0 Replies Latest reply: Mar 27, 2012 12:15 AM by 799301 RSS

    XML Signature validation failing

    799301
      My Signature validation is failing. I am using the below code


      public Boolean isValidSignedXML(String fileName) {

      try {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.setNamespaceAware(true);
      org.w3c.dom.Document doc =
      dbf.newDocumentBuilder().parse(new FileInputStream(fileName));

      // NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
      NodeList nl = doc.getElementsByTagName("Signature");
      if (nl.getLength() == 0) {
      validationBean.setMessage("Signature not found in uploaded XML.");
      msg = false;
      }

      // Create a DOMValidateContext and specify a KeySelector
      // and document context.
      System.out.println("Before KeySelector");
      KeySelector keySelector = new KeySelector() {
      KeySelectorResult ksResult;
      @Override
      public KeySelectorResult select(KeyInfo keyInfo,
      Purpose purpose,
      AlgorithmMethod method,
      XMLCryptoContext context) throws KeySelectorException {
      Iterator ki = keyInfo.getContent().iterator();
      while (ki.hasNext()) {
      XMLStructure info = (XMLStructure)ki.next();
      if (!(info instanceof X509Data)) {
      continue;
      }
      X509Data x509Data = (X509Data)info;
      Iterator xi = x509Data.getContent().iterator();
      while (xi.hasNext()) {
      Object o = xi.next();
      if (!(o instanceof X509Certificate)) {
      continue;
      }
      final PublicKey key =
      ((X509Certificate)o).getPublicKey();
      notAfter = ((X509Certificate)o).getNotAfter();
      serialNo =
      ((X509Certificate)o).getSerialNumber();
      validationBean.setSerialNo(serialNo);
      System.out.println(serialNo);
      // Make sure the algorithm is compatible
      // with the method.
      if (algEquals(method.getAlgorithm(),
      key.getAlgorithm())) {
      ksResult = new KeySelectorResult() {
      public Key getKey() {
      return key;
      }
      };
      }
      }
      }
      //throw new KeySelectorException("No key found!");
      return ksResult;
      }

      private boolean algEquals(String algURI, String algName) {
      if ((algName.equalsIgnoreCase("DSA") &&
      algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) ||
      (algName.equalsIgnoreCase("RSA") &&
      algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
      return true;
      } else {
      return false;
      }
      }
      };

      DOMValidateContext valContext =
      new DOMValidateContext(keySelector, nl.item(0));
      // Unmarshal the XMLSignature.
      //XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
      XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", new org.jcp.xml.dsig.internal.dom.XMLDSigRI());

      valContext.setProperty("javax.xml.crypto.dsig.cacheReference",
      Boolean.TRUE);
      // Unmarshal the XMLSignature.
      XMLSignature signature = fac.unmarshalXMLSignature(valContext);
      // Validate the XMLSignature.
      boolean coreValidity = signature.validate(valContext);

      Iterator i = signature.getSignedInfo().getReferences().iterator();
      /*for (int j = 0; i.hasNext(); j++) {
      InputStream is = ((Reference) i.next()).getDigestInputStream();
      // Display the data.
      System.out.println(is);
      }*/

      //XMLSignature signature = fac.unmarshalXMLSignature(valContext);

      // Validate the XMLSignature.
      //boolean coreValidity = signature.validate(valContext);
      if (coreValidity == false) {
      msg = false;
      validationBean.setMessage("Illegal change or modification performed over the uploaded XML.");
      boolean sv =
      signature.getSignatureValue().validate(valContext);
      String msg1 = "signature validation status: " + sv;
      if (sv == false) {
      // Check the validation status of each Reference.
      Iterator i1 =
      signature.getSignedInfo().getReferences().iterator();
      for (int j = 0; i1.hasNext(); j++) {
      boolean refValid =
      ((Reference)i1.next()).validate(valContext);
      msg1 = msg1 + "ref[" + j + "] validity status: " + refValid;
      }
      } else {
      Iterator i1 =
      signature.getSignedInfo().getReferences().iterator();
      for (int j = 0; i1.hasNext(); j++) {
      boolean refValid =
      ((Reference)i1.next()).validate(valContext);
      msg1 = msg1 + " ref[" + j + "] validity status: " + refValid;
      }
      }
      System.out.println(msg1);
      } else {
      /*
      * Check the serialNo with registered Serial No of the certificate and
      * notAfter with current system date.
      * notAfter should not be before the current system date and serialNo
      * should be same with registered serial number.
      */
      if (notAfter.after(new Date())) {
      msg = true;
      validationBean.setMessage("Validation passed.");
      } else {
      msg = false;
      validationBean.setMessage("XML signed by an expired certificate.");
      }

      }
      } catch(Exception exception){
      exception.printStackTrace();
      }
      finally {
      return msg;
      }
      }



      The XML signature it is validating is below:


      - <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      - <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      - <Reference URI="">
      - <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>f0imgY9rVeoa5yPIQTXSP8SMmiM=</DigestValue>
      </Reference>
      </SignedInfo>
      <SignatureValue>jkZYV7mtB34L1JpU8YpPhSZ5mIKKLFZ8t09e2RRFT36P62XDVySSG84QVMC2CMcg8pW1jlgKxWy9 ZAOglzPXdDj/ucNN5HFfdOVlaGkl/IIldYeVA1ibPA48YBLmoA0FyQae3No/8f3bxWe4NdElzuyr SWCtlnE5yrU/CT8qEnw82/joJEGLy8LvwYx7tiO4swBVz5WANZHYb2Y8bVyMWtMFHQdqjDo6jxiT iuJ7n+ygLAa1YouoqNzgXi03ZQKjNWbCFXt3uvtOgWtTydmXO13jtuWgU2yXd+VENWVYwyn64iyv PXLpLDbS08HYsWwG/n4q4nc6onjACkDdkACHFw==</SignatureValue>
      - <KeyInfo>
      - <X509Data>
      <X509SubjectName>CN=TESTDSC CLASSTWO,ST=Gujarat,2.5.4.17=#1306333932303135,OU=CID - 1326328,OU=Marketing,O=Gujarat Narmada Valley Fertilizers Company Limited,C=IN</X509SubjectName>
      <X509Certificate>MIIGKTCCBRGgAwIBAgIERpuYkzANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQGEwJJTjESMBAGA1UE ChMJSW5kaWEgUEtJMS8wLQYDVQQLEyYobilDb2RlIFNvbHV0aW9ucyBDZXJ0aWZ5aW5nIEF1dGhv cml0eTEaMBgGA1UEAxMRKG4pQ29kZSBTb2x1dGlvbnMwHhcNMTEwOTA2MTE1NjEzWhcNMTIwOTA2 MTIyNjEzWjCBtDELMAkGA1UEBhMCSU4xOzA5BgNVBAoTMkd1amFyYXQgTmFybWFkYSBWYWxsZXkg RmVydGlsaXplcnMgQ29tcGFueSBMaW1pdGVkMRIwEAYDVQQLEwlNYXJrZXRpbmcxFjAUBgNVBAsT DUNJRCAtIDEzMjYzMjgxDzANBgNVBBETBjM5MjAxNTEQMA4GA1UECBMHR3VqYXJhdDEZMBcGA1UE AxMQVEVTVERTQyBDTEFTU1RXTzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzn8SR2 gGijrvlrfuvF1VXw20D0guw7toeq4HEErWaLq5xL+ETaJ7fpwjWRGCMXgxDCgeymPT3lpOXBMVQg qy1qpn97Ci0Zl1vh/vLMcddpa8zY2jdgKtxGYotQtMWqMgDrN7AxJ6LswYovw3otuqTdREM7D/3Q ocDzVNt4ocPCt2jO5pKizfHiLw/e4CpGpvw85eg7BrbkkQU/uyJUsdQjSnB2HXhOd8pILjUESCvh SJ6Dzub63ja4n996/b41PjMlbdFPnRjyrdY0+1ktkBrB2GIPN7ShJTiEKKXa8vjQ2+wv6i34uZmX j05WvSZYwsvIRBxkOtPDLtcDN3lH9H8CAwEAAaOCAoYwggKCMA4GA1UdDwEB/wQEAwIGwDArBgNV HRAEJDAigA8yMDExMDkwNjExNTYxM1qBDzIwMTIwOTA2MTIyNjEzWjCBmQYDVR0gBIGRMIGOMIGL BgZggmRkAgIwgYAwfgYIKwYBBQUHAgIwchpwQ2xhc3MgSUkgY2VydGlmaWNhdGVzIHVzZWQgZm9y IHdlYiBmb3JtIHNpZ25pbmcsIHdlYiBmb3JtIGF1dGhlbnRpY2F0aW9uIGFuZCBzaWduaW5nIG90 aGVyIGxvdyByaXNrIHRyYW5zYWN0aW9uczApBgNVHSUEIjAgBggrBgEFBQcDAgYIKwYBBQUHAwQG CisGAQQBgjcKAwwwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdvY3NwLm5jb2Rlc29sdXRp b25zLmNvbTAdBgNVHREEFjAUgRJuZ3RyaXZlZGlAbmNvZGUuaW4wgdgGA1UdHwSB0DCBzTCBiqCB h6CBhKSBgTB/MQswCQYDVQQGEwJJTjESMBAGA1UEChMJSW5kaWEgUEtJMS8wLQYDVQQLEyYobilD b2RlIFNvbHV0aW9ucyBDZXJ0aWZ5aW5nIEF1dGhvcml0eTEaMBgGA1UEAxMRKG4pQ29kZSBTb2x1 dGlvbnMxDzANBgNVBAMTBkNSTDg4MjA+oDygOoY4aHR0cHM6Ly93d3cubmNvZGVzb2x1dGlvbnMu Y29tL3JlcG9zaXRvcnkvbmNvZGVjcmxjMS5jcmwwEwYDVR0jBAwwCoAITMKCwl4UqDYwHQYDVR0O BBYEFOhJSB4i2PN4fhHEuRzo7kN2m/frMBkGCSqGSIb2fQdBAAQMMAobBFY3LjEDAgOoMA0GCSqG SIb3DQEBBQUAA4IBAQA4Zyp0A1cEQd6m2ZV5hD51U26ayh0Bmzn33sbmHwvmKbyE/biQyJusuuRO axcNx8uy8F3pjD7wIunfKy2vaeSswqjwUqY/o1ZItFcAoz8hVPTZWnvQ494yerlurqp7WazMKY/T Ad0r0ozAhhR7DNZ6U7OUzx6NfE2nSb6qlneV/RwsZfJ195XCYpUm8Tz9EuIcu8Q+VTmYftYK2UA6 CmR3oLUGHQHecSHqB/gFSgaEu/Q7Ux2Fw2icdV2sGPoF56NhJ8EqRaD/Hb2/x4c+T/UuUfojB+1b rr0uSAnIajZQOYHHdlgjTsrow/KQ9eJt7UdzOSeQa75gd5luKyAW0CEI</X509Certificate>
      </X509Data>
      </KeyInfo>
      </Signature>

      boolean coreValidity = signature.validate(valContext);

      The coreValidity value is comming as false

      Could any one help.

      Thanks in advance.

      !! It is little urgent....