16 Replies. Latest reply: Aug 23, 2013 3:40 AM by user12855384

    validation of xml signature

    974599
      Hello to all,
      I have a Java application which verifies XML signatures using standard Java libraries; the XML documents come from 3rd parties.
      This application works properly with Java 6 but it fails with Java 7.
      Returned exception is
      Exception: javax.xml.crypto.dsig.XMLSignatureException Message: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256
      Example of <Signature> element below, certificate is included in XML document.
      Does anybody know a reason for, or any solution to, this incompatibility?
      Thanks
      Pavel

      <Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>
      <SignedInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
      <CanonicalizationMethod Algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315'/>
      <SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
      <Reference URI='#9e9d906b-fd9d-46a8-bc02-cd5f51520f41'>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>eQ3tygBwApTPgtOqXcZlmKe8Bng=</DigestValue>
      </Reference>
      </SignedInfo>
      <SignatureValue>IcfckRDIVE/vC5JmEi87It3erSe8ShkXl9QK0UTxPDd4CzVDnBTmGFlrQipxEGHReqj4bZ9/
      E021iGJq3mBqxLDCK11/Mv3BTEEHCaxgiR+mKpwgz7BTlVX1QkaFkq/AhhFYJBrYlBfURb86
      nTKfDfC+DYn2ig8ewOwsMC5TPrg=</SignatureValue>
        • 1. Re: validation of xml signature
          smullan
          See http://joinup.ec.europa.eu/software/sd-dss/issue/lotl-signer-has-changed-dss-unable-verify-and-crashes-w/java-17 for a similar issue. It sounds like you may have to update the certificate you are using to validate the signature.
          • 2. Re: validation of xml signature
            EJP
            That doesn't even begin to make sense. The certificate used to verify the signature is embedded in the XML document.
            • 3. Re: validation of xml signature
              974599
              Exactly, any update of the certificate does not make sense. The certificate comes with the XML document.
              • 4. Re: validation of xml signature
                EJP
                Thanks for repeating what I said almost verbatim. Did you have a contribution of your own to make?
                • 5. Re: validation of xml signature
                  sabre150
                  What am I missing? Even if the certificate comes as part of the XML signature document, the certificate's signature needs to be checked for validity. It looks to me like that's the signature validation that is failing.
                  • 6. Re: validation of xml signature
                    974599
                    No idea. I lost a lot of time with this problem already - tested on Windows and Linux OS under both Java 6 and Java 7. Always the same result - it works with Java 6 and does not work with Java 7 (1.7_09).
                    If anybody is interested in it, I can send the relevant code and a file with the XML document.
                    • 7. Re: validation of xml signature
                      EJP
                      I was referring to @user9162512's contribution.
                      • 8. Re: validation of xml signature
                        davigp
                        This error occurs because the signature algorithm specified in the signer's digital certificate is different from the algorithm used in the XML signature (xmldsig#rsa-sha1). This check was added in the implementation of the native SunRsaSign provider distributed with JRE 7.

                        JDK6 - http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/rsa/RSASignature.java#186
                        JDK7 - http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7-b147/sun/security/rsa/RSASignature.java#187

                        The recommended solution is to re-sign the files with the same signature algorithm associated with the key of the signer. Another solution is to use another cryptographic provider, such as BouncyCastle, which does not perform this check, but with this approach it is likely that other signature verifiers will identify this same inconsistency.

                        Sample code to register the BouncyCastle provider: Security.insertProviderAt(new BouncyCastleProvider(), 1);

                        I hope I helped, if there is interest I can look at the code responsible for generating the signature and suggest solutions.

                        Mod: Link removed.

                        Best regards,
                        Davi Garcia Pereira.

                        Edited by: PhHein on 23.04.2013 16:10
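
Added example, not code from any poster or from the JDK: the exception in the original post compares the signature's byte length with the length expected for the key, and for RSA that expected length is the modulus size in bytes, so the same condition can be tested directly on Java 6 as well as Java 7. The class name, method names and the run-time generated keys are assumptions made for the illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;

public class RsaSignatureLengthCheck {

    /** Byte length of the RSA modulus, the only valid signature length for this key. */
    static int expectedSignatureLength(RSAPublicKey key) {
        return (key.getModulus().bitLength() + 7) / 8;
    }

    /**
     * Returns null when the signature length matches the key, otherwise a
     * description of the mismatch. Non-RSA keys are reported, not guessed at.
     */
    static String lengthMismatch(PublicKey key, byte[] signatureValue) {
        if (!(key instanceof RSAPublicKey)) {
            return "not an RSA key: " + key.getAlgorithm();
        }
        int expected = expectedSignatureLength((RSAPublicKey) key);
        if (signatureValue.length == expected) {
            return null;
        }
        return "signature is " + signatureValue.length + " bytes, key expects " + expected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: two throwaway key pairs generated at run time.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(1024);
        KeyPair signer = gen.generateKeyPair();
        gen.initialize(2048);
        KeyPair other = gen.generateKeyPair();

        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(signer.getPrivate());
        s.update("constructed SignedInfo bytes".getBytes("UTF-8"));
        byte[] sig = s.sign();

        // First call uses the signer's own key; the second pairs the 1024-bit
        // signature with a 2048-bit key, the same shape of mismatch as in the thread.
        System.out.println("signer key: " + lengthMismatch(signer.getPublic(), sig));
        System.out.println("other key:  " + lengthMismatch(other.getPublic(), sig));
    }
}
```

In an XML-DSig verifier the two inputs would be the public key of the certificate embedded in the document and the bytes returned by XMLSignature.getSignatureValue().getValue().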
                        • 9. Re: validation of xml signature
                          PhHein
                          Davi, don't draw discussion away from the forums, please, and refrain from personal requests. Next time you post to a thread make sure to check the original post date, to avoid zombie resurrections. Thanks.
                          • 10. Re: validation of xml signature
                            davigp
                            I replied to this thread because I know people who are still blocked with this same problem in different continents.

                            Sorry about my request, I believe it would be very interesting if it were possible through the Oracle forum to evaluate the abilities of users by their collaborations.
                            • 11. Re: validation of xml signature
                              PhHein
                              davigp wrote:
                              I replied to this thread because I know people who are still blocked with this same problem in different continents.
                              That's why I haven't removed your reply.
                              I believe it would be very interesting if it were possible through the Oracle forum to evaluate the abilities of users by their collaborations.
                              Nope, sorry.
                              • 12. Re: validation of xml signature
                                gimbal2
                                davigp wrote:
                                Sorry about my request, I believe it would be very interesting if it were possible through the Oracle forum to evaluate the abilities of users by their collaborations.
                                What collaborations exactly? That would imply working together, which you generally don't do.
                                • 13. Re: validation of xml signature
                                  1005278
                                  Hi davigp. I have the same problem but I can't change the version of Java (1.6 for 1.7)
                                  and I need to catch this inconsistency using Java 1.6, but I don't know how.
                                  Thanks for help!
                                  • 14. Re: validation of xml signature
                                    davigp
                                    gimbal2 wrote:
                                    What collaborations exactly? That would imply working together, which you generally don't do.
                                    I wanted to mention the contributions given in replies from forum users.