xml signature interoperability issue between Java(apache) and .net

Junabc Li
Greenhorn

Joined: Apr 15, 2011
Posts: 3
I need to sign an XML file with RSA-SHA1 in enveloped mode in Java, and check the signature in .NET.

The signature is valid if signing and verification are both done with the Java Apache security package. It's also valid if both are done in .NET.

But verification fails if it is done on the other side.

Does anyone have any clue on this?

Many thanks!

Jun

.net signature code:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static void SignDocument(string xmlFilePath, string keyFilePath, string outputFilePath)
{
    try
    {
        XmlDocument Doc = new XmlDocument();
        Doc.Load(xmlFilePath);

        // Note: keyFilePath is not used; the certificate path is hard-coded here.
        X509Certificate2 cert = new X509Certificate2("abc.pfx", "0123456789");
        RSACryptoServiceProvider key = (RSACryptoServiceProvider)cert.PrivateKey;

        // Create a SignedXml object.
        SignedXml signedXml = new SignedXml(Doc);

        // Add the key to the SignedXml document (the variable is "key", not "Key").
        signedXml.SigningKey = key;

        // Create a reference to be signed (URI "" = the whole document).
        Reference reference = new Reference();
        reference.Uri = "";

        // Add an enveloped transformation to the reference.
        XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
        reference.AddTransform(env);

        // Add the reference to the SignedXml object.
        signedXml.AddReference(reference);

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        // Append the element to the XML document.
        Doc.DocumentElement.AppendChild(Doc.ImportNode(xmlDigitalSignature, true));

        Doc.Save(outputFilePath);
    }
    catch (Exception err)
    {
        OutputWriter.WriteLine(string.Format("Error : {0}", err.Message));
    }
}


Java signature code:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

private static void rsaSign() throws Exception {
    // Apache Santuario must be initialised once before any XMLSignature is created.
    org.apache.xml.security.Init.init();

    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(new FileInputStream("abc.pfx"), "0123456789".toCharArray());
    PrivateKey privKey = (PrivateKey) ks.getKey("abc", "0615166328".toCharArray());

    DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
    docFactory.setNamespaceAware(true);
    DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
    Document doc = docBuilder.parse(new FileInputStream("tmp-encrpted.xml"));
    Element element = doc.getDocumentElement();

    File xmlFile = new File("signed.xml");
    String baseURI = xmlFile.toURI().toURL().toString();
    // Default canonicalization (inclusive C14N without comments), RSA-SHA1 signature method.
    XMLSignature xmlSig = new XMLSignature(doc, baseURI, XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);

    Element sigElement = xmlSig.getElement();
    element.appendChild(sigElement);

    // Enveloped transform so the ds:Signature element itself is excluded from the digest.
    Transforms transforms = new Transforms(doc);
    transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
    //transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
    xmlSig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);

    xmlSig.sign(privKey);
    FileOutputStream out = new FileOutputStream(xmlFile);
    XMLUtils.outputDOMc14nWithComments(doc, out);
    out.close();
}

Igor Delac
Greenhorn

Joined: Nov 23, 2012
Posts: 6
Did you find a solution?
Maybe it's a problem of improper canonicalization.
Junabc Li
Greenhorn

Joined: Apr 15, 2011
Posts: 3
Yes. In the .NET verification code, there is a configuration parameter (maybe related to canonicalization, I can't remember which one) that is not set properly.
Igor Delac
Greenhorn

Joined: Nov 23, 2012
Posts: 6
Junabc Li wrote: Yes. In the .NET verification code, there is a configuration parameter (maybe related to canonicalization, I can't remember which one) that is not set properly.

In the end, do you have the same signature, i.e. do both the Java application and the .NET application produce the same values?
Igor Delac
Greenhorn

Joined: Nov 23, 2012
Posts: 6
Just to add what I did to solve this problem:

So, before computing the digest and signature, you need to strip whitespace and CRLF when loading the XML from file. Otherwise, the signature and digest compared to the .NET solution would be different.
Junabc Li
Greenhorn

Joined: Apr 15, 2011
Posts: 3
Thanks! I tried transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS); or similar things which should do the same.
I eventually found the issue was the settings in the verification code.
Igor Delac
Greenhorn

Joined: Nov 23, 2012
Posts: 6
Junabc Li wrote: Thanks! I tried transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS); or similar things which should do the same.
I eventually found the issue was the settings in the verification code.

Do you use the JSR 105 crypto library? I have a small issue regarding XML signature verification if I use a PKCS12 keystore. Do you have good documentation where I could read how to do XML signature verification?
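As an added editor's example (not code from this thread, from Apache Santuario or from .NET), the following Java program signs and verifies an enveloped XML signature through the standard JSR 105 API (javax.xml.crypto.dsig) that Igor asks about above, and it is written to avoid the canonicalization mismatch Igor and Jun describe. It assumes the thread's abc.pfx keystore, alias "abc" and password 0123456789; the input and output file names are placeholders. Two deliberate choices: the Reference carries an explicit inclusive C14N transform after the enveloped transform, so both sides canonicalize the same way rather than relying on each library's default, and verification reports, on failure, whether the SignatureValue or the reference digest failed. That distinction tells a troubleshooter whether the key is wrong or the two sides hashed different bytes; the latter is what whitespace handling causes (.NET's XmlDocument drops insignificant whitespace on Load unless PreserveWhitespace is set to true before loading, so the document it canonicalizes is not the one Java digested). The signature method is RSA-SHA256 rather than the thread's RSA-SHA1, because recent JDKs reject SHA-1 XML signatures under secure validation; the verifier also takes its trust anchor from the local keystore instead of the document's KeyInfo.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XmlDsigInterop {
    // Keystore values follow the thread; file names passed to sign()/verify() are placeholders.
    static final String KEYSTORE = "abc.pfx";
    static final String ALIAS = "abc";
    static final char[] PASSWORD = "0123456789".toCharArray();
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Namespace-aware parsing is mandatory for ds: elements; DTDs are refused (no XXE).
    static Document load(String path) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (FileInputStream in = new FileInputStream(path)) {
            return f.newDocumentBuilder().parse(in);
        }
    }

    static KeyStore keystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        return ks;
    }

    static void sign(String inPath, String outPath) throws Exception {
        KeyStore ks = keystore();
        PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, PASSWORD);
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        Document doc = load(inPath);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // Enveloped transform first (drop ds:Signature from the digested bytes), then an
        // explicit C14N transform so the digest input does not depend on library defaults.
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.INCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(
            kif.newX509Data(Collections.singletonList(cert))));

        fac.newXMLSignature(si, ki).sign(new DOMSignContext(priv, doc.getDocumentElement()));
        try (FileOutputStream out = new FileOutputStream(outPath)) {
            TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(doc), new StreamResult(out));
        }
    }

    // True only if SignatureValue and every reference digest validate. On failure the
    // per-part status separates a wrong key (SignatureValue fails) from a canonicalization
    // or whitespace mismatch (SignatureValue ok, reference digest fails).
    static boolean verify(String signedPath) throws Exception {
        Document doc = load(signedPath);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalStateException("no ds:Signature element");

        // Trust anchor comes from our keystore, never from the document's own KeyInfo.
        PublicKey pub = keystore().getCertificate(ALIAS).getPublicKey();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(pub, nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        boolean valid = sig.validate(ctx);
        if (!valid) {
            System.err.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference r = (Reference) o;
                System.err.println("Reference '" + r.getURI() + "' digest valid: " + r.validate(ctx));
            }
        }
        return valid;
    }

    public static void main(String[] args) throws Exception {
        sign(args[0], args[1]);                       // e.g. input.xml signed.xml (placeholders)
        System.out.println("signature valid: " + verify(args[1]));
    }
}
```

When a document signed this way fails on the .NET side, load it there with PreserveWhitespace set to true before CheckSignature; when a .NET-signed document fails here, the per-reference output above shows whether the digest or the signature broke, which is the first thing to establish before touching keys or algorithms.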
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: xml signature interoperability issue between Java(apache) and .net
 
Similar Threads
Signing & Verify XML Document
How to get an XML field?
problem in Digitally Signing a particular element of an XML Document
How to use SAML 2.0 Sender Vouches?
NUll pointer exception in XML sig program