Verify XADES signature with XADES4j

We would like to create a Java web application that validates a "XADES" signature. This application must accept two files: a source file and its dedicated signature.

I am using the XADES4j library, which is a great project. With XADES4j, is there a way to verify the signature without checking the link for the file URI? Because the referenced file given in the XML signature cannot be accessed.

For link checking: I'm looking to compare the digest value calculated from a given original file and the DigestValue extracted from the signature file.

Here is the exception:

Exception in thread "main" xades4j.XAdES4jXMLSigException: Error verifying the signature
    at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:285)
    at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:188)
    at com.wct.VerifyXades.main(VerifyXades.java:33)
Caused by: org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI file:/D:/workspace/xades4j-487d7a9bb9e5/data_to_sign/test.txt has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: D:\workspace\xades4j-487d7a9bb9e5\data_to_sign\test.txt (Le fichier spécifié est introuvable)
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: D:\workspace\xades4j-487d7a9bb9e5\data_to_sign\test.txt (Le fichier spécifié est introuvable)
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: D:\workspace\xades4j-487d7a9bb9e5\data_to_sign\test.txt (Le fichier spécifié est introuvable)
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: D:\workspace\xades4j-487d7a9bb9e5\data_to_sign\test.txt (Le fichier spécifié est introuvable)
Original Exception was java.io.FileNotFoundException: D:\workspace\xades4j-487d7a9bb9e5\data_to_sign\test.txt (Le fichier spécifié est introuvable)
    at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:412)
    at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:256)
    at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:764)
    at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:696)
    at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:278)
    ... 2 more

Here's the source code I'm using to verify the XADES signature:

package com.wct;

import java.io.FileInputStream;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import xades4j.providers.CertificateValidationException;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.ValidationData;
import xades4j.verification.UnexpectedJCAException;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;
import xades4j.verification.XadesVerifier;

public class VerifyXades {

    public static void main(String[] args) throws Exception {
        CertificateValidationProvider certValidator = new CertificateValidationProviderImpl();
        XadesVerificationProfile p = new XadesVerificationProfile(certValidator);
        p.acceptUnknownProperties(true);
        XadesVerifier v = p.newVerifier();
        // Namespace awareness is required: the verifier looks up ds:/xades: elements by namespace
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc;
        try (FileInputStream in = new FileInputStream("data_signed/detachedTestSignature.xml")) {
            doc = db.parse(in);
        }
        // Null options: no base URI and no data for anonymous references, so the detached
        // Reference URI from the signature is dereferenced as-is (which fails here)
        XAdESVerificationResult vr = v.verify(doc.getDocumentElement(), null);
    }
}

// Test stub: returns the supplied certificates as the validation chain without
// building or checking a certification path, so it trusts any signer
class CertificateValidationProviderImpl implements CertificateValidationProvider {
    @Override
    public ValidationData validate(X509CertSelector certSelector,
            Date validationDate, Collection<X509Certificate> otherCerts)
            throws CertificateValidationException, UnexpectedJCAException {
        // Copy into a List instead of casting: otherCerts is not guaranteed to be a List
        return new ValidationData(new ArrayList<X509Certificate>(otherCerts));
    }
}

I am new to signature/verification development and have no good experience. Please help.

Thanks in advance for your help.

1 answer


You shouldn't be doing digest comparisons at all. The file must be accessible in some way so that the reference can be verified as part of the signature verification.

Are you in control of signature generation? If so, you should change the URI to a relative URI, or perhaps use an anonymous reference (see below for more details). In any case, all of your options will be based on SignatureSpecificVerificationOptions.

If you can change the signature verification:

  • Use a relative file URI in the reference and provide a base URI for both signature production and verification. There are examples in the xades4j tests.
  • Use an anonymous reference (no URI attribute) and specify the data using AnonymousDataObjectReference when generating the signature, and supply the corresponding data for verification.

If you cannot change the signature:

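The two verification options from the answer, as an added example (not code from the question or from the xades4j project): the base-URI option for a relative Reference URI, and the anonymous-reference option for a Reference with no URI. It assumes the xades4j 1.x API (SignatureSpecificVerificationOptions.useBaseUri / useDataForAnonymousReference and the PKIXCertificateValidationProvider constructor as I recall them), a trust store "trust.jks" with the signer's CA, and the file and folder names from the question's stack trace.

```java
package com.wct;

import java.io.File;
import java.io.FileInputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.impl.PKIXCertificateValidationProvider;
import xades4j.verification.SignatureSpecificVerificationOptions;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;
import xades4j.verification.XadesVerifier;

public class VerifyDetached {

    // Parse the signature document with DOCTYPE/external-entity processing disabled,
    // since the signature file is untrusted input
    static Document parseSignature(String path) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (FileInputStream in = new FileInputStream(path)) {
            return dbf.newDocumentBuilder().parse(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Trust anchors come from our own keystore (assumed path/password), not from the signer's chain
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("trust.jks")) {
            trust.load(in, "changeit".toCharArray());
        }
        CertificateValidationProvider certValidator = new PKIXCertificateValidationProvider(trust, false);
        XadesVerifier v = new XadesVerificationProfile(certValidator).newVerifier();
        Document doc = parseSignature("data_signed/detachedTestSignature.xml");

        // Option 1: Reference URI is relative ("test.txt"); resolve it against the folder holding the file
        SignatureSpecificVerificationOptions opts = new SignatureSpecificVerificationOptions()
                .useBaseUri(new File("data_to_sign").toURI().toString());
        // Option 2: Reference has no URI attribute; hand the detached content to the verifier directly
        // opts = new SignatureSpecificVerificationOptions()
        //         .useDataForAnonymousReference(Files.readAllBytes(new File("data_to_sign/test.txt").toPath()));

        XAdESVerificationResult vr = v.verify(doc.getDocumentElement(), opts);
        System.out.println("Form: " + vr.getSignatureForm() + ", signer: "
                + vr.getValidationCertificate().getSubjectX500Principal());
    }
}
```

If the Reference digest does not match the supplied content, verify() throws rather than returning a result, so no manual DigestValue comparison is needed.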