64583479

Date: 2020-10-29 01:10:42
Score: 6.5

I am facing the same issue now. I am not sure if this is fixed as part of the latest code base, but I took the code from Git and compiled it.

If I use the XML without a namespace it is able to verify the signature. But if I use the XML with a namespace it fails with the error below:

Error: 
3343 [main] DEBUG org.apache.xml.security.utils.DigesterOutputStream  - Pre-digested input:
3343 [main] DEBUG org.apache.xml.security.utils.DigesterOutputStream  - <xades:SignedProperties xmlns="http://e-dokumenty.mf.gov.pl" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Id="xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857-signedprops"><xades:SignedSignatureProperties><xades:SigningTime>2020-10-28T19:58:59.993-05:00</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>4btVb5gQ5cdcNhGpvDSWQZabPQrR9jf1x8e3YF9Ajss=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>cn=Itermediate,ou=CC,o=ISEL,c=PT</ds:X509IssuerName><ds:X509SerialNumber>-119284162484605703133798696662099777223</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>vm5QpbblsWV7fCYXotPhNTeCt4nk8cLFuF36L5RJ4Ok=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>cn=TestCA,ou=CC,o=ISEL,c=PT</ds:X509IssuerName><ds:X509SerialNumber>-46248926895392336918291885380930606289</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>AUaN+IdhKQqxIVmEOrFwq+Dn22ebTkXJqD3BoOP/x8E=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>cn=TestCA,ou=CC,o=ISEL,c=PT</ds:X509IssuerName><ds:X509SerialNumber>-99704378678639105802976522062798066869</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties></xades:SignedProperties>
3343 [main] WARN org.apache.xml.security.signature.Reference  - Verification failed for URI "#xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857-signedprops"
3343 [main] WARN org.apache.xml.security.signature.Reference  - Expected Digest: 4YtReErAMl5nNTsLE8WBwJsINnQGmcLs6PfOff6YjoQ=
3343 [main] WARN org.apache.xml.security.signature.Reference  - Actual Digest: Z2hWrZB9/YVbVZOkko1Qcw/+dagaYXqHz96lVNB87Qc=
Exception in thread "main" xades4j.verification.ReferenceValueException: Reference '#xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857-signedprops' cannot be validated
    at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:340)
    at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:202)

I tried to perform the same stuff mentioned on this thread but no luck. Can you please help or let me know what I am doing wrong?

Below are my code and sample XML.

Input XML:

<?xml version="1.0"?>
<InitUpload xmlns="http://e-dokumenty.mf.gov.pl">
  
</InitUpload>

Code:


import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import xades4j.algorithms.*;
import xades4j.production.*;
import xades4j.properties.*;
import xades4j.providers.*;
import xades4j.providers.impl.*;
import xades4j.verification.*;

public class TestExample {
    // Placeholder paths and passwords (the post does not give them); adjust to your environment.
    private static final String CERT_FOLDER = "./certs/";
    private static final String CERT = "signer.p12";          // PKCS#12 file with the signing key
    private static final String PASS = "changeit";            // password for the PKCS#12 store and key
    private static final String KEY_STORE = "trust.jks";      // JKS trust store used for verification
    private static final String TRUSTPASS = "changeit";       // password of the trust store
    private static final String DOCUMENT = "InitUpload.xml";  // input XML to sign
    private static final String SIGNED = "InitUpload.signed.xml"; // where the signed XML is written

    public TestExample() {
        super();
    }

    public static void main(String[] args) throws Exception {
        signBes();
        verifyBes();
    }

    private static void signBes() throws Exception {
        // Note: this builder is left at its default, i.e. not namespace-aware,
        // unlike the builder used in verifyBes().
        Document doc = DocumentBuilderFactory
                .newInstance()
                .newDocumentBuilder()
                .parse(new File(DOCUMENT));

        Element elem = doc.getDocumentElement();
//        DOMHelper.useIdAsXmlId(elem);

        // Signing key and certificate come from the PKCS#12 file; the first certificate is used.
        KeyingDataProvider kdp = new FileSystemKeyStoreKeyingDataProvider(
                "pkcs12",
                CERT_FOLDER + CERT,
                new FirstCertificateSelector(),
                new DirectPasswordProvider(PASS),
                new DirectPasswordProvider(PASS),
                true);
        //System.out.println(elem.getAttribute("InitUpload"));

        // Reference URI "" covers the whole document (enveloped signature).
        DataObjectDesc obj = new DataObjectReference("")
//                .withTransform(new ExclusiveCanonicalXMLWithoutComments())
                .withTransform(new ExclusiveCanonicalXMLWithoutComments());
//
        SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj);

        XadesSigner signer = new XadesBesSigningProfile(kdp).newSigner();
//        signer.sign(dataObjs, elem);

        new Enveloped(signer).sign(elem);

        // Serialize the signed DOM back to a file.
        TransformerFactory tFactory = TransformerFactory.newInstance();
        Transformer transformer = tFactory.newTransformer();
        DOMSource source = new DOMSource(doc);
        StreamResult result = new StreamResult(new File(SIGNED));
        transformer.transform(source, result);
    }

    private static void verifyBes() throws Exception {

        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new FileReader(SIGNED)));
//        DOMHelper.useIdAsXmlId(doc.getDocumentElement());

        NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");

        // Trust anchors come from the JKS store; intermediate certificates from the directory.
        FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore(CERT_FOLDER);
        KeyStore ks;
        try (FileInputStream fis = new FileInputStream(CERT_FOLDER + KEY_STORE)) {
            ks = KeyStore.getInstance("jks");
            ks.load(fis, TRUSTPASS.toCharArray());
        }

        // Second argument "false" disables revocation checking.
        CertificateValidationProvider provider = new PKIXCertificateValidationProvider(
                ks, false, certStore.getStore());
        XadesVerificationProfile profile = new XadesVerificationProfile(provider);
        Element sigElem = (Element) nl.item(0);
        XAdESVerificationResult r = profile.newVerifier().verify(sigElem, null);

        System.out.println("Signature form: " + r.getSignatureForm());
        System.out.println("Algorithm URI: " + r.getSignatureAlgorithmUri());
        System.out.println("Signed objects: " + r.getSignedDataObjects().size());
        System.out.println("Qualifying properties: " + r.getQualifyingProperties().all().size());

        for (QualifyingProperty qp : r.getQualifyingProperties().all()) {
            if ("SigningCertificate".equals(qp.getName())) {
                Collection<X509Certificate> certs = ((SigningCertificateProperty) qp).getsigningCertificateChain();
                certs.forEach((cert) -> {
                    System.out.println("Issuer DN: " + cert.getIssuerDN());
                });
            } else if ("SigningTime".equals(qp.getName())) {
                System.out.println("Time: " + ((SigningTimeProperty) qp).getSigningTime().getTime().toString());
            } else if ("SignatureTimeStamp".equals(qp.getName())) {
                System.out.println("Time stamp: " + ((SignatureTimeStampProperty) qp).getTime().toString());
            } else {
                System.out.println("QP: " + qp.getName());
            }
        }
    }
}

Below is the output signed XML:

<?xml version="1.0" encoding="UTF-8" standalone="no"?><InitUpload xmlns="http://e-dokumenty.mf.gov.pl">
  
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857-ref0" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>e/BUj0eMoZpgt/98k0X/tKaySQU1qStgUcWnYVGNQkE=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857-signedprops">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>4YtReErAMl5nNTsLE8WBwJsINnQGmcLs6PfOff6YjoQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857-sigvalue">
lmV+ARBkVsHcbBELl4s59GgJxgcp8l3thqArQdu1bD6EZujYomsULy6VQFKqb3qZikNmbXr/daFi&#13;
MLjfdcgmsl6wRjubRr1qiKYBbc4LeeHal4mFZzFE+5dWBJil1Q9+LDR26Z4mfkhDZZjV7hSWj8m2&#13;
J185hFwGShiS144xvME=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICbTCCAdqgAwIBAgIQpkK0uals+ItHxBlpJuypOTAJBgUrDgMCHQUAMD8xCzAJBgNVBAYTAlBU&#13;
MQ0wCwYDVQQKEwRJU0VMMQswCQYDVQQLEwJDQzEUMBIGA1UEAxMLSXRlcm1lZGlhdGUwHhcNMTAw&#13;
NjI1MTc1ODQ5WhcNMzkxMjMxMjM1OTU5WjBCMQswCQYDVQQGEwJQVDENMAsGA1UEChMESVNFTDEL&#13;
MAkGA1UECxMCQ0MxFzAVBgNVBAMTDkx1aXMgR29uY2FsdmVzMIGfMA0GCSqGSIb3DQEBAQUAA4GN&#13;
ADCBiQKBgQCpP9acMX69Dbg9ciMLFc5dm1tlpTY9OTNZ/EaCYoGVhh/3+DFgyIbEer6SA24hpREm&#13;
AhNG9+Ca0AurDPPgb3aKWFY9pj1WcOctis0VsR0YvzqP+2IGFqKDCd7bXFvv2tI0dEvpdc0oO6PF&#13;
Q02xvJG0kxQf44XljOCjUBU43jkJawIDAQABo28wbTBrBgNVHQEEZDBigBBdbbL4pDKLT56PpOpA&#13;
/56toTwwOjELMAkGA1UEBhMCUFQxDTALBgNVBAoTBElTRUwxCzAJBgNVBAsTAkNDMQ8wDQYDVQQD&#13;
EwZUZXN0Q0GCEN00x9qe7SuWQvpLK0/oay8wCQYFKw4DAh0FAAOBgQBSma8g9dQjiQo4WUljRRuG&#13;
yMUVRyCqW/9oRz8+0EoLNR/AhrIlGqdNbqQ1BkncgNNdqMAus5VD34v/EhgrkgWN5fZajMpYsmcR&#13;
Ahu4PzJ6hggAlWWMy245JwIYuV0s1Oi39GVTxVNOBIX//AONZlGWO4S2Psb1mqdZ99b/MugsaA==
</ds:X509Certificate>
<ds:X509IssuerSerial>
<ds:X509IssuerName>cn=Itermediate,ou=CC,o=ISEL,c=PT</ds:X509IssuerName>
<ds:X509SerialNumber>-119284162484605703133798696662099777223</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509SubjectName>cn=Luis Goncalves,ou=CC,o=ISEL,c=PT</ds:X509SubjectName>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object><xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Target="#xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857"><xades:SignedProperties Id="xmldsig-b5b52e53-c37d-4306-92f4-c73a01a27857-signedprops"><xades:SignedSignatureProperties><xades:SigningTime>2020-10-28T19:58:59.993-05:00</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>4btVb5gQ5cdcNhGpvDSWQZabPQrR9jf1x8e3YF9Ajss=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>cn=Itermediate,ou=CC,o=ISEL,c=PT</ds:X509IssuerName><ds:X509SerialNumber>-119284162484605703133798696662099777223</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>vm5QpbblsWV7fCYXotPhNTeCt4nk8cLFuF36L5RJ4Ok=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>cn=TestCA,ou=CC,o=ISEL,c=PT</ds:X509IssuerName><ds:X509SerialNumber>-46248926895392336918291885380930606289</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AUaN+IdhKQqxIVmEOrFwq+Dn22ebTkXJqD3BoOP/x8E=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>cn=TestCA,ou=CC,o=ISEL,c=PT</ds:X509IssuerName><ds:X509SerialNumber>-99704378678639105802976522062798066869</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties></xades:SignedProperties></xades:QualifyingProperties></ds:Object>
</ds:Signature></InitUpload>
Reasons:
  • Blacklisted phrase (1): thx
  • Blacklisted phrase (1): no luck
  • RegEx Blacklisted phrase (3): can you please help
  • Long answer (-1):
  • Has code block (-0.5):
  • Me too answer (2): I am facing the same issue
  • Low reputation (1):
Posted by: lopes rohan
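As an added diagnostic (not from the post above and not xades4j code), the Java program below computes the SHA-256 digest of the inclusive-C14N serialization (http://www.w3.org/TR/2001/REC-xml-c14n-20010315, the transform on the SignedProperties reference in the signed XML) of one SignedProperties element twice: once parsed on its own, and once nested under an InitUpload element carrying the default namespace. Inclusive C14N renders every in-scope namespace declaration on the apex element of the subtree, including the inherited xmlns="http://e-dokumenty.mf.gov.pl" that appears in the pre-digested input of the log, so the two digests differ even though the element itself is unchanged. It assumes Apache Santuario 2.x (the org.apache.xml.security library that wrote the log lines) on the classpath, and the fragment is a shortened, constructed copy of the post's SignedProperties.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignedPropsDigestCheck {
    private static final String XADES = "http://uri.etsi.org/01903/v1.3.2#";
    private static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Constructed, shortened SignedProperties fragment modelled on the post.
    private static final String PROPS =
        "<xades:SignedProperties xmlns:xades=\"" + XADES + "\" xmlns:ds=\"" + DS + "\" Id=\"signedprops\">"
      + "<xades:SignedSignatureProperties>"
      + "<xades:SigningTime>2020-10-28T19:58:59.993-05:00</xades:SigningTime>"
      + "</xades:SignedSignatureProperties></xades:SignedProperties>";

    // Parse with a namespace-aware builder (required for canonicalization) and return the element.
    static Element parseSignedProps(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return (Element) d.getElementsByTagNameNS(XADES, "SignedProperties").item(0);
    }

    // Inclusive C14N 1.0 without comments, then SHA-256, base64 like a ds:DigestValue.
    static String inclusiveC14nDigest(Element el) throws Exception {
        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
        byte[] canon = c14n.canonicalizeSubtree(el); // Santuario 2.x: returns the canonical bytes
        System.out.println("canonical form: " + new String(canon, StandardCharsets.UTF_8));
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(canon);
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        Init.init(); // initialise Santuario before requesting a Canonicalizer
        String alone = inclusiveC14nDigest(parseSignedProps(PROPS));
        String nested = inclusiveC14nDigest(parseSignedProps(
                "<InitUpload xmlns=\"http://e-dokumenty.mf.gov.pl\">" + PROPS + "</InitUpload>"));
        System.out.println("stand-alone digest: " + alone);
        System.out.println("nested digest:      " + nested);
        System.out.println(alone.equals(nested)
                ? "digests match"
                : "digests differ: the inherited default namespace changed the canonical form");
    }
}
```

The printed canonical form of the nested case shows the extra xmlns declaration in the same position as in the log's pre-digested input; comparing the two outputs is a quick way to confirm whether a failing SignedProperties reference is a namespace-context mismatch rather than a tampered document.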