Canonicalized SignedInfo
843811, Aug 28 2009 (edited Aug 28 2009)
Using JDK6 with Apache XML Security 1.4.2 endorsed. While validating a signature, I am seeing that it is failing.
The canonicalized signed info is:
FINE: Canonicalized SignedInfo:
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#ID_994e7f12-b918-424c-8032-a74e812913e6"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>21LntxtgQbYEdnTgyJKCs/WjHqo=</DigestValue></Reference></SignedInfo>
This is the canonicalized SI during validation.
The interesting aspect is during signing, the canonicalized signed info is:
========
Canonicalized SignedInfo:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#ID_2c16a186-ad5a-4cf4-b028-69daf7203036"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>XUoyUIhOH7IEpeb7jFMewrzaa0c=</DigestValue></Reference></SignedInfo>
===========
My signature validation is failing on the signature of SI while the validation of references is working.
The difference in the canonicalized signed info during signing and validation is the absence of xmlns="..." during validation when it is present during signing. I see that the parent Signature element has the xmlns.
Why does the exclusive canonicalization step ignore the xmlns during validation, thereby busting the digest?
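The check below is an added example, not code from the post or from Apache XML Security. It runs exclusive C14N (the same WithComments algorithm as in the traces) over a constructed SignedInfo whose default namespace is declared only on the parent Signature element, once from a namespace-aware DOM and once from a DOM built with setNamespaceAware(false): exclusive C14N renders an inherited default namespace only when the element is actually in that namespace, and a non-namespace-aware DOM puts SignedInfo in no namespace at all, which reproduces the xmlns-less output seen in the validation trace. The class name, the "#ID_placeholder" URI and the "AAAA" digest/signature values are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignedInfoC14nCheck {
    // Constructed minimal Signature fragment: the xmldsig default namespace is
    // declared on the parent Signature element only, not on SignedInfo itself.
    private static final String SIGNATURE =
        "<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"
      + "<SignedInfo>"
      + "<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#WithComments\"/>"
      + "<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>"
      + "<Reference URI=\"#ID_placeholder\"><Transforms>"
      + "<Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>"
      + "</Transforms><DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"
      + "<DigestValue>AAAA</DigestValue></Reference>"
      + "</SignedInfo><SignatureValue>AAAA</SignatureValue></Signature>";

    /** Parses the fragment with the given namespace awareness and returns exc-c14n of SignedInfo. */
    static String canonicalSignedInfo(boolean namespaceAware) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(namespaceAware);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SIGNATURE.getBytes("UTF-8")));
        // The fragment uses no prefix, so getElementsByTagName finds SignedInfo in both DOM modes.
        Element signedInfo = (Element) doc.getElementsByTagName("SignedInfo").item(0);
        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS);
        return new String(c14n.canonicalizeSubtree(signedInfo), "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        Init.init();  // required before any Apache XML Security Canonicalizer use
        String aware = canonicalSignedInfo(true);
        String unaware = canonicalSignedInfo(false);
        System.out.println("namespace-aware:   " + aware);
        System.out.println("namespace-unaware: " + unaware);
        // Namespace-aware: SignedInfo is in the xmldsig namespace, so exclusive C14N
        // treats the inherited default namespace as visibly utilized and emits it.
        // Non-namespace-aware: SignedInfo has no namespace, xmlns on Signature is an
        // ordinary attribute, and nothing is emitted on SignedInfo.
        boolean awareHasXmlns = aware.startsWith("<SignedInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">");
        boolean unawareHasXmlns = unaware.contains("xmlns=");
        System.out.println("xmlns emitted: aware=" + awareHasXmlns + ", unaware=" + unawareHasXmlns);
    }
}
```

Compile and run with the xmlsec 1.4.2 jar and its dependencies on the classpath; if the validating side of an application builds its DOM with a DocumentBuilderFactory that is not namespace-aware, it is the second output that gets signed over, so the SignedInfo digest differs from the one computed at signing time.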