Signature of xml documents with prefixes

#34871
Posted: 10/22/2015 12:50:45
by Andrés Ernesto Guevara (Basic support level)
Joined: 10/22/2015
Posts: 1

Hi.

Currently I’m evaluating SecureBlackbox for Java to digitally sign XmlDocuments using XmlDigitalSignature.

I have found a problem signing documents that use namespaces with prefixes. The calculated DigestValue is correct but the SignatureValue is incorrect.

For documents without prefixes the generated signature is always correct.

For this sample document:

Code
<Test xmlns:pfx="http://www.w3.org"></Test>


The generated signature with SecureBlackbox is:
Code
<Signature Id="SignatureSP" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>NAqT9FkAssc5v9sm1KM8doYYiW8=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>hwAe5dvmgfMqCXudfKEvc4uIvp8YsLePudwWPbkt46g5It+EVDp9/KwoDdSfs2FsYkq507+4oJuo69V8zIeP529PybzKKq63TpUNf6+aaFG8cgqeOm/d0/R7vcG/1SdHFQvSvEiVzga6WzLEKoCttLx3qFyXWqlu57/hfdgCqYMA7+llFzpS5cNJA7Utf9gg2f8r8wvtVhjLf+X63IvzmP7Z2CI0ZSc9lZkvIMwbhSdPiiIcYZBKxwVye7m7FL0WailVp/6ygF9NtyC/z6kyxHeuG+tvbFNVSZsJ9Y7ed+PgSzit09Dpu5pp/z88sz+ErdsUrSyZGa8i0kVJjZePovduxajoYeMq4aQRWJby86A/U/cVPO4jKPSACASDYgAi3HjA0gdwYNGAuIGu3ZedO84/JENuwE7XIWtIVlUFIsVHp4ELV3KL86qSUVBrRP/Y2bZqK/iTq+4q9W9/slGo...T77u/NfKzzxobc3o4TGVeHhFaaJnGAYowBzY+QNDDMcdGDQdZADMbkgI7UBbfBV1mVWmotfyef49QygW9t5w4d97hL2l5TnHW8hv/Vpk381jIVUoMKqibTCT1fmCYp7xpF+RV10SIHO80FKUoIPt+Ig2zkU=</SignatureValue>
</Signature>


But the expected signature is:

Code
<Signature Id="SignatureSP" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>NAqT9FkAssc5v9sm1KM8doYYiW8=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>mrpw59LrD0PQZlccAqO2aGpJpKOv+V7EYt89mTgfFwdI/GcA+H38c1GzzENDEXLpRvwmXR5CfjB6XyS+Xy2XLGvQ8AVqJejtCtijYNzMmAheniUuV+f+Gu+9XmB...eHsS/ORWVDLohvx+PW6kzsb9+tZqgC/QcCn63AWIN+2D7Fh0Jbno+NRP0SZI0h7t5a8/i9v83dd6Hted/qxTV9AAPgMtTfI+AHh0...uGIN+iCYclszgFNkFY42agQ6lDw83TjZoAHxcQ1t8iO3cpl+X1+f0LCtVfsHgRq1DQTKq7OLyeHVlZ6zArlZuGwjw5GEqY/PZs0Wb2hiz2sxwcCLB5yyJz1ur6Zda36ItWC+D7ArAzldZozCkEYnjizegxbASyaNORmyESWaRuWMH8OOCnu7+JyvD4XqSaavBIQVQSlwp3vg0gttdMSrl+CBjEcX/TilyyPVqtLELRZoBasO+r9dtwHfkk3Tc40SBdt9L6AKwntaM0PAs3EQnWApN+C4wVvM1l7iGk3twxAVnTSNiwvopr0u4P7rAllP87N3We6jGSuTiI52m6snU=</SignatureValue>
</Signature>


Is there any option that I need to set on the TElXMLSigner object to be able to handle the namespace prefixes?

Thanks in advance
#34873
Posted: 10/22/2015 13:20:03
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

Quote
I have found a problem signing documents that use namespaces with prefixes. The calculated DigestValue is correct but the SignatureValue is incorrect.

The SignatureValue depends on the signing certificate, signed data (SignedInfo element contents, also whitespace formatting of this element is important) and where the signature is placed. Without matching those criteria you should not compare SignatureValue.
If signatures are exactly the same, then could you please attach those signed XML files and your sample code for signing that we could use to reproduce the issue locally? Please use Helpdesk ( https://www.eldos.com/helpdesk/ ) to post the documents to us privately.
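
Added example (not part of the thread, and not SecureBlackbox or EldoS code): a simplified inclusive C14N 1.0 subtree canonicalizer, written for this illustration, applied to a constructed, reduced SignedInfo. It shows which differences between two signed files change the bytes that rsa-sha1 signs (whitespace inside SignedInfo, and namespace declarations inherited from where the Signature sits, such as xmlns:pfx on the root) and which do not (a redundant xmlns on SignedInfo, "/>" versus " />"). The helper names and the sample() document are assumptions; comments and processing instructions are not handled.

```python
import hashlib
from xml.dom import minidom
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def _esc(s, attr=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace("\r", "&#xD;")
    if attr:
        return s.replace('"', "&quot;").replace("\t", "&#x9;").replace("\n", "&#xA;")
    return s.replace(">", "&gt;")

def _decls(el):
    return {("" if n == "xmlns" else n[6:]): v for n, v in el.attributes.items()
            if n == "xmlns" or n.startswith("xmlns:")}

def _inherited(el):
    # Namespaces in scope at el because of its ancestors (nearest declaration wins).
    p = el.parentNode
    if p is None or p.nodeType != p.ELEMENT_NODE:
        return {}
    return {**_inherited(p), **_decls(p)}

def c14n(el, parent_scope=None):
    """Simplified inclusive C14N 1.0 of an element subtree (comments and PIs dropped)."""
    scope = {**(_inherited(el) if parent_scope is None else parent_scope), **_decls(el)}
    out = "<" + el.tagName
    for p, u in sorted(scope.items()):                # default namespace sorts first
        if (parent_scope or {}).get(p, "") != u:      # emit only what the output parent lacks
            out += ' xmlns%s="%s"' % (":" + p if p else "", _esc(u, True))
    attrs = sorted((a for a in el.attributes.values() if a.name.split(":")[0] != "xmlns"),
                   key=lambda a: (a.namespaceURI or "", a.localName))
    out += "".join(' %s="%s"' % (a.name, _esc(a.value, True)) for a in attrs) + ">"
    for c in el.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            out += c14n(c, scope)
        elif c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE):
            out += _esc(c.data)
    return out + "</" + el.tagName + ">"

def canonical_signed_info(xml):
    return c14n(minidom.parseString(xml).getElementsByTagNameNS(DSIG, "SignedInfo")[0])

def signed_info_digest(xml):
    # SHA-1 of the canonical bytes: this is what the rsa-sha1 SignatureValue covers.
    return hashlib.sha1(canonical_signed_info(xml).encode("utf-8")).hexdigest()

def sample(root_ns="", si_ns="", close=" />", pad=""):
    # Constructed document: a reduced SignedInfo inside a <Test> root (not the poster's file).
    si = '<SignedInfo%s>%s<SignatureMethod Algorithm="%srsa-sha1"%s</SignedInfo>' % (si_ns, pad, DSIG, close)
    return '<Test%s><Signature xmlns="%s">%s</Signature></Test>' % (root_ns, DSIG, si)
```

Comparing signed_info_digest() for two files before comparing their SignatureValue tells you whether the two signers signed the same SignedInfo bytes at all.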
