1 Reply Latest reply: Feb 22, 2012 2:46 AM by 805963

    Signature verification fails

    805963
      Hi everybody,

      I have an issue: my XML signature cannot be verified with an external (e-government) tool. The XML document contains an <xml-stylesheet> directive and this causes a problem. If I remove it, the XML is signed and verified correctly as well. The signature can, however, be verified with a simple Java application I wrote (I don't know what the difference between those two tools is - but normally it must be verifiable with any tool - right?). Can someone help me pls? Thanks in advance.

      Here is my code:

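      -----
      // Imports needed by the fragment below
      import java.security.cert.X509Certificate;
      import java.util.ArrayList;
      import java.util.Collections;
      import java.util.List;
      import javax.xml.crypto.dsig.*;
      import javax.xml.crypto.dsig.dom.DOMSignContext;
      import javax.xml.crypto.dsig.keyinfo.*;
      import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
      import javax.xml.crypto.dsig.spec.TransformParameterSpec;
      import org.apache.xml.security.utils.Constants;
      import org.apache.xml.security.utils.ElementProxy;
      import org.w3c.dom.Document;

      // Initialise Apache Santuario and use the "ds" prefix for signature elements
      org.apache.xml.security.Init.init();
      ElementProxy.setDefaultPrefix(Constants.SignatureSpecNS, "ds");

      XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
      Document signedDocument = signRequest.getDocument();

      // URI "" references the whole document; the enveloped transform
      // only removes the Signature element itself from the digest input
      Reference ref = fac.newReference("",
                fac.newDigestMethod(DigestMethod.SHA1, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED,
                          (TransformParameterSpec) null)),
                null, null);

      // SignedInfo: inclusive C14N, RSA-SHA1, one reference
      SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                          (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
                Collections.singletonList(ref));

      X509Certificate cert = (X509Certificate) signRequest.getCertificate();

      // KeyInfo carrying the subject name and the certificate
      KeyInfoFactory kif = fac.getKeyInfoFactory();
      List<Object> x509Content = new ArrayList<Object>();
      x509Content.add(cert.getSubjectX500Principal().getName());
      x509Content.add(cert);
      X509Data xd = kif.newX509Data(x509Content);
      KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));

      // The Signature element is appended as a child of the root element
      DOMSignContext dsc = new DOMSignContext(signRequest.getPrivateKey(),
                signedDocument.getDocumentElement());

      XMLSignature signature = fac.newXMLSignature(si, ki);

      signature.sign(dsc);
      -----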

      I found this code on Oracle Java. Before it I tried to use Apache Santuario, but I used the XMLSignature object directly (no Factory is used) - the same effect.

      I tried to use Reference in order to sign only the root element, but the only way I know is to use the element id -> #my_id to access an element. And this doesn't work either :-(.

      Thanks for any help.

      Regards,
      erno

      Edited by: user5845341 on 21.02.2012 08:02
        • 1. Re: Signature verification fails
          805963
          Maybe one more detail: signing the same document with and without the xslt-stylesheet directive gives me different digest values and signature values as well. If I say that my root node should be signed, how is it possible that those changes are relevant? Is the whole document always signed? I really don't get it... Any tips? Thanks for any help.

          regards
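
An added example, not part of the original posts: it signs the same root element with and without a stylesheet processing instruction and compares the reference digest for `URI=""` (whole document) against `URI="#root"` (root element only). The class name `PiDigestDemo`, the sample document, the `Id` attribute, `view.xsl` and the throwaway RSA key are constructed for illustration, and SHA-256 is used where the post uses SHA-1.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class PiDigestDemo {
    // Constructed sample input: the same root element, with and without a stylesheet PI.
    static final String ROOT = "<doc Id=\"root\"><item>42</item></doc>";
    static final String PI = "<?xml-stylesheet type=\"text/xsl\" href=\"view.xsl\"?>";

    // Signs xml with a single enveloped reference to uri; returns the Base64 digest value.
    static String digest(XMLSignatureFactory fac, KeyPair kp, String xml, String uri) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Reference ref = fac.newReference(uri,
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        // No DTD or schema here, so register Id as an ID attribute to let "#root" resolve.
        dsc.setIdAttributeNS(doc.getDocumentElement(), null, "Id");
        fac.newXMLSignature(si, null).sign(dsc);
        return Base64.getEncoder().encodeToString(ref.getDigestValue());
    }

    public static void main(String[] args) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        for (String uri : new String[] {"", "#root"}) {
            boolean same = digest(fac, kp, ROOT, uri).equals(digest(fac, kp, PI + ROOT, uri));
            System.out.printf("URI=\"%s\": digest %s when the PI is added%n", uri, same ? "unchanged" : "changes");
        }
    }
}
```

With `URI=""` the digest input is the canonicalized document, and inclusive C14N emits processing instructions that sit outside the root element, so a verifier that drops or reorders the PI before validating computes a different digest.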