Questions about exist crypto lib, validate-signature()


Questions about exist crypto lib, validate-signature()

Olaf Schreck
Hi,

I'd like to use crypto:validate-signature() to validate a signed XML doc
(a SAML assertion actually).

I'm looking at test file validateEnvelopedDigitalSignature.xq from the
exist crypto lib.  Usage seems to be dead simple: pass in the signed doc,
get true() if the sig matches.

Tried this and got something like "no key found".  I assume this is because
the XML signature that I receive does not contain a "KeyInfo" element.  Is
that correct?  I couldn't find the exact error message in the crypto lib
source or in the
ro.kuberam.libs.java.crypto.digitalSignature.ValidateXmlSignature source.

In the test file I see $certificate-details bound to a <digital-certificate>
XML structure, but this var is not used anywhere?  Am I missing some
under-the-hood magic here?

Finally, how could I use crypto:validate-signature() to validate an XML sig
that does not contain KeyInfo, assuming I have the matching X.509 cert in
the local keystore?

Thanks,
Olaf

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open

Re: Questions about exist crypto lib, validate-signature()

Adam Retter
Claudius,

Can you shed any light on this one?

Cheers Adam.

On 3 July 2017 at 13:50, Olaf Schreck <[hidden email]> wrote:



--
Adam Retter

eXist Developer
{ United Kingdom }
[hidden email]
irc://irc.freenode.net/existdb


Re: Questions about exist crypto lib, validate-signature()

Claudius Teodorescu
Hi,


The function crypto:validate-signature() indeed needs the key info (KeyValue element) to be inside the signed XML doc (as the example validateEnvelopedDigitalSignature.xq shows, where the validated signature is of enveloped type).

The $certificate-details variable is not used in that example, but it is there for some future developments (see div3[@id = 'explanations-about-parameters-parameter-of-crypto:encrypt'] at https://raw.githubusercontent.com/expath/expath-cg/master/specs/crypto/crypto.xml).


Claudius

Re: Questions about exist crypto lib, validate-signature()

Olaf Schreck
Thanks for replying, Claudius.

> The function crypto:validate-signature() indeed needs the key info (KeyValue
> element) to be inside the signed XML doc

Confirms my interpretation, thanks.

Since I needed something quickly, I cloned your repo and added a function
crypto:validate-signature-by-certfile(), which expects a second parameter
$certfile which is the filename of an X.509 certificate in PEM format.
I pull the RSA pubkey out of the cert and use that in the validation
context, instead of a KeySelector instance.  Works fine here.

Will send diff if you're interested.  Actually, I bypassed the ro.kuberam
lib and use Java crypto/security libs directly, so YMMV.


ciao,
Olaf
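The approach Olaf outlines (take the public key out of an X.509 certificate file and hand it straight to the validation context instead of relying on a KeySelector and an embedded KeyInfo, which Claudius confirms the stock crypto:validate-signature() requires) can be written against the JDK's javax.xml.crypto.dsig API that the ro.kuberam library wraps. The class below is an added example, not code from the eXist crypto library, from ro.kuberam, or from Olaf's patch; the class and method names (CertFileSignatureValidator, publicKeyFromCertFile, parseSecurely, validateEnveloped) are hypothetical, and the binding into an XQuery function such as crypto:validate-signature-by-certfile() is left to the module's Java glue. It assumes the certificate file is one you already trust (no chain building is done) and the signed document is a SAML assertion whose root carries an ID attribute.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical helper (not eXist/ro.kuberam code): validates an enveloped XML
 *  signature against the public key of a PEM or DER encoded X.509 certificate file. */
public final class CertFileSignatureValidator {

    /** Loads the certificate and returns its public key. CertificateFactory
     *  accepts both "-----BEGIN CERTIFICATE-----" PEM and raw DER input. */
    public static PublicKey publicKeyFromCertFile(Path certFile) throws Exception {
        try (InputStream in = Files.newInputStream(certFile)) {
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            cert.checkValidity(); // reject an expired or not-yet-valid certificate
            return cert.getPublicKey();
        }
    }

    /** Parses the signed document with DOCTYPE disallowed, so a malicious
     *  assertion cannot pull in external entities or expand entity bombs. */
    public static Document parseSecurely(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // ds:Signature is namespace-qualified
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /**
     * Returns true only if (a) exactly one ds:Signature is present and verifies
     * under the given key, and (b) every Reference covers the document root
     * (URI "" or "#" + root ID), i.e. the signature protects the whole assertion
     * rather than some other node that an attacker could swap around it.
     */
    public static boolean validateEnveloped(Document doc, PublicKey key) throws Exception {
        Element root = doc.getDocumentElement();
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false; // none, or several: do not guess which one to trust
        }
        // The key comes from the caller, so no KeyInfo/KeyValue is needed in the XML.
        DOMValidateContext ctx = new DOMValidateContext(key, sigs.item(0));
        // SAML's ID attribute is not a DTD-declared ID; register it so "#id" resolves.
        if (root.hasAttribute("ID")) {
            ctx.setIdAttributeNS(root, null, "ID");
        }
        // JDK secure-validation mode: rejects XSLT transforms, weak algorithms, etc.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            return false; // SignatureValue or one of the digests did not verify
        }
        String rootRef = root.hasAttribute("ID") ? "#" + root.getAttribute("ID") : "";
        @SuppressWarnings("unchecked")
        List<Reference> refs = sig.getSignedInfo().getReferences();
        for (Reference ref : refs) {
            String uri = ref.getURI();
            if (!(uri == null || uri.isEmpty() || uri.equals(rootRef))) {
                return false; // signed something other than the whole assertion
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // usage: java CertFileSignatureValidator signed-assertion.xml idp-cert.pem
        PublicKey key = publicKeyFromCertFile(Paths.get(args[1]));
        Document doc = parseSecurely(Files.readAllBytes(Paths.get(args[0])));
        System.out.println(validateEnveloped(doc, key) ? "signature valid" : "signature INVALID");
    }
}
```

Two design points worth keeping when wiring this into an XQuery function: XMLSignature.validate() only says that the signature is good for whatever the References cover, so the reference check at the end is what ties the signature to the assertion you are about to trust; and because the key is supplied by the caller, the certificate file on disk is now the trust anchor, so it deserves the same file permissions and change control as the keystore Olaf mentions.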

