[xmlsec] problem verifying a signature created by .net framework

Shihai Wei swei at ebsquared.com.au
Wed Nov 17 17:21:39 PST 2004


The code I use did not give any error message other then telling me
verification is failed, following is the code segment I used to verify the
signature:

avax.xml.parsers.DocumentBuilderFactory dbf =
 
javax.xml.parsers.DocumentBuilderFactory.newInstance();

dbf.setNamespaceAware(true);
 
dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);

javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
db.setErrorHandler(new
org.apache.xml.security.utils.IgnoreAllErrorHandler());

//org.w3c.dom.Document doc = envelope.getAsDocument();
CachedXPathAPI xpathAPI = new CachedXPathAPI();
Element nsctx = doc.createElement("nsctx");
nsctx.setAttribute("xmlns:ds",
org.apache.xml.security.utils.Constants.SignatureSpecNS);

Element sigElement = (Element) xpathAPI.selectSingleNode(doc,
                                               "//ds:Signature", nsctx);
Init.init();
XMLSignature signature = new XMLSignature(sigElement,
"http://service.ws.eb2.com");

 
org.apache.xml.security.utils.XMLUtils.outputDOMc14nWithComments(signature.g
etElement(), System.out);
                    //X509Certificate cert =
(X509Certificate)ks.getCertificate(Constants.CERTIFICATEALIAS);
CertificateStore cStore = new CertificateStore();
X509Certificate cert = cStore.getCertificate(alias);
if (cert == null) {
    throw new ServiceSecurityException("Certificate is not found");
}
else if(!signature.checkSignatureValue(cert)) {
    throw new ServiceSecurityException("Verification of signature is
failed");
}

The code throws 'ServiceSecurityException' with message says ("Verification
of signature is failed".

The output I get from on-line verifier
(http://www.dotnet247.com/247reference/a.aspx?u=http://www.aleksey.com/xmlse
c/xmldsig-verifier.html) for .net request is following:

func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=164:obj=sha1:subj=unkn
own:error=12:invalid data:data and digest do not match
RESULT: Signature is INVALID
---------------------------------------------------
= VERIFICATION CONTEXT
== Status: invalid
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000000
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: invalid
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature
(href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0

I did not code a .net web service so not sure whether it can be verified by
.net itself, following is the .net code segment used to sign the request:

XmlDocument doc = new XmlDocument();
newStream.Position = 0;
doc.Load(newStream);
					
SignedXml signer = new SignedXml(doc);

log.Debug("Find RSA key");
PfxKeyStore keyStore = new PfxKeyStore();
string pfxfilename = "C:\\Inetpub\\wwwroot\\web\\eb2.p12";
string pswd = "soptfe";
if(!keyStore.LoadPfx(pfxfilename, ref pswd))
{
	throw new EB2Exception("Failed to load the key store file:
"+pfxfilename);
}
//log.Debug("Certificate: "+keyStore.cert.ToString(true));
log.Debug("Key store info: "+keyStore.ToString());
CspParameters csp = keyStore.getCryptoServiceProvider();
RSA key = new RSACryptoServiceProvider(csp);
signer.KeyInfo = new KeyInfo();
signer.KeyInfo.AddClause(new RSAKeyValue(key));
signer.SigningKey = key;

log.Debug("Create reference");
Reference bodyRef = new Reference();
bodyRef.Uri = "";
bodyRef.AddTransform(new XmlDsigEnvelopedSignatureTransform());
signer.AddReference(bodyRef);

log.Debug("Compute sgnature");
signer.ComputeSignature();
doc.DocumentElement.AppendChild(signer.GetXml());
newStream = new MemoryStream();
doc.Save(newStream);

Regards,
Shihai

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Thursday, 18 November 2004 12:03 PM
To: Shihai Wei
Cc: xmlsec at aleksey.com
Subject: Re: [xmlsec] problem verifying a signature created by .net
framework

It's very hard to say something w/o more details:
1) What is the error message from xmlsec for .NET requests?
2) Can you verify the .NET request with .NET itself?

Aleksey






More information about the xmlsec mailing list