Which result verifies a signed XML: core validation, signature validation and reference validation

StackOverflow https://stackoverflow.com/questions/16455080

14-04-2022

Question

I have signed an XML document and am trying to verify the signature.

I have been going through the sample code given in the XML API, as below.

After checking for validation, it says core validation failed and signature validation failed, but reference validity is true.

How are these types of validation different, and what should be considered to state whether an XML signature has been verified to be authentic or not?

import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyException;
import java.security.PublicKey;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class Validate {
    public static void main(String[] args) throws Exception {
        // Namespace awareness is required, otherwise the ds:Signature element is not found.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("C:\\ABC1.xml"));
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext valContext;
        for (int signatureCount = 0; signatureCount < nl.getLength(); signatureCount++) {
            valContext = new DOMValidateContext(new KeyValueKeySelector(), nl.item(signatureCount));
            XMLSignature signature = fac.unmarshalXMLSignature(valContext);
            // Core validation = signature validation over SignedInfo + validation of every Reference digest.
            boolean coreValidity = signature.validate(valContext);
            if (!coreValidity) {
                System.err.println("Signature failed core validation");
                // Phase 1: does SignatureValue verify over the canonicalized SignedInfo?
                boolean sv = signature.getSignatureValue().validate(valContext);
                System.out.println("signature validation status: " + sv);
                // Phase 2: does each Reference digest still match the referenced content?
                Iterator<?> i = signature.getSignedInfo().getReferences().iterator();
                for (int j = 0; i.hasNext(); j++) {
                    boolean refValid = ((Reference) i.next()).validate(valContext);
                    System.out.println("ref[" + j + "] validity status: " + refValid);
                }
            } else {
                System.out.println("Signature passed core validation");
                break;
            }
        }
    }

    // Picks the public key embedded in the signature's own KeyInfo/KeyValue element.
    // Note that such a key is only as trustworthy as the document it came in with.
    private static class KeyValueKeySelector extends KeySelector {

        public KeySelectorResult select(KeyInfo keyInfo,
                KeySelector.Purpose purpose,
                AlgorithmMethod method,
                XMLCryptoContext context)
                throws KeySelectorException {
            if (keyInfo == null) {
                throw new KeySelectorException("Null KeyInfo object!");
            }
            SignatureMethod sm = (SignatureMethod) method;
            List<?> list = keyInfo.getContent();

            for (int i = 0; i < list.size(); i++) {
                XMLStructure xmlStructure = (XMLStructure) list.get(i);
                if (xmlStructure instanceof KeyValue) {
                    PublicKey pk = null;
                    try {
                        pk = ((KeyValue) xmlStructure).getPublicKey();
                    } catch (KeyException ke) {
                        throw new KeySelectorException(ke);
                    }
                    // make sure the key algorithm is compatible with the signature method
                    if (algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
                        return new SimpleKeySelectorResult(pk);
                    }
                }
            }
            throw new KeySelectorException("No KeyValue element found!");
        }

        static boolean algEquals(String algURI, String algName) {
            if (algName.equalsIgnoreCase("DSA")
                    && algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) {
                return true;
            } else if (algName.equalsIgnoreCase("RSA")
                    && algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1)) {
                return true;
            } else {
                return false;
            }
        }
    }

    private static class SimpleKeySelectorResult implements KeySelectorResult {

        private PublicKey pk;

        SimpleKeySelectorResult(PublicKey pk) {
            this.pk = pk;
        }

        public Key getKey() {
            return pk;
        }
    }
}

Solution

XML Signature core validation consists of 2 phases:

  • reference validation
  • signature validation

Reference validation is the verification of the message digest of each of the references (URIs) in the XML Signature.

Signature validation is the verification of the signature over the signed contents, or the SignedInfo element.

Both phases must pass for the XML signature to be valid.

In your case, the reference validation passed, but the signature validation failed, i.e. the signature element was tampered with and the reference element or the URI signed wasn't.

So ultimately the core Signature validation failed.

Refer here for more explanation.
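The two phases can be watched separately with the same javax.xml.crypto.dsig API the question uses. The following is an added example, not code from the question or the answer: it signs a small constructed document with a throwaway RSA key, then validates it untouched, after editing the signed content, and after corrupting one character of SignatureValue (the situation the question reports). The class, label strings and the validating-key handling are this example's own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ValidationPhases {
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();  // throwaway test key
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(  // constructed input
            "<order><amount>10</amount></order>".getBytes(StandardCharsets.UTF_8)));
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), Collections.singletonList(ref));
        KeyInfoFactory kif = FAC.getKeyInfoFactory();
        FAC.newXMLSignature(si, kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic()))))
            .sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        report("untouched", doc, kp.getPublic());
        // Case 1: edit signed content -> Reference digest mismatch, but SignedInfo itself is intact.
        doc.getElementsByTagName("amount").item(0).setTextContent("9999");
        report("content edited", doc, kp.getPublic());
        doc.getElementsByTagName("amount").item(0).setTextContent("10");  // restore before the next case
        // Case 2: corrupt one base64 char of SignatureValue -> references still match (the enveloped
        // transform strips the Signature element before digesting), but signature validation fails.
        Node sv = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "SignatureValue").item(0);
        String b64 = sv.getTextContent();
        sv.setTextContent(b64.substring(0, 10) + (b64.charAt(10) == 'A' ? 'B' : 'A') + b64.substring(11));
        report("SignatureValue edited", doc, kp.getPublic());
    }

    // Core validation first, then each phase on its own, mirroring the question's code.
    static void report(String label, Document doc, PublicKey key) throws Exception {
        Node sigEl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);  // validating key known out of band
        XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
        boolean core = sig.validate(ctx);
        boolean sigOk = sig.getSignatureValue().validate(ctx);
        boolean refsOk = true;
        for (Object r : sig.getSignedInfo().getReferences()) refsOk &= ((Reference) r).validate(ctx);
        System.out.printf("%-22s core=%-5b signature=%-5b references=%b%n", label, core, sigOk, refsOk);
    }
}
```

Only the first run reports core=true; the other two show which phase broke, and in both cases the document must be rejected because core validation requires both phases to pass.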

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow