verify referenced xml digital signature

Hi.

I would like to verify a referenced XML digital signature.

This is the XML document that I want to verify:

######################################################################################

<ThreeDSecure>
<Message id="xfm5_3_0.4133">
<PARes id="PARes52524142080316501023">
<version>1.0.2</version>
<Merchant>
<acqBIN>11111111111</acqBIN>
<merID>MasterCard</merID>
</Merchant>
<Purchase>
<xid>0CG3gS6kQReTBLwGfBloSwkBAwU=</xid>
<date>20070319 12:22:16</date>
<purchAmount>19999</purchAmount>
<currency>840</currency>
<exponent>2</exponent>
</Purchase>
<pan>0000000000009135</pan>
<TX>
<time>20070319 12:24:40</time>
<status>Y</status>
<cavv>jNtsxQ7pHyUFCBEAAAAIA0kAAAA=</cavv>
<eci>02</eci>
<cavvAlgorithm>3</cavvAlgorithm>
</TX>
</PARes>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#PARes52524142080316501023">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>1cORuvyMSRdY0BgIJ98PV9KDAsg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>YNK4Q7wu6Rj83TAmyOFPsEj4uvbuw6NBuFUAhI3Sc73rBplpK/JvF6Jsk06JgEaciYp032DUwrPS
lbpxftvZNVJ0UBQr0SaGKYi2M60YpJxcUU8bdAOYM0PQu/W23CSG5K7ldksw2m+DMqLLITatvGdc
3KpS1ui40ayZXrrC8tc=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=testdigsig, OU=acs, O=logos, C=HR</X509SubjectName>
<X509Certificate>MIID8jCCAtqgAwIBAgICSvcwDQYJKoZIhvcNAQEFBQAwgawxCzAJBgNVBAYTAlVTMSEwHwYDVQQK
ExhNYXN0ZXJDYXJkIEludGVybmF0aW9uYWwxMTAvBgNVBAsTKE1hc3RlckNhcmQgSW50ZXJuYXRp
b25hbCBTZWN1cmVDb2RlIFRFU1QxRzBFBgNVBAMTPk1hc3RlckNhcmQgU2VjdXJlQ29kZSBURVNU
IElzc3VlciBhbmQgRGlyZWN0b3J5IFN1Ym9yZGluYXRlIENBMB4XDTA3MDMwNzE0NDAwNFoXDTEx
MDMwNzE0MzczM1owQDELMAkGA1UEBhMCSFIxDjAMBgNVBAoTBWxvZ29zMQwwCgYDVQQLEwNhY3Mx
EzARBgNVBAMTCnRlc3RkaWdzaWcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ7piqxhTygO
qM08Uis7RSR7IAfrvHChmbATwhGC4BkjeVeEiZ3P0nAid0VlSdXwIIfaaTBkzpuhIKXM1FVqXp+H
hSQG01Vf0cqO9Ns5oL1kf1VWvUBCG1cnIPUoWt3hxJueSH3s3S0oDr8dOzx37g54mOvERXzxMtPC
NU2cuTL5AgMBAAGjggELMIIBBzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDArBgNVHRAEJDAi
gA8yMDA3MDMwNzE0MzcwMFqBDzIwMTAwMzA3MTQzNzAwWjCBvAYDVR0jBIG0MIGxoYGrpIGoMIGl
MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTWFzdGVyQ2FyZCBJbnRlcm5hdGlvbmFsMTEwLwYDVQQL
EyhNYXN0ZXJDYXJkIEludGVybmF0aW9uYWwgU2VjdXJlQ29kZSBURVNUMUAwPgYDVQQDEzdNYXN0
ZXJDYXJkIFNlY3VyZUNvZGUgVEVTVCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEIMA0G
CSqGSIb3DQEBBQUAA4IBAQCSwMgmnUN5g/b/38zJexa2LDvAJgGKBBm+Oy3Yey020yn70Uz5tjik
Z36toU+AlJRuBp78CU91PaUa3KReFiY2FbuT1JZbgpEa7XTo+vpPMxggAP36164K6IjmWAigFpxz
TVkM3ssJXIGSDSfCL1R+y1NSHgSBDrCYL0hVklNgUzQmhZac2eN3Bx3rgxtk/XtH89iAXsJg4gHw
DITXPV7BdyFS9FmPf2BgX0wg0X0oAUQ5YdtCJ8ZKBZeHyLS+7aF5QMxeTHNtmTxir//qU1h/MgSi
NEF27MeLZH+xxwEdMS1BzYBusG+FpDAvcKx7mm4jYj7En7ItuESuXz5umPC7</X509Certificate>
<X509Certificate>MIIECTCCAvGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMCVVMxITAfBgNVBAoT
GE1hc3RlckNhcmQgSW50ZXJuYXRpb25hbDExMC8GA1UECxMoTWFzdGVyQ2FyZCBJbnRlcm5hdGlv
bmFsIFNlY3VyZUNvZGUgVEVTVDFAMD4GA1UEAxM3TWFzdGVyQ2FyZCBTZWN1cmVDb2RlIFRFU1Qg
Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMzA0MjUxMzI1NTJaFw0xMzA0MjUxMzIz
NDZaMIGlMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTWFzdGVyQ2FyZCBJbnRlcm5hdGlvbmFsMTEw
LwYDVQQLEyhNYXN0ZXJDYXJkIEludGVybmF0aW9uYWwgU2VjdXJlQ29kZSBURVNUMUAwPgYDVQQD
EzdNYXN0ZXJDYXJkIFNlY3VyZUNvZGUgVEVTVCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt8RSwKLytmKkKQAJDHa2gUMwJgTqKZJg
1xj+xMZgWX286Z81aTtA2xNDrkW5+DvYItZMTyUe2/G4DNpt85ffB5nYWx+6dxOa5N8LQl0qI5Sm
pAjy6grwA/RiJAdfzvEkrTqf8EEVrfLN2MiThXpN5mkE+k1YYBhTRAWiL2tLHSYCQHvyaLThXc06
HC8pGwmoHc3chUi7z8wcD7ONr/tYFbMswMk/PzynX6SIHe3te7VyrMKmFEMs9P7mh+usRcDR+eIl
//474XqhdqU6Q3ZIRS136QjgV9RLRxPfvvGPt8KQzDhJ+oAy3VNi0748MK0CjFNkw/810u9+Q5Qf
I2fiJQIDAQABo0IwQDAPBgNVHRMECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU
tMRqjBW1xuwPImv2gjLHHDYxDWswDQYJKoZIhvcNAQEFBQADggEBACh6idUo4ufb9EdWb94cSsln
Mzi9Wbktb7vevENofPai1nblYPWyzBrvUHBG+4yj8C/YoDIReSYCgfQOAXVdjUqysry1HPmJsXMg
Ud9pyEdkjg9v9DmXym6j9NescbDrJdTX2XaPJzBFOrjXz3wlHl7dXfDCaDvr0uvJKpeTJyi0K5GL
sd0u8WugdmkmdJt70rlNpMPr9NN+JApbNdXi6yaw8X+ep6ZYv1m3d2BtOKmNIY/qE/RtL6PZbn6I
hd725c7wHawybB4d9Nsn15JsaqkqwKxvJIDQncZhHDrjwNh8AUheqa2TNurdvawr545UnDR8uiPk
pNCs01KKG99tNPo=
</X509Certificate>
<X509Certificate>MIIE0jCCA7qgAwIBAgIBCDANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMCVVMxITAfBgNVBAoT
GE1hc3RlckNhcmQgSW50ZXJuYXRpb25hbDExMC8GA1UECxMoTWFzdGVyQ2FyZCBJbnRlcm5hdGlv
bmFsIFNlY3VyZUNvZGUgVEVTVDFAMD4GA1UEAxM3TWFzdGVyQ2FyZCBTZWN1cmVDb2RlIFRFU1Qg
Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMzA0MjUxMzQyMDFaFw0xMzA0MjUxMzIz
NDZaMIGsMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTWFzdGVyQ2FyZCBJbnRlcm5hdGlvbmFsMTEw
LwYDVQQLEyhNYXN0ZXJDYXJkIEludGVybmF0aW9uYWwgU2VjdXJlQ29kZSBURVNUMUcwRQYDVQQD
Ez5NYXN0ZXJDYXJkIFNlY3VyZUNvZGUgVEVTVCBJc3N1ZXIgYW5kIERpcmVjdG9yeSBTdWJvcmRp
bmF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbWuu5xvMBrG3QS75Cp+Y9t
d9xir+zCsCRY79YPGGc8D7KvifA+jWkKQCBqlVlcd5DHnYYPEQ8jmTRh1ILhqfnhm3eydFCV9FBx
zEuB5N2Rba6JIr04vDogtECsmmqKP7dMmG/u4ZfEEpjVjpT477GsyQNIJ0mKPnuOXU4T8ophPcIy
JcOIlb8yw3gH2ux1vOqZqXmBovr3BBf4T/TB6io+rGDjku9JyPmojCOhxxa6N0fFTeps6LlTq0lx
udbDqD8ZJAfjJ/RKZvmG1f5EC8DhUQA6APuEfvA+BcM+9INbCSNcW3ZNEIOFL0LiqwHP5NYpfdrC
rfRGJw27GcFQwmkCAwEAAaOCAQIwgf8wDwYDVR0TBAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYw
gbwGA1UdIwSBtDCBsaGBq6SBqDCBpTELMAkGA1UEBhMCVVMxITAfBgNVBAoTGE1hc3RlckNhcmQg
SW50ZXJuYXRpb25hbDExMC8GA1UECxMoTWFzdGVyQ2FyZCBJbnRlcm5hdGlvbmFsIFNlY3VyZUNv
ZGUgVEVTVDFAMD4GA1UEAxM3TWFzdGVyQ2FyZCBTZWN1cmVDb2RlIFRFU1QgUm9vdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eYIBATAdBgNVHQ4EFgQUHF9p4KsctkhLItck9kisg3raCoswDQYJKoZI
hvcNAQEFBQADggEBAGlO9RLBu6Y2S17bxFfe2gbYfBLKOd7cIy2D3YzZqGjhdODfcvS9M1wB1xWK
gbJxHZYi7Fcrix/3UChR+tQHXM7Mt6UuMIDppkUv+Sba4x4AkHmoqJVYkVzeP/0/3cn27jlTjdtc
kQUCbIQNeoKtmQnnKwSWfkl5AyDQxYKpbrIT0UZf50Has+CQ1zumkCC/TvNDWIEJuauX8ZA2SdGR
/llFKbIziaGshNTqIv4x2StyGTZPnQgd6W5VoxGfsViZrxT4z6BR/DhQP3K2G8VQKB7kFcet+zGw
lKPEAouBjYWHB0vVkd81HZAw/pIu+AyBR1DUF7dVku3ETNYhY5Pzz1A=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</Message>
</ThreeDSecure>

######################################################################################

I tried something like this (with Apache XML Security):

import java.security.cert.X509Certificate;

import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xpath.CachedXPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public static boolean verify(Document doc) {
    try {
        // Initialize the library - this is now done inside servlet WSSInit
        org.apache.xml.security.Init.init();

        // must match baseURI (not consulted for a same-document "#id" Reference)
        String baseURI = "PARes52524142080316501023";

        // Locate ds:Signature with a namespace-aware XPath lookup
        CachedXPathAPI xpathAPI = new CachedXPathAPI();
        Element nsctx = doc.createElement("nsctx");
        nsctx.setAttribute("xmlns:ds", Constants.SignatureSpecNS);
        Element signatureElem = (Element) xpathAPI.selectSingleNode(doc, "//ds:Signature", nsctx);

        // Check to make sure that the document claims to have been signed
        if (null == signatureElem) {
            throw new IllegalStateException(
                "SOAP Document not digitally signed - missing element: //ds:Signature");
        }

        XMLSignature sig = new XMLSignature(signatureElem, baseURI);
        // First certificate from KeyInfo/X509Data (the signer, CN=testdigsig here)
        X509Certificate cert = sig.getKeyInfo().getX509Certificate();
        System.out.println(cert.getSubjectDN().getName());

        // Verifies every Reference digest and then SignatureValue with that certificate
        boolean verify = sig.checkSignatureValue(cert);
        if (verify) {
            System.out.println("verify ok");
            return true;
        }
    } catch (Exception e) {
        e.printStackTrace();
        return false;
    }
    // signature verification failed -
    // do not forward request to SOAP Service.
    return false;
}

but I always get "- Verification failed for URI "#PARes52524142080316501023"".

I tried with Java XMLDSig (javax.xml.crypto):

import java.security.Provider;
import java.util.Iterator;

import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public static boolean verify(Document doc) throws Exception {
    NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (nl.getLength() == 0) {
        throw new Exception("Cannot find Signature element");
    }

    // Create a DOM XMLSignatureFactory that will be used to unmarshal the
    // document containing the XMLSignature
    String providerName = System.getProperty("jsr105Provider",
            "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
            (Provider) Class.forName(providerName).newInstance());

    // Create a DOMValidateContext and specify a KeyValue KeySelector
    // and document context. X509KeySelector is my own KeySelector that
    // returns the public key of the certificate found in KeyInfo.
    // Note: the Reference URI "#PARes..." is dereferenced through
    // Document.getElementById(), so the "id" attribute must be of type ID
    // (DTD/schema, or Element.setIdAttribute) or the lookup fails.
    DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(), nl.item(0));

    // unmarshal the XMLSignature
    XMLSignature signature = fac.unmarshalXMLSignature(valContext);

    // Validate the XMLSignature (generated above)
    boolean coreValidity = signature.validate(valContext);

    // Check core validation status
    if (coreValidity == false) {
        System.err.println("Signature failed core validation");
        boolean sv = signature.getSignatureValue().validate(valContext);
        System.out.println("signature validation status: " + sv);

        // check the validation status of each Reference
        Iterator i = signature.getSignedInfo().getReferences().iterator();
        for (int j = 0; i.hasNext(); j++) {
            boolean refValid = ((Reference) i.next()).validate(valContext);
            System.out.println("ref[" + j + "] validity status: " + refValid);
        }
        return false;
    } else {
        System.out.println("Signature passed core validation");
        return true;
    }
}

but I always get:

"- Couldn't validate the References
Signature failed core validation"

In the Java XMLDSig Javadoc I found an interface "URIDereferencer" that can be implemented and set on the DOMValidateContext with valContext.setURIDereferencer(), but I was not able to implement this interface.

I would prefer to use Java XMLDSig rather than Apache, but any solution would be nice.

Can anyone help?

Thanks,

Alan

[11199 byte] By [aklikica] at [2007-11-27 0:41:32]
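A complete javax.xml.crypto verifier that covers the two things asked about above, the URIDereferencer and the KeySelector, is added here as an example; it is not the poster's code and not part of any project. The class names PAResVerifier, FragmentOnlyDereferencer, X509KeySelector and Result are my own, the file path comes from the command line, and the "org.jcp.xml.dsig.secureValidation" property is the JDK provider's own hardening switch (other providers ignore unknown properties). The dereferencer refuses every Reference URI that is not a same-document fragment and delegates the rest to the JDK's default resolver, which is why it stays short; the PARes "id" attribute is flagged as an ID attribute because the default resolver goes through Document.getElementById(), and a plain "id" attribute is not of type ID without a DTD or schema.

```java
import java.io.File;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (hypothetical class names): verify the ds:Signature over a PARes element. */
public final class PAResVerifier {

    /** URIDereferencer that accepts only same-document fragments (URI="#...") and hands
     *  those to the default resolver; file:, http: and other external URIs are refused. */
    static final class FragmentOnlyDereferencer implements URIDereferencer {
        private final URIDereferencer delegate;
        FragmentOnlyDereferencer(URIDereferencer delegate) { this.delegate = delegate; }
        @Override
        public Data dereference(URIReference ref, XMLCryptoContext ctx) throws URIReferenceException {
            String uri = ref.getURI();
            if (uri == null || !uri.startsWith("#")) {
                throw new URIReferenceException("refusing non-fragment Reference URI: " + uri);
            }
            return delegate.dereference(ref, ctx);
        }
    }

    /** KeySelector: public key of the first KeyInfo/X509Data certificate whose key algorithm
     *  matches the SignatureMethod (RSA for rsa-sha1). This establishes which key signed,
     *  not whether that certificate is trusted; see the note after the code. */
    static final class X509KeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("Signature carries no KeyInfo");
            String sigAlg = method.getAlgorithm().toLowerCase();
            for (Object item : keyInfo.getContent()) {
                if (!(item instanceof X509Data)) continue;
                for (Object content : ((X509Data) item).getContent()) {
                    if (!(content instanceof X509Certificate)) continue;
                    final Key key = ((X509Certificate) content).getPublicKey();
                    if (sigAlg.contains(key.getAlgorithm().toLowerCase())) {
                        return new KeySelectorResult() {
                            @Override public Key getKey() { return key; }
                        };
                    }
                }
            }
            throw new KeySelectorException("no certificate in KeyInfo matches " + sigAlg);
        }
    }

    /** Per-part outcome: a failure is attributable to SignatureValue or to a Reference digest. */
    public static final class Result {
        public boolean coreValid;            // what signature.validate() returned
        public boolean signatureValueValid;  // RSA-SHA1 over canonicalized SignedInfo
        public final List<Boolean> referenceValid = new ArrayList<Boolean>(); // one per Reference
        @Override public String toString() {
            return "core=" + coreValid + " signatureValue=" + signatureValueValid
                    + " references=" + referenceValid;
        }
    }

    public static Result verify(Document doc) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("expected one ds:Signature, found " + sigs.getLength());
        }
        // Make the PARes "id" attribute an ID attribute so "#PARes..." can be dereferenced.
        NodeList pares = doc.getElementsByTagName("PARes");
        for (int i = 0; i < pares.getLength(); i++) {
            ((Element) pares.item(i)).setIdAttribute("id", true);
        }
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(new X509KeySelector(), sigs.item(0));
        ctx.setURIDereferencer(new FragmentOnlyDereferencer(fac.getURIDereferencer()));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // JDK hardening switch

        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        Result r = new Result();
        r.coreValid = signature.validate(ctx);                               // both checks at once
        r.signatureValueValid = signature.getSignatureValue().validate(ctx); // then each part
        for (Object o : signature.getSignedInfo().getReferences()) {
            r.referenceValid.add(((Reference) o).validate(ctx));             // SHA-1 of c14n(PARes)
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this, ds:Signature is never found
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));
        Result r = verify(doc);
        System.out.println(r);
        System.exit(r.coreValid ? 0 : 1);
    }
}
```

Two things to keep in mind when reading the result. The Reference digest is SHA-1 over the inclusive C14N of the PARes element, whitespace text nodes included, so a document that was re-indented or re-serialized after signing will report references=[false] even though signatureValue=true; a false reference is a genuine mismatch between what was signed and what arrived, and the check should never be loosened to make it pass. Second, coreValid only proves that the SignatureValue was produced with the key in the first KeyInfo certificate; whether that certificate (CN=testdigsig) chains to the MasterCard SecureCode TEST root through the Issuer and Directory Subordinate CA is a separate step, for which the embedded certificates can be fed to java.security.cert.CertPathValidator with the root as the pinned trust anchor.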
# 1

Review the code you use to sign. Maybe it has happened through changes to the XML structure when published on this portal here, but the signature, the way it is posted here, cannot be verified using the public key included for signerCert. Hence the core validation should fail!

[1]:CN=testdigsig, OU=acs, O=logos, C=HR

[2]:CN=MasterCard SecureCode TEST Root Certification Authority, OU=MasterCard International SecureCode TEST, O=MasterCard International, C=US

[3]:CN=MasterCard SecureCode TEST Issuer and Directory Subordinate CA, OU=MasterCard International SecureCode TEST, O=MasterCard International, C=US

[signerCert]:CN=testdigsig, OU=acs, O=logos, C=HR

Signature failed core validation

signature validation status: false

ref[0] validity status: false

babakNa at 2007-7-11 22:55:11