devxlogo

XML Signature Core Validation Failure with Java and Apache Axis

XML Signature Core Validation Failure with Java and Apache Axis

Many people are using XML Digital signatures these days. Most of these are using the standard code snippet available on the web to apply digital signatures.

When tried independently, the snippet works fine, and core validation happens successfully. However, when integrated with Apache Axis, core validation fails.

The core validation failure may result from either signature validation failure or from validation failure of any of the references present.

A signature value validation failure implies that the signature tag added after applying digital signature has been altered.

A reference failure occurs when there has been some change in the signed data since the digest value for the data was generated.

A possible reason for these alterations could be the namespace declarations that XML parsers add automatically. For example, assume you use the code snippet as shown below:

NodeList nodelist = doc.getElementsByTagNameNS(   "", );Node nn = nodelist.item(0);DOMSignContext dsc = new DOMSignContext(   objKeys.getPrivate(), nn);//where objKeys is KeyPairXMLSignature signature = fac.newXMLSignature(si, ki); //where ki is key info an si is signed info// Marshal, generate (and sign) the enveloped signaturesignature.sign(dsc);

The generated XML will look like this:

                      ...

However, if you then attempt to generate a SOAPBodyElement using Apache Axis, then the Signature and its child elements—which ideally should have used a default namespace—define a new name space. The new namespace tag gets embedded into the element as follows:

                      ...

As you can see, the preceding XML gives the default namespace the prefix ns1, which ultimately leads to validation failure. The additions are difficult to identify. One possible workaround is to make the XML namespace-aware and give every element in the XML a namespace prefix beforehand, so that XML parsers won’t add such declarations on their own.

To achieve this you can add dsc.setDefaultNamespacePrefix(““) to the snippet while applying the digital signature. Now the code becomes:

NodeList nodelist = doc.getElementsByTagNameNS(   "", );Node nn = nodelist.item(0); DOMSignContext dsc = new DOMSignContext(objKeys.getPrivate(), nn);//to insert Prefix to namespace of signaturedsc.setDefaultNamespacePrefix("dsig");//where objKeys is KeyPairXMLSignature signature = fac.newXMLSignature(si, ki); //where ki is key info an si is signed info// Marshal, generate (and sign) the enveloped signaturesignature.sign(dsc);

That code deliberately asks the API to add a default prefix to the signature while generating the DOM context, so that other XML operations don’t add extra namespaces that can cause validation failure.

The XML will now look like:

                      ...

That solves the problem. The preceding XML works just fine.

devx-admin

Share the Post: