I was trying to validate an XML signature.

The validation according to this tutorial works fine.

But I also tried a second approach. To verify it with the verify method of the Signature class, I extracted the signature and the certificate from the XML file and did the following:

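    import java.io.ByteArrayInputStream;
    import java.security.*;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;

    // Checks sigToVerify as a raw signature computed directly over the bytes in data.
    public static boolean checkSignedFile(byte[] data, byte[] sigToVerify,
            byte[] cert, String algorithm) throws CertificateException,
            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        // Parse the X.509 certificate and take its public key.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate c = cf.generateCertificate(new ByteArrayInputStream(cert));
        PublicKey pk = c.getPublicKey();
        // Hash data with the given algorithm and compare against the signature.
        Signature sig = Signature.getInstance(algorithm);
        sig.initVerify(pk);
        sig.update(data);
        return sig.verify(sigToVerify);
    }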

The result was false. The signature did not verify. What could be the reason for that?

A: 

You can't verify XMLDsig like this. It wouldn't work. The signature is not calculated over the raw XML. It has to go through canonicalization, digest etc.

What do you use for data[]? To get it right, you almost have to rewrite the XMLDsig library.

ZZ Coder
The data[] is actually the file that is signed. I have checked it has the same digest as the digest in the XML signature. So the digests are the same. And that's why I am curious why the verification does not work.
iffi
So the file is an XMLDsig-signed XML file? Then you would have the signature inside the file, right? Would it be a chicken-egg issue if you can just verify the whole file :)
ZZ Coder
A: 

If data[] is the content of the signed XML file, what is sigToVerify?

XMLSig creates a Signature-Element (SignedInfo) that contains the digest of each Element to be signed and meta-information like the canonicalization/transformation algorithms used. Then the digest of this SignedInfo-Element is calculated and signed.

Hence, if sigToVerify is the signature created by an XMLSignature implementation it must not be equal to the signature of the complete XML file.

Here is a more complete explanation. And if you're interested, take a look at the specification.

wierob