Posted to dev@santuario.apache.org by bu...@apache.org on 2006/11/08 01:38:42 UTC

DO NOT REPLY [Bug 40921] New: - XML contents modified and signature normally validated.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40921>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40921

           Summary: XML <X509Certificate> contents modified and signature
                    normally validated.
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: fillipelima@gmail.com


Hello

I am using the XML Signature API (javax.xml.crypto) in order to generate and
verify signatures in XML documents (enveloped type).

When verifying the signature, if I have changed some data, the signature is
invalidated (that's OK and correct). But if I have changed the content of the
<X509Certificate> tag by putting in a different certificate, the signature is
normally validated.

I defined <Reference URI=""> indicating that the whole document must be
signed (according to the W3C specifications).

Is there something wrong?

Here is my xml before sign:
=======================================

<?xml version="1.0" encoding="UTF-8" ?>
<NotasFaltas>
  <ano>2006</ano>
  <semestre>2</semestre>
  <turma>52A</turma>
  <idtProf>15</idtProf>
  <idtDisc>2</idtDisc>
  <unidade>3</unidade>
  <alunos class="linked-list">
    <Aluno>
      <idtAlu>1</idtAlu>
      <nota>1.0</nota>
      <faltas>2</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>2</idtAlu>
      <nota>3.0</nota>
      <faltas>4</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>3</idtAlu>
      <nota>5.0</nota>
      <faltas>6</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>4</idtAlu>
      <nota>7.0</nota>
      <faltas>8</faltas>
    </Aluno>
  </alunos>
</NotasFaltas>


Here is my xml after sign:
=======================================


<?xml version="1.0" encoding="UTF-8" ?>
<NotasFaltas>
  <ano>2006</ano>
  <semestre>2</semestre>
  <turma>52A</turma>
  <idtProf>15</idtProf>
  <idtDisc>2</idtDisc>
  <unidade>3</unidade>
  <alunos class="linked-list">
    <Aluno>
      <idtAlu>1</idtAlu>
      <nota>1.0</nota>
      <faltas>2</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>2</idtAlu>
      <nota>3.0</nota>
      <faltas>4</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>3</idtAlu>
      <nota>5.0</nota>
      <faltas>6</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>4</idtAlu>
      <nota>7.0</nota>
      <faltas>8</faltas>
    </Aluno>
  </alunos>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>ltbvesKBO+VTvcovJyJ0VVkSaJM=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>I0lQECSCl5ITnF8uK/uMDZO2dgo0eLWFz4GMrV6I+FZmN2TbCr6Nj4LF62I7s2DVVrXybEsJmn/i
00EPNyYflhQjbp2/EXFZ+pu8wu5mRtm2LmcRGXbJz6CBEkfOXzFdE8lmw3MPmDT/NsnM3KXavDJZ
Ah2xubknF/+Mjq7WDQE=</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>unmSpz4AW43DBUeUtbGDxyEBOmKUiAM136ZrGOlJRzximnaFjABuQ7Ucix5Ru60DLlUH5Q3KHfDW
aimUe3ufnWUWSGkbNUGYtwdqv/54LvTvW3SMA0IuvfqUmdF+AJgHCWv0rEYizswKaeNgMak+/oWL
MBrOwE2+fhB6l87tBo8=</Modulus>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
      <X509Data>
        <X509Certificate>MIIE5TCCA82gAwIBAgIQMjAwNjA3MjgxNjQzMjMwMjANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UE...</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</NotasFaltas>

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by Sean Mullan <Se...@Sun.COM>.
jason marshall wrote:
> Okay.  In the Apache XMLSec code, this happens more or less
> automatically (That is, you verify the signature with
> checkSignatureValue, which takes a key as an argument, and may or may
> not also check references depending on what other settings you've
> specified).
> 
> I'm not really all that familiar with the JDK 1.6 API. In looking at
> it I see it changed quite considerably more than I expected, which
> probably explains most of my confusion.  I assumed that the bug was
> against the apache implementation (this is the apache bug database,
> right?), not JDK code.

Well I don't think it is a bug in either implementation, but it would 
probably help to explain the difference in the Apache and JDK 6 (1.6) 
XML Signature APIs/implementation.

The API included in JDK 6 is based on JSR 105 which was a standard XML 
Signature API defined via the Java Community Process. The reference 
implementation of JSR 105 that is included in JDK 6 is based on the 
Apache Java XML Security implementation.

The JSR 105 API and code was contributed back to the Apache Software 
Foundation. It will be included in the next Apache XML Security release 
(1.4) which should be available soon. You can download the source and 
build it yourself now if you choose.

Don't worry though - we plan to continue to include both the JSR 105 API 
and the current Apache XML Security API though I would encourage you to 
transition over time to the standard JSR 105 API.

--Sean

Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Scott Cantor wrote:
>> So out of curiosity, how does one verify the Signature/KeyInfo match
>> up in the JDK 1.6 code?
> 
> 
> I don't think that's how I would approach the question. In all cases, I
> think the application needs to supply the verification key. The application
> MAY choose to examine KeyInfo as part of determining what key to try, but
> that's up to it.
> 
> In that light, KeyInfo is simply one of many inputs into the process of
> determining the key. The critical difference is that in my mind, you start
> by identifying the signer, usually based on the message itself, not based on
> KeyInfo. From there, you get keying material, or policy to control
> certificates that might be in KeyInfo.

+1.

I cannot think of any case where I would "trust" a message purely 
because *the message* told me it was OK.  That's effectively what you do 
if you base a "trust" decision on a key info element.

The KeyInfo is like the keyid for a PGP/GPG signed message.  It's a 
pointer into your own keyring (or key management approach - whatever) 
that lets *you* make a decision based on something outside the message 
as to whether the message is signed by someone you know.

And FWIW - the match between key info and signature is trivial.  If the 
key that you determine from the keyinfo validates the signature then it 
matches.  Otherwise it doesn't.  Incorporating the keyinfo into the 
signed information tells you precisely nothing - if someone has inserted 
their own key into KeyInfo, then they can obviously re-sign the message 
and send it to you in its new form.  So putting the KeyInfo inside the 
signature tells you nothing about the validity of the key.

Given that fact - it would actually be dangerous for the spec to do it 
by default as it would give a false sense of security to end users. 
"The key info is included in the signature and the signature verified, 
therefore the key is correct".  Badness.

Cheers,
	Berin
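To make the cases argued in this thread concrete, here is an added example written for this page; it is not code from the bug report, nor from the Apache XML Security or JDK code bases. It uses only the JSR 105 API shipped with the JDK (Java 11 or later, for the SignatureMethod.RSA_SHA256 constant). The document shape, the class and method names and the two verifiers are assumptions made for the example. It signs a cut-down <NotasFaltas> with an enveloped signature and KeyValue in KeyInfo, then shows (1) that a key other than the signer's does not verify the signature, which is all that editing KeyInfo without re-signing can achieve, and (2) that an attacker who re-signs with their own key and advertises it in KeyInfo is accepted by a verifier that takes the key from the message, and rejected by one that supplies the key it expects from outside the message, which is Berin's keyring point. Covering KeyInfo with an extra Reference would not change case (2), since the attacker signs that element too.

```java
import java.security.KeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class KeyInfoSwapDemo {
  static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

  // Constructed sample document: a cut-down <NotasFaltas> like the one in the bug report.
  static Document newDoc(String nota) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    Document d = dbf.newDocumentBuilder().newDocument();
    d.appendChild(d.createElement("NotasFaltas")).appendChild(d.createElement("nota")).setTextContent(nota);
    return d;
  }

  // Enveloped signature over the whole document (Reference URI=""); the signer's public key is
  // advertised in KeyInfo/KeyValue, which the enveloped-signature transform leaves undigested.
  static void sign(Document doc, KeyPair kp) throws Exception {
    Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
        Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
        null, null);
    SignedInfo si = FAC.newSignedInfo(
        FAC.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
        FAC.newSignatureMethod(SignatureMethod.RSA_SHA256, null), Collections.singletonList(ref));
    KeyInfoFactory kif = FAC.getKeyInfoFactory();
    KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
    FAC.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
  }

  // Verifier A: use whatever key the message advertises in KeyValue (the message vouching for itself).
  static KeySelector fromKeyInfo() {
    return new KeySelector() {
      public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p, AlgorithmMethod m,
                                      XMLCryptoContext c) throws KeySelectorException {
        for (Object o : ki.getContent()) {
          if (!(o instanceof KeyValue)) continue;
          try { final PublicKey pk = ((KeyValue) o).getPublicKey(); return () -> pk; }
          catch (KeyException e) { throw new KeySelectorException(e); }
        }
        throw new KeySelectorException("no KeyValue in KeyInfo");
      }
    };
  }

  // Verifier B: the application decides who the signer must be and supplies that key itself
  // (its keyring, its configuration, a certificate it has already validated); KeyInfo is not consulted.
  static KeySelector supplied(final PublicKey expected) {
    return new KeySelector() {
      public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p, AlgorithmMethod m,
                                      XMLCryptoContext c) {
        return () -> expected;
      }
    };
  }

  // Core validation only: reference digests plus SignatureValue under the selected key.
  static boolean validate(Document doc, KeySelector ks) throws Exception {
    DOMValidateContext ctx = new DOMValidateContext(ks,
        doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
    return FAC.unmarshalXMLSignature(ctx).validate(ctx);
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
    g.initialize(2048);
    KeyPair signer = g.generateKeyPair(), attacker = g.generateKeyPair();
    Document genuine = newDoc("1.0");
    sign(genuine, signer);
    // 1. Genuine document: valid under the advertised key and under the key we expect.
    System.out.println("genuine,   KeyInfo key:  " + validate(genuine, fromKeyInfo()));
    System.out.println("genuine,   signer's key: " + validate(genuine, supplied(signer.getPublic())));
    // 2. Same document under some other key: a key swapped into KeyInfo without re-signing
    //    cannot make SignatureValue verify, which is all the bug report observed.
    System.out.println("genuine,   other key:    " + validate(genuine, supplied(attacker.getPublic())));
    // 3. Content changed and re-signed by the attacker, who advertises their own key. Verifier A
    //    accepts it, verifier B does not; a Reference covering KeyInfo would change nothing here.
    Document forged = newDoc("10.0");
    sign(forged, attacker);
    System.out.println("re-signed, KeyInfo key:  " + validate(forged, fromKeyInfo()));
    System.out.println("re-signed, signer's key: " + validate(forged, supplied(signer.getPublic())));
  }
}
```

The first two lines print true, the third false, and the last two true then false: the only check that separates the forged document from the genuine one is the one whose key came from outside the message. In a real verifier the key handed to supplied() comes from the step Sean and Scott describe, identifying the signer first and then looking up or validating their key; the KeyInfo contents can at most tell you which of your known keys to try.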

RE: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by Scott Cantor <ca...@osu.edu>.
> I'm not really all that familiar with the JDK 1.6 API. In looking at
> it I see it changed quite considerably more than I expected, which
> probably explains most of my confusion.  I assumed that the bug was
> against the apache implementation (this is the apache bug database,
> right?), not JDK code.

I've never looked at it. I mainly do C++ anyway, the Java's somebody else
now, mercifully for all the people who hated my Java code.

> So out of curiosity, how does one verify the Signature/KeyInfo match
> up in the JDK 1.6 code?

I don't think that's how I would approach the question. In all cases, I
think the application needs to supply the verification key. The application
MAY choose to examine KeyInfo as part of determining what key to try, but
that's up to it.

In that light, KeyInfo is simply one of many inputs into the process of
determining the key. The critical difference is that in my mind, you start
by identifying the signer, usually based on the message itself, not based on
KeyInfo. From there, you get keying material, or policy to control
certificates that might be in KeyInfo.

Just my two cents.

-- Scott


Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by jason marshall <jd...@gmail.com>.
Okay.  In the Apache XMLSec code, this happens more or less
automatically (That is, you verify the signature with
checkSignatureValue, which takes a key as an argument, and may or may
not also check references depending on what other settings you've
specified).

I'm not really all that familiar with the JDK 1.6 API. In looking at
it I see it changed quite considerably more than I expected, which
probably explains most of my confusion.  I assumed that the bug was
against the apache implementation (this is the apache bug database,
right?), not JDK code.

So out of curiosity, how does one verify the Signature/KeyInfo match
up in the JDK 1.6 code?

Thanks,
Jason

On 11/8/06, Scott Cantor <ca...@osu.edu> wrote:
> > Yes, of course.  My question is, if the KeyInfo in a valid signature
> > can be changed without failing the signature check, then what good
> > does it do me to check the chain of trust on the KeyInfo?
>
> By itself, nothing. You still also have to verify that the KeyInfo actually
> validates the Signature. There's no attack here, you can't just substitute
> an arbitrary key and actually make it validate the signature too. Not unless
> there's a broken encryption algorithm anyway.
>
> > I presume this behavior is implemented as specced by the W3C.
>
> The spec says nothing about it, unless you mean the part about whether
> KeyInfo is digested. That part is in the spec, yes.
>
> -- Scott
>
>


-- 
- Jason

RE: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by Scott Cantor <ca...@osu.edu>.
> Yes, of course.  My question is, if the KeyInfo in a valid signature
> can be changed without failing the signature check, then what good
> does it do me to check the chain of trust on the KeyInfo?

By itself, nothing. You still also have to verify that the KeyInfo actually
validates the Signature. There's no attack here, you can't just substitute
an arbitrary key and actually make it validate the signature too. Not unless
there's a broken encryption algorithm anyway.

> I presume this behavior is implemented as specced by the W3C.

The spec says nothing about it, unless you mean the part about whether
KeyInfo is digested. That part is in the spec, yes.

-- Scott


Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by jason marshall <jd...@gmail.com>.
On 11/8/06, Sean Mullan <Se...@sun.com> wrote:
> jason marshall wrote:
> > Maybe I'm misunderstanding the commentary made so far in this bug report.
> >
> > If KeyInfo is indeed advisory, then how does one establish the
> > trustworthiness of an enveloped signature?
>
> The relying (validating) party still needs to determine the
> trustworthiness of the KeyInfo material, or the key that it used to
> validate the signature (does the signing key actually belong to someone
> I trust?). For example if KeyInfo contains an X509Certificate then you
> shouldn't blindly trust the certificate, you need to determine if you
> trust the CA that issued that certificate - for example by building a
> chain of certificates from a trust anchor and validating the certificate
> chain (checking if certs have not been revoked, etc). XML Signature does
> not define how this is done, it is up to the application. However, there
> are CertPath APIs in the JDK which already help you do this: see
> http://java.sun.com/j2se/1.5.0/docs/guide/security/certpath/CertPathProgGuide.html
> for more information.
>

Yes, of course.  My question is, if the KeyInfo in a valid signature
can be changed without failing the signature check, then what good
does it do me to check the chain of trust on the KeyInfo?

I presume this behavior is implemented as specced by the W3C.  I'm
just wondering what the solution was to this problem if the above
isn't actually sufficient.


-Jason


> --Sean
>
> >
> > Thanks,
> > Jason
> >
> > On 11/7/06, bugzilla@apache.org <bu...@apache.org> wrote:
> >> ------- Additional Comments From cantor.2@osu.edu  2006-11-07 21:18
> >> -------
> >> An enveloped signature omits anything inside the Signature element
> >> apart from
> >> SignedInfo. KeyInfo is not commonly signed. The only attack possible
> >> is against
> >> broken software that doesn't understand that KeyInfo is advisory, not
> >> trusted
> >> information.
> >>


-- 
- Jason

Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by Sean Mullan <Se...@Sun.COM>.
jason marshall wrote:
> Maybe I'm misunderstanding the commentary made so far in this bug report.
> 
> If KeyInfo is indeed advisory, then how does one establish the
> trustworthiness of an enveloped signature?

The relying (validating) party still needs to determine the 
trustworthiness of the KeyInfo material, or the key that it used to 
validate the signature (does the signing key actually belong to someone 
I trust?). For example if KeyInfo contains an X509Certificate then you 
shouldn't blindly trust the certificate, you need to determine if you 
trust the CA that issued that certificate - for example by building a 
chain of certificates from a trust anchor and validating the certificate 
chain (checking if certs have not been revoked, etc). XML Signature does 
not define how this is done, it is up to the application. However, there 
are CertPath APIs in the JDK which already help you do this: see 
http://java.sun.com/j2se/1.5.0/docs/guide/security/certpath/CertPathProgGuide.html
for more information.

--Sean

> 
> Thanks,
> Jason
> 
> On 11/7/06, bugzilla@apache.org <bu...@apache.org> wrote:
>> ------- Additional Comments From cantor.2@osu.edu  2006-11-07 21:18 
>> -------
>> An enveloped signature omits anything inside the Signature element 
>> apart from
>> SignedInfo. KeyInfo is not commonly signed. The only attack possible 
>> is against
>> broken software that doesn't understand that KeyInfo is advisory, not 
>> trusted
>> information.


RE: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by Scott Cantor <ca...@osu.edu>.
> Maybe I'm misunderstanding the commentary made so far in this 
> bug report.
> 
> If KeyInfo is indeed advisory, then how does one establish the
> trustworthiness of an enveloped signature?

As Sean said, trust, whatever you believe that means, is outside the scope
of XML Signature and of the ds:KeyInfo element. The element is used to
transmit hints to the relying party to assist in efficiently verifying the
signature. After that, there's an entirely separate set of code that every
application has to have that evaluates the "legitimacy" of the signing key,
and you also have to verify that what's been signed is what you expected.
Both steps can be very complex.

I think it would be useful if the xmlsec Javadocs made this somewhat more
clear in the doc comment for any "verify" methods that exist. People need to
be very clear that that method does not mean "trust this message". It's a
drop in the bucket. I worry sometimes about the applications out there using
this stuff.

-- Scott
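Putting Sean's CertPath suggestion and Scott's two separate steps into one verifier, the following is an added example for this page (not code from the bug, nor from the Apache or JDK projects). Its KeySelector ignores KeyValue altogether, collects the certificates from X509Data, builds a PKIX path from the presented certificate to a trust anchor held in a local keystore, and only then hands the resulting public key to the signature check; after core validation the program separately checks that the signature covers the whole document. The file names, the PKCS12 truststore, the assumption that the first certificate in X509Data is the signer's, and the disabled revocation checking are all assumptions made for the example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class TrustAnchoredValidator {
  static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

  // KeyInfo is a hint only: the certificate it carries must chain to one of our trust anchors
  // before its public key is handed to the signature check. KeyValue is ignored outright.
  static final class TrustAnchoredKeySelector extends KeySelector {
    private final KeyStore anchors;
    TrustAnchoredKeySelector(KeyStore anchors) { this.anchors = anchors; }

    @Override
    public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p, AlgorithmMethod m,
                                    XMLCryptoContext c) throws KeySelectorException {
      if (ki == null) throw new KeySelectorException("no KeyInfo: cannot identify the signer");
      List<X509Certificate> presented = new ArrayList<>();
      for (Object o : ki.getContent()) {
        if (!(o instanceof X509Data)) continue;
        for (Object entry : ((X509Data) o).getContent()) {
          if (entry instanceof X509Certificate) presented.add((X509Certificate) entry);
        }
      }
      if (presented.isEmpty()) throw new KeySelectorException("no X509Certificate in KeyInfo");
      try {
        // Assumption: the first certificate is the signer's; any others are intermediates.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(presented.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(presented)));
        params.setRevocationEnabled(false);  // example only; enable CRL/OCSP checking in production
        PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        final PublicKey pk = r.getPublicKey();
        return () -> pk;
      } catch (GeneralSecurityException e) {
        throw new KeySelectorException("presented certificate does not chain to a trust anchor", e);
      }
    }
  }

  // Separate check that what was signed is what we expect: exactly one Reference, URI=""
  // with the enveloped transform, i.e. the whole document rather than some fragment of it.
  static boolean coversWholeDocument(XMLSignature sig) {
    List<?> refs = sig.getSignedInfo().getReferences();
    if (refs.size() != 1) return false;
    Reference ref = (Reference) refs.get(0);
    if (!"".equals(ref.getURI())) return false;
    for (Object t : ref.getTransforms()) {
      if (Transform.ENVELOPED.equals(((Transform) t).getAlgorithm())) return true;
    }
    return false;
  }

  // usage: java TrustAnchoredValidator signed.xml truststore.p12 changeit   (names are assumptions)
  public static void main(String[] args) throws Exception {
    KeyStore anchors = KeyStore.getInstance("PKCS12");   // trusted CA certificates only, no private keys
    try (InputStream in = new FileInputStream(args[1])) { anchors.load(in, args[2].toCharArray()); }
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs in signed input
    Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));
    NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (nl.getLength() != 1 || nl.item(0).getParentNode() != doc.getDocumentElement()) {
      System.out.println("REJECT: expected exactly one Signature directly under the root element");
      return;
    }
    DOMValidateContext ctx = new DOMValidateContext(new TrustAnchoredKeySelector(anchors), nl.item(0));
    XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
    boolean cryptoOk = sig.validate(ctx);    // throws XMLSignatureException if no trusted key was found
    boolean scopeOk = coversWholeDocument(sig);
    System.out.println(cryptoOk && scopeOk ? "ACCEPT" : "REJECT: crypto=" + cryptoOk + " scope=" + scopeOk);
  }
}
```

With this selector the experiment from the bug report ends differently: substituting a certificate that does not chain to a configured anchor makes select() throw before any cryptography runs, and substituting one that does chain but belongs to someone else makes SignatureValue fail to verify. Neither outcome depends on KeyInfo being inside the signed data. The scope check is the second half of Scott's point; a signature can be perfectly valid and still cover something other than the element you are about to act on.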


Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by jason marshall <jd...@gmail.com>.
Maybe I'm misunderstanding the commentary made so far in this bug report.

If KeyInfo is indeed advisory, then how does one establish the
trustworthiness of an enveloped signature?

Thanks,
Jason

On 11/7/06, bugzilla@apache.org <bu...@apache.org> wrote:
> ------- Additional Comments From cantor.2@osu.edu  2006-11-07 21:18 -------
> An enveloped signature omits anything inside the Signature element apart from
> SignedInfo. KeyInfo is not commonly signed. The only attack possible is against
> broken software that doesn't understand that KeyInfo is advisory, not trusted
> information.


-- 
- Jason

DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.

------- Additional Comments From sean.mullan@sun.com  2006-11-13 13:54 -------
Can you bundle the files in a zip file and attach them using the
"Create a New Attachment" link.


DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.

------- Additional Comments From sean.mullan@sun.com  2006-11-08 08:29 -------
(In reply to comment #5)
> (In reply to comment #4)
> > That code looks fine, but it is still missing something. How do you modify
> > the X509Certificate? 
> I modify the certificate by substituting it with one from another XML that was
> signed with a different certificate.
> > I would add a print statement in the KeySelector to print
> > out the key that you are using to validate the signature. Is it different
> > after you modify the X509Certificate?
> The key is the same, because I haven't modified it. I think the key is the one
> inside the <KeyValue> tag:
> 
> <KeyValue>
>   <RSAKeyValue>
>     <Modulus>unmSpz4AW43DBUeUtbGDxyEBOmKUiAM136ZrGOlJRzximnaFjABuQ7Ucix5Ru60DLlUH5Q3KHfDW
> aimUe3ufnWUWSGkbNUGYtwdqv/54LvTvW3SMA0IuvfqUmdF+AJgHCWv0rEYizswKaeNgMak+/oWL
> MBrOwE2+fh B6l87tBo8=</Modulus>
>     <Exponent>AQAB</Exponent>
> 
> I could try using the key from the certificate in the <X509Data> tag...

Yes, if you change your KeySelector to check the X509Data before the KeyValue
then it will use the certificate's key and the signature validation will fail.


DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.

------- Additional Comments From sean.mullan@sun.com  2006-11-13 06:55 -------
>   I would very much like it to be an instance of KeyInfo; however it is an
> instance of KeyValue. When I call keyInfo.getContent() it returns the content of
> the KeyValue, and when I call keyInfo.getClass() it returns a DOMKeyValue
> instance

Can you post the code that demonstrates this?

Thanks.


DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.

sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From sean.mullan@sun.com  2006-11-14 10:32 -------

> Please disregard what I said... the KeyInfo object has a DOMX509Data object
> and a DOMKeyValue.

Ok, I am closing this as not a bug.



DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.

------- Additional Comments From fillipelima@gmail.com  2006-11-10 04:48 -------
(In reply to comment #7)
> I would like to close this out as not a bug. 
> Have you had a chance to try my suggestion yet?

No, not yet, because I have a lot of other things to do here at my job, but I
will try two things:

1- Sign the <KeyInfo> too. Because <Reference URI=""> means that the whole
document will be signed except the elements inside <Signature>, I will create
an id like this: <KeyInfo id="test"> and create a reference indicating that I
want to sign the KeyInfo: <Reference URI="test">

2- Try what you said.

Thank you so much for your quick responses!




DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.

------- Additional Comments From fillipelima@gmail.com  2006-11-14 03:54 -------
Created an attachment (id=19129)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19129&action=view)
signedxml



DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.

------- Additional Comments From fillipelima@gmail.com  2006-11-08 06:52 -------
(In reply to comment #2)
> I agree with Scott's reply. I haven't seen your code (can you post it?) but
> this is most likely not a bug. However, I am curious as to what key you are 
> using to validate the signature. It seems you are using the correct key each
> time. If you validated with a key from this different X.509 certificate that you
> have inserted then it should not validate (if indeed it was a different public
> key).

Here is my verifying code:
=======================================

import java.security.Key;
import java.security.KeyException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class ValidacaoXmlEnveloped {

  /** Thrown when the document carries no Signature or validation cannot be carried out. */
  public static class ValidacaoXmlEnvelopedException extends Exception {
    public ValidacaoXmlEnvelopedException(String msg) { super(msg); }
    public ValidacaoXmlEnvelopedException(String msg, Throwable cause) { super(msg, cause); }
  }

  /** Returns the signature when core validation passes, null otherwise. */
  static public XMLSignature validar(Document documento) throws ValidacaoXmlEnvelopedException {
    boolean      ok        = false;
    XMLSignature signature = null;
    try {
      NodeList listaNos = documento.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
      if (listaNos.getLength() == 0) {
        throw new ValidacaoXmlEnvelopedException("Signature is not present.");
      }
      // JSR 105 reference implementation shipped with JDK 6; overridable with -Djsr105Provider=...
      String nomeProvider = System.getProperty("jsr105Provider",
          "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
      XMLSignatureFactory xmlSigFac = XMLSignatureFactory.getInstance("DOM",
          (Provider) Class.forName(nomeProvider).newInstance());

      DOMValidateContext valCont = new DOMValidateContext(new KeyValueKeySelector(), listaNos.item(0));
      signature = xmlSigFac.unmarshalXMLSignature(valCont);
      ok = signature.validate(valCont);
    } catch (ValidacaoXmlEnvelopedException ex) {
      throw ex;
    } catch (Exception ex) {
      ex.printStackTrace();
      throw new ValidacaoXmlEnvelopedException(ex.getMessage(), ex);
    }
    return ok ? signature : null;
  }

  /**
   * Picks the verification key out of KeyInfo. KeyValue is examined before X509Data, so when
   * both are present the signature is checked against the bare key from KeyValue and the
   * X509Certificate element is never consulted; its contents can therefore change without effect.
   */
  private static class KeyValueKeySelector extends KeySelector {
    public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                    AlgorithmMethod method, XMLCryptoContext context)
        throws KeySelectorException {
      if (keyInfo == null) {
        throw new KeySelectorException("KeyInfo object is null!");
      }
      SignatureMethod sm   = (SignatureMethod) method;
      List            list = keyInfo.getContent();
      for (int i = 0; i < list.size(); i++) {
        PublicKey    pk           = null;
        XMLStructure xmlStructure = (XMLStructure) list.get(i);
        if (xmlStructure instanceof KeyValue) {
          try {
            pk = ((KeyValue) xmlStructure).getPublicKey();
          } catch (KeyException ke) {
            ke.printStackTrace();
            throw new KeySelectorException(ke);
          }
        } else if (xmlStructure instanceof X509Data) {
          // X509Data may also hold issuer/serial, SKI or CRL entries; take the first certificate.
          for (Object entry : ((X509Data) xmlStructure).getContent()) {
            if (entry instanceof X509Certificate) {
              pk = ((X509Certificate) entry).getPublicKey();
              break;
            }
          }
        }
        // KeyName, RetrievalMethod etc. yield no key here; skip them instead of dereferencing null.
        if (pk != null && algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
          return new SimpleKeySelectorResult(pk);
        }
      }
      throw new KeySelectorException("No usable KeyValue or X509Data element found!");
    }

    static boolean algEquals(String algURI, String algName) {
      if (algName.equalsIgnoreCase("DSA") && algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) {
        return true;
      } else if (algName.equalsIgnoreCase("RSA") && algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1)) {
        return true;
      } else {
        return false;
      }
    }
  }

  private static class SimpleKeySelectorResult implements KeySelectorResult {
    private PublicKey pk;
    SimpleKeySelectorResult(PublicKey pk) {
      this.pk = pk;
    }
    public Key getKey() {
      return pk;
    }
  }

}


DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.

------- Additional Comments From fillipelima@gmail.com  2006-11-11 03:28 -------
(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #8)
> > 
> > Hello 
> > 
> > I tried to get the public key from the certificate. But the keyInfo object is
> > an instance of KeyValue. I need the KeyInfo object to be an instance of
> > KeyInfo, so I could get X509Data and then X509Certificate. The method in which I
> > receive the KeyInfo object:
> > 
> > public KeySelectorResult select(KeyInfo keyInfo,  KeySelector.Purpose
> > purpose, AlgorithmMethod method, XMLCryptoContext context) throws
> > KeySelectorException {
> > 
> > Is there any way to get the keyInfo as an instance of KeyInfo?
> 
> I'm afraid I don't understand the problem. keyInfo must be an instance of
> KeyInfo otherwise you will get a ClassCastException. You can call 
> keyInfo.getContent() which will return a List of XMLStructure objects, each
> of which represents an element in the KeyInfo (KeyValue, X509Data, etc).

  I would very much like it to be an instance of KeyInfo; however it is an
instance of KeyValue. When I call keyInfo.getContent() it returns the content of
the KeyValue, and when I call keyInfo.getClass() it returns a DOMKeyValue instance


DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40921>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40921





------- Additional Comments From fillipelima@gmail.com  2006-11-14 08:26 -------
(In reply to comment #22)
> Created an attachment (id=19131)
> --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19131&action=view)
> xmlsec.jar

Hello 

Please disregard what I said. The keyInfo object has a DOMX509Data object
and a DOMKeyValue.

Tks!!

------- Additional Comments From fillipelima@gmail.com  2006-11-14 03:55 -------
Created an attachment (id=19130)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19130&action=view)
xmldsig.jar


------- Additional Comments From sean.mullan@sun.com  2006-11-13 07:56 -------
I need more than this to reproduce the problem. Please post a simple test case
that I can compile and run without writing *any additional code* and also 
include the signature you are validating.

------- Additional Comments From fillipelima@gmail.com  2006-11-14 03:53 -------
Created an attachment (id=19126)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19126&action=view)
Main class


------- Additional Comments From fillipelima@gmail.com  2006-11-13 07:02 -------
(In reply to comment #12)
> >   I would like so much that it was an instance of KeyInfo. However, it is an
> > instance of KeyValue. When I call keyInfo.getContent() it returns the content of
> > the KeyValue, and when I call KeyInfo.getClass() it returns a DOMKeyValue
> > instance.
> 
> Can you post the code that demonstrates this?
> 
> Thanks.

The code:

package br.unit.certificacao;

import java.security.Key;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;


public class ValidacaoXmlEnveloped {

  static public XMLSignature validar(Document documento) throws ValidacaoXmlEnvelopedException {
    boolean      ok        = false;
    XMLSignature signature = null;
    try {
      NodeList listaNos = documento.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
      if (listaNos.getLength() == 0) {
          throw new ValidacaoXmlEnvelopedException("Assinatura não está presente.");
      }
      String              nomeProvider = System.getProperty("jsr105Provider",
          "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
      XMLSignatureFactory xmlSigFac    = XMLSignatureFactory.getInstance("DOM",
          (Provider) Class.forName(nomeProvider).newInstance());
      // Create the DOMValidateContext, specifying the KeySelector to use
      // and the document context (the Signature element).
      DOMValidateContext valCont = new DOMValidateContext(new KeyValueKeySelector(), listaNos.item(0));
      // Unmarshal the XMLSignature for verification.
      signature = xmlSigFac.unmarshalXMLSignature(valCont);
      // Validate the XMLSignature.
      ok = signature.validate(valCont);
    } catch( Exception ex ) {
        ex.printStackTrace();
        throw new ValidacaoXmlEnvelopedException(ex.getMessage());
    }
    if (ok) {
        return signature;
    } else
        return null;
  }
//===================================================
// HERE IS WHERE I RECEIVE THE KEYINFO OBJECT
//===================================================

  private static class KeyValueKeySelector extends KeySelector {
    public KeySelectorResult select(KeyInfo keyInfo,  KeySelector.Purpose purpose,
        AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
      if (keyInfo == null) {
        throw new KeySelectorException("Objeto KeyInfo null!");
      }
      SignatureMethod sm   = (SignatureMethod) method;
      List            list = keyInfo.getContent();
      for (int i = 0; i < list.size(); i++) {
        PublicKey pk = null;
        XMLStructure xmlStructure = (XMLStructure) list.get(i);

        if( xmlStructure instanceof X509Data) {
          List lst = ((X509Data)xmlStructure).getContent();
          X509Certificate cert = (X509Certificate)lst.get(0);
          pk = cert.getPublicKey();
        }

        // pk is still null for any entry that is not X509Data (e.g. KeyValue);
        // skip those entries instead of dereferencing null.
        if (pk != null && algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
          return new SimpleKeySelectorResult(pk);
        }
      }
      throw new KeySelectorException("Nenhum elemento KeyValue encontrado!");
    }

    static boolean algEquals(String algURI, String algName) {
      if (algName.equalsIgnoreCase("DSA") && algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) {
        return true;
      } else if (algName.equalsIgnoreCase("RSA") && algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1)) {
        return true;
      } else {
        return false;
      }
    }
  }

  private static class SimpleKeySelectorResult implements KeySelectorResult {
    private PublicKey pk;
    SimpleKeySelectorResult(PublicKey pk) {
      this.pk = pk;
    }
    public Key getKey() {
      return pk;
    }
  }

}



------- Additional Comments From sean.mullan@sun.com  2006-11-08 07:33 -------
That code looks fine, but it is still missing something. How do you modify
the X509Certificate? I would add a print statement in the KeySelector to print
out the key that you are using to validate the signature. Is it different after
you modify the X509Certificate?

------- Additional Comments From fillipelima@gmail.com  2006-11-14 03:53 -------
Created an attachment (id=19127)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19127&action=view)
ValidacaoXmlEnveloped class


------- Additional Comments From fillipelima@gmail.com  2006-11-14 03:55 -------
Created an attachment (id=19131)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19131&action=view)
xmlsec.jar


------- Additional Comments From fillipelima@gmail.com  2006-11-10 10:53 -------
(In reply to comment #8)

Hello 

I tried to get the public key from the certificate. But the keyInfo object is
an instance of KeyValue. I need the KeyInfo object to be an instance of
KeyInfo, so I could get x509Data and then x509Certificate. The method where I
receive the KeyInfo object:

public KeySelectorResult select(KeyInfo keyInfo,  KeySelector.Purpose purpose,
    AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {

Is there any way to get the keyInfo as an instance of KeyInfo?



------- Additional Comments From sean.mullan@sun.com  2006-11-10 11:49 -------
(In reply to comment #9)
> (In reply to comment #8)
> 
> Hello 
> 
> I tried to get the public key from the certificate. But the keyInfo object is
> an instance of KeyValue. I need the KeyInfo object to be an instance of
> KeyInfo, so I could get x509Data and then x509Certificate. The method where I
> receive the KeyInfo object:
> 
> public KeySelectorResult select(KeyInfo keyInfo,  KeySelector.Purpose purpose,
>     AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
> 
> Is there any way to get the keyInfo as an instance of KeyInfo?

I'm afraid I don't understand the problem. keyInfo must be an instance of
KeyInfo otherwise you will get a ClassCastException. You can call 
keyInfo.getContent() which will return a List of XMLStructure objects, each
of which represents an element in the KeyInfo (KeyValue, X509Data, etc).

------- Additional Comments From sean.mullan@sun.com  2006-11-08 06:37 -------
I agree with Scott's reply. I haven't seen your code (can you post it?) but
this is most likely not a bug. However, I am curious as to what key you are 
using to validate the signature. It seems you are using the correct key each
time. If you validated with a key from this different X.509 certificate that you
have inserted then it should not validate (if indeed it was a different public key).

------- Additional Comments From fillipelima@gmail.com  2006-11-13 08:47 -------
(In reply to comment #14)
> I need more than this to reproduce the problem. Please post a simple test case
> that I can compile and run without writing *any additional code* and also 
> include the signature you are validating.

You will have to add the xmldsig.jar and xmlsec.xml from Java Web Services
Developer Pack 2.0 to your classpath.

============================================================
Use this main class to test:
============================================================

import java.io.FileInputStream;
import javax.xml.crypto.dsig.XMLSignature;

public class Principal {
  public void validate() {
    try {
      javax.xml.parsers.DocumentBuilderFactory dbf = 
javax.xml.parsers.DocumentBuilderFactory.newInstance();
      dbf.setNamespaceAware(true);
      javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
      org.w3c.dom.Document docXML = db.parse(new FileInputStream
("c:\\signedxml.xml"));
      XMLSignature assinatura = ValidacaoXmlEnveloped.validar(docXML);
      if (assinatura != null) {
        System.out.println("Signature ok!");
      }else {
        System.out.println("Invalid Signature!");
      }

    } catch (Exception ex){
        ex.printStackTrace();
    }
  }
  public static void main(String[] args) {
    Principal p = new Principal();
    p.validate();
  }
}

===================================================
ValidacaoXmlEnveloped class
==================================================

import java.security.Key;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;


/**
 * Class for verifying any type of XMLDSIG signature.
 * @author bribeiro
 *
 */
public class ValidacaoXmlEnveloped {

  static public XMLSignature validar(Document documento) throws ValidacaoXmlEnvelopedException {
    boolean      ok        = false;
    XMLSignature signature = null;
    try {
      // Get the "Signature" element from the document
      NodeList listaNos = documento.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
      if (listaNos.getLength() == 0) {
          throw new ValidacaoXmlEnvelopedException("Assinatura não está presente.");
      }
      String              nomeProvider = System.getProperty("jsr105Provider",
          "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
      XMLSignatureFactory xmlSigFac    = XMLSignatureFactory.getInstance("DOM",
          (Provider) Class.forName(nomeProvider).newInstance());
      // Create the DOMValidateContext, specifying the KeySelector to use
      // and the document context (the Signature element).
      DOMValidateContext valCont = new DOMValidateContext(new KeyValueKeySelector(), listaNos.item(0));
      // Unmarshal the XMLSignature for verification.
      signature = xmlSigFac.unmarshalXMLSignature(valCont);
      // Validate the XMLSignature.
      ok = signature.validate(valCont);
    } catch( Exception ex ) {
        ex.printStackTrace();
        throw new ValidacaoXmlEnvelopedException(ex.getMessage());
    }
    if (ok) {
        return signature;
    } else
        return null;
  }

  /**
   * KeySelector that returns the public key found inside the
   * KeyValue element.
   * NOTE: if the key's algorithm does not match the signature's,
   * the public key is ignored.
   */

  private static class KeyValueKeySelector extends KeySelector {
    public KeySelectorResult select(KeyInfo keyInfo,  KeySelector.Purpose purpose,
        AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
      if (keyInfo == null) {
        throw new KeySelectorException("Objeto KeyInfo null!");
      }
      SignatureMethod sm   = (SignatureMethod) method;
      List            list = keyInfo.getContent();
      for (int i = 0; i < list.size(); i++) {
        PublicKey pk = null;
        XMLStructure xmlStructure = (XMLStructure) list.get(i);

        System.out.println("Class"+xmlStructure.getClass());
        if( xmlStructure instanceof X509Data) {
          System.out.print("dentro do x509data");
          List lst = ((X509Data)xmlStructure).getContent();
          X509Certificate cert = (X509Certificate)lst.get(0);
          pk = cert.getPublicKey();
        }
        // pk is still null for any entry that is not X509Data (e.g. KeyValue);
        // skip those entries instead of dereferencing null.
        // Ensure the key algorithm is compatible with the signature method.
        if (pk != null && algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
          return new SimpleKeySelectorResult(pk);
        }
      }
      throw new KeySelectorException("Nenhum elemento KeyValue encontrado!");
    }

    static boolean algEquals(String algURI, String algName) {
      if (algName.equalsIgnoreCase("DSA") && algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) {
        return true;
      } else if (algName.equalsIgnoreCase("RSA") && algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1)) {
        return true;
      } else {
        return false;
      }
    }
  }

  private static class SimpleKeySelectorResult implements KeySelectorResult {
    private PublicKey pk;
    SimpleKeySelectorResult(PublicKey pk) {
      this.pk = pk;
    }
    public Key getKey() {
      return pk;
    }
  }

}

=======================================
ValidacaoXmlEnvelopedException class
=======================================

public class ValidacaoXmlEnvelopedException extends Exception {
    public ValidacaoXmlEnvelopedException(String msg) {
        super(msg);
    }
}

=======================================
signedxml.xml:
=======================================

<?xml version="1.0" encoding="UTF-8"?><NotasFaltas>
  <ano>2006</ano>
  <semestre>2</semestre>
  <turma>52A</turma>
  <idtProf>15</idtProf>
  <idtDisc>2</idtDisc>
  <unidade>3</unidade>
  <alunos class="linked-list">
    <Aluno>
      <idtAlu>1</idtAlu>
      <nota>1.0</nota>
      <faltas>2</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>2</idtAlu>
      <nota>3.0</nota>
      <faltas>4</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>3</idtAlu>
      <nota>5.0</nota>
      <faltas>6</faltas>
    </Aluno>
    <Aluno>
      <idtAlu>4</idtAlu>
      <nota>7.0</nota>
      <faltas>8</faltas>
    </Aluno>
  </alunos>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>ltbvesKBO+VTvcovJyJ0VVkSaJM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>r89mfZ7YkrQeFOeniXbj5JZja09Kmva+6naBMSu8srlfduq3mbyO5IYOGoHnDXLR7Q5TPGbfZtJa
TpxBQQFJz6pcnO53IyVaymGw5/fx89rtthr2weHJRx8DSiFeA8mio5PsJnSISXy/1F+byDvA3B/a
NANqL76K+mPMlsc04z4=</SignatureValue>
<KeyInfo>
<KeyValue><RSAKeyValue>
<Modulus>scAc0kZZ1Z+ldqz/OK9ZyNmHcNuy8U6fyk2OBvamkWyO3CU9NsWJ6pKZvpO3QAQwKakYbrB3joib
2THy0NEjNFRqdLWw4jaILqjpX0IgdGUY6TZzWq+oRCwTkm/JbG9M7Krl06c1ffMh30V0GnhcXWIC
bweBOvfh8jIFA2xvoN0=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue></KeyValue>
<X509Data>[four X509Certificate elements; base64 certificate contents omitted]</X509Data></KeyInfo></Signature></NotasFaltas>





------- Additional Comments From fillipelima@gmail.com  2006-11-08 08:19 -------
(In reply to comment #4)
> That code looks fine, but it is still missing something. How do you modify
> the X509Certificate? 
I modify the certificate by substituting it with one from another xml that was
signed with a different certificate.
> I would add a print statement in the KeySelector to print
> out the key that you are using to validate the signature. Is it different
> after you modify the X509Certificate?
The key is the same, because I haven't modified it. I think the key is the one
inside the <KeyValue> tag:

<KeyValue>
  <RSAKeyValue>
    <Modulus>unmSpz4AW43DBUeUtbGDxyEBOmKUiAM136ZrGOlJRzximnaFjABuQ7Ucix5Ru60DLlUH5Q3KHfDW
aimUe3ufnWUWSGkbNUGYtwdqv/54LvTvW3SMA0IuvfqUmdF+AJgHCWv0rEYizswKaeNgMak+/oWL
MBrOwE2+fhB6l87tBo8=</Modulus>
    <Exponent>AQAB</Exponent>
  </RSAKeyValue>
</KeyValue>

I could try using the key from the certificate in the <x509data> tag...




sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED




------- Additional Comments From sean.mullan@sun.com  2007-09-19 12:23 -------
Closing old bugs.

------- Additional Comments From cantor.2@osu.edu  2006-11-07 21:18 -------
An enveloped signature omits anything inside the Signature element apart from
SignedInfo. KeyInfo is not commonly signed. The only attack possible is against
broken software that doesn't understand that KeyInfo is advisory, not trusted
information.
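The defensive counterpart of the point above (KeyInfo is outside the enveloped signature's signed region, so it is advisory), as an added example that is not code from this bug report or from the xmlsec/JSR 105 library: a KeySelector that ignores KeyValue, takes the X509Certificate from X509Data and returns its key only after PKIX path building to a CA the verifier configured, plus a validation routine that also checks that the single Reference is URI="" with the enveloped-signature transform, so the signature actually covers the document the application will act on. Class and method names are mine; it assumes the signer's certificate is listed first in X509Data and that revocation is checked elsewhere, and the two command-line file paths are placeholders.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Validates an enveloped XMLDSig signature against a CA chosen by the verifier,
 * never against a key the sender placed in the (unsigned) KeyInfo.
 * Added example, not code from the bug report; file paths are placeholders.
 */
public class TrustedEnvelopedValidator {

  /** KeySelector that skips KeyValue and accepts a certificate only if it chains to our CA. */
  static final class TrustAnchorKeySelector extends KeySelector {
    private final Set<TrustAnchor> anchors;

    TrustAnchorKeySelector(X509Certificate trustedCa) {
      anchors = Collections.singleton(new TrustAnchor(trustedCa, null));
    }

    public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
        AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
      if (keyInfo == null) throw new KeySelectorException("No KeyInfo: cannot establish who signed");
      // KeyValue is deliberately ignored: KeyInfo lies outside the signed region of an
      // enveloped signature, so a bare key there proves nothing about the signer.
      List<X509Certificate> certs = new ArrayList<X509Certificate>();
      for (Object structure : keyInfo.getContent()) {
        if (!(structure instanceof X509Data)) continue;
        for (Object item : ((X509Data) structure).getContent()) {
          if (item instanceof X509Certificate) certs.add((X509Certificate) item);
        }
      }
      if (certs.isEmpty()) throw new KeySelectorException("No X509Certificate in KeyInfo");
      // Assumption: the signer's certificate is listed first; the rest are intermediates.
      X509Certificate leaf = certs.get(0);
      try {
        // PKIX path building succeeds only if leaf chains to the configured anchor.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(certs)));
        params.setRevocationEnabled(false); // assumption: revocation is checked elsewhere
        CertPathBuilder.getInstance("PKIX").build(params);
      } catch (GeneralSecurityException e) {
        throw new KeySelectorException("Certificate in KeyInfo does not chain to trusted CA", e);
      }
      final PublicKey pk = leaf.getPublicKey();
      return new KeySelectorResult() {
        public Key getKey() { return pk; }
      };
    }
  }

  /** True only if the signature verifies under a trusted key AND covers the whole document. */
  static boolean validateEnveloped(Document doc, X509Certificate trustedCa) throws Exception {
    NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (sigs.getLength() != 1) return false; // none or several Signature elements: reject
    DOMValidateContext ctx =
        new DOMValidateContext(new TrustAnchorKeySelector(trustedCa), sigs.item(0));
    ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // JDK 7u25+ hardening
    XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
    // Coverage check: exactly one Reference with URI="" plus the enveloped-signature
    // transform, i.e. the whole document minus the Signature element itself.
    List<?> refs = sig.getSignedInfo().getReferences();
    if (refs.size() != 1) return false;
    Reference ref = (Reference) refs.get(0);
    boolean enveloped = false;
    for (Object t : ref.getTransforms()) {
      if (Transform.ENVELOPED.equals(((Transform) t).getAlgorithm())) enveloped = true;
    }
    if (!"".equals(ref.getURI()) || !enveloped) return false;
    return sig.validate(ctx);
  }

  public static void main(String[] args) throws Exception {
    // args[0]: signed XML document; args[1]: certificate of the CA you trust (placeholders).
    FileInputStream caIn = new FileInputStream(args[1]);
    X509Certificate ca = (X509Certificate)
        CertificateFactory.getInstance("X.509").generateCertificate(caIn);
    caIn.close();
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
    Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
    System.out.println(validateEnveloped(doc, ca) ? "Signature ok" : "Invalid signature");
  }
}
```

With this selector, swapping the X509Certificate for one that does not chain to the configured CA makes validation fail in select(), and the KeyValue the reporter worried about is never consulted at all.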


sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO




------- Additional Comments From sean.mullan@sun.com  2006-11-09 07:50 -------
I would like to close this out as not a bug. 
Have you had a chance to try my suggestion yet?

------- Additional Comments From fillipelima@gmail.com  2006-11-14 03:54 -------
Created an attachment (id=19128)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19128&action=view)
ValidacaoXmlEnvelopedException class

