[jboss-user] [JBoss Web Services] - Manual validation of SignatureValue

Giovanni Castellari do-not-reply at jboss.com
Sun Dec 12 12:05:06 EST 2010


Giovanni Castellari [http://community.jboss.org/people/giogio] created the discussion

"Manual validation of SignatureValue"

To view the discussion, visit: http://community.jboss.org/message/575559#575559

--------------------------------------------------------------
Hello, I'm trying to do a "manual" verification of a XML-Signed message. The message is the following, taken as is 
from the server.log:
 
<env:Envelope xmlns:env=' http://schemas.xmlsoap.org/soap/envelope/ http://schemas.xmlsoap.org/soap/envelope/'>
 <env:Header>
  <wsse:Security env:mustUnderstand='1' xmlns:wsse=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
   <wsu:Timestamp wsu:Id='timestamp'>
    <wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>
   </wsu:Timestamp>
   <wsse:BinarySecurityToken EncodingType=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' wsu:Id='token-2-1291739860138-12935734'>MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x
MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV
1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i
WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD
gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95
BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF
qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignedInfo xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>
     <ds:CanonicalizationMethod Algorithm=' http://www.w3.org/2001/10/xml-exc-c14n# http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>
     <ds:SignatureMethod Algorithm=' http://www.w3.org/2000/09/xmldsig#rsa-sha1 http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>
     <ds:Reference URI='#element-1-1291739860070-11803898' xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>
      <ds:Transforms xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>
       <ds:Transform Algorithm=' http://www.w3.org/2001/10/xml-exc-c14n# http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm=' http://www.w3.org/2000/09/xmldsig#sha1 http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>
      <ds:DigestValue xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>d2cIarD4atw3HFADamfO9YTKkKs=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI='#timestamp' xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>
      <ds:Transforms xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>
       <ds:Transform Algorithm=' http://www.w3.org/2001/10/xml-exc-c14n# http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm=' http://www.w3.org/2000/09/xmldsig#sha1 http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds=' http://www.w3.org/2000/09/xmldsig#'/ http://www.w3.org/2000/09/xmldsig#'/>
      <ds:DigestValue xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>YR/fZlwJdw+KbyP24UYiyDv8/Dc=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>
OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi
5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90
FIhfAthslqeFu3h9U20=
</ds:SignatureValue>
    <ds:KeyInfo xmlns:ds=' http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#'>
     <wsse:SecurityTokenReference wsu:Id='reference-3-1291739860138-11726490'>
      <wsse:Reference URI='#token-2-1291739860138-12935734' ValueType=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/ http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </env:Header>
 <env:Body wsu:Id='element-1-1291739860070-11803898' xmlns:wsu=' http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
  <ns1:addizionami xmlns:ns1=' http://prova/ejb/to/ws/types http://prova/ejb/to/ws/types' xmlns:ns2=' http://prova/ejb/to/ws/types http://prova/ejb/to/ws/types'>
   <Integer_1>3</Integer_1>
   <Integer_2>78</Integer_2>
  </ns1:addizionami>
 </env:Body>
</env:Envelope>
 
 
This message was sent from a servlet deployed on JBoss 4.2.3GA and received by a WS-Security configured Web Service
deployed locally (on the same JBoss instance). All the automatic JBoss verifications are successful, here's the
log:
 
2010-12-07 17:37:40,404 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#element-1-1291739860070-11803898"
2010-12-07 17:37:40,405 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#timestamp"
2010-12-07 17:37:40,417 DEBUG [org.jboss.ws.extensions.security.WSSecurityDispatcher] Verification is successful
 
Now I want to verify this manually, so I decrypt the SignatureValue content with the public key and I obtain:
 
3021300906052b0e03021a05000414dccdb8570286d36c94bba8e5107faee91e0df088
 
I think I did this manual decryption well, because you can recognize the "ASN.1 BER SHA1 algorithm designator 
prefix" ( http://www.w3.org/TR/xmldsig-core/ http://www.w3.org/TR/xmldsig-core/) in the first part of this hex string (3021300906052b0e03021a05000414).
So the second part (dccdb8570286d36c94bba8e5107faee91e0df088) is my hash value, i.e. the SHA1 computation of the
canonicalized SignedInfo element, and in fact it's exactly 20 bytes long. But I can't get this hash value from the 
SignedInfo element. I'm using org.apache.xml.security.c14n.Canonicalizer for the canonicalization. Is there someone
that can obtain this hash value and tell me the exact steps/tools/code used? Thank you in advance.
 
 
Hello, I'm trying to do a "manual" verification of a XML-Signed message. The message is the following, taken as is 
from the server.log:

<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
 <env:Header>
  <wsse:Security env:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
   <wsu:Timestamp wsu:Id='timestamp'>
    <wsu:Created>2010-12-07T16:37:40.038Z</wsu:Created>
   </wsu:Timestamp>
   <wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' wsu:Id='token-2-1291739860138-12935734'>MIIBnDCCAQUCBEz+E1kwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKbWlvY2xpZW50MTAeFw0x
MDEyMDcxMDU4MzNaFw0xMTAzMDcxMDU4MzNaMBUxEzARBgNVBAMTCm1pb2NsaWVudDEwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJlzh8T0w+FG/uJ6oDzc6uVSJMgJhuL851BPjoAynW7wCeGV
1EEydEr2S9qOwsUEg32mLn6s9Mf19nkI3nGHjCuS9SmIil5WilWGWsHqfFSUFB7goKeLfqdGtP5i
WDZ4QFVZ0AjMjJZP9tAY8FYzkmJUEkcg5T2OcW/1019/Ttk5AgMBAAEwDQYJKoZIhvcNAQEEBQAD
gYEAP6De4XP3wSYDWqSUCgJZNqddZUJFIDxYp5cV6jH4yckV/xniD3IvVcTx8bCykbwWDEec3z95
BdYWNPuU2DPWtcab3dTtD7JXez1+Ywi2IYIexChQbthkziLXkvGoPofe9Z7BlaE3hiFzPMKWRjDF
qSOScxAyjSebLPvczWozAWQ=</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignedInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
     <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
     <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
     <ds:Reference URI='#element-1-1291739860070-11803898' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
       <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
      <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>d2cIarD4atw3HFADamfO9YTKkKs=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI='#timestamp' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
       <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
      <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>YR/fZlwJdw+KbyP24UYiyDv8/Dc=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
OZg96GMrGh0cEwbpHwv3KDhFtFcnzPxbwp9Xv0pgw8Mr9+NIjRlg/G1OyIZ3SdcOYqqzF4/TVLDi
5VclwnjBAFl3SEdkyUbbjXVAGkSsxPQcC4un9UYcecESETlAgV8UrHV3zTrjAWQvDg/YBKveoH90
FIhfAthslqeFu3h9U20=
</ds:SignatureValue>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
     <wsse:SecurityTokenReference wsu:Id='reference-3-1291739860138-11726490'>
      <wsse:Reference URI='#token-2-1291739860138-12935734' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </env:Header>
 <env:Body wsu:Id='element-1-1291739860070-11803898' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
  <ns1:addizionami xmlns:ns1='http://prova/ejb/to/ws/types' xmlns:ns2='http://prova/ejb/to/ws/types'>
   <Integer_1>3</Integer_1>
   <Integer_2>78</Integer_2>
  </ns1:addizionami>
 </env:Body>
</env:Envelope>



This message was sent from a servlet deployed on JBoss 4.2.3GA and received by a WS-Security configured Web Service
deployed locally (on the same JBoss instance). All the automatic JBoss verifications are successful, here's the
log:

2010-12-07 17:37:40,404 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#element-1-1291739860070-11803898"
2010-12-07 17:37:40,405 INFO  [org.apache.xml.security.signature.Reference] Verification successful for URI "#timestamp"
2010-12-07 17:37:40,417 DEBUG [org.jboss.ws.extensions.security.WSSecurityDispatcher] Verification is successful

Now I want to verify this manually, so I decrypt the SignatureValue content with the public key and I obtain:

3021300906052b0e03021a05000414dccdb8570286d36c94bba8e5107faee91e0df088

I think I did this manual decryption well, because you can recognize the "ASN.1 BER SHA1 algorithm designator 
prefix" ( http://www.w3.org/TR/xmldsig-core/ http://www.w3.org/TR/xmldsig-core/) in the first part of this hex string (3021300906052b0e03021a05000414).
So the second part (dccdb8570286d36c94bba8e5107faee91e0df088) should be my hash value, i.e. the SHA1 computation of the
canonicalized SignedInfo element, and in fact it's exactly 20 bytes long. But I can't get this hash value from the 
SignedInfo element. I'm using org.apache.xml.security.c14n.Canonicalizer for the canonicalization. Is there someone
that can obtain this hash value and tell me the exact steps/tools/code used? Thank you in advance.
--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/575559#575559]

Start a new discussion in JBoss Web Services at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2044]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20101212/36fdb66e/attachment-0001.html 


More information about the jboss-user mailing list