Question

Is it possible to validate the following XML document:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>DsP5NLca+plhp9tZvGwykfb2whQYt3CQ5sbsVd9Q9aE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
LrfE0po3YPvVxB/m77iBWWiR07Ghiuhuj7tO2C2LKqZK2cLrAiidt+3tjbJ3m16quCFxfh7bmjRtJsGi7a3HKtK
qY4auqrjNB62AtYrxvm+7Qd/cRacom4e3M9uF9JD1zTfoGun9w4WDfDrDaoZ+ZwUgNtf6sTYO5Ctcj5sYcD0=
</SignatureValue>
<KeyInfo>
<KeyName>7D665C81ABBE1A7D0E525BFC171F04D276F07BF2</KeyName>
</KeyInfo>
</Signature>

The problem is that when I run my code, this error appears:

Exception in thread "main" javax.xml.crypto.dsig.XMLSignatureException: cannot find validation key
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(Unknown Source)
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(Unknown Source)
    at paket.XmlValidator.validate(XmlValidator.java:28)
    at paket.Test.main(Test.java:43)
Caused by: javax.xml.crypto.KeySelectorException: No KeyValue element found!
    at paket.KeyValueKeySelector.select(KeyValueKeySelector.java:47)
    ... 4 more
javax.xml.crypto.KeySelectorException: No KeyValue element found!
    at paket.KeyValueKeySelector.select(KeyValueKeySelector.java:47)
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(Unknown Source)
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(Unknown Source)
    at paket.XmlValidator.validate(XmlValidator.java:28)
    at paket.Test.main(Test.java:43)

I have successfully validated the following XML with the same code:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>+uYi9GD7lNpk5+AZWjVylxm4PeKGXoFEalJPd44oMeg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Ov9TJmROGakTblMO8F2otx3YsmzY1N7tUEuJVauqP4EgePUtYpfMdiv1fKdZreeLyri7WRIOrxiq
mEJEWCmpzVKZypJ293y4STmRw4rfUgFQeaatj2AmK2q5zDaE9jzl6+HtiRgDykZpgx7DWC8MHydK
P8wnEHyn2ozYdqL0VCjRfk95zcm0jMknWmytippXf1bqufkhlOLdS46VGyvYM8ZAc742MN3QX1+I
SvNs1a+FNrgQwb0NaYLzX2hWOtFNo2ZparQXynfQy1jj6JHBRvmldLjHiI4nwYgtfEZL6Fgh/H6c
PSnM/Sd6hoh1B6zjhbIViqfaLKLkds/Et6WNYw==</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>xhbxdz2KP0/GwuoBuE2EfqoSUHj5nTZAC7c+UoUYtpqC8yRfe6BaFjdT/kWJNM8rZhJRawkh8qub
U4Iag0N1Cu8JNgOMXjeFJnVpa1HDijk9blQhLybGawh+TrC1v8D/9OGN5avkAjG/jpEFofOUpINp
Z2ThbhjgOzZV2kSa776nlwLhTLChf0iL5a78otVcDcuU8nmVkkhwFLbggbIRgdVFAk0bKFDYwWqw
kOmimDs2c7lLvu9n+X6IEFJLKt5YmKsBlhxx7LjvVih7vFc27+OtQpKw2EZjHPpmcP/qOEzESOCe
C8AHDrw3EWU5n1Bib8t8WteE5WPd2HbsJ86o3w==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>

What is the difference between these two XML Signatures, and why does it work on the second XML example and not on the first?


Solution

The difference is that in the first XML you are providing KeyInfo with a KeyName:

<KeyInfo>
<KeyName>7D665C81ABBE1A7D0E525BFC171F04D276F07BF2</KeyName>
</KeyInfo>

and in the second:

<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>xhbxdz2KP0/GwuoBuE2EfqoSUHj5nTZAC7c+UoUYtpqC8yRfe6BaFjdT/kWJNM8rZhJRawkh8qub
U4Iag0N1Cu8JNgOMXjeFJnVpa1HDijk9blQhLybGawh+TrC1v8D/9OGN5avkAjG/jpEFofOUpINp
Z2ThbhjgOzZV2kSa776nlwLhTLChf0iL5a78otVcDcuU8nmVkkhwFLbggbIRgdVFAk0bKFDYwWqw
kOmimDs2c7lLvu9n+X6IEFJLKt5YmKsBlhxx7LjvVih7vFc27+OtQpKw2EZjHPpmcP/qOEzESOCe
C8AHDrw3EWU5n1Bib8t8WteE5WPd2HbsJ86o3w==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>

OTHER TIPS

The KeyValueKeySelector won't help you here, as that signature contains no KeyValue. You have to extend KeySelector and implement e.g. a KeyNameKeySelector that will look up the actual key in a KeyStore, based on the given KeyName. Provided you have that Key in that Keystore then, yes, you can verify that signature.

This should get you going: http://jirablog.blogspot.no/2007/11/xml-signature-pouzit-nebo-ne.html
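The KeyName-based selector this answer describes, written out as an added example (this is not code from the original post, the answers, or the linked blog). It assumes the signer's certificate is already in a JKS/PKCS12 trust store, that the KeyName is either the trust-store alias or the hex SHA-1 thumbprint of that certificate (the 40-hex-character value in the question looks like a thumbprint, but the page does not say which it is), and that the signed document, trust-store path and password come from the command line. It also checks that the key type matches the SignatureMethod, enables the JDK's secure-validation mode, and parses with DOCTYPEs disallowed so the validator itself is not an XXE target.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class KeyNameSignatureValidator {

    /** Resolves a <KeyName> to a public key held in a trust store; never trusts keys carried in the signature. */
    static final class KeyNameKeySelector extends KeySelector {
        private final KeyStore trustStore;

        KeyNameKeySelector(KeyStore trustStore) { this.trustStore = trustStore; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("Signature carries no KeyInfo");
            String sigAlg = ((SignatureMethod) method).getAlgorithm();
            for (Object item : keyInfo.getContent()) {
                if (!(item instanceof KeyName)) continue;   // KeyValue/X509Data in the document are ignored
                String name = ((KeyName) item).getName();
                PublicKey key = lookup(name);
                if (key == null) continue;
                if (!algorithmMatches(sigAlg, key.getAlgorithm())) {
                    throw new KeySelectorException("Key " + name + " is " + key.getAlgorithm()
                            + " but SignatureMethod is " + sigAlg);
                }
                return () -> key;
            }
            throw new KeySelectorException("No KeyName element matched a key in the trust store");
        }

        // Assumption: KeyName is a trust-store alias, or else the hex SHA-1 thumbprint of a trusted certificate.
        private PublicKey lookup(String name) throws KeySelectorException {
            try {
                Certificate byAlias = trustStore.getCertificate(name);
                if (byAlias != null) return byAlias.getPublicKey();
                MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
                for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
                    Certificate c = trustStore.getCertificate(e.nextElement());
                    if (c != null && hex(sha1.digest(c.getEncoded())).equalsIgnoreCase(name)) {
                        return c.getPublicKey();
                    }
                }
                return null;
            } catch (Exception e) {
                throw new KeySelectorException(e);
            }
        }

        // Reject e.g. an RSA key offered for an ecdsa-* SignatureMethod.
        private static boolean algorithmMatches(String sigAlgUri, String keyAlg) {
            String uri = sigAlgUri.toLowerCase();
            return ("RSA".equalsIgnoreCase(keyAlg) && uri.contains("#rsa-"))
                || ("DSA".equalsIgnoreCase(keyAlg) && uri.contains("#dsa-"))
                || ("EC".equalsIgnoreCase(keyAlg) && uri.contains("#ecdsa-"));
        }

        private static String hex(byte[] b) {
            StringBuilder sb = new StringBuilder();
            for (byte x : b) sb.append(String.format("%02X", x));
            return sb.toString();
        }
    }

    /** Core validation; on failure reports which part (SignatureValue or a Reference digest) broke. */
    public static boolean validate(Document doc, KeyStore trustStore) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("Expected exactly one Signature, found " + sigs.getLength());
        }
        DOMValidateContext ctx = new DOMValidateContext(new KeyNameKeySelector(trustStore), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean ok = sig.validate(ctx);
        if (!ok) {
            System.err.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object r : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) r;
                System.err.println("Reference '" + ref.getURI() + "' digest valid: " + ref.validate(ctx));
            }
        }
        return ok;
    }

    // Usage: java KeyNameSignatureValidator signed.xml truststore.jks <password>
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required, or the dsig namespace lookup finds nothing
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[1])) { ks.load(in, args[2].toCharArray()); }
        System.out.println(validate(doc, ks) ? "Signature valid" : "Signature INVALID");
    }
}
```

Two design points worth keeping even if you adapt this: the selector deliberately skips any KeyValue or X509Data that appears inside the signature, because a key the attacker ships alongside the signature proves nothing about who signed it, and it fails closed with a KeySelectorException when no trusted key matches rather than falling back to a key from the document.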

Licensed under: CC-BY-SA with attribution