Question

I was trying to validate an XML signature.

The validation according to this tutorial works fine.

But I also tried a second approach. To verify it with the verify method of the Signature class, I extracted the signature and the certificate from the XML file and did the following:

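    import java.io.ByteArrayInputStream;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.SignatureException;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;

    public static boolean checkSignedFile(byte[] data, byte[] sigToVerify,
            byte[] cert, String algorithm) throws CertificateException,
            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        // Parse the X.509 certificate extracted from the XML file
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate c = cf.generateCertificate(new ByteArrayInputStream(cert));
        PublicKey pk = c.getPublicKey();
        // Check sigToVerify directly against the bytes passed in as data
        Signature sig = Signature.getInstance(algorithm);
        sig.initVerify(pk);
        sig.update(data);
        boolean verifies = sig.verify(sigToVerify);
        return verifies;
    }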

The result was false. The signature did not verify. What could be the reason for that?


Solution

You can't verify XMLDsig like this. It wouldn't work. The signature is not calculated over the raw XML. It has to go through canonicalization, digest etc.

What do you use for data[]? To get it right, you almost have to rewrite the XMLDsig library.

OTHER TIPS

If data[] is the content of the signed XML file, what is sigToVerify?

XMLSig creates a Signature-Element (SignedInfo) that contains the digest of each Element to be signed and meta-information like used canonicalization/transformation algorithms. Then the digest of this SignedInfo-Element is calculated and signed.

Hence, if sigToVerify is the signature created by an XMLSignature implementation it must not be equal to the signature of the complete XML file.

Here is a more complete explanation. And if you're interested, take a look at the specification.
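
Added example (not part of the original question or answers): it signs a constructed document with the JDK's `javax.xml.crypto.dsig` API, then runs the question's raw `Signature.verify` check twice, once over the serialized file bytes and once over the canonicalized SignedInfo bytes that the answers say are what actually gets signed. The class name `SignedInfoDemo`, the helper `rawVerify`, the sample document, the throwaway RSA key and the RSA-SHA256 algorithm choice are assumptions made for illustration; Java 9 or later is assumed.

```java
import java.io.ByteArrayOutputStream;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;

public class SignedInfoDemo {
    // Same raw JCA check as in the question: verify sigValue over data.
    static boolean rawVerify(PublicKey pk, byte[] data, byte[] sigValue) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pk);
        s.update(data);
        return s.verify(sigValue);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key, constructed for the demo
        // Constructed sample document: <order>42</order>
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        doc.appendChild(doc.createElementNS(null, "order")).setTextContent("42");

        // Enveloped XMLDSig: the Reference digests the document, SignedInfo carries that digest.
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
                List.of(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
                f.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), List.of(ref));
        XMLSignature sig = f.newXMLSignature(si, null);
        sig.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));

        ByteArrayOutputStream file = new ByteArrayOutputStream(); // the signed file as raw bytes
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(file));
        byte[] sigValue = sig.getSignatureValue().getValue();         // decoded <SignatureValue>
        byte[] signedInfo = si.getCanonicalizedData().readAllBytes(); // canonicalized <SignedInfo>

        System.out.println("raw file bytes:       " + rawVerify(kp.getPublic(), file.toByteArray(), sigValue));
        System.out.println("canonical SignedInfo: " + rawVerify(kp.getPublic(), signedInfo, sigValue));
    }
}
```

A successful check over SignedInfo alone is not a validation of the document: each Reference digest must also be recomputed over the transformed content, which is what `XMLSignature.validate` does.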

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow