16 Replies. Latest reply: Aug 23, 2013 1:40 AM by user12855384

validation of xml signature

974599 Newbie
Hello to all,
I have a Java application which verifies XML signatures using standard Java libraries; the XML documents come from third parties.
This application works properly with Java 6 but it fails with Java 7.
Returned exception is
Exception: javax.xml.crypto.dsig.XMLSignatureException Message: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256
An example of the <Signature> element is below; the certificate is included in the XML document.
Does anybody know a reason for, or any solution to, this incompatibility?
Thanks
Pavel

<Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>
<SignedInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
<CanonicalizationMethod Algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315'/>
<SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
<Reference URI='#9e9d906b-fd9d-46a8-bc02-cd5f51520f41'>
<DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
<DigestValue>eQ3tygBwApTPgtOqXcZlmKe8Bng=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>IcfckRDIVE/vC5JmEi87It3erSe8ShkXl9QK0UTxPDd4CzVDnBTmGFlrQipxEGHReqj4bZ9/
E021iGJq3mBqxLDCK11/Mv3BTEEHCaxgiR+mKpwgz7BTlVX1QkaFkq/AhhFYJBrYlBfURb86
nTKfDfC+DYn2ig8ewOwsMC5TPrg=</SignatureValue>
  • 1. Re: validation of xml signature
    smullan Newbie
    See http://joinup.ec.europa.eu/software/sd-dss/issue/lotl-signer-has-changed-dss-unable-verify-and-crashes-w/java-17 for a similar issue. It sounds like you may have to update the certificate you are using to validate the signature.
  • 2. Re: validation of xml signature
    EJP Guru
    That doesn't even begin to make sense. The certificate used to verify the signature is embedded in the XML document.
  • 3. Re: validation of xml signature
    974599 Newbie
    Exactly, any update of the certificate does not make sense. The certificate comes with the XML document.
  • 4. Re: validation of xml signature
    EJP Guru
    Thanks for repeating what I said almost verbatim. Did you have a contribution of your own to make?
  • 5. Re: validation of xml signature
    sabre150 Expert
    What am I missing? Even if the certificate comes as part of the XML signature document, the certificate's signature needs to be checked for validity. It looks to me like that's the signature validation that is failing.
  • 6. Re: validation of xml signature
    974599 Newbie
    No idea. I have lost a lot of time with this problem already - tested on Windows and Linux under both Java 6 and Java 7. Always the same result - it works with Java 6 and does not work with Java 7 (1.7_09).
    If anybody is interested, I can send the relevant code and a file with the XML document.
  • 7. Re: validation of xml signature
    EJP Guru
    I was referring to @user9162512's contribution.
  • 8. Re: validation of xml signature
    davigp Newbie
    This error occurs because the signature algorithm specified in the signer's digital certificate is different from the algorithm used in the XML signature (xmldsig#rsa-sha1). This check was added in the implementation of the native provider SunRsaSign distributed with JRE 7.

    JDK6 - http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/rsa/RSASignature.java#186
    JDK7 - http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7-b147/sun/security/rsa/RSASignature.java#187

    The recommended solution is to re-sign the files with the same signature algorithm associated with the key of the signer. Another solution is to use another cryptographic provider, such as BouncyCastle, which does not perform this check, but this way it is likely that other signature verifiers will identify this same inconsistency.

    Sample code to register the BouncyCastle provider: Security.insertProviderAt(new BouncyCastleProvider(), 1);

    I hope I helped, if there is interest I can look at the code responsible for generating the signature and suggest solutions.

    Mod: Link removed.

    Best regards,
    Davi Garcia Pereira.

    Edited by: PhHein on 23.04.2013 16:10
  • 9. Re: validation of xml signature
    PhHein Guru Moderator
    Davi, don't draw discussion away from the forums, please, and refrain from personal requests. Next time you post to a thread make sure to check the original post date, to avoid zombie resurrections. Thanks.
  • 10. Re: validation of xml signature
    davigp Newbie
    I replied to this thread because I know people who are still blocked with this same problem in different continents.

    Sorry about my request, I believe it would be very interesting if, through the Oracle forum, it were possible to evaluate the abilities of users by their collaborations.
  • 11. Re: validation of xml signature
    PhHein Guru Moderator
    davigp wrote:
    I replied to this thread because I know people who are still blocked with this same problem in different continents.
    That's why I haven't removed your reply.
    I believe it would be very interesting if, through the Oracle forum, it were possible to evaluate the abilities of users by their collaborations.
    Nope, sorry.
  • 12. Re: validation of xml signature
    gimbal2 Guru
    davigp wrote:
    Sorry about my request, I believe it would be very interesting if, through the Oracle forum, it were possible to evaluate the abilities of users by their collaborations.
    What collaborations exactly? That would imply working together, which you generally don't do.
  • 13. Re: validation of xml signature
    1005278 Newbie
    Hi davigp. I have the same problem, but I can't change the version of Java (1.6 for 1.7),
    and I need to catch this inconsistency using Java 1.6, but I don't know how.
    Thanks for the help!
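
The exception in the original post compares the length of the SignatureValue (128 bytes) with the length expected for the verification key (256 bytes). The following is an added example, not code from this thread or from the JDK, that makes the same comparison before verification and compiles on Java 6. It assumes the expected length is the byte length of the RSA modulus; the class and method names are hypothetical, and the key pairs and signed bytes are constructed.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.RSAPublicKey;

public class RsaSignatureLengthCheck {

    /** Byte length of the RSA modulus: 128 for a 1024-bit key, 256 for a 2048-bit key. */
    static int modulusByteLength(RSAPublicKey key) {
        return (key.getModulus().bitLength() + 7) / 8;
    }

    /**
     * Rejects a signature whose length differs from the modulus length of the
     * verification key, before any cryptographic verification is attempted.
     */
    static void requireMatchingLength(byte[] signatureValue, PublicKey key)
            throws SignatureException {
        if (!(key instanceof RSAPublicKey)) {
            throw new SignatureException("Not an RSA key: " + key.getAlgorithm());
        }
        int expected = modulusByteLength((RSAPublicKey) key);
        if (signatureValue.length != expected) {
            throw new SignatureException("Signature length not correct: got "
                    + signatureValue.length + " but was expecting " + expected);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: sign with a 1024-bit key, then check the value
        // against that key and against an unrelated 2048-bit key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(1024);
        KeyPair signer = gen.generateKeyPair();
        gen.initialize(2048);
        KeyPair other = gen.generateKeyPair();

        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initSign(signer.getPrivate());
        sig.update("constructed SignedInfo bytes".getBytes("UTF-8"));
        byte[] value = sig.sign();

        requireMatchingLength(value, signer.getPublic()); // same key pair: lengths match
        try {
            requireMatchingLength(value, other.getPublic()); // different key size
        } catch (SignatureException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

In an XML signature validator, the same check would be applied to the decoded SignatureValue bytes and the public key taken from the embedded certificate.
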
  • 14. Re: validation of xml signature
    davigp Newbie
    gimbal2 wrote:
    What collaborations exactly? That would imply working together, which you generally don't do.
    I wanted to mention the contributions given in replies from forum users.