Posted to dev@santuario.apache.org by bu...@apache.org on 2009/08/28 15:06:31 UTC
DO NOT REPLY [Bug 47758] New: Signature validation failure
https://issues.apache.org/bugzilla/show_bug.cgi?id=47758
Summary: Signature validation failure
Product: Security
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: bhupinder.saini@gmail.com
--- Comment #0 from bhupinder <bh...@gmail.com> 2009-08-28 06:06:30 PDT ---
Created an attachment (id=24184)
base64-encoded file
Hi
Can you please help find the reason why the XMLSec lib is failing to validate the Signature, which passes the test successfully with JDK 6's built-in Signature verification.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
DO NOT REPLY [Bug 47758] Signature validation failure
--- Comment #5 from coheigea <co...@apache.org> 2009-09-02 03:38:05 PDT ---
I don't get it. You're using the basic JSR 105 API functionality via JDK 1.6 to
validate the signature, but comparing this to doing some custom validation code
built around XML Security? Why are you doing this? The following XML Security
code works fine with your test-case:
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Element;

// db is a namespace-aware DocumentBuilder and is the InputStream of the signed document;
// XPointerResourceResolver is assumed to be the resolver from the xmlsec test sources.
org.w3c.dom.Document doc = this.db.parse(is);
Element nscontext = XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
Element sigElement = (Element) XPathAPI.selectSingleNode(doc, "//ds:Signature[1]", nscontext);
XMLSignature signature = new XMLSignature(sigElement, "");
signature.addResourceResolver(new XPointerResourceResolver(sigElement));
KeyInfo ki = signature.getKeyInfo();
java.security.PublicKey publicKey = ki.getPublicKey();
assertTrue(signature.checkSignatureValue(publicKey));
Colm.
DO NOT REPLY [Bug 47758] Signature validation failure
--- Comment #3 from coheigea <co...@apache.org> 2009-08-31 04:12:41 PDT ---
Can you attach a complete test-case for this?
Colm.
DO NOT REPLY [Bug 47758] Signature validation failure
--- Comment #2 from bhupinder <bh...@gmail.com> 2009-08-28 06:26:07 PDT ---
debug logs for XMLSec
2009-08-28 12:58:27 XMLSignature [DEBUG] SignatureMethodURI =
http://www.w3.org/2000/09/xmldsig#rsa-sha1
2009-08-28 12:58:27 SignatureAlgorithm [DEBUG] Create URI
"http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class
org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
2009-08-28 12:58:27 JCEMapper [DEBUG] Request for URI
http://www.w3.org/2000/09/xmldsig#rsa-sha1
2009-08-28 12:58:27 SignatureBaseRSA [DEBUG] Created SignatureRSA using
SHA1withRSA
2009-08-28 12:58:27 XMLSignature [DEBUG] jceSigAlgorithm = SHA1withRSA
2009-08-28 12:58:27 XMLSignature [DEBUG] jceSigProvider = SunRsaSign
2009-08-28 12:58:27 XMLSignature [DEBUG] PublicKey = Sun RSA public key, 2048
bits
modulus:
25918416882175605177216009726174837316441550828262042204378729573762219256687210251207638298581492791783901925937674819569676189835913463082888950035087140493036515406315054017897863839176877251865992061599674312550362120395818500256745539648051487177355629956843315369742534134646813352152646639953693900612620621197131734341673384743806408779269116272369176371943198756046320523429088308460618442218611336570361829340741104996601445346137166853233642642880297617656502996279597254682668023118574695616838314939925813076224299383401792388720966918690719270245047899588505041531857897977050932365566174686817838760379
public exponent: 65537
2009-08-28 12:58:27 SignerOutputStream [DEBUG] Canonicalized SignedInfo:
2009-08-28 12:58:27 SignerOutputStream [DEBUG] <SignedInfo
xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></CanonicalizationMethod><SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference
URI=""><Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>O2feqgh4rXIaLmVujT3ZJfSsIUg=</DigestValue></Reference></SignedInfo>
2009-08-28 12:58:27 XMLSignature [WARN] Signature verification failed.
DO NOT REPLY [Bug 47758] Signature validation failure
coheigea <co...@apache.org> changed:
What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Resolution |         | WONTFIX
--- Comment #6 from coheigea <co...@apache.org> 2009-10-08 03:06:38 PDT ---
Marking this as won't fix as per my comment.
Colm.
DO NOT REPLY [Bug 47758] Signature validation failure
--- Comment #1 from bhupinder <bh...@gmail.com> 2009-08-28 06:10:49 PDT ---
Below is code used with JDK 6 testing
import java.security.Provider;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// dbf is a namespace-aware DocumentBuilderFactory; KeyValueKeySelector is the KeySelector
// from the JDK's JSR 105 samples that takes the public key from ds:KeyValue.
Document doc = dbf.newDocumentBuilder().parse(byteArrayInputStream);
NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nl.getLength() == 0) {
    System.out.println("0");
    return;
}
String providerName = System.getProperty("jsr105Provider",
        "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
        (Provider) Class.forName(providerName).newInstance());
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
signature.getSignatureValue().validate(valContext);
boolean coreValidity = signature.validate(valContext);
if (!coreValidity) {
    System.err.println("Signature failed");
} else {
    System.out.println("Signature passed");
}
******************************************************************
When I try to validate this signature with the xmlsecurity jar (I tried the latest, 1.4.3), it gives me the error
XMLSignature [WARN] Signature verification failed
Code snippet used for this:
// Fields of the enclosing OpenSAML 1.1 SAMLSignedObject: sig is the ds:Signature,
// sig_from_parse records whether it was built from a DOM, getId() returns the object's ID.
XMLSignature sig = null;

public void verify(Key k) throws SAMLException {
    if (!isSigned()) {
        throw new InvalidCryptoException("SAMLSignedObject.verify() can't verify unsigned object");
    }
    try {
        // Validate the signature content by checking for specific Transforms.
        boolean valid = false;
        SignedInfo si = sig.getSignedInfo();
        if (si.getLength() == 1) {
            Reference ref = si.item(0);
            if (ref.getURI() == null || ref.getURI().equals("") ||
                ref.getURI().equals("#" + getId())) {
                Transforms trans = ref.getTransforms();
                for (int i = 0; i < trans.getLength(); i++) {
                    if (trans.item(i).getURI().equals(Transforms.TRANSFORM_ENVELOPED_SIGNATURE)) {
                        valid = true;
                    } else if (!trans.item(i).getURI().equals(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS)) {
                        valid = false;
                        break;
                    }
                }
            }
        }
        if (!valid) {
            throw new InvalidCryptoException("SAMLSignedObject.verify() detected an invalid signature profile");
        } else {
            log.debug("\n SAMLSignedObject is Valid for Id - " + getId());
        }
        // If k is null, try and find a key inside the signature.
        if (k == null) {
            if (sig_from_parse) {
                k = sig.getKeyInfo().getPublicKey();
            } else {
                // This is really ugly, but when the signature hasn't been fully built from a DOM,
                // none of the interesting bits of keying material are reachable via the API.
                // We have to serialize out the KeyInfo piece, and reparse it.
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                Canonicalizer c = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
                out.write(c.canonicalizeSubtree(sig.getElement().getLastChild()));
                ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
                KeyInfo temp = new KeyInfo(XML.parserPool.parse(in).getDocumentElement(), "");
                k = temp.getPublicKey();
            }
        }
        // ----------------> verification fails here
        if (!sig.checkSignatureValue(k)) {
            throw new InvalidCryptoException("SAMLSignedObject.verify() failed to validate signature value");
        }
    } catch (XMLSecurityException e) {
        throw new InvalidCryptoException("SAMLSignedObject.verify() detected an XML security exception: " + e.getMessage(), e);
    } catch (java.io.IOException e) {
        throw new InvalidCryptoException("SAMLSignedObject.verify() detected an I/O exception: " + e.getMessage(), e);
    } catch (SAXException e) {
        throw new InvalidCryptoException("SAMLSignedObject.verify() detected a XML parsing exception: " + e.getMessage(), e);
    }
}
verification fails here
----------------> if (!sig.checkSignatureValue(k))
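Both validation paths in this thread (Colm's xmlsec snippet in comment #5 and the JSR 105 / OpenSAML 1.1 code in comment #1) come down to the same two questions: does the SignatureValue verify over the canonicalized SignedInfo with a key you actually trust, and does that SignedInfo reference the element you care about. The program below is an added example written for this page; it is not code from the bug report, from Apache Santuario or from OpenSAML. It uses only the JDK's javax.xml.crypto.dsig API (JDK 6 or later), so it can be run against the same base64-decoded SAML response without the xmlsec jar, and when core validation fails it separates a bad SignatureValue from a bad Reference digest and prints the canonical SignedInfo bytes for comparison with the xmlsec debug log. Assumptions: the decoded response is in a file named on the command line, the signed element carries its identifier in an attribute called ID, and the KeyValueKeySelector shape from the JDK samples is acceptable for diagnosis; the class name SamlSignatureCheck and the ID attribute name are my own choices.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.security.Key;
import java.security.PublicKey;
import java.util.List;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlSignatureCheck {
    // Same shape as the JDK sample's KeyValueKeySelector; a key lifted from ds:KeyValue proves nothing about who signed, so a configured trusted key always wins.
    static final class KeyValueKeySelector extends KeySelector {
        private final PublicKey trusted;  // null: fall back to ds:KeyValue (diagnosis only, never in production)
        KeyValueKeySelector(PublicKey trusted) { this.trusted = trusted; }
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
            final PublicKey pk = trusted != null ? trusted : fromKeyValue(keyInfo, method);
            return new KeySelectorResult() { public Key getKey() { return pk; } };
        }
        private static PublicKey fromKeyValue(KeyInfo keyInfo, AlgorithmMethod method) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("no KeyInfo and no trusted key");
            String sigAlg = ((SignatureMethod) method).getAlgorithm();
            for (Object o : keyInfo.getContent()) {
                if (!(o instanceof KeyValue)) continue;
                try {
                    PublicKey pk = ((KeyValue) o).getPublicKey();
                    // rsa-sha1 in SignedInfo has to be paired with an RSA key
                    if (SignatureMethod.RSA_SHA1.equals(sigAlg) && "RSA".equals(pk.getAlgorithm())) return pk;
                } catch (java.security.KeyException e) {
                    throw new KeySelectorException(e);
                }
            }
            throw new KeySelectorException("no usable KeyValue in KeyInfo");
        }
    }

    // The profile check OpenSAML 1.1 applies before touching SignatureValue: exactly one Reference, pointing at the enclosing element, using only enveloped-signature and exclusive C14N transforms.
    static boolean referenceProfileOk(XMLSignature sig, String expectedId) {
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) return false;
        Reference ref = (Reference) refs.get(0);
        String uri = ref.getURI();
        if (uri != null && uri.length() > 0 && !uri.equals("#" + expectedId)) return false;
        boolean enveloped = false;
        for (Object t : ref.getTransforms()) {
            String alg = ((Transform) t).getAlgorithm();
            if (Transform.ENVELOPED.equals(alg)) enveloped = true;
            else if (!CanonicalizationMethod.EXCLUSIVE.equals(alg)) return false;
        }
        return enveloped;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // otherwise getElementsByTagNameNS finds nothing
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));  // the base64-decoded response (assumed path)
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) { System.err.println("no ds:Signature element"); return; }
        Element signed = (Element) nl.item(0).getParentNode();
        if (signed.hasAttribute("ID")) signed.setIdAttribute("ID", true);  // lets a "#ID" Reference dereference without a DTD
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(new KeyValueKeySelector(null), nl.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!referenceProfileOk(sig, signed.getAttribute("ID"))) {
            System.err.println("rejected: Reference/Transforms outside the expected profile");
            return;
        }
        boolean core = sig.validate(ctx);
        System.out.println("core validity: " + core);
        if (core) return;
        // Which half failed? SignatureValue false with every Reference true means the key or the canonical SignedInfo bytes differ; a false Reference means the signed content was altered.
        System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
        for (Object r : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) r;
            System.out.println("Reference '" + ref.getURI() + "' valid: " + ref.validate(ctx));
        }
        // Exactly the bytes SignatureValue covers; diff them against the "Canonicalized SignedInfo" line that xmlsec prints at DEBUG level.
        java.io.InputStream c14n = sig.getSignedInfo().getCanonicalizedData();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = c14n.read(chunk)) > 0; ) buf.write(chunk, 0, n);
        System.out.println(buf.toString("UTF-8"));
    }
}
```

Run it against the saved response; when core validity is false the output says whether the SignatureValue or a Reference digest failed, and the printed SignedInfo can be compared byte for byte with the "Canonicalized SignedInfo" line in the xmlsec log above. Note that the log shows inclusive C14N with comments as the CanonicalizationMethod, so the saml, samlp, xsd and xsi namespace declarations inherited from the enclosing response are part of the signed bytes, and any difference in that ancestor context between signer and verifier changes them. In production the selector must be constructed with the IdP's key rather than trusting the ds:KeyValue carried inside the message, and the profile check is what stops a signature that covers some other element from being accepted as a signature over this one.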
DO NOT REPLY [Bug 47758] Signature validation failure
--- Comment #4 from bhupinder <bh...@gmail.com> 2009-09-01 01:27:41 PDT ---
(In reply to comment #3)
> Can you attach a complete test-case for this?
>
> Colm.
******************************************************************
Hi Colm
This SAML response is posted to my application, which tries to validate the digital signature in the SAML. I am using the OpenSAML 1.1 toolkit, which in turn uses the xmlsec jar for validating the signatures.
I am getting a signature failure error in the logs.
But when I take the same base64 encoded response, store it in a file and use JDK 6 security / Signature verification as per the above code, it works just fine.
Can you please let me know what exactly you are looking for from a test case?
thanks
bhupinder