I am using Apache Santuario for decryption and validation using StAX. The thing is that when my XML file is encrypted and I want to only check the signature, it seems that it is being decrypted and therefore the signature does not match.
I came to this conclusion because if I write to a FileOutputStream using my XMLStreamReader, the file contains the decrypted data of the XML file, but the program ends with an error as the validation of the signature is unsuccessful:
Caused by: org.apache.xml.security.exceptions.XMLSecurityException: Invalid digest of reference
Another thing that points to this is that if I set no decryption key, I get the error that the key was null, but I do not even want it to decrypt the file; I just want to check the signature:
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stax.StAXSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.stax.ext.InboundXMLSec;
import org.apache.xml.security.stax.ext.XMLSec;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
TransformerFactory tf = TransformerFactory.newInstance();
Transformer t = tf.newTransformer();
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(new FileInputStream("path/to/store.jks"), "secret".toCharArray());
// private key from the keystore, used for decryption
Key k = ks.getKey("test.name", "secret".toCharArray());
// public key used for signature verification ("key" was undefined in the snippet; assumed to come from the same keystore entry)
Key key = ks.getCertificate("test.name").getPublicKey();
// the signed and encrypted input document ("is" was undefined in the snippet)
InputStream is = new FileInputStream("path/to/input.xml");
XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
final XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(is);
XMLSecurityProperties properties = new XMLSecurityProperties();
// I hoped that setting the action to SIGNATURE would result in only checking the signature
properties.addAction(XMLSecurityConstants.SIGNATURE);
// have to set this, so I don't get the error that the key is null
properties.setDecryptionKey(k);
properties.setSignatureVerificationKey(key);
InboundXMLSec inboundXMLSec = XMLSec.getInboundWSSec(properties);
TestSecurityEventListener listener = new TestSecurityEventListener(); // own SecurityEventListener implementation
XMLStreamReader securityStreamReader =
    inboundXMLSec.processInMessage(xmlStreamReader, null, listener);
StAXSource source = new StAXSource(securityStreamReader);
// result file is decrypted but signature verification failed
StreamResult result = new StreamResult(new FileOutputStream("path/to/result"));
t.transform(source, result);
I hoped only adding XMLSecurityConstants.SIGNATURE to the actions of my properties would result in only signature verification, but that is not the case.
Also, just not adding a decryption key results in an exception complaining that the key is null.
EDIT:
After a bit of debugging I found that in fact the code for decrypting content is hit even though I set the action to SIGNATURE. This confirms my suspicion that the content is being decrypted even though I did not want it to be decrypted.
Upvotes: 1
Views: 154