Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/05/12 07:03:00 UTC

[jira] [Commented] (SANTUARIO-545) Getting issue while validating the signature with single transform and Canonicalization Algorithm xml-exc-c14n#

    [ https://issues.apache.org/jira/browse/SANTUARIO-545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17105149#comment-17105149 ] 

Colm O hEigeartaigh commented on SANTUARIO-545:
-----------------------------------------------

Could you add or link to a test-case to help reproduce the problem?

> Getting issue while validating the signature with single transform and Canonicalization Algorithm xml-exc-c14n#
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: SANTUARIO-545
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-545
>             Project: Santuario
>          Issue Type: Wish
>          Components: Java
>    Affects Versions: Java 2.0.8
>            Reporter: Rajan kumar
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>
> Hi Team,
> I am getting "digest value comparison" issue while validating the digital signature when we remove the second transform i.e. the normalization-algorithm.
>  *Existing code* :-
> We are already signing the message with the CanonicalizationMethod and two Transforms below:-
> {code:java}
> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>   <dsig:SignedInfo>
>     <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>     <dsig:Reference URI="">
>       <dsig:Transforms>
>         <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <dsig:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
>       </dsig:Transforms>
>       <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <dsig:DigestValue></dsig:DigestValue>
>     </dsig:Reference>
>   </dsig:SignedInfo>
>   <dsig:SignatureValue></dsig:SignatureValue>
>   <dsig:KeyInfo>
>     <dsig:X509Data>
>       <dsig:X509SubjectName></dsig:X509SubjectName>
>     </dsig:X509Data>
>   </dsig:KeyInfo>
> </dsig:Signature>
> {code}
> Now, the client's requirement is changed and we want to have only *single transform*, so we removed the second transformation i.e. <dsig:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> from our digital signature configuration.
> And now we are able to generate the signature with a single transform as below:-
> {code:java}
> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>   <dsig:SignedInfo>
>     <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>     <dsig:Reference URI="">
>       <dsig:Transforms>
>         <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>       </dsig:Transforms>
>       <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <dsig:DigestValue></dsig:DigestValue>
>     </dsig:Reference>
>   </dsig:SignedInfo>
>   <dsig:SignatureValue></dsig:SignatureValue>
>   <dsig:KeyInfo>
>     <dsig:X509Data>
>       <dsig:X509SubjectName></dsig:X509SubjectName>
>     </dsig:X509Data>
>   </dsig:KeyInfo>
> </dsig:Signature>
> {code}
>  
> However, while validating, one more Transform type is added in the method *buildTransformerChain()* in the class *AbstractSignatureReferenceVerifyInputProcessor.java*. Below is the code snippet:-
> {code:java}
> // In buildTransformerChain(): when enveloped-signature is the only transform in the
> // Reference, an inclusive C14N (omit comments) transform is appended so that the
> // resulting node-set can be turned into octets and digested.
> if (transformTypeList.size() == 1 &&
>         XMLSecurityConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE.equals(transformTypeList.get(0).getAlgorithm())) {
>     TransformType transformType = new TransformType();
>     transformType.setAlgorithm(XMLSecurityConstants.NS_C14N_OMIT_COMMENTS);
>     transformTypeList.add(transformType);
> }
> {code}
> And it fails while comparing digest values in the *compareDigest()* method.
> +Below is the error stack:-+
> {code:java}
> org.apache.xml.security.exceptions.XMLSecurityException: Invalid digest of reference .
>     at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor.compareDigest(AbstractSignatureReferenceVerifyInputProcessor.java:394)
>     at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.processEvent(AbstractSignatureReferenceVerifyInputProcessor.java:460)
>     at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.processNextEvent(AbstractSignatureReferenceVerifyInputProcessor.java:436)
>     at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:188)
>     at org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor.processNextEvent(XMLSecurityInputProcessor.java:76)
>     at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:188)
>     at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:81)
>     at com.clear2pay.bph.ips.digitalsignature.impl.XMLDigitalSignatureValidator.traverseSecuritystreamReader(XMLDigitalSignatureValidator.java:170)
> {code}
>  
> So, is the second transform mandatory when we use the CanonicalizationMethod Algorithm "http://www.w3.org/2001/10/xml-exc-c14n#"?
> Or is there any workaround so that we can pass the validation with a single Transform in the digital signature?
> Request you to please respond on an urgent basis.
> *Note :-* We are using version 2.0.8 of the xmlSec jar.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
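Added diagnostic for the "Invalid digest of reference" failure discussed in the ticket; it is not part of the issue, of the reporter's code or of Santuario itself. Using the standard JSR 105 DOM API it validates the SignatureValue and each Reference digest separately, prints the stored versus recomputed digest, and reports whether the Reference's transform chain ends in an explicit canonicalization step or relies on the XMLDSig default (inclusive Canonical XML with comments omitted, the same algorithm the StAX verifier appends when enveloped-signature is the only transform); `signedDoc` and `signerKey` are assumed to be supplied by the caller.

```java
import java.security.PublicKey;
import java.util.Base64;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Pinpoints which part of an enveloped XMLDSig signature fails core validation (JSR 105 / DOM API). */
public final class ReferenceDigestDiagnostics {
    // XMLDSig: a node-set left by the last transform is turned into octets with inclusive Canonical XML
    // (comments omitted) before digesting; the signer must produce the same octets or digests differ.
    static final String IMPLIED_C14N = CanonicalizationMethod.INCLUSIVE;

    /** Returns true if core validation passes; otherwise prints which component failed and why. */
    public static boolean validateAndReport(Document signedDoc, PublicKey signerKey) throws Exception {
        NodeList sigs = signedDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) {
            throw new IllegalArgumentException("document carries no ds:Signature element");
        }
        DOMValidateContext ctx = new DOMValidateContext(signerKey, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) {
            return true;
        }
        // Core validation = SignatureValue over SignedInfo + every Reference digest; check each separately.
        System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            boolean digestOk = ref.validate(ctx);          // also populates getCalculatedDigestValue()
            System.out.printf("Reference URI='%s' digest valid: %s%n", ref.getURI(), digestOk);
            if (!digestOk) {
                // Stored vs. recomputed digest: a canonicalization mismatch shows up here just like tampering.
                System.out.println("  stored digest:     " + Base64.getEncoder().encodeToString(ref.getDigestValue()));
                System.out.println("  calculated digest: " + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()));
                describeTransformChain(ref);
            }
        }
        return false;
    }

    static void describeTransformChain(Reference ref) {
        List<?> transforms = ref.getTransforms();
        String last = transforms.isEmpty() ? "(none)"
                : ((Transform) transforms.get(transforms.size() - 1)).getAlgorithm();
        System.out.println("  last transform: " + last);
        if (!last.contains("c14n")) {   // matches the xml-c14n, xml-c14n11 and xml-exc-c14n URIs
            System.out.println("  no explicit C14N at the end of the chain; verifier falls back to " + IMPLIED_C14N);
        }
    }
}
```

If the SignatureValue validates but the Reference digest does not, the signed bytes were not altered in transit and the difference lies in how signer and verifier serialised the node-set; aligning both sides on an explicit final C14N transform removes that ambiguity.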