verify referenced xml digital signature


A

alan_sec

Hi.
I would like to verify referenced xml digital signature:

this is xml document that I want to verify:
######################################################################################
<ThreeDSecure>
<Message id="xfm5_3_0.4133">
<PARes id="PARes52524142080316501023">
<version>1.0.2</version>
<Merchant>
<acqBIN>11111111111</acqBIN>
<merID>MasterCard</merID>
</Merchant>
<Purchase>
<xid>0CG3gS6kQReTBLwGfBloSwkBAwU=</xid>
<date>20070319 12:22:16</date>
<purchAmount>19999</purchAmount>
<currency>840</currency>
<exponent>2</exponent>
</Purchase>
<pan>0000000000009135</pan>
<TX>
<time>20070319 12:24:40</time>
<status>Y</status>
<cavv>jNtsxQ7pHyUFCBEAAAAIA0kAAAA=</cavv>
<eci>02</eci>
<cavvAlgorithm>3</cavvAlgorithm>
</TX>
</PARes>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/
REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/
xmldsig#rsa-sha1"/>
<Reference URI="#PARes52524142080316501023">
<DigestMethod Algorithm="http://www.w3.org/2000/09/
xmldsig#sha1"/>
<DigestValue>1cORuvyMSRdY0BgIJ98PV9KDAsg=</DigestValue>
</Reference>
</SignedInfo>

<SignatureValue>YNK4Q7wu6Rj83TAmyOFPsEj4uvbuw6NBuFUAhI3Sc73rBplpK/
JvF6Jsk06JgEaciYp032DUwrPS
lbpxftvZNVJ0UBQr0SaGKYi2M60YpJxcUU8bdAOYM0PQu/W23CSG5K7ldksw2m
+DMqLLITatvGdc
3KpS1ui40ayZXrrC8tc=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=testdigsig, OU=acs, O=logos, C=HR</
X509SubjectName>

<X509Certificate>MIID8jCCAtqgAwIBAgICSvcwDQYJKoZIhvcNAQEFBQAwgawxCzAJBgNVBAYTAlVTMSEwHwYDVQQK
ExhNYXN0ZXJDYXJkIEludGVybmF0aW9uYWwxMTAvBgNVBAsTKE1hc3RlckNhcmQgSW50ZXJuYXRp
b25hbCBTZWN1cmVDb2RlIFRFU1QxRzBFBgNVBAMTPk1hc3RlckNhcmQgU2VjdXJlQ29kZSBURVNU
IElzc3VlciBhbmQgRGlyZWN0b3J5IFN1Ym9yZGluYXRlIENBMB4XDTA3MDMwNzE0NDAwNFoXDTEx
MDMwNzE0MzczM1owQDELMAkGA1UEBhMCSFIxDjAMBgNVBAoTBWxvZ29zMQwwCgYDVQQLEwNhY3Mx
EzARBgNVBAMTCnRlc3RkaWdzaWcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ7piqxhTygO
qM08Uis7RSR7IAfrvHChmbATwhGC4BkjeVeEiZ3P0nAid0VlSdXwIIfaaTBkzpuhIKXM1FVqXp
+H
hSQG01Vf0cqO9Ns5oL1kf1VWvUBCG1cnIPUoWt3hxJueSH3s3S0oDr8dOzx37g54mOvERXzxMtPC
NU2cuTL5AgMBAAGjggELMIIBBzAJBgNVHRMEAjAAMA4GA1UdDwEB/
wQEAwIHgDArBgNVHRAEJDAi
gA8yMDA3MDMwNzE0MzcwMFqBDzIwMTAwMzA3MTQzNzAwWjCBvAYDVR0jBIG0MIGxoYGrpIGoMIGl
MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTWFzdGVyQ2FyZCBJbnRlcm5hdGlvbmFsMTEwLwYDVQQL
EyhNYXN0ZXJDYXJkIEludGVybmF0aW9uYWwgU2VjdXJlQ29kZSBURVNUMUAwPgYDVQQDEzdNYXN0
ZXJDYXJkIFNlY3VyZUNvZGUgVEVTVCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEIMA0G
CSqGSIb3DQEBBQUAA4IBAQCSwMgmnUN5g/b/38zJexa2LDvAJgGKBBm
+Oy3Yey020yn70Uz5tjik
Z36toU+AlJRuBp78CU91PaUa3KReFiY2FbuT1JZbgpEa7XTo
+vpPMxggAP36164K6IjmWAigFpxz
TVkM3ssJXIGSDSfCL1R+y1NSHgSBDrCYL0hVklNgUzQmhZac2eN3Bx3rgxtk/
XtH89iAXsJg4gHw
DITXPV7BdyFS9FmPf2BgX0wg0X0oAUQ5YdtCJ8ZKBZeHyLS+7aF5QMxeTHNtmTxir//
qU1h/MgSi
NEF27MeLZH+xxwEdMS1BzYBusG+FpDAvcKx7mm4jYj7En7ItuESuXz5umPC7</
X509Certificate>

<X509Certificate>MIIECTCCAvGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMCVVMxITAfBgNVBAoT
GE1hc3RlckNhcmQgSW50ZXJuYXRpb25hbDExMC8GA1UECxMoTWFzdGVyQ2FyZCBJbnRlcm5hdGlv
bmFsIFNlY3VyZUNvZGUgVEVTVDFAMD4GA1UEAxM3TWFzdGVyQ2FyZCBTZWN1cmVDb2RlIFRFU1Qg
Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMzA0MjUxMzI1NTJaFw0xMzA0MjUxMzIz
NDZaMIGlMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTWFzdGVyQ2FyZCBJbnRlcm5hdGlvbmFsMTEw
LwYDVQQLEyhNYXN0ZXJDYXJkIEludGVybmF0aW9uYWwgU2VjdXJlQ29kZSBURVNUMUAwPgYDVQQD
EzdNYXN0ZXJDYXJkIFNlY3VyZUNvZGUgVEVTVCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt8RSwKLytmKkKQAJDHa2gUMwJgTqKZJg
1xj+xMZgWX286Z81aTtA2xNDrkW5+DvYItZMTyUe2/G4DNpt85ffB5nYWx
+6dxOa5N8LQl0qI5Sm
pAjy6grwA/RiJAdfzvEkrTqf8EEVrfLN2MiThXpN5mkE
+k1YYBhTRAWiL2tLHSYCQHvyaLThXc06
HC8pGwmoHc3chUi7z8wcD7ONr/tYFbMswMk/PzynX6SIHe3te7VyrMKmFEMs9P7mh
+usRcDR+eIl
//474XqhdqU6Q3ZIRS136QjgV9RLRxPfvvGPt8KQzDhJ+oAy3VNi0748MK0CjFNkw/
810u9+Q5Qf
I2fiJQIDAQABo0IwQDAPBgNVHRMECDAGAQH/AgEBMA4GA1UdDwEB/
wQEAwIBBjAdBgNVHQ4EFgQU
tMRqjBW1xuwPImv2gjLHHDYxDWswDQYJKoZIhvcNAQEFBQADggEBACh6idUo4ufb9EdWb94cSsln
Mzi9Wbktb7vevENofPai1nblYPWyzBrvUHBG+4yj8C/
YoDIReSYCgfQOAXVdjUqysry1HPmJsXMg
Ud9pyEdkjg9v9DmXym6j9NescbDrJdTX2XaPJzBFOrjXz3wlHl7dXfDCaDvr0uvJKpeTJyi0K5GL
sd0u8WugdmkmdJt70rlNpMPr9NN+JApbNdXi6yaw8X+ep6ZYv1m3d2BtOKmNIY/qE/
RtL6PZbn6I
hd725c7wHawybB4d9Nsn15JsaqkqwKxvJIDQncZhHDrjwNh8AUheqa2TNurdvawr545UnDR8uiPk
pNCs01KKG99tNPo=
</X509Certificate>

<X509Certificate>MIIE0jCCA7qgAwIBAgIBCDANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMCVVMxITAfBgNVBAoT
GE1hc3RlckNhcmQgSW50ZXJuYXRpb25hbDExMC8GA1UECxMoTWFzdGVyQ2FyZCBJbnRlcm5hdGlv
bmFsIFNlY3VyZUNvZGUgVEVTVDFAMD4GA1UEAxM3TWFzdGVyQ2FyZCBTZWN1cmVDb2RlIFRFU1Qg
Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMzA0MjUxMzQyMDFaFw0xMzA0MjUxMzIz
NDZaMIGsMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTWFzdGVyQ2FyZCBJbnRlcm5hdGlvbmFsMTEw
LwYDVQQLEyhNYXN0ZXJDYXJkIEludGVybmF0aW9uYWwgU2VjdXJlQ29kZSBURVNUMUcwRQYDVQQD
Ez5NYXN0ZXJDYXJkIFNlY3VyZUNvZGUgVEVTVCBJc3N1ZXIgYW5kIERpcmVjdG9yeSBTdWJvcmRp
bmF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbWuu5xvMBrG3QS75Cp
+Y9t
d9xir+zCsCRY79YPGGc8D7KvifA
+jWkKQCBqlVlcd5DHnYYPEQ8jmTRh1ILhqfnhm3eydFCV9FBx
zEuB5N2Rba6JIr04vDogtECsmmqKP7dMmG/
u4ZfEEpjVjpT477GsyQNIJ0mKPnuOXU4T8ophPcIy
JcOIlb8yw3gH2ux1vOqZqXmBovr3BBf4T/TB6io
+rGDjku9JyPmojCOhxxa6N0fFTeps6LlTq0lx
udbDqD8ZJAfjJ/RKZvmG1f5EC8DhUQA6APuEfvA+BcM
+9INbCSNcW3ZNEIOFL0LiqwHP5NYpfdrC
rfRGJw27GcFQwmkCAwEAAaOCAQIwgf8wDwYDVR0TBAgwBgEB/
wIBADAOBgNVHQ8BAf8EBAMCAQYw
gbwGA1UdIwSBtDCBsaGBq6SBqDCBpTELMAkGA1UEBhMCVVMxITAfBgNVBAoTGE1hc3RlckNhcmQg
SW50ZXJuYXRpb25hbDExMC8GA1UECxMoTWFzdGVyQ2FyZCBJbnRlcm5hdGlvbmFsIFNlY3VyZUNv
ZGUgVEVTVDFAMD4GA1UEAxM3TWFzdGVyQ2FyZCBTZWN1cmVDb2RlIFRFU1QgUm9vdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eYIBATAdBgNVHQ4EFgQUHF9p4KsctkhLItck9kisg3raCoswDQYJKoZI
hvcNAQEFBQADggEBAGlO9RLBu6Y2S17bxFfe2gbYfBLKOd7cIy2D3YzZqGjhdODfcvS9M1wB1xWK
gbJxHZYi7Fcrix/3UChR+tQHXM7Mt6UuMIDppkUv+Sba4x4AkHmoqJVYkVzeP/
0/3cn27jlTjdtc
kQUCbIQNeoKtmQnnKwSWfkl5AyDQxYKpbrIT0UZf50Has+CQ1zumkCC/
TvNDWIEJuauX8ZA2SdGR
/llFKbIziaGshNTqIv4x2StyGTZPnQgd6W5VoxGfsViZrxT4z6BR/
DhQP3K2G8VQKB7kFcet+zGw
lKPEAouBjYWHB0vVkd81HZAw/pIu+AyBR1DUF7dVku3ETNYhY5Pzz1A=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</Message>
</ThreeDSecure>
######################################################################################

I tried something like this (with apache xml signature):
public static boolean verify(Document doc) {
try {
// Initialize the library - this is now done inside servlet WSSInit
org.apache.xml.security.Init.init();

// must match baseURI
String baseURI = "PARes52524142080316501023";
CachedXPathAPI xpathAPI = new CachedXPathAPI();
Element nsctx = doc.createElement("nsctx");
nsctx.setAttribute("xmlns:ds", Constants.SignatureSpecNS);

Element signatureElem = (Element) xpathAPI.selectSingleNode(doc,
"//ds:Signature", nsctx);
// Check to make sure that the document claims to have been signed
if (null == signatureElem) {
throw new IllegalStateException(
"SOAP Document not digitally signed - missing element: //
ds:Signature");
}

XMLSignature sig = new XMLSignature(signatureElem, baseURI);
X509Certificate cert=sig.getKeyInfo().getX509Certificate();
System.out.println(cert.getSubjectDN().getName());
boolean verify =
sig.checkSignatureValue(sig.getKeyInfo().getX509Certificate());
if (true == verify) {
System.out.println("verify ok");
return true;
}
} catch (Exception e) {
e.printStackTrace();
return false;
}

// signature verification failed -
// do not forward request to SOAP Service.
return false;
}
but I always get "- Verification failed for URI
"#PARes52524142080316501023"

I tried with java xmldigsig:
public static boolean verify(Document doc) throws Exception{

NodeList nl =
doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nl.getLength() == 0) {
throw new Exception("Cannot find Signature element");
}

// Create a DOM XMLSignatureFactory that will be used to unmarshal
the
// document containing the XMLSignature
String providerName = System.getProperty
("jsr105Provider",
"org.jcp.xml.dsig.internal.dom.XMLDSigRI");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
(Provider) Class.forName(providerName).newInstance());

// Create a DOMValidateContext and specify a KeyValue KeySelector
// and document context
DOMValidateContext valContext = new DOMValidateContext
(new X509KeySelector(), nl.item(0));

// unmarshal the XMLSignature
XMLSignature signature = fac.unmarshalXMLSignature(valContext);

// Validate the XMLSignature (generated above)
boolean coreValidity = signature.validate(valContext);

// Check core validation status
if (coreValidity == false) {
System.err.println("Signature failed core validation");
boolean sv = signature.getSignatureValue().validate(valContext);
System.out.println("signature validation status: " + sv);
// check the validation status of each Reference
Iterator i =
signature.getSignedInfo().getReferences().iterator();
for (int j=0; i.hasNext(); j++) {
boolean refValid =
((Reference) i.next()).validate(valContext);
System.out.println("ref["+j+"] validity status: " + refValid);
}
return false;
} else {
System.out.println("Signature passed core validation");
return true;
}
}
but I always get "- Couldn't validate the References
Signature failed core validation"

In Java xmldigsig Javadoc I found an interface "URIDereferencer" that
can be implemented and set to DOMValidateContext:
valContext.setURIDereferencer(),

but I was not able to implement this interface.

I would prefer to use java xmldig sig rather than apache, but any
solution wold be nice.
Can anyone help?

Thanks,
Alan
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads


Top