This discussion is archived
1 2 Previous Next 16 Replies Latest reply: Aug 23, 2013 1:40 AM by user12855384 Go to original post RSS
  • 15. Re: validation of xml signature
    davigp Newbie
    Currently Being Moderated
    As said the signature is not valid because the signature algorithm is not compatible with the digital certificate used.

    The change in the distribution of JRE 7 is correct.

    The alternative of using the BouncyCastle Provider allows to verify the signature without detecting this problem using JRE 7.
    To add the Provider just add the library "bcprov.jar" to the classpath and the line "Security.insertProviderAt (new BouncyCastleProvider (), 1);" before the cryptographic verification.

    To perform the verification correctly with JRE 6 is a bit more complicated, but will study a solution to this

    Edited by: davigp on 24/04/2013 13:38
  • 16. Re: validation of xml signature
    user12855384 Newbie
    Currently Being Moderated

    Hi --

    A comment regarding: "This error occurs because the signature algorithm specified in the signer's digital certificate is different from the algorithm used in the XML signature (xmldsig # rsa-sha1)".

     

    The signature algorithm specified in the signer's digital certificate refers to the algorithm used by the CA to sign the signer's digital certificate. That signature algorithm has nothing to do with the algorithm specified in the SignedInfo of a XMLDSig. What should be checked is that the "type" of the public key contained on the signer's digital certificate matches the "signature part" of the signature algorithm specified in SignedInfo, e.g. if we have '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">', then we should check that the used certificate for verification contains a RSA public key, which is the usual case. Moreover, other checks are normally necessary in order to be able to choose the right certificate out of the XML signature, e.g., if the certificate chain is included. These checks are e.g., that IssuerSerial and/or SubjectName and/or SKI matches.

     

    Regards.

1 2 Previous Next

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points