DO NOT REPLY [Bug 47758] New: Signature validation failure
https://issues.apache.org/bugzilla/show_bug.cgi?id=47758

Summary: Signature validation failure
Product: Security
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Signature
AssignedTo: security-dev@...
ReportedBy: bhupinder.saini@...

--- Comment #0 from bhupinder <bhupinder.saini@...> 2009-08-28 06:06:30 PDT ---
Created an attachment (id=24184)
base64 Encoded file

Hi

Can you please help to find the reason why the XMLSec lib is failing to validate the Signature, which passes the test successfully with JDK 6's built-in Signature verification.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
DO NOT REPLY [Bug 47758] Signature validation failure
https://issues.apache.org/bugzilla/show_bug.cgi?id=47758

--- Comment #1 from bhupinder <bhupinder.saini@...> 2009-08-28 06:10:49 PDT ---
Below is the code used with JDK 6 testing:

    // dbf (a DocumentBuilderFactory), byteArrayInputStream and KeyValueKeySelector
    // are defined elsewhere in the reporter's code and are not shown here.
    Document doc = dbf.newDocumentBuilder().parse(byteArrayInputStream);
    NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (nl.getLength() == 0) {
        System.out.println("0");
        return;
    }
    String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());
    // The KeySelector supplies the verification key from the KeyInfo inside the signature.
    DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
    XMLSignature signature = fac.unmarshalXMLSignature(valContext);
    signature.getSignatureValue().validate(valContext);
    boolean coreValidity = signature.validate(valContext);
    if (!coreValidity) {
        System.err.println("Signature failed");
    } else {
        System.out.println("Signature passed");
    }

******************************************************************

When I try to validate this signature with the xmlsecurity jar (I tried the latest, 1.4.3) it gives me the error:

    XMLSignature [WARN] Signature verification failed

The code snippet used for this:

    XMLSignature sig = null;

    public void verify(Key k) throws SAMLException {
        if (!isSigned()) {
            throw new InvalidCryptoException("SAMLSignedObject.verify() can't verify unsigned object");
        }
        try {
            // Validate the signature content by checking for specific Transforms.
            boolean valid = false;
            SignedInfo si = sig.getSignedInfo();
            if (si.getLength() == 1) {
                Reference ref = si.item(0);
                if (ref.getURI() == null || ref.getURI().equals("") || ref.getURI().equals("#" + getId())) {
                    Transforms trans = ref.getTransforms();
                    for (int i = 0; i < trans.getLength(); i++) {
                        if (trans.item(i).getURI().equals(Transforms.TRANSFORM_ENVELOPED_SIGNATURE)) {
                            valid = true;
                        } else if (!trans.item(i).getURI().equals(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS)) {
                            valid = false;
                            break;
                        }
                    }
                }
            }
            if (!valid) {
                throw new InvalidCryptoException("SAMLSignedObject.verify() detected an invalid signature profile");
            } else {
                log.debug("\n SAMLSignedObject is Valid for Id - " + getId());
            }

            // If k is null, try and find a key inside the signature.
            if (k == null) {
                if (sig_from_parse) {
                    k = sig.getKeyInfo().getPublicKey();
                } else {
                    // This is really ugly, but when the signature hasn't been fully built from a DOM,
                    // none of the interesting bits of keying material are reachable via the API.
                    // We have to serialize out the KeyInfo piece, and reparse it.
                    ByteArrayOutputStream out = new ByteArrayOutputStream();
                    Canonicalizer c = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
                    out.write(c.canonicalizeSubtree(sig.getElement().getLastChild()));
                    ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
                    KeyInfo temp = new KeyInfo(XML.parserPool.parse(in).getDocumentElement(), "");
                    k = temp.getPublicKey();
                }
            }

            // ----------------> verification fails on the next line
            if (!sig.checkSignatureValue(k)) {
                throw new InvalidCryptoException("SAMLSignedObject.verify() failed to validate signature value");
            }
        } catch (XMLSecurityException e) {
            throw new InvalidCryptoException("SAMLSignedObject.verify() detected an XML security exception: " + e.getMessage(), e);
        } catch (java.io.IOException e) {
            throw new InvalidCryptoException("SAMLSignedObject.verify() detected an I/O exception: " + e.getMessage(), e);
        } catch (SAXException e) {
            throw new InvalidCryptoException("SAMLSignedObject.verify() detected a XML parsing exception: " + e.getMessage(), e);
        }
    }

Verification fails here:

    ----------------> if (!sig.checkSignatureValue(k))
DO NOT REPLY [Bug 47758] Signature validation failure
https://issues.apache.org/bugzilla/show_bug.cgi?id=47758

--- Comment #2 from bhupinder <bhupinder.saini@...> 2009-08-28 06:26:07 PDT ---
Debug logs for XMLSec:

    2009-08-28 12:58:27 XMLSignature [DEBUG] SignatureMethodURI = http://www.w3.org/2000/09/xmldsig#rsa-sha1
    2009-08-28 12:58:27 SignatureAlgorithm [DEBUG] Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
    2009-08-28 12:58:27 JCEMapper [DEBUG] Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
    2009-08-28 12:58:27 SignatureBaseRSA [DEBUG] Created SignatureRSA using SHA1withRSA
    2009-08-28 12:58:27 XMLSignature [DEBUG] jceSigAlgorithm = SHA1withRSA
    2009-08-28 12:58:27 XMLSignature [DEBUG] jceSigProvider = SunRsaSign
    2009-08-28 12:58:27 XMLSignature [DEBUG] PublicKey = Sun RSA public key, 2048 bits
      modulus: 25918416882175605177216009726174837316441550828262042204378729573762219256687210251207638298581492791783901925937674819569676189835913463082888950035087140493036515406315054017897863839176877251865992061599674312550362120395818500256745539648051487177355629956843315369742534134646813352152646639953693900612620621197131734341673384743806408779269116272369176371943198756046320523429088308460618442218611336570361829340741104996601445346137166853233642642880297617656502996279597254682668023118574695616838314939925813076224299383401792388720966918690719270245047899588505041531857897977050932365566174686817838760379
      public exponent: 65537
    2009-08-28 12:58:27 SignerOutputStream [DEBUG] Canonicalized SignedInfo:
    2009-08-28 12:58:27 SignerOutputStream [DEBUG] <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>O2feqgh4rXIaLmVujT3ZJfSsIUg=</DigestValue></Reference></SignedInfo>
    2009-08-28 12:58:27 XMLSignature [WARN] Signature verification failed.
DO NOT REPLY [Bug 47758] Signature validation failure
https://issues.apache.org/bugzilla/show_bug.cgi?id=47758

--- Comment #3 from coheigea <coheigea@...> 2009-08-31 04:12:41 PDT ---
Can you attach a complete test-case for this?

Colm.
DO NOT REPLY [Bug 47758] Signature validation failure
https://issues.apache.org/bugzilla/show_bug.cgi?id=47758

--- Comment #4 from bhupinder <bhupinder.saini@...> 2009-09-01 01:27:41 PDT ---
(In reply to comment #3)
> Can you attach a complete test-case for this?
>
> Colm.

******************************************************************

Hi Colm

This SAML response is posted to my application, which tries to validate the Digital Signature in the SAML. I am using the OpenSAML 1.1 toolkit, which in turn uses the xmlsec jar for validating the signatures. I am getting a signature failure error in the logs. But when I take the same base64 encoded response, store it in a file and use the JDK 6 security / Signature verification as per the above code, it works just fine.

Can you please let me know what exactly you are looking for from the test case?

thanks
bhupinder
DO NOT REPLY [Bug 47758] Signature validation failure
https://issues.apache.org/bugzilla/show_bug.cgi?id=47758

--- Comment #5 from coheigea <coheigea@...> 2009-09-02 03:38:05 PDT ---
I don't get it. You're using the basic JSR 105 API functionality via JDK 1.6 to validate the signature, but comparing this to doing some custom validation code built around XML Security? Why are you doing this?

The following XML Security code works fine with your test-case:

    org.w3c.dom.Document doc = this.db.parse(is);
    Element nscontext = XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
    Element sigElement = (Element) XPathAPI.selectSingleNode(doc, "//ds:Signature[1]", nscontext);
    XMLSignature signature = new XMLSignature(sigElement, "");
    signature.addResourceResolver(new XPointerResourceResolver(sigElement));
    KeyInfo ki = signature.getKeyInfo();
    java.security.PublicKey publicKey = ki.getPublicKey();
    assertTrue(signature.checkSignatureValue(publicKey));

Colm.
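An added example, not code from this thread nor from OpenSAML or Santuario: the JSR 105 validation from comment #1, extended with the two checks a verifier of a posted SAML response wants. The KeyValue carried inside the signature is only accepted if it equals a key the verifier already trusts (a key read out of the document itself proves nothing about who signed it), and when core validation fails the SignatureValue and each Reference digest are checked separately, which tells apart a mismatch in the canonicalized SignedInfo from a mismatch in the signed content. The `trusted` key and the XML bytes are assumed to be supplied by the caller.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class EnvelopedSigCheck {
    // Accepts the ds:KeyValue only if it equals a key the caller already trusts
    // (assumption: 'trusted' was obtained out of band, e.g. from the IdP's metadata).
    static KeySelector pinnedTo(final PublicKey trusted) {
        return new KeySelector() {
            public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p, AlgorithmMethod m, XMLCryptoContext ctx) throws KeySelectorException {
                if (ki == null) throw new KeySelectorException("signature carries no KeyInfo");
                for (Object o : ki.getContent()) {
                    if (!(o instanceof KeyValue)) continue;
                    try {
                        final PublicKey pk = ((KeyValue) o).getPublicKey();
                        if (pk.equals(trusted)) {
                            return new KeySelectorResult() { public Key getKey() { return pk; } };
                        }
                    } catch (KeyException e) { throw new KeySelectorException(e); }
                }
                throw new KeySelectorException("KeyValue does not match the trusted key");
            }
        };
    }

    // Validates the first ds:Signature in xml; on failure reports which part disagreed.
    static boolean validate(byte[] xml, PublicKey trusted) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this, getElementsByTagNameNS finds nothing
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs from untrusted input
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalArgumentException("no ds:Signature element");
        DOMValidateContext ctx = new DOMValidateContext(pinnedTo(trusted), nl.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean core = sig.validate(ctx);
        if (!core) { // the xmlsec log in comment #2 does not separate these two causes
            System.err.println("SignatureValue over canonical SignedInfo ok? " + sig.getSignatureValue().validate(ctx));
            for (Object r : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) r;
                System.err.println("Reference '" + ref.getURI() + "' digest ok? " + ref.validate(ctx));
            }
        }
        return core;
    }
}
```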
DO NOT REPLY [Bug 47758] Signature validation failure
https://issues.apache.org/bugzilla/show_bug.cgi?id=47758

coheigea <coheigea@...> changed:

               What |Removed |Added
    ----------------------------------------------------------------------------
             Status |NEW     |RESOLVED
         Resolution |        |WONTFIX

--- Comment #6 from coheigea <coheigea@...> 2009-10-08 03:06:38 PDT ---
Marking this as won't fix as per my comment.

Colm.