Posted to dev@santuario.apache.org by Caroline Foster <ca...@runbox.com> on 2003/06/04 10:20:53 UTC

Re: Verifying a sibling referenced by id

Thanks, I can now verify my references OK using the SignedInfo.verify 
method.
However I still have a problem in that my checkSignatureValue is still 
returning false.

On further investigation I find that if I sign 2 identical xml files with 
the same private key, the SignedInfo elements are identical, but the 
signature values are different. I don't understand how this can be, I was 
expecting them to be the same - can you help?

Caroline.

On Sat, 31 May 2003 22:06:39 +0200, Christian Geuer-Pollmann 
<geuer-pollmann@nue.et-inf.uni-siegen.de> wrote:

>
> On an XMLSignatureInput, there are methods to get the octets which are 
> signed. You can use this to 'debug' your signature.
>
> On the SignedInfo, fetch the input and the result of the transforms (what 
> your ResourceResolvers fetch and what your transforms make of it).
>
> before = signedInfo.getReferencedContentBeforeTransformsItem(i)
> after = signedInfo.getReferencedContentAfterTransformsItem(i)
>
> String htmlI = before.getHTMLRepresentation()
> String htmlO = after.getHTMLRepresentation()
>
> Write these Strings to an HTML file and see via your web browser what 
> nodes in the node set are being signed...
>
> Christian
>
>
>
> --On Saturday, 31 May 2003 12:17 +0200 Caroline Foster 
> <ca...@runbox.com> wrote:
>
>> I've been having trouble verifying the signature on a document that I
>> have signed.
>>
>> My document is of the form
>> <root>
>> <envelope id="myref"/>
>> <ds:Signature ...>
>> <ds:Reference URI="#myref"...>
>> ...
>> </ds:Signature>
>> </root>
>>
>> After working my way through a number of errors where no ResourceResolver
>> could be found to resolve the reference, I now suspect my problem is that
>> the signature is a sibling of the signed element, and as such is treated
>> as a detached signature.
>>
>> However when I create a custom resolver which creates an
>> XMLSignatureInput object from my referenced element, the
>> checkSignatureValue (I supply the Public Key from an externally held
>> certificate) method still returns false.
>>
>> Can anyone shed any light on where I might be going wrong?
>>
>> thx,
>> Caroline.
>
>
>



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Re: Verifying a sibling referenced by id

Posted by Christian Geuer-Pollmann <ge...@nue.et-inf.uni-siegen.de>.

--On Wednesday, 4 June 2003 17:40 +0200 Caroline Foster 
<ca...@runbox.com> wrote:

> A couple of extra things I had to do:
> 1. When serializing the xml to file after signing, the serializer must be
> set to preserve whitespace.

Whitespace is important ;-)) If you change/beautify/indent signed 
whitespace, signatures break.

> 2. When signing a document with a namespace,
> I had to add the signature element to the document *before* signing. For
> all other documents it doesn't seem to matter whether you add it before
> or afterwards.

This is true if the signed contents are in the same document. For instance, 
if you make <Reference URI=""> or use enveloped-signature or the here() 
function, then the Signature must be right in its final destination before 
signing.

> I mention these points in case they help anyone else with similar
> problems.

Thanks,
Christian

Re: Verifying a sibling referenced by id

Posted by Caroline Foster <ca...@runbox.com>.
Thanks for all your help, I now have my signatures verifying with no 
complaints.

A couple of extra things I had to do:
1. When serializing the xml to file after signing, the serializer must be 
set to preserve whitespace.
2. When signing a document with a namespace, I had to add the signature 
element to the document *before* signing. For all other documents it 
doesn't seem to matter whether you add it before or afterwards.

I mention these points in case they help anyone else with similar problems.

rgz,
Caroline.

On Wed, 04 Jun 2003 10:27:04 +0200, Christian Geuer-Pollmann 
<geuer-pollmann@nue.et-inf.uni-siegen.de> wrote:

>
>
> --On Wednesday, 4 June 2003 10:20 +0200 Caroline Foster 
> <ca...@runbox.com> wrote:
>
>> Thanks, I can now verify my references OK using the SignedInfo.verify
>> method. However I still have a problem in that my checkSignatureValue is
>> still returning false.
>
> Check the signed octets and the verified octets and find the difference -- 
> and use that to debug your signature.
>
>> On further investigation I find that if I sign 2 identical xml files
>> with the same private key, the SignedInfo elements are identical, but the
>> signature values are different. I don't understand how this can be, I was
>> expecting them to be the same - can you help?
>
> DSA signatures use a time-variant parameter. When you sign the same 
> octets multiple times, each signature MUST look different, but all MUST 
> be valid.
>
>
> Christian
>
>




Re: Verifying a sibling referenced by id

Posted by Christian Geuer-Pollmann <ge...@nue.et-inf.uni-siegen.de>.

--On Wednesday, 4 June 2003 10:20 +0200 Caroline Foster 
<ca...@runbox.com> wrote:

> Thanks, I can now verify my references OK using the SignedInfo.verify
> method. However I still have a problem in that my checkSignatureValue is
> still returning false.

Check the signed octets and the verified octets and find the difference -- 
and use that to debug your signature.

> On further investigation I find that if I sign 2 identical xml files
> with the same private key, the SignedInfo elements are identical, but the
> signature values are different. I don't understand how this can be, I was
> expecting them to be the same - can you help?

DSA signatures use a time-variant parameter. When you sign the same octets 
multiple times, each signature MUST look different, but all MUST be valid.


Christian
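As an added example (not code from this thread or from the Apache XML Security library), the Go program below demonstrates the two points Christian makes in the thread: re-indenting the signed element gives octets whose digest no longer matches what the Reference recorded, and DSA signatures over identical SignedInfo octets differ from one another yet both verify. The XML fragments and the SignedInfo stand-in are constructed, and the digest is taken over raw octets with no canonicalization transform applied.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// Constructed stand-ins for the thread's document: the referenced element as
// it was signed, and the same element after a serializer re-indented it.
var (
	envelopeSigned   = []byte(`<root><envelope id="myref"/></root>`)
	envelopeIndented = []byte("<root>\n  <envelope id=\"myref\"/>\n</root>")
)

// digestValue is the SHA-1 a ds:Reference would carry over these octets.
func digestValue(octets []byte) [sha1.Size]byte {
	return sha1.Sum(octets)
}

// signTwice signs one SignedInfo byte string twice with the same fresh DSA key
// and reports whether the two signatures differ and whether both verify.
func signTwice(signedInfo []byte) (differ, bothValid bool, err error) {
	var priv dsa.PrivateKey
	if err = dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return false, false, err
	}
	if err = dsa.GenerateKey(&priv, rand.Reader); err != nil {
		return false, false, err
	}
	h := sha1.Sum(signedInfo) // DSA signs the digest of SignedInfo, not the XML
	r1, s1, err1 := dsa.Sign(rand.Reader, &priv, h[:])
	r2, s2, err2 := dsa.Sign(rand.Reader, &priv, h[:])
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("dsa.Sign failed: %v / %v", err1, err2)
	}
	// A fresh random k per signature makes (r, s) differ; both still verify.
	differ = r1.Cmp(r2) != 0 || s1.Cmp(s2) != 0
	bothValid = dsa.Verify(&priv.PublicKey, h[:], r1, s1) && dsa.Verify(&priv.PublicKey, h[:], r2, s2)
	return differ, bothValid, nil
}

func main() {
	fmt.Println("digest survives re-indent:", digestValue(envelopeSigned) == digestValue(envelopeIndented))
	differ, valid, err := signTwice([]byte("<ds:SignedInfo>...</ds:SignedInfo>"))
	if err != nil {
		panic(err)
	}
	fmt.Println("signatures differ:", differ, "both verify:", valid)
}
```

The same behaviour is why comparing two SignatureValue elements tells you nothing; compare the signed and verified octets, as the thread recommends, and rely on verification for the signature itself.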