Hello, I'm trying to do a "manual" verification of an XML-signed message. The message is the following, taken as is
from the server.log:
This message was sent from a servlet deployed on JBoss 4.2.3GA and received by a WS-Security configured Web Service
deployed locally (on the same JBoss instance). All the automatic JBoss verifications are successful, here's the log:
2010-12-07 17:37:40,404 INFO [org.apache.xml.security.signature.Reference] Verification successful for URI "#element-1-1291739860070-11803898"
2010-12-07 17:37:40,405 INFO [org.apache.xml.security.signature.Reference] Verification successful for URI "#timestamp"
2010-12-07 17:37:40,417 DEBUG [org.jboss.ws.extensions.security.WSSecurityDispatcher] Verification is successful
Now I want to verify this manually, so I decrypt the SignatureValue content with the public key and I obtain:
3021300906052b0e03021a05000414dccdb8570286d36c94bba8e5107faee91e0df088
I think I did this manual decryption well, because you can recognize the "ASN.1 BER SHA1 algorithm designator
prefix" (http://www.w3.org/TR/xmldsig-core/) in the first part of this hex string (3021300906052b0e03021a05000414).
So the second part (dccdb8570286d36c94bba8e5107faee91e0df088) should be my hash value, i.e. the SHA1 computation of the
canonicalized SignedInfo element, and in fact it's exactly 20 bytes long. But I can't get this hash value from the
SignedInfo element. I'm using org.apache.xml.security.c14n.Canonicalizer for the canonicalization. Is there anyone
that can obtain this hash value and tell me the exact steps/tools/code used? Thank you in advance.
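
Added example, not part of the original post: a Python check that pulls the SHA-1 value out of the recovered block (bare DigestInfo as above, or a full PKCS#1 v1.5 block) and reports which of several candidate SignedInfo serializations hashes to it. The function names and the idea of passing in several candidate byte strings (for instance, Canonicalizer output taken in different ways) are assumptions of this example.

```python
import hashlib
import hmac

# ASN.1 DigestInfo prefix for SHA-1, as quoted in the post from xmldsig-core.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(block: bytes) -> bytes:
    """Return the DigestInfo from the result of the RSA public-key operation.

    Accepts a bare DigestInfo (as in the post) or a full PKCS#1 v1.5
    type-1 block: [00] 01 FF..FF 00 DigestInfo.
    """
    if block.startswith(SHA1_PREFIX):
        return block
    if block[:1] == b"\x00":  # leading zero is often lost in int -> bytes
        block = block[1:]
    sep = block.find(b"\x00", 1)  # separator after the FF padding
    padding = block[1:sep]
    if (block[:1] != b"\x01" or sep < 0 or len(padding) < 8
            or padding != b"\xff" * len(padding)):
        raise ValueError("not a PKCS#1 v1.5 signature block")
    return block[sep + 1:]


def signed_digest(block_hex: str) -> bytes:
    """Extract the 20-byte SHA-1 value the signer committed to."""
    info = digest_info(bytes.fromhex(block_hex))
    digest = info[len(SHA1_PREFIX):]
    if not info.startswith(SHA1_PREFIX) or len(digest) != 20:
        raise ValueError("not a SHA-1 DigestInfo")
    return digest


def first_match(block_hex, candidates):
    """Name of the first candidate byte string whose SHA-1 matches, else None."""
    want = signed_digest(block_hex)
    for name, data in candidates.items():
        if hmac.compare_digest(hashlib.sha1(data).digest(), want):
            return name
    return None


# Value recovered in the post.
POST_BLOCK = "3021300906052b0e03021a05000414dccdb8570286d36c94bba8e5107faee91e0df088"

if __name__ == "__main__":
    print(signed_digest(POST_BLOCK).hex())
```

A None result from first_match means none of the supplied byte strings is byte-for-byte what the signer hashed.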