Java
created4dev, 2015-04-27 08:51:56

Why does the digital signature check in the first variant give true and in the second false?

//Option 1
import java.security.cert.X509Certificate;
import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;   // Xalan's XPathAPI (matches the 3-argument selectNodeList used here)
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

Init.init();                                    // Santuario must be initialised once before use
String xml = readFileAsString("test.xml");      // readFileAsString/parseDocument: the poster's helpers, not shown
Document doc = parseDocument(xml);              // parseDocument must produce a namespace-aware DOM
Element nscontext = XMLUtils.createDSctx(doc, "ds", "http://www.w3.org/2000/09/xmldsig#");
NodeList list = XPathAPI.selectNodeList(doc, "//ds:Signature", nscontext);
Element sigElement = (Element) list.item(list.getLength() - 1);   // last <ds:Signature> in the file
XMLSignature signature = new XMLSignature(sigElement, "");
KeyInfo ki = signature.getKeyInfo();
X509Certificate certKey = ki.getX509Certificate();                // certificate taken from <ds:KeyInfo>
System.out.println(signature.checkSignatureValue(certKey));       // prints true for test.xml

//Option 2
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import org.apache.xml.security.utils.Base64;    // assumed: the post does not say which Base64 class it uses

// All three strings are copied out of the same "test.xml"
String cert = "...";  // text content of <ds:X509Certificate>
String data = "...";  // text content of <ds:DigestValue>
String sign = "...";  // text content of <ds:SignatureValue>
Certificate certificate = CertificateFactory.getInstance("X509")
        .generateCertificate(new ByteArrayInputStream(Base64.decode(cert)));
PublicKey publicKey = certificate.getPublicKey();
Signature signature2 = Signature.getInstance(publicKey.getAlgorithm());  // algorithm name taken from the key itself
signature2.initVerify(publicKey);
signature2.update(Base64.decode(data));          // the decoded DigestValue bytes are what is verified here
System.out.println(signature2.verify(Base64.decode(sign)));   // prints false for test.xml

What's the catch? What is the fundamental difference between XMLSignature and Signature? It is one and the same file, but the results differ (the first gives true, the second false).

1 answer(s)
Vladimir Smirnov, 2015-04-29
@bobzer

Well, firstly, the point of the experiment is unclear: you have working EDS verification code, so why the second option?
Second, to the core of the issue. It can be assumed that XMLSignature exists for a reason and differs in some way from Signature. The difference is that XMLSignature takes into account the fact that XML documents have a structure, while Signature checks an unstructured byte array. When XMLSignature is used, canonicalization is applied, which brings the DOM structure read from the file to a common form. XMLSignature then checks exactly that canonicalized DOM structure, and not an array of bytes read from the file without any interpretation.
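An added example, not from the question or the answer: the check that XMLSignature performs, done step by step with the JDK's javax.xml.crypto.dsig API and then repeated with plain java.security.Signature, fed the canonicalized <ds:SignedInfo> bytes instead of the DigestValue. It assumes test.xml holds one signature with an RSA-SHA1 or RSA-SHA256 SignatureMethod and the certificate inside <ds:X509Certificate>; the class name SignedInfoCheck and the jcaName mapping are mine, and readAllBytes needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignedInfoCheck {
    // XMLDSig SignatureMethod URI -> JCA name; only the two methods assumed here are mapped
    static String jcaName(String uri) {
        if (uri.equals(SignatureMethod.RSA_SHA1)) return "SHA1withRSA";
        if (uri.equals("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")) return "SHA256withRSA";
        throw new IllegalArgumentException("unmapped SignatureMethod " + uri);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // without this the ds:* elements are not found
        Document doc = dbf.newDocumentBuilder().parse(new File("test.xml"));
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        // Certificate from <ds:X509Certificate>, decoded as option 2 did (MIME decoder tolerates line breaks)
        String b64 = sigEl.getElementsByTagNameNS(XMLSignature.XMLNS, "X509Certificate").item(0).getTextContent();
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(Base64.getMimeDecoder().decode(b64)));

        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(cert.getPublicKey()), sigEl);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        System.out.println("core validation: " + sig.validate(ctx));  // runs both checks below in one call
        // Check 1: each Reference's DigestValue against a fresh digest of the (transformed) referenced content
        for (Object r : sig.getSignedInfo().getReferences())
            System.out.println("reference " + ((Reference) r).getURI() + " digest ok: " + ((Reference) r).validate(ctx));
        // Check 2: SignatureValue is over the canonicalized <ds:SignedInfo>, not over the DigestValue bytes
        byte[] signedBytes = sig.getSignedInfo().getCanonicalizedData().readAllBytes();  // filled in by validate()
        Signature jca = Signature.getInstance(jcaName(sig.getSignedInfo().getSignatureMethod().getAlgorithm()));
        jca.initVerify(cert.getPublicKey());
        jca.update(signedBytes);
        System.out.println("java.security.Signature over c14n SignedInfo: " + jca.verify(sig.getSignatureValue().getValue()));
    }
}
```

Check 2 is what option 2 was missing: the same java.security.Signature object returns true once it is given the canonicalized SignedInfo and a full signature algorithm name rather than the key type.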
