6b72X/MsMp4m2894UOTw0jo/FHIYpOHib4P21aK/kIFGROJEXU7sKv+GswOFbuH
7zcmXldNV7z/mrqd3XZROGy3jFpp0C2pu3PSYUS8BQCabQQfaS97nh20TL1pFVDSi3UvG3TYa21d
aQZncnzKZsbXPy+642KgeXF71H7rQrmkhQKi+g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICpjCCAY6gAwIBAgIEUYrX0DANBgkqhkiG9w0BAQIFADAVMRMwEQYDVQQDDApkZWZhdWx0a2V5
MB4XDTEzMDUwODIyNTYxMloXDTQzMDUwODIyNTYxMlowFTETMBEGA1UEAwwKZGVmYXVsdGtleTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJHzhGGL5JqZyMMuh09HJCWU4uNbOb10icw4
VuqgpHBc3A8v4sFOmiEQIf+CxWpPXhY+8THf+HWsXlrQ/UDUAQMOYQ998Mw1Er1fKrBosa0n0FRJ
+y8VVFc+uViykbGeLTjxkFJinLuQ1yBWuW+XCHXKP5HgFo9YnhPr/DZ/dF3wFRMQKzmJhp2j18VD
x20MNSWMyfL2hZRg1HnCES8ar/P4Qu7m2qn2YRLFdGMqs6OUrjbhLSgFX6sbmvbFVuNcmndQECoY
KLxJFcvW5fD430NbMsXeOXNqfGnTXE8Z5CGZNQxPe0KUtvQNSvb+hozj6AFeP/iOO1PZwD3h7wGY
1t0CAwEAATANBgkqhkiG9w0BAQIFAAOCAQEAg5ZyHyNFH6KIbSLRx67sHYS+rWCXoJogXFI7NyBx
ynZijN8tLjmZcQQPp94z9vSyx9U90EwfRtVMl632aD1ntc1LBMUKdZoz6hBubKrr7gB38aBh+VMY
iQ6c9BfbD6XqxMS9Vv3w58Mfpgi9Cqr3P6AXJz490LA6t+etgmzqOz3V6piiFwysaAeYQ3GQTaAI
mmsyj6++AlcJXHsOMc63oaKnziG3al/gfheUtp/KG0GT8X9UZdRNsWrfcpopp7+wHTaTO6U863FJ
WuNuk5ljTo5xk+DQQQfKmnGUO3y6Sb0IE7sgZn6/TvnoF4Es+xb8V6bL9q24lkm4mCdp3m7PhA==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature></DocumentToSign>

And here is the xml file that is fails with signature validation:

<DocumentToSign ID="signme">
    <SubElement>
    </SubElement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#signme">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>iG7dOuXItysItp3EXjvWcXssDgtidn/dX9ZSlBc96+s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
NiZcgh4DNGAkGPX3BKrBbkew7b8PitNArw4gRGU/7603pQRe+So31u3pSmuqLPerQ/gp6SqkSzmA
8pbldKYodf6cNHeO+rSTIS0dOJvqduhfYDDSLaXOGMeeiJG3en1mu4/ZajdYAtQd7YuwHNR4XgIA
O4DKltY4nHH/TKMe/8cr0boz+D8ttldX5CjcSCYqmmlG6sM/fbUgNT832Mwqp3N6dRr/OrKvl1Lt
JRioJ4+JOdw6mZkRvxl3ga5/CWGvCaBxNbuZKBFdrHf+SVrXpeg0/E1/E2Sd1L5bVWYR2M1q3eXr
RkutToCkHzRTQARS+90lx8pNaxiR8bcbfD4Oag==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
**Some Certificate Value**
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature></DocumentToSign>

Not sure what I am doing wrong in second case. This is the error message I get for second case:

org.apache.xml.security.signature.Reference verify
WARNING: Verification failed for URI "#signme"
Signature verification failed.

Does anyone see anything I am missing?

Upvotes: 1

Views: 7456

Answers (2)

yogsma
yogsma

Reputation: 10586

@JosemyAB - Thanks for your answer.

I figured out the issue why signature validation was failing. The XML I was signing had different namespaces compared to XML I was trying to validate the signature for. That transformation was causing signature failure. Once I figured out the transformation, signature validation worked.

Upvotes: 0

JosemyAB
JosemyAB

Reputation: 407

Seems that a tag is missing in your xml.

I found some information here: https://www.w3.org/TR/2009/WD-xmldsig-core2-20091022/

If you search for "signame" you will see that the specification needs a tag: <C ID="signme" xmlns="&baz;"/> There is the full specification:

<A xmlns:n1="&foo;">
     <B xmlns:n2="&bar;">
       <Signature xmlns="&dsig;">   ...
         <Reference URI="#signme"/> ...
       </Signature>
       <C ID="signme" xmlns="&baz;"/>
     </B>
   </A>

Your XML do not has this tag. Could be the reason.

Upvotes: 1

Related Questions