Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/05/12 07:03:00 UTC
[jira] [Commented] (SANTUARIO-545) Getting issue while validating the signature with single transform and Canonicalization Algorithm xml-exc-c14n#
[ https://issues.apache.org/jira/browse/SANTUARIO-545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17105149#comment-17105149 ]
Colm O hEigeartaigh commented on SANTUARIO-545:
-----------------------------------------------
Could you add or link to a test-case to help reproduce the problem?
> Getting issue while validating the signature with single transform and Canonicalization Algorithm xml-exc-c14n#
> ---------------------------------------------------------------------------------------------------------------
>
> Key: SANTUARIO-545
> URL: https://issues.apache.org/jira/browse/SANTUARIO-545
> Project: Santuario
> Issue Type: Wish
> Components: Java
> Affects Versions: Java 2.0.8
> Reporter: Rajan kumar
> Assignee: Colm O hEigeartaigh
> Priority: Critical
>
> Hi Team,
> I am getting a "digest value comparison" issue while validating the digital signature when we remove the second transform, i.e. the normalization algorithm.
> *Existing code*:-
> We are already signing the message with the below CanonicalizationMethod and two Transforms:-
> {code:java}
> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> <dsig:SignedInfo>
> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> <dsig:Reference URI="">
> <dsig:Transforms>
> <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <dsig:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
> </dsig:Transforms>
> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <dsig:DigestValue></dsig:DigestValue>
> </dsig:Reference>
> </dsig:SignedInfo>
> <dsig:SignatureValue></dsig:SignatureValue>
> <dsig:KeyInfo>
> <dsig:X509Data>
> <dsig:X509SubjectName></dsig:X509SubjectName>
> </dsig:X509Data>
> </dsig:KeyInfo>
> </dsig:Signature>{code}
> Now the client's requirement has changed and we want to have only a *single transform*, so we removed the second transformation, i.e. <dsig:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>, from our digital signature configuration.
> And now we are able to generate the signature with a single transform as below:-
> {code:java}
> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> <dsig:SignedInfo>
> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> <dsig:Reference URI="">
> <dsig:Transforms>
> <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </dsig:Transforms>
> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <dsig:DigestValue></dsig:DigestValue>
> </dsig:Reference>
> </dsig:SignedInfo>
> <dsig:SignatureValue></dsig:SignatureValue>
> <dsig:KeyInfo>
> <dsig:X509Data>
> <dsig:X509SubjectName></dsig:X509SubjectName>
> </dsig:X509Data>
> </dsig:KeyInfo>
> </dsig:Signature>{code}
>
> However, while validating, one more Transform type is added in method *buildTransformerChain*() in class *AbstractSignatureReferenceVerifyInputProcessor.java*. Below is the code snippet:-
> {code:java}
> if (transformTypeList.size() == 1
>         && XMLSecurityConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE.equals(transformTypeList.get(0).getAlgorithm())) {
>     // Only the enveloped-signature transform is present: append an inclusive C14N (omit comments) transform
>     TransformType transformType = new TransformType();
>     transformType.setAlgorithm(XMLSecurityConstants.NS_C14N_OMIT_COMMENTS);
>     transformTypeList.add(transformType);
> }
> {code}
> And it fails while comparing digest values in the *compareDigest()* method.
> +Below is the error stack:-+
> {code:java}
> org.apache.xml.security.exceptions.XMLSecurityException: Invalid digest of reference .
>     at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor.compareDigest(AbstractSignatureReferenceVerifyInputProcessor.java:394)
>     at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.processEvent(AbstractSignatureReferenceVerifyInputProcessor.java:460)
>     at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.processNextEvent(AbstractSignatureReferenceVerifyInputProcessor.java:436)
>     at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:188)
>     at org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor.processNextEvent(XMLSecurityInputProcessor.java:76)
>     at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:188)
>     at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:81)
>     at com.clear2pay.bph.ips.digitalsignature.impl.XMLDigitalSignatureValidator.traverseSecuritystreamReader(XMLDigitalSignatureValidator.java:170)
> {code}
>
> So, is the second transform mandatory when we use the CanonicalizationMethod Algorithm "http://www.w3.org/2001/10/xml-exc-c14n#"?
> Or is there any workaround so that we pass the validation with a single Transform in the digital signature?
> Request you to please respond on an urgent basis.
> *Note:-* We are using version 2.0.8 of the xmlSec jar.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
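A self-contained reproducer of the kind requested in the comment above, added here as an example; it is not code from the issue or from the Santuario code base. It uses the JSR 105 DOM API (javax.xml.crypto.dsig) shipped with the JDK rather than the StAX API in the stack trace, but builds the same SignedInfo shape: exclusive C14N as the CanonicalizationMethod, RSA-SHA256, and a Reference with URI="" carrying only the enveloped-signature transform. XML Signature Core requires that when the last transform yields a node-set, the verifier canonicalize it with inclusive Canonical XML before digesting, which is what the appended NS_C14N_OMIT_COMMENTS transform quoted above does; a signer that instead digests the serialized bytes as-is produces exactly the "Invalid digest of reference" failure, so the check worth running is whether a signer and verifier from the same library agree (they do here) and, when they do not, which Reference's digest is off. The payload is a constructed sample, and the digest is SHA-256 rather than the issue's SHA-1, which recent JDKs disallow under their default secure validation policy.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Sign/verify round trip: exc-c14n SignedInfo, one Reference (URI="") with only the enveloped-signature transform. */
public class SingleTransformRoundTrip {

    // Same SignatureMethod URI as the issue; a string literal because the SignatureMethod constant only exists from Java 11
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample payload (not from the issue); the signature is enveloped under its root element
    static final String PAYLOAD = "<Order xmlns=\"urn:example:orders\"><Item>widget</Item><Qty>3</Qty></Order>";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                   // needed to resolve the dsig: namespace
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  // bound entity expansion
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs in signed payloads
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Enveloped signature over the whole document with the single enveloped-signature transform. */
    static byte[] sign(byte[] xml, KeyPair kp) throws Exception {
        Document doc = parse(xml);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Transform enveloped = fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(enveloped), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        XMLSignature sig = fac.newXMLSignature(si,
                kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic()))));
        sig.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    /** True when core validation passes; otherwise prints whether SignatureValue or a Reference digest failed. */
    static boolean verify(byte[] signedXml, PublicKey key) throws Exception {
        Document doc = parse(signedXml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("expected exactly one ds:Signature, found " + sigs.getLength());
        }
        DOMValidateContext ctx = new DOMValidateContext(key, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean coreValid = sig.validate(ctx);
        if (!coreValid) {
            // Distinguish a bad SignatureValue from a Reference whose recomputed digest does not match
            System.out.println("SignatureValue ok: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference r = (Reference) o;
                System.out.println("Reference '" + r.getURI() + "' digest ok: " + r.validate(ctx));
            }
        }
        return coreValid;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] signed = sign(PAYLOAD.getBytes(StandardCharsets.UTF_8), kp);
        System.out.println("untouched document verifies: " + verify(signed, kp.getPublic()));

        // Alter signed content after signing: core validation fails and the Reference digest is reported as bad
        String tampered = new String(signed, StandardCharsets.UTF_8).replace("<Qty>3</Qty>", "<Qty>30</Qty>");
        System.out.println("tampered document verifies: " + verify(tampered.getBytes(StandardCharsets.UTF_8), kp.getPublic()));
    }
}
```

Because the same implementation signs and verifies, the untouched document validates: both sides canonicalize the node-set left by the enveloped-signature transform with inclusive C14N before hashing. If a document signed by a different producer fails in the same way as the issue describes while the SignatureValue check passes, the per-Reference output narrows the cause to how that producer computed DigestValue (for instance over the serialized bytes without the implicit canonicalization), which is the first thing to compare before changing the transform list.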