
XMLDSIG Core Validation Failure

2 replies
franknatoli
Offline
Joined: 2007-04-13
Points: 0

Below is an extract from the JWSDP-2.0 sample Validate.java. What does it mean when the core validity fails (returns false), and the signature validation status fails (returns false), but the reference validation succeeds (returns true) and there is only one reference?

import java.util.Iterator;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;

// (signature and valContext are set up earlier in Validate.java)
// Validate the XMLSignature (generated above)
boolean coreValidity = signature.validate(valContext);
// Check core validation status
if (coreValidity == false)
{
    System.err.println("Signature failed core validation");
    // Core validity is SignatureValue validity AND validity of every Reference,
    // so break it down to see which part failed
    boolean sv = signature.getSignatureValue().validate(valContext);
    System.out.println("signature validation status: " + sv);
    // check the validation status of each Reference
    Iterator i = signature.getSignedInfo().getReferences().iterator();
    for (int j = 0; i.hasNext(); j++)
    {
        boolean refValid = ((Reference) i.next()).validate(valContext);
        System.out.println("ref[" + j + "] validity status: " + refValid);
    }
}
else
{
    System.out.println("Signature passed core validation");
}

Have some rather peculiar circumstances triggering the above problem. Have an API that generates two digital signatures, one detached and one enveloped, both inserted into a single XML file. When the API is tested via JUnit and ANT, the two signatures generate objects without any namespace prefix and both signatures pass core validation.

But when the API is invoked via a web GUI, the first [detached] signature bears a namespace prefix and fails core validation, fails signature validation but passes reference validation. The second [enveloped] signature bears no namespace prefix and passes core validation.

Have enabled logging for org.jcp.xml.dsig.internal and com.sun.org.apache.xml.internal.security. Curiously, the expected digest and actual digest for the detached signature that fails core validation match. But XMLDSIG provides no logging information between "verifying with key: ..." and the failure.

With reference validation passing, can I disregard failed core and signature validation?

Thanks for your time.
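The situation asked about above (SignatureValue fails, the single Reference passes) is reproducible on purpose, which also answers why it cannot be disregarded: the SignatureValue is computed over the canonicalized SignedInfo, and with inclusive C14N that canonical form includes every namespace declaration in scope, even ones declared on ancestors of ds:Signature after signing. The following is an added example, not code from this thread or from the JWSDP sample: it signs a constructed document with a prefixed payload, prints the same breakdown as Validate.java plus the canonicalized SignedInfo, then injects an unused xmlns declaration on the root and validates again. The class name XmlDsigDiagnostics, the report helper, the INPUT document and the urn:injected namespace are made up for the demo; it assumes Java 11 or later (SignatureMethod.RSA_SHA256, InputStream.readAllBytes) and the standard "DOM" XMLSignatureFactory.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XmlDsigDiagnostics {

    // Constructed input: a document whose payload carries an explicit prefix,
    // like the prefixed element described in the thread.
    static final String INPUT =
        "<doc xmlns:ex=\"urn:example:schema\"><ex:payload>hello</ex:payload></doc>";

    static final String XMLNS_ATTR_NS = "http://www.w3.org/2000/xmlns/";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XMLDSIG needs a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(INPUT.getBytes(StandardCharsets.UTF_8)));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key generated for the demo

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // Reference over the whole document (URI=""). The enveloped transform
        // strips the Signature itself; exclusive C14N omits namespace declarations
        // that are not visibly used, so the digest ignores stray xmlns attributes.
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);

        // SignedInfo is canonicalized with INCLUSIVE C14N, which renders every
        // namespace declaration in scope, including ones inherited from the
        // ancestors of ds:Signature.
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));

        // No KeyInfo: the validator is handed the public key directly in report().
        XMLSignature sig = fac.newXMLSignature(si, null);
        sig.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));

        report("as signed", doc, kp);

        // Simulate an "xmlns" injected after signing: an unused prefix declaration
        // on the root element, outside the payload but in scope for SignedInfo.
        doc.getDocumentElement().setAttributeNS(XMLNS_ATTR_NS, "xmlns:injected", "urn:injected");

        report("after xmlns injection", doc, kp);
    }

    // Validate and print the same breakdown as the JWSDP sample, plus the
    // canonicalized SignedInfo that Sean Mullan's blog suggests inspecting.
    static void report(String label, Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        DOMValidateContext valContext = new DOMValidateContext(
            KeySelector.singletonKeySelector(kp.getPublic()), nl.item(0));
        XMLSignature signature = fac.unmarshalXMLSignature(valContext);

        // Core validity == SignatureValue valid AND every Reference valid.
        boolean coreValidity = signature.validate(valContext);
        boolean sv = signature.getSignatureValue().validate(valContext);
        System.out.println(label + ": core=" + coreValidity + " signatureValue=" + sv);

        Iterator<?> i = signature.getSignedInfo().getReferences().iterator();
        for (int j = 0; i.hasNext(); j++) {
            Reference r = (Reference) i.next();
            System.out.println("  ref[" + j + "] valid=" + r.validate(valContext));
        }

        // Only available after validate(); shows exactly which bytes were signed.
        InputStream c14n = signature.getSignedInfo().getCanonicalizedData();
        System.out.println("  canonical SignedInfo: "
            + new String(c14n.readAllBytes(), StandardCharsets.UTF_8));
    }
}
```

In the second run the reference digest is unchanged, because Exc-C14N never renders the unused xmlns:injected declaration, while the inclusive canonicalization of SignedInfo now carries it, so the SignatureValue no longer verifies and core validity is false. Diffing the two printed canonical SignedInfo strings shows the injected declaration directly, which is the same diagnosis method the later posts in this thread arrive at. A passing reference only proves the referenced content is intact; the SignatureValue is what binds that content to the key, so a failed SignatureValue means the signature must be treated as invalid. Signing SignedInfo with CanonicalizationMethod.EXCLUSIVE instead of INCLUSIVE is the usual way to make a signature robust against this kind of context change.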

franknatoli
Offline
Joined: 2007-04-13
Points: 0

As per Sean Mullan's recommendation to perform SignedInfo.getCanonicalizedData, see http://weblogs.java.net/blog/mullan/archive/security/index.html, I have discovered that something is injecting an "xmlns" where it did not previously exist.

The input XML is simply .

But SignedInfo.getCanonicalizedData returns

This is almost certainly the cause of the core validation failure and the signature validation failure.

Question is: how can the additional "xmlns" injection be suppressed?

franknatoli
Offline
Joined: 2007-04-13
Points: 0

The "solution" was to employ the JAXB-RI NamespacePrefixMapper to rigorously control namespace assignments, in particular to ensure that http://www.w3.org/2000/09/xmldsig#, the XMLDSIG namespace, gets the null/default xmlns namespace and all other namespaces get explicit xmlns:XXX namespaces. This coercion of the namespace assignments guarantees that XMLDSIG validation does not get corrupted by modified data.

The following needs to be inserted into the marshalling code:

m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapperImpl());

And the following class needs to be implemented:

import com.sun.xml.bind.marshaller.NamespacePrefixMapper;

// Forces a fixed prefix for each namespace when JAXB marshals, so the XML
// handed to XMLDSIG carries exactly the namespace declarations that were signed.
class NamespacePrefixMapperImpl extends NamespacePrefixMapper
{
    @Override
    public String getPreferredPrefix(String namespaceUri, String suggestion, boolean requirePrefix)
    {
        if ("https://www.jatdi.mil/schema".equals(namespaceUri))
            return "jatdi";
        if ("https://www.jatdi.mil/schema/ddms".equals(namespaceUri))
            return "ddms";
        if ("urn:us:gov:ic:ism:v2".equals(namespaceUri))
            return "icism";
        if ("http://schemas.opengis.net/gml/3.1.1/base/".equals(namespaceUri))
            return "opengis";
        if ("http://www.w3.org/1999/xlink".equals(namespaceUri))
            return "xlink";
        // The XMLDSIG namespace gets the default (unprefixed) xmlns
        if ("http://www.w3.org/2000/09/xmldsig#".equals(namespaceUri))
            return "";
        // Anything else keeps whatever prefix JAXB proposed
        return suggestion;
    }

    // public String[] getPreDeclaredNamespaceUris()
    // {
    //     return new String[] { "urn:abc", "urn:def" };
    // }
}

It seems incredible that a element with an explicit namespace prefix, e.g., cannot pass digital signature validation, because as stated in the above posts the call to XMLSignatureFactory.unmarshallXMLSignature gratuitously modifies the element. Must conclude by Sun's silence that this is a "feature" and not a "bug".