Giovanni Castellari [http://community.jboss.org/people/giogio] created the discussion "Manual validation of SignatureValue" To view the discussion, visit: http://community.jboss.org/message/575559#575559 -------------------------------------------------------------- Hello, I'm trying to do a "manual" verification of a XML-Signed message. The message is the following, taken as is from the server.log: <env:Envelope xmlns:env=' http://schemas.xmlsoap.org/soap/envelope/ http://schemas.xmlsoap.org/soap/envelope/'> <env:Header>   <wsse:Security env:mustUnderstand='1' xmlns:wsse=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext... http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext... xmlns:wsu=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit... http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit...    <wsu:Timestamp wsu:Id='timestamp'>     <wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>    </wsu:Timestamp>    <wsse:BinarySecurityToken EncodingType=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-secu... http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-secu... ValueType=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profil... http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profil... wsu:Id='token-2-1291739860138-12935734'>MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV 1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95 BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>    <ds:Signature xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>     <ds:SignedInfo xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>      <ds:CanonicalizationMethod Algorithm=' http://www.w3.org/2001/10/xml-exc-c14n# http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>      <ds:SignatureMethod Algorithm=' http://www.w3.org/2000/09/xmldsig#rsa-sha1 http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>      <ds:Reference URI='#element-1-1291739860070-11803898' xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>       <ds:Transforms xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>        <ds:Transform Algorithm=' http://www.w3.org/2001/10/xml-exc-c14n# http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>       </ds:Transforms>       <ds:DigestMethod Algorithm=' http://www.w3.org/2000/09/xmldsig#sha1 http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>       <ds:DigestValue xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>d2cIarD4atw3HFADamfO9YTKkKs=&l...      </ds:Reference>      <ds:Reference URI='#timestamp' xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>       <ds:Transforms xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>        <ds:Transform Algorithm=' http://www.w3.org/2001/10/xml-exc-c14n# http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>       </ds:Transforms>       <ds:DigestMethod Algorithm=' http://www.w3.org/2000/09/xmldsig#sha1 http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>       <ds:DigestValue xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>YR/fZlwJdw+KbyP24UYiyDv8/Dc=&l...      </ds:Reference>     </ds:SignedInfo>     <ds:SignatureValue xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'> OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi 5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90 FIhfAthslqeFu3h9U20= </ds:SignatureValue>     <ds:KeyInfo xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>      <wsse:SecurityTokenReference wsu:Id='reference-3-1291739860138-11726490'>       <wsse:Reference URI='#token-2-1291739860138-12935734' ValueType=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profil... http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profil...      </wsse:SecurityTokenReference>     </ds:KeyInfo>    </ds:Signature>   </wsse:Security> </env:Header> <env:Body wsu:Id='element-1-1291739860070-11803898' xmlns:wsu=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit... http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit...   <ns1:addizionami xmlns:ns1=' http://prova/ejb/to/ws/types http://prova/ejb/to/ws/types' xmlns:ns2=' http://prova/ejb/to/ws/types http://prova/ejb/to/ws/types'>    <Integer_1>3</Integer_1>    <Integer_2>78</Integer_2>   </ns1:addizionami> </env:Body> </env:Envelope> This message was sent from a servlet deployed on JBoss 4.2.3GA and received by a WS-Security configured Web Service deployed locally (on the same JBoss instance). All the automatic JBoss verifications are successful, here's the log: 2010-12-07 17:37:40,404 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#element-1-1291739860070-11803898" 2010-12-07 17:37:40,405 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#timestamp" 2010-12-07 17:37:40,417 DEBUG [org.jboss.ws.extensions.security.WSSecurityDispatcher] Verification is successful Now I want to verify this manually, so I decrypt the SignatureValue content with the public key and I obtain: 3021300906052b0e03021a05000414dccdb8570286d36c94bba8e5107faee91e0df088 I think I did this manual decryption well, because you can recognize the "ASN.1 BER SHA1 algorithm designator prefix" ( http://www.w3.org/TR/xmldsig-core/ http://www.w3.org/TR/xmldsig-core/) in the first part of this hex string (3021300906052b0e03021a05000414). So the second part (dccdb8570286d36c94bba8e5107faee91e0df088) is my hash value, i.e. the SHA1 computation of the canonicalized SignedInfo element, and in fact it's exactly 20 bytes long. But I can't get this hash value from the SignedInfo element. I'm using org.apache.xml.security.c14n.Canonicalizer for the canonicalization. Is there someone that can obtain this hash value and tell me the exact steps/tools/code used? Thank you in advance. Hello, I'm trying to do a "manual" verification of a XML-Signed message. The message is the following, taken as is from the server.log: <env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'> <env:Header>   <wsse:Security env:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w... xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws...    <wsu:Timestamp wsu:Id='timestamp'>     <wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>    </wsu:Timestamp>    <wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss... ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x5... wsu:Id='token-2-1291739860138-12935734'>MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV 1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95 BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>    <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>     <ds:SignedInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>      <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>      <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>      <ds:Reference URI='#element-1-1291739860070-11803898' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>       <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>        <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>       </ds:Transforms>       <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>       <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>d2cIarD4atw3HFAD...      </ds:Reference>      <ds:Reference URI='#timestamp' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>       <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>        <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>       </ds:Transforms>       <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>       <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>YR/fZlwJdw+KbyP2...      </ds:Reference>     </ds:SignedInfo>     <ds:SignatureValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi 5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90 FIhfAthslqeFu3h9U20= </ds:SignatureValue>     <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>      <wsse:SecurityTokenReference wsu:Id='reference-3-1291739860138-11726490'>       <wsse:Reference URI='#token-2-1291739860138-12935734' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x5...      </wsse:SecurityTokenReference>     </ds:KeyInfo>    </ds:Signature>   </wsse:Security> </env:Header> <env:Body wsu:Id='element-1-1291739860070-11803898' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws...   <ns1:addizionami xmlns:ns1='http://prova/ejb/to/ws/types' xmlns:ns2='http://prova/ejb/to/ws/types'>    <Integer_1>3</Integer_1>    <Integer_2>78</Integer_2>   </ns1:addizionami> </env:Body> </env:Envelope> This message was sent from a servlet deployed on JBoss 4.2.3GA and received by a WS-Security configured Web Service deployed locally (on the same JBoss instance). All the automatic JBoss verifications are successful, here's the log: 2010-12-07 17:37:40,404 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#element-1-1291739860070-11803898" 2010-12-07 17:37:40,405 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#timestamp" 2010-12-07 17:37:40,417 DEBUG [org.jboss.ws.extensions.security.WSSecurityDispatcher] Verification is successful Now I want to verify this manually, so I decrypt the SignatureValue content with the public key and I obtain: 3021300906052b0e03021a05000414dccdb8570286d36c94bba8e5107faee91e0df088 I think I did this manual decryption well, because you can recognize the "ASN.1 BER SHA1 algorithm designator prefix" ( http://www.w3.org/TR/xmldsig-core/ http://www.w3.org/TR/xmldsig-core/) in the first part of this hex string (3021300906052b0e03021a05000414). So the second part (dccdb8570286d36c94bba8e5107faee91e0df088) should be my hash value, i.e. the SHA1 computation of the canonicalized SignedInfo element, and in fact it's exactly 20 bytes long. But I can't get this hash value from the SignedInfo element. I'm using org.apache.xml.security.c14n.Canonicalizer for the canonicalization. Is there someone that can obtain this hash value and tell me the exact steps/tools/code used? Thank you in advance. -------------------------------------------------------------- Reply to this message by going to Community [http://community.jboss.org/message/575559#575559] Start a new discussion in JBoss Web Services at Community [http://community.jboss.org/choose-container!input.jspa?contentType=1&...]