Details
Type: Wish
Status: Open
Priority: Critical
Resolution: Unresolved
Java 2.1.4
Description
Hi Team,
I am getting a "digest value comparison" issue while validating the digital signature when we remove the second transform, i.e. the normalization algorithm.
Existing code:
We are already signing the message with the CanonicalizationMethod and the two Transforms below:
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <dsig:Reference URI="">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <dsig:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue></dsig:DigestValue>
    </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue></dsig:SignatureValue>
  <dsig:KeyInfo>
    <dsig:X509Data>
      <dsig:X509SubjectName></dsig:X509SubjectName>
    </dsig:X509Data>
  </dsig:KeyInfo>
</dsig:Signature>
Now the client's requirement has changed and we want to have only a single transform, so we removed the second transformation, i.e. <dsig:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>, from our digital signature configuration.
And now we are able to generate the signature with a single transform, as below:
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <dsig:Reference URI="">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue></dsig:DigestValue>
    </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue></dsig:SignatureValue>
  <dsig:KeyInfo>
    <dsig:X509Data>
      <dsig:X509SubjectName></dsig:X509SubjectName>
    </dsig:X509Data>
  </dsig:KeyInfo>
</dsig:Signature>
However, while validating, one more Transform type is added in the method buildTransformerChain() of the class AbstractSignatureReferenceVerifyInputProcessor.java. Below is the code snippet:
// A lone enveloped-signature transform leaves a node-set, so the verifier
// appends inclusive Canonical XML 1.0 (omit comments) before digesting it.
if (transformTypeList.size() == 1
        && XMLSecurityConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE.equals(transformTypeList.get(0).getAlgorithm())) {
    TransformType transformType = new TransformType();
    transformType.setAlgorithm(XMLSecurityConstants.NS_C14N_OMIT_COMMENTS);
    transformTypeList.add(transformType);
}
And it fails while comparing the digest values in the compareDigest() method.
Below is the error stack:
org.apache.xml.security.exceptions.XMLSecurityException: Invalid digest of reference .
    at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor.compareDigest(AbstractSignatureReferenceVerifyInputProcessor.java:394)
    at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.processEvent(AbstractSignatureReferenceVerifyInputProcessor.java:460)
    at org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.processNextEvent(AbstractSignatureReferenceVerifyInputProcessor.java:436)
    at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:188)
    at org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor.processNextEvent(XMLSecurityInputProcessor.java:76)
    at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:188)
    at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:81)
    at com.clear2pay.bph.ips.digitalsignature.impl.XMLDigitalSignatureValidator.traverseSecuritystreamReader(XMLDigitalSignatureValidator.java:170)
So, is the second transform mandatory when we use the CanonicalizationMethod Algorithm "http://www.w3.org/2001/10/xml-exc-c14n#"?
Or is there any workaround so that we can pass validation with a single Transform in the digital signature?
Request you to please respond on an urgent basis.
Note: We are using version 2.0.8 of the xmlsec jar.
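The code below is an added example; it is not from the issue, the reporter, or the Santuario project. It round-trips a signature with the same shape as the second Signature quoted above (exc-c14n for SignedInfo, a single enveloped-signature transform on a same-document reference) through the JSR 105 DOM API that ships with the JDK, and then prints the bytes the verifier actually digested. Those bytes are the inclusive Canonical XML 1.0 serialization of the document with the Signature element removed, which is what the StAX verifier quoted above achieves by appending NS_C14N_OMIT_COMMENTS: when a reference's transform chain ends in a node-set, XML Signature requires the verifier to canonicalize it with Canonical XML 1.0 before hashing, so a signer that digests anything else (the raw serialized bytes, or the exclusive-C14N output) produces a DigestValue that the verifier cannot reproduce. The sample payload, its namespace URIs, the class name, the 2048-bit RSA key and the use of SHA-256 instead of the page's SHA-1 are assumptions made for this example; it needs Java 11 or later and nothing beyond the JDK.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

// Example class (assumed name): sign with one enveloped-signature transform, validate,
// and show the implicit inclusive-C14N step that both sides must agree on.
public class SingleTransformRoundTrip {

    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static void main(String[] args) throws Exception {
        // Constructed sample payload (assumption). The unused xmlns:x declaration is deliberate:
        // inclusive C14N keeps it, exclusive C14N drops it, so the digest input reveals which ran.
        String xml = "<pain:Document xmlns:pain=\"urn:example:pain\" xmlns:x=\"urn:example:unused\">"
                   + "<pain:Amount Ccy=\"EUR\">10.00</pain:Amount></pain:Document>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // Same structure as the page's single-transform Signature: exc-c14n for SignedInfo,
        // a same-document reference (URI="") with only the enveloped-signature transform.
        Reference ref = fac.newReference("",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        // Signing appends <Signature> as the last child of the root; the digest is computed
        // over the enveloped-transform output after the implicit Canonical XML 1.0 step.
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));

        // Validate, caching the dereferenced data so getDigestInputStream() is available afterwards.
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext valCtx = new DOMValidateContext(kp.getPublic(), sigNode);
        valCtx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        XMLSignature sig = fac.unmarshalXMLSignature(valCtx);
        boolean valid = sig.validate(valCtx);

        Reference vref = (Reference) sig.getSignedInfo().getReferences().get(0);
        byte[] digestInput = vref.getDigestInputStream().readAllBytes();
        byte[] recomputed = MessageDigest.getInstance("SHA-256").digest(digestInput);

        System.out.println("signature valid           : " + valid);
        System.out.println("transforms in signature   : " + vref.getTransforms().size());
        System.out.println("bytes actually digested   : " + new String(digestInput, StandardCharsets.UTF_8));
        System.out.println("stored DigestValue        : " + Base64.getEncoder().encodeToString(vref.getDigestValue()));
        System.out.println("sha256(digest input) match: " + Arrays.equals(recomputed, vref.getDigestValue()));
    }
}
```

The printed digest input is the payload with the Signature removed and the xmlns:x declaration still present, and the transform count stays at one: the Canonical XML 1.0 step is implicit in the reference processing model and is never written into the Transforms element, which is exactly what the buildTransformerChain() snippet above mirrors on the StAX side. A signer that builds the digest itself must apply that same implicit canonicalization; feeding it the exclusive-C14N output instead would drop xmlns:x and yield a different DigestValue, and the reference would then fail the digest comparison even though the signature configuration looks identical.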