Posted to dev@santuario.apache.org by Caroline Foster <ca...@runbox.com> on 2003/06/04 10:20:53 UTC
Re: Verifying a sibling referenced by id
Thanks, I can now verify my references OK using the SignedInfo.verify
method.
However I still have a problem in that my checkSignatureValue is still
returning false.
On further investigation I find that if I sign 2 identical xml files with
the same private key, the SignedInfo elements are identical, but the
signature values are different. I don't understand how this can be; I was
expecting them to be the same - can you help?
Caroline.
On Sat, 31 May 2003 22:06:39 +0200, Christian Geuer-Pollmann
<geuer-pollmann@nue.et-inf.uni-siegen.de> wrote:
>
> On an XMLSignatureInput, there are methods to get the octets which are
> signed. You can use this to 'debug' your signature.
>
> On the SignedInfo, fetch the input and the result of the transforms (what
> your ResourceResolvers fetch and what your transforms make of it).
>
> XMLSignatureInput before = signedInfo.getReferencedContentBeforeTransformsItem(i);
> XMLSignatureInput after = signedInfo.getReferencedContentAfterTransformsItem(i);
>
> String htmlI = before.getHTMLRepresentation();
> String htmlO = after.getHTMLRepresentation();
>
> Write these Strings to an HTML file and see via your web browser what
> nodes in the node set are being signed...
>
> Christian
>
>
>
> --On Samstag, 31. Mai 2003 12:17 +0200 Caroline Foster
> <ca...@runbox.com> wrote:
>
>> I've been having trouble verifying the signature on a document that I
>> have signed.
>>
>> My document is of the form
>> <root>
>> <envelope id="myref"/>
>> <ds:Signature ...>
>> <ds:Reference URI="#myref"...>
>> ...
>> </ds:Signature>
>> </root>
>>
>> After working my way through a number of errors where no
>> ResourceResolver
>> could be found to resolve the reference, I now suspect my problem is that
>> the signature is a sibling of the signed element, and as such is treated
>> as a detached signature.
>>
>> However when I create a custom resolver which creates an
>> XMLSignatureInput object from my referenced element, the
>> checkSignatureValue (I supply the Public Key from an externally held
>> certificate) method still returns false.
>>
>> Can anyone shed any light on where I might be going wrong?
>>
>> thx,
>> Caroline.
>
>
>
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: Verifying a sibling referenced by id
Posted by Christian Geuer-Pollmann <ge...@nue.et-inf.uni-siegen.de>.
--On Mittwoch, 4. Juni 2003 17:40 +0200 Caroline Foster
<ca...@runbox.com> wrote:
> A couple of extra things I had to do:
> 1. When serializing the xml to file after signing, the serializer must be
> set to preserve whitespace.
Whitespace is important ;-)) If you change/beautify/indent signed
whitespace, signatures break.
> 2. When signing a document with a namespace,
> I had to add the signature element to the document *before* signing. For
> all other documents it doesn't seem to matter whether you add it before
> or afterwards.
This is true if the signed contents are in the same document. For instance,
if you make <Reference URI=""> or use enveloped-signature or the here()
function, then the Signature must be right in its final destination before
signing.
> I mention these points in case they help anyone else with similar
> problems.
Thanks,
Christian
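Putting the thread's points together in one runnable program, as an added example written for this page (it is not code from the thread or from the Apache Santuario project): the Signature element is appended to its final position under <root> before signing, each Reference's octets before and after the transforms are dumped the way Christian suggested earlier in the thread, and the signed document is serialized once with whitespace preserved and once re-indented to show that only the former still verifies. It assumes a current Santuario (org.apache.xml.security) 2.x/3.x API, a DOM Level 3 parser, and RSA-SHA256 rather than the DSA the thread used; the sample XML, the `envelope` element and the `myref` id are constructed to mirror the document shape in the first message.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SiblingReferenceDemo {

    static { Init.init(); } // Santuario must be initialised before any signature work

    // Constructed sample: the signed <envelope> and the <ds:Signature> end up as siblings under <root>.
    private static final String SAMPLE_XML =
        "<root><envelope id=\"myref\"><payload>hello</payload></envelope></root>";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // the ds: namespace must be recognised
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Register "id" as an ID attribute so URI="#myref" can be dereferenced (assumption: this
    // Santuario version resolves same-document references through the DOM's getElementById).
    static void registerId(Document doc) {
        Element envelope = (Element) doc.getElementsByTagName("envelope").item(0);
        envelope.setIdAttribute("id", true);
    }

    // Serialize the DOM; indent=false keeps whitespace exactly as signed, indent=true "beautifies" it.
    static byte[] serialize(Document doc, boolean indent) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, indent ? "yes" : "no");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    static Document sign(KeyPair kp) throws Exception {
        Document doc = parse(SAMPLE_XML.getBytes(StandardCharsets.UTF_8));
        registerId(doc);
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        // Put the Signature element in its final place BEFORE signing: same-document
        // references are resolved against the live tree, so the element must already be in it.
        doc.getDocumentElement().appendChild(sig.getElement());
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#myref", transforms, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.sign(kp.getPrivate());
        return doc;
    }

    // The debugging step from the thread: for each Reference, show what the resolver fetched
    // and what the transforms turned it into (the latter is what actually gets digested).
    static void dumpReferences(SignedInfo si) throws Exception {
        for (int i = 0; i < si.getLength(); i++) {
            XMLSignatureInput before = si.getReferencedContentBeforeTransformsItem(i);
            XMLSignatureInput after = si.getReferencedContentAfterTransformsItem(i);
            System.out.println("Reference " + i + " before transforms:\n"
                + new String(before.getBytes(), StandardCharsets.UTF_8));
            System.out.println("Reference " + i + " after transforms (digested octets):\n"
                + new String(after.getBytes(), StandardCharsets.UTF_8));
        }
    }

    static boolean verify(byte[] signedXml, PublicKey pub) throws Exception {
        Document doc = parse(signedXml);
        registerId(doc); // ID registration does not survive a round trip through a file
        Element sigEl = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        XMLSignature sig = new XMLSignature(sigEl, "");
        dumpReferences(sig.getSignedInfo());
        return sig.checkSignatureValue(pub);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document signed = sign(kp);
        // Whitespace preserved: the digested octets are unchanged, so this verifies.
        System.out.println("preserved whitespace verifies: " + verify(serialize(signed, false), kp.getPublic()));
        // Re-indented: indentation whitespace is inserted inside <envelope>, so its canonical
        // form and digest no longer match and this is expected to report false.
        System.out.println("re-indented copy verifies:     " + verify(serialize(signed, true), kp.getPublic()));
    }
}
```

When the second verification fails, the two dumps of "after transforms" octets (one from each run) are the fastest way to see exactly which whitespace text nodes were introduced; that is the comparison Christian is recommending, with the octets printed to the console instead of written out as HTML.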
Re: Verifying a sibling referenced by id
Posted by Caroline Foster <ca...@runbox.com>.
Thanks for all your help, I now have my signatures verifying with no
complaints.
A couple of extra things I had to do:
1. When serializing the xml to file after signing, the serializer must be
set to preserve whitespace.
2. When signing a document with a namespace, I had to add the signature
element to the document *before* signing. For all other documents it
doesn't seem to matter whether you add it before or afterwards.
I mention these points in case they help anyone else with similar problems.
rgz,
Caroline.
On Wed, 04 Jun 2003 10:27:04 +0200, Christian Geuer-Pollmann
<geuer-pollmann@nue.et-inf.uni-siegen.de> wrote:
>
>
> --On Mittwoch, 4. Juni 2003 10:20 +0200 Caroline Foster
> <ca...@runbox.com> wrote:
>
>> Thanks, I can now verify my references OK using the SignedInfo.verify
>> method. However I still have a problem in that my checkSignatureValue is
>> still returning false.
>
> Check the signed octets and the verified octets and find the difference --
> and use that to debug your signature.
>
>> On further investigation I find that if I sign 2 identical xml files
>> with the same private key, the SignedInfo elements are identical, but
>> the signature values are different. I don't understand how this can be;
>> I was expecting them to be the same - can you help?
>
> DSA signatures use a time-variant parameter. When you sign the same
> octets multiple times, each signature MUST look different, but all MUST
> be valid.
>
> Christian
>
>
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: Verifying a sibling referenced by id
Posted by Christian Geuer-Pollmann <ge...@nue.et-inf.uni-siegen.de>.
--On Mittwoch, 4. Juni 2003 10:20 +0200 Caroline Foster
<ca...@runbox.com> wrote:
> Thanks, I can now verify my references OK using the SignedInfo.verify
> method. However I still have a problem in that my checkSignatureValue is
> still returning false.
Check the signed octets and the verified octets and find the difference --
and use that to debug your signature.
> On further investigation I find that if I sign 2 identical xml files
> with the same private key, the SignedInfo elements are identical, but the
> signature values are different. I don't understand how this can be; I was
> expecting them to be the same - can you help?
DSA signatures use a time-variant parameter. When you sign the same octets
multiple times, each signature MUST look different, but all MUST be valid.
Christian
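To see the DSA behaviour Christian describes without any XML in the way, here is an added example that uses only the JDK's JCA classes (it is not code from the thread or from Santuario). It signs the same constructed byte string twice with one DSA key: the two signature values differ because the DSA signer draws a fresh random per-signature nonce each time, yet both verify. For contrast it repeats the exercise with RSA PKCS#1 v1.5, which is deterministic and yields byte-identical values. The `SIGNED_INFO_OCTETS` constant is a constructed stand-in for the canonicalized SignedInfo bytes; the algorithm names and key sizes are standard JDK ones.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Arrays;
import java.util.Base64;

public class SignatureDeterminismDemo {

    // Constructed stand-in for the canonicalized <ds:SignedInfo> octets, identical on both runs.
    private static final byte[] SIGNED_INFO_OCTETS =
        "<ds:SignedInfo>identical canonical bytes</ds:SignedInfo>".getBytes(StandardCharsets.UTF_8);

    static byte[] sign(String algorithm, KeyPair kp, byte[] data) throws Exception {
        Signature s = Signature.getInstance(algorithm);
        s.initSign(kp.getPrivate()); // for DSA the provider draws a fresh random nonce per signature
        s.update(data);
        return s.sign();
    }

    static boolean verify(String algorithm, KeyPair kp, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance(algorithm);
        s.initVerify(kp.getPublic());
        s.update(data);
        return s.verify(sig);
    }

    // Sign the same octets twice, then report whether the values match and whether each verifies.
    static void demo(String keyAlg, int bits, String sigAlg) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlg);
        kpg.initialize(bits);
        KeyPair kp = kpg.generateKeyPair();

        byte[] sig1 = sign(sigAlg, kp, SIGNED_INFO_OCTETS);
        byte[] sig2 = sign(sigAlg, kp, SIGNED_INFO_OCTETS);
        System.out.println(sigAlg);
        System.out.println("  value 1: " + Base64.getEncoder().encodeToString(sig1));
        System.out.println("  value 2: " + Base64.getEncoder().encodeToString(sig2));
        // Byte equality of SignatureValue across runs is the wrong check for a randomized scheme...
        System.out.println("  byte-identical: " + Arrays.equals(sig1, sig2));
        // ...cryptographic verification is the right one, and both values pass it.
        System.out.println("  both verify:    "
            + (verify(sigAlg, kp, SIGNED_INFO_OCTETS, sig1) && verify(sigAlg, kp, SIGNED_INFO_OCTETS, sig2)));

        // A single flipped bit in the signed octets is what a false from verification actually means.
        byte[] tampered = SIGNED_INFO_OCTETS.clone();
        tampered[0] ^= 0x01;
        System.out.println("  tampered verifies: " + verify(sigAlg, kp, tampered, sig1));
    }

    public static void main(String[] args) throws Exception {
        demo("DSA", 2048, "SHA256withDSA"); // randomized: byte-identical is false, both verify
        demo("RSA", 2048, "SHA256withRSA"); // PKCS#1 v1.5 is deterministic: byte-identical is true
    }
}
```

The lesson for the thread's question is that differing SignatureValue elements over an identical SignedInfo are expected with DSA (and with ECDSA, which uses the same kind of nonce) and say nothing about correctness; a false from checkSignatureValue points at the signed octets, which the previous example's before/after dump is there to expose.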