Verify SHA1withRSA signature

I have to verify the signature of files, the signature is included in an XML file generated throw C# .Net.
The public key is also extracted from the XML file. Every time I want to verify a file it returns false, I'd like to know if my code is correct or not :
Certificate cer = null;
XMLCertificateExtraction extractor = XMLCertificateExtraction.getInstance( luxtrust.Configuration.getInstance(args) );
String str = "d:\\projet_LUX_TRUST\\svn\\luxtrust.trunk
full_middleware_packages.xml";
cer = extractor.extractFromID( str );
else try{
            /* input the signature bytes */*
*            String __signature = "wIeY0g1MdbFDVsEjqfK2YGsvRfVgtofcvwmzQP6l8ZCMuud0t95GmywqT5BTPVrRWkbwzp7GzJIkaD9u629XQfz4i2q+Hfmmn8+cj+zwvXWCfG9Y+l/dL9lwcFwr6pfpnFsSucrxZTKKDA11vNerMtP7P5wC5XMyhMtI48MDBm09tsaNntr1LeJkH9FRXSbGzqStv7MAnBYQLYYPT83PBs0rnu1Kz0LRUJhxEe5EfmXeUMtkeaChzdgJCkr/eueOH/Gt1pdtOU8kl96cJSE4bmQfO+1r8uXgOpenzrw3yvMTSHqlVEIg9uttZN/QNHPpylQYpEwax2sfZN7Okxe4IA==";*
*            /* create a Signature object and initialize it with the public key */
            Signature sig = Signature.getInstance("SHA1withRSA");
            sig.initVerify(cer.getPublicKey());
            FileInputStream datafis = new FileInputStream(args[0]);
            BufferedInputStream bufin = new BufferedInputStream(datafis);
            byte[] buffer = new byte[1024];
            int len;
            while (bufin.available() != 0) {
                len = bufin.read(buffer);
                sig.update(buffer, 0, len);
            bufin.close();
            boolean verifies = sig.verify(__signature.getBytes());
            System.out.println("signature verifies: " + verifies);

I still didn't achieve the signature verification.
I had a doubt about the signature validity so I've done the following steps.
I took my pkcs#12 file, I used openssl to retrieve the private key, I than generated a certificate and a public key.
I've signed a binary file using the generated private key , and than went to java and tried to verify the signature without sucess.
While :
$ openssl dgst -sha1 -verify x509lx.crt.pub -signature signature.sig install_sdc.exe
Verified OKI used this code to verify the signature against the openssl generated siganture:
File pubKeyFile = new File(
 "D:\\projet_LUX_TRUST\\svn\\luxtrust.trunk\\keys\\openssl\\x509lx.crt");
 File sigFile = new File(
 "D:\\projet_LUX_TRUST\\svn\\luxtrust.trunk\\keys\\openssl\\signature.sig");
 File fileToSign = new File(
 "D:\\projet_LUX_TRUST\\svn\\luxtrust.trunk\\install_sdc.exe");
 java.security.cert.Certificate certLX = importCertificate(pubKeyFile);
 Signature rsa = Signature.getInstance("SHA1withRSA");
 /* Initializing signature verification */
 rsa.initVerify(certLX.getPublicKey());
 FileInputStream datafis = new FileInputStream(fileToSign);
 BufferedInputStream bufin = new BufferedInputStream(datafis);
 byte[] buffer = new byte[1024];
 int len = 0;
 while (bufin.read(buffer) != -1) {
 rsa.update(buffer, 0, len);
 bufin.close();
 boolean verifies = rsa.verify(getBytesFromFile(sigFile));
 System.out.println("2..signature = " + getBytesFromFile(sigFile));
 System.out.println("2..signature verifies: " + verifies);
 return true;
public static java.security.cert.Certificate importCertificate(File file) {
 try {
 FileInputStream is = new FileInputStream(file);
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 java.security.cert.Certificate cert = cf.generateCertificate(is);
 return cert;
 } catch (CertificateException e) {
 } catch (IOException e) {
 return null;
private static byte[] getBytesFromFile(File file) throws IOException {
 InputStream is = new FileInputStream(file);
 System.out.println("\nDEBUG: FileInputStream is " + file);
 // Get the size of the file
 long length = file.length();
 System.out.println("DEBUG: Length of " + file + " is " + length + "\n");
 * You cannot create an array using a long type. It needs to be an int
 * type. Before converting to an int type, check to ensure that file is
 * not loarger than Integer.MAX_VALUE;
 if (length > Integer.MAX_VALUE) {
 System.out.println("File is too large to process");
 return null;
 // Create the byte array to hold the data
 byte[] bytes = new byte[(int)length];
 // Read in the bytes
 int offset = 0;
 int numRead = 0;
 while ( (offset < bytes.length)
 ( (numRead=is.read(bytes, offset, bytes.length-offset)) >= 0) ) {
 offset += numRead;
 // Ensure all the bytes have been read in
 if (offset < bytes.length) {
 throw new IOException("Could not completely read file " + file.getName());
 is.close();
 return bytes;
 }What's wrong in my code or in my comprehension of RSA SHA1 usage ?

Similar Messages

On windows 8 adobe touch reader, where do i get options to validate/verify digital signatures in pdf?

i have windows 8 OS in my laptop, i need to verify digital signatures present in my pdf. the steps to verify/validate them are-
1. Open the PDF file in PDF Reader.
2. Left-click on the Digital Signature field.
3. Click "Verify/Validate Signature".
4. Click "Signature Properties".
5. Click "Validate Signature or Verify Identity".
6. Add "Contact information for certificate owner:"
7. Click "Add to List".
8. Click "Close".
but i cannot find such options in adobe touch reader.
please help to verify the digital signatures.
thank you

Unfotunately, this functionality is not supported in current version of Adobe Reader Touch. But, we have noted down your feature request and we might consider it for our future releases.

Problem verifying xml signature

We have a problem with verifying XML Signatures which are part of a SOAP message. Thanks a lot for helping! Hope my problem is understandable - otherwise ask.
We use the following enviroment:
Java6
Axis 2 V1.2 with XML Beans
Step 1:
The Java 6 XML Signature is an enveloped signature over an element called payload with exclusive XML canonicalization. We sign the payload and send the payload including signature to the server. At first I discovered the following namespace problem.
DigesterOutputstream Create Signature:
FEINER: <Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp><Created>UNDO</Created></Timestamp></Payload>
DigesterOutput Verify Signature:
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
FEIN: Expected digest: 71PfJ/xxn38TtQrpZOpRdqTZsBw=
31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
FEIN: Actual digest: B1Qdei/0yW1mqR2T50LXKFfxhl0=
Soap request with payload:
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>71PfJ/xxn38TtQrpZOpRdqTZsBw=</DigestValue></Reference></SignedInfo><SignatureValue>FuhOdrz9kHR0MeAUq9Rxkg6w++7foR77s9AYQUQxb8qPJ44Ba6By8R/H+CCn5JP5cPFz8/mGOgOD NGKLgZp66xbVSWe1UeehmZLH1a2kvHsx/VvYo3Lr5foHsl6YikUBMXCBdhI4ukKJTuwBOK/7m3lu 7Zl07SFo0zWL73gUTxc=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>
The problem is the namespaces under the elements payload and timestamp. For verification the namespaces are inherited from parent element. I wonder why this happens - I thought this should not happen when using exclusive canonicalization, or?
Step 2:
Then I added the namespaces before creating the signature , e.g.
payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
for all attributes that are not part of the create signature log. Then the xml signature was verify successfully when I tested this against my own server. See log files:
DigesterOutputstream for create signature:
31.10.2007 11:16:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
DigesterOutputstream verify signature:
31.10.2007 11:19:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
The whole soap request:
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-3596382">MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIGA1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGluZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBLbmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayvHO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2qxJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vaiZst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6fMqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupivlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-8331318"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#id-28000914"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>Q2LregRFO//cXlkcThu9Bx0jal4=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#id-10464309"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>BX651XEWk4u4pGgshQhocYxPkSo=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#Timestamp-7651652"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>ezisLn/pGWNqMHbT6UlHyM4Ez64=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> Xl4SSEwrtyUnsqf8xOmfzojLLU18tOrikOhK+HRyqHqv0lPF+AqANLU6yygNdhbfI5qyef9BLr6I CmSPIX4QQR+Hq45l/Ewa+M2K1OOjqvBUGYyQqrKCqUFtsISr9xPudB8ZmaVfaUu5chjIvy/sPYYx TuYv2Ma6uEwek1YZpbE= </ds:SignatureValue> <ds:KeyInfo Id="KeyId-1823783"> <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-17125267"><wsse:Reference URI="#CertId-3596382" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /></wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-7651652"><wsu:Created>2007-10-31T10:16:00.474Z</wsu:Created><wsu:Expires>2007-10-31T10:21:00.474Z</wsu:Expires></wsu:Timestamp></wsse:Security><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-10464309"><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-28000914"><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>XHIiHK4NYczByvAJSZH8u3hSvuQ=</DigestValue></Reference></SignedInfo><SignatureValue>JQnTQJ1TidrMuWmSmpHE3ZR5M728A3tlvKjrM3GxFPuy5YOmmybxR0T7xe72WSdWsqvFT9QGE+iP GL5POuc3s8lLc1QGZRKhZvjHAKFldDNyxAMWRL7ZXmhpjsRXT3HethKWew3669SKjJFkZ1IYEnZz QrJOmgt1MMjWx99CgaQ=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>
As you can see in the soap request on top of the xml signature there is a Webservice Security signature (WSSE) over three elements. This should be no problem altough WSSE adds the wsu:id attribute to the body element. WSSE was omitted in step 1 for simplicity.
I wonder that the attributes which have been set to the payloadElement are not part of the actual message. But it works!
Step 3:
The same request was sent to an external webservice server and the server reports a xml signature verification problem. I don't have any logs or further information. But I have to get this to work against this server.
Java Files for Create + Verify Signature. For Create I get a DOM Node from a XML Bean. For step 1 the attribute setting should be in comments. I use VerifySignature for step 1 + 2.
SignPayload.java:
package de.tk.signature;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.apache.xmlbeans.XmlObject;
import de.tk.schemaTools.TkSchemaHandler;
import de.tk.util.ClientProperties;
public class SignPayload {
 public static void signDocument(XmlObject telematikExecuteXmlObject, String payloadId) {
 try {
 // get Document
 org.w3c.dom.Node node = telematikExecuteXmlObject.getDomNode();
 Document documentTo = node.getOwnerDocument();
 XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
 Reference ref = fac.newReference("#"+payloadId, fac.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList(fac
 .newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
 // Create the SignedInfo.
 SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null), fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
 Collections.singletonList(ref));
 KeyStore keyStore = KeyStore.getInstance("JKS");
 String keyStoreFilename = ClientProperties.getKeystorefile();
 FileInputStream keyStoreFile = new FileInputStream(keyStoreFilename);
 keyStore.load(keyStoreFile, "storePwd".toCharArray());
 keyStoreFile.close();
 KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry("harris", new KeyStore.PasswordProtection("keyPwd".toCharArray()));
 X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
 // Create the KeyInfo containing the X509Data.
 KeyInfoFactory kif = fac.getKeyInfoFactory();
 List x509Content = new ArrayList();
 x509Content.add(cert.getSubjectX500Principal().getName());
 x509Content.add(cert);
 X509Data xd = kif.newX509Data(x509Content);
 KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
 Node payloadNode = new TkSchemaHandler().getNode(documentTo, "Payload");
 String prefix = payloadNode.getPrefix();
 NamedNodeMap nameNodeMap = payloadNode.getAttributes();
 // String baseUri = payloadNode.getBaseURI(); not implemented
 boolean attributes = payloadNode.hasAttributes();
 Element payloadElement = (Element) payloadNode;
 //xmlns is the prefix and first parameter the namespaceURI
 // xmlns existiert ohne WSSE, beim Create XMLOutputter ausgegeben
 payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
 // existiert ohne WSSE
 // bei Create nicht; aber bei Verify im DigestOutputter mit drin
 payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:soapenv", "http://schemas.xmlsoap.org/soap/envelope/");
 // existiert nur bei WSSE
 payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
 Node timestampNode = new TkSchemaHandler().getNode(documentTo, "Timestamp");
 Element timestampElement = (Element) timestampNode;
 // existiert ohne WSSE
 // beim Create Outputter angegeben sowie beim Verify
 timestampElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
 // existiert nur bei WSSE, war wohl nur notwendig da bei WSSE Signature auf falschen Timestamp zugegriffen worden ist.
 // Create a DOMSignContext and specify the RSA PrivateKey and
 // location of the resulting XMLSignature's parent element.
 DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),payloadNode);
 // Create the XMLSignature, but don't sign it yet.
 XMLSignature signature = fac.newXMLSignature(si, ki);
 // DomInfo.visualize(document);
 SAXBuilderDemo2.print(documentTo);
 // Marshal, generate, and sign the enveloped signature.
 signature.sign(dsc);
 } catch (Exception exc) {
 throw new RuntimeException(exc.getMessage());
VerifySignature.java:
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
public class VerifySignature {
 * @param args
 public static void main(String[] args) {
 // TODO Auto-generated method stub
 try {
 String filename = args[0];
 System.out.println("Verify Document: " + filename);
 XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 dbf.setNamespaceAware(true);
 Document doc = dbf
 .newDocumentBuilder()
 .parse(
 new FileInputStream(filename));
// Find Signature element.
// NodeList nl =
// doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
 Node node = TkSchemaHandler.getNode(doc,"/*[local-name()='Envelope' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']/*[local-name()='Body' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'][1]/*[local-name()='TelematikExecute' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Payload' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Signature' and namespace-uri()='http://www.w3.org/2000/09/xmldsig#'][1]");
 if (nl.getLength() == 0) {
 throw new Exception("Cannot find Signature element");
 Node node = nl.item(0); */
// Create a DOMValidateContext and specify a KeySelector
// and document context.
 DOMValidateContext valContext = new DOMValidateContext
 (new X509KeySelector(), node);
// Unmarshal the XMLSignature.
 XMLSignature signature = fac.unmarshalXMLSignature(valContext);
// Validate the XMLSignature.
 boolean coreValidity = signature.validate(valContext);
 // sample 6
// Check core validation status.
 if (coreValidity == false) {
 System.err.println("Signature failed core validation");
 boolean sv = signature.getSignatureValue().validate(valContext);
 System.out.println("signature validation status: " + sv);
 if (sv == false) {
 // Check the validation status of each Reference.
 Iterator i = signature.getSignedInfo().getReferences().iterator();
 for (int j=0; i.hasNext(); j++) {
 boolean refValid = ((Reference) i.next()).validate(valContext);
 System.out.println("ref["+j+"] validity status: " + refValid);
 } else {
 System.out.println("OK! Signature passed core validation!");
 } catch (Exception exc) {
 exc.printStackTrace();
Questions:
1. Do I really have to set all the namespace attributes? I thought with exclusive xml this should not be necessary. Is there any other solution?
2. Do you think I got all the settings right in SignPayload.java?
Thanks a lot in advance.
Cheers !
Nils

It seems to be a bug with the JDK you are using. What is the JDK version you are using?

How to Verify digital signature in ABAP web dynpro enviroment

Hi,
I have few questions regarding, how we can Verify digital signature in ABAP WebDynpro ?
Do we have class or function modules to verify digital signature on WAS once signed offline or online interactive form is uploaded back?
can we use function modules in function group SSFG for validating authors signature? Or any other classes or interfaces are available in NetWeaver environment.
I searched to find any sample for validating signatures in ABAP WebDynpro, however I could not find any thing. Any sample code will be very useful?
Thanks,
Nitesh Shelar.

I Found that Interface IF_FP_PDF_OBJECT can be used to extract signatures from document.
Thanks,
Nitesh Shelar.

Failed to verify Authenticode signature on DLL msxmlsql.dll

Hello, I got this error message. The server is experiencing issue of service broker suddenly stopping, so we are ruling out all errors at this point. Server is setup with HADR.
Win Server 2008 R2 Ent SP1
SQL 2012 11.0.3349 Ent
Log Name: Application
Source: MSSQL$SQL01
Date: 4/18/2013 7:17:26 AM
Event ID: 33081
Task Category: Server
Level: Information
Keywords: Classic
User: N/A
Computer: SQL01.xxxxxx.xxx
Description:
Failed to verify Authenticode signature on DLL 'C:\Program Files\Microsoft SQL Server\MSSQL11.SQL01\MSSQL\Binn\msxmlsql.dll'.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
 <Provider Name="MSSQL$SQL01" />
 <EventID Qualifiers="16384">33081</EventID>
 <Level>4</Level>
 <Task>2</Task>
 <Keywords>0x80000000000000</Keywords>
 <TimeCreated SystemTime="2013-04-18T11:17:26.000000000Z" />
 <EventRecordID>28935</EventRecordID>
 <Channel>Application</Channel>
 <Computer>SQL01.xxxxxx.xxx</Computer>
 <Security />
</System>
<EventData>
 <Data>C:\Program Files\Microsoft SQL Server\MSSQL11.SQL01\MSSQL\Binn\msxmlsql.dll</Data>
 <Binary>398100000A0000000F000000500052004F004400530051004C0031005C0043004F00530051004C000000040000004F006E0065000000</Binary>
</EventData>
</Event>
Thanks.

Hi ASR,
Have you found C:\Program Files\Microsoft SQL Server\MSSQL11.SQL01\MSSQL\Binn\msxmlsql.dll? I think msxmlsql.dll is in the C:\Program Files\Microsoft SQL Server\110\Shared. Please check it. You could try to Copying msxmlsql.dll to the Binn folder to see
if it would be OK.
Or you could try to repair the SQL Server through SQL Server Installation Center.
Thanks.
If you have any feedback on our support, please click
here.
Maggie Luo
TechNet Community Support

Verifying detached signature

Hi,
Im trying to verify the PKCS& detached signature.. Verification is working fine. But if i try to alter or delete certian characters in my signature file its still saying verification success can anybody have a look at this code and help me to sort out this issue. Is there any other way with which i can verify the signature.
Here is the code:
import java.security.Security;
import java.io.*;
import org.bouncycastle.jce.PKCS7SignedData;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import java.util.Arrays;
import java.util.*;
import java.text.SimpleDateFormat;
import java.util.Iterator;
import java.util.List;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.io.FileInputStream;
import javax.security.auth.x500.X500Principal;
import java.lang.*;
import java.io.PrintWriter;
import java.security.cert.*;
import java.util.Vector;
import java.lang.*;
import java.io.IOException;
import java.util.Collection;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
class VerifyP7s {
public static void main(String args[]) {
if (args.length < 2)
usage();
//Plug the Provider into the JCA/JCE
Security.addProvider(new BouncyCastleProvider());
FileInputStream freader = null;
//------ Get the content data from file -------------
File f = new File(args[1]) ;
int sizecontent = ((int) f.length());
byte[] bytes = new byte[sizecontent];
try {
freader = new FileInputStream(f);
System.out.print("\nContent Bytes: " + freader.read(bytes, 0, sizecontent));
freader.close();
catch(IOException ioe) {
System.out.println(ioe.toString());
return;
//------ Get the pkcs #7 data from file -------
File p7s = new File(args[0]) ;
int size = ((int) p7s.length());
byte[] bytessig = new byte[size];
try {
freader = new FileInputStream(p7s);
System.out.println(" PKCS#7 bytes: " + freader.read(bytessig, 0, size));
freader.close();
catch(IOException ioe) {
System.out.println(ioe.toString());
return;
// --- Use Bouncy Castle provider to attempt verification of p7s ---
if(isBase64Encoded(bytessig)){
System.out.println("Signature file is BASE64 encoded") ;
try{
sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder() ;
byte[] bdecoded = dec.decodeBuffer(new String(bytessig));
if (isVerified(bdecoded, bytes))
System.out.println("Verified pkcs#7 data: \"" + args[0] + "\" as BASE64-encoded DER file\n" +
"against content file \"" + args[1] + "\"") ;
else
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
catch(Exception exc) {
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
return;
else { //if NOT base64 encoded
if (isVerified(bytessig, bytes))
System.out.println("Verified pkcs#7 data: \"" + args[0] + "\" as binary DER file\n" +
"against content file \"" + args[1] + "\"") ;
else
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
private static byte[] toUnicode(byte[] bytes) {
byte[] ucbytes = new byte[2*bytes.length];
for (int j = 0; j< bytes.length; j++) {
ucbytes[2*j] = bytes[j];
ucbytes[2*j+1] = 0x00; //null byte for UNICODE encoding
return ucbytes;
private static final boolean isVerified(byte[] sig, byte[] content) {
try{
PKCS7SignedData pkcs7 = new PKCS7SignedData(sig);
pkcs7.update(content, 0, content.length); // Update checksum
boolean verified = pkcs7.verify(); // Does it add up?
if(!verified) { //see if original data was UNICODE byte encoding
//System.out.println("Original byte content not verified.\nTrying UNICODE encoding ...");
pkcs7 = new PKCS7SignedData(sig);
pkcs7.update(toUnicode(content), 0, 2*content.length);
verified = pkcs7.verify();
if(verified){
System.out.println("\nUNICODE-encoding of signed content was verified.");
return true;
else
//System.out.println("\nCould NOT verify signed detached content");
return false;
else
System.out.println("ANSI-encoding of signed content was verified.");
return true ;
catch(java.security.cert.CRLException crle) {
//System.out.println("crl " + crle.toString());
return false;
catch(java.security.SignatureException sigex) {
//System.out.println("sigexcept " + sigex.toString());
return false;
catch(Exception secex) {
//System.out.println("other exception " + secex.toString());
return false;
private static final boolean isBase64Encoded(byte[] data) {
Arrays.sort(Base64Map);
for (int i=0; i<data.length; i++){
//System.out.println("data[" + i + "] " + (char)data) ;
if( Arrays.binarySearch(Base64Map, (char)data)<0
&& !Character.isWhitespace((char)data) )
return false;
return true;
public String printX509Cert(X509Certificate cert){
try{
String discrt = cert.getPublicKey().toString();
return discrt;
catch(Exception exception)
System.err.println("Exception is: "+exception.getMessage());
String ex = exception.getMessage();
return ex;
private static char[] Base64Map =
{ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
'w', 'x', 'y', 'z', '0', '1', '2', '3',
'4', '5', '6', '7', '8', '9', '+', '/', '='
private static void usage() {
System.out.println("Usage:\n java VerifyP7s <pkcs #7 signature file> <contentfile> ") ;
System.exit(1);
Here is my signature file:
MIIEoAYJKoZIhvcNAQcCoIIEkTCCBI0CAQExDjAMBggqhkiG9w0CBQUAMAsGCSqGSIb3DQEHAaCC
A3kwggN1MIICXaADAgECAhBjffJNbUvAx4VWV4qkdNLGMA0GCSqGSIb3DQEBBAUAMDExETAPBgNV
BAoTCFNJRlkgTHRkMRwwGgYDVQQDExNTSUZZIEx0ZCBQcml2YXRlIENBMB4XDTA0MDcyNjAwMDAw
MFoXDTA1MDcyNjIzNTk1OVowgZwxETAPBgNVBAoUCFNJRlkgTHRkMSIwIAYDVQQLFBlIdW1hbiBS
ZXNvdXJjZSBEZXBhcnRtZW50MRswGQYDVQQLFBJFbXBsb3llZUlEIC0gU0YwNjcxGzAZBgNVBAMT
ElN1ZGVlcCBLdW1hciBQLiBLLjEpMCcGCSqGSIb3DQEJARYac3VkZWVwa3VtYXJAc2FmZXNjcnlw
dC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANGOpSIhZEDQ5Z6cxLMpZssi5WWdD0h7
kFWkbXPQk842HqCBFPcClUUWWeT/LJ10VCC9Ff0KrI5lviGl9umnVW+LeCYiI/ksnea/p7tKfOgN
NO+UBoJ4PE5XnUEq03CFWdHhGNfukNqWZiMC+bUX8e6+blFU/6ipUtHmIkIrlNZBAgMBAAGjgaAw
gZ0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEQYJYIZIAYb4QgEBBAQDAgeAMF0GA1UdHwRWMFQw
UqBQoE6GTGh0dHA6Ly9vbnNpdGVjcmwuc2FmZXNjcnlwdC5jb20vU0lGWUx0ZEh1bWFuUmVzb3Vy
Y2VEZXBhcnRtZW50L0xhdGVzdENSTC5jcmwwEQYKYIZIAYb4RQEGCQQDAQH/MA0GCSqGSIb3DQEB
BAUAA4IBAQBpFEGmTHOSfA/SkeC/bvZE3sYpBU0+RG8iSm+DTbP5tiCyWT+L0AidTWDk0ZuXz7yA
eF9NR0OZyxp3/v+OQYn3Q0a1awe+JKnDCD+zayehcPbvD+q79WYHO5Ibm5UA2VnGoBbV3CDhj1qC
lCyqllEKVWk11iB6wu24PzB31uARxkar3cynFNX4P6nxy6vb83W/Wnt8eOMQHI2SiVvJtjU5SwL6
ILrkZfrm7NLcCQY2w7w4/WeFgeb2Ko8hYHSRyvJWwBUyv2ExDGnv0eqHJn6HC+4IE8wzirWre0jY
Y0529u3MfIL0F7lrkuwYnpVa3zE/b2HwCaMrN+TuY/oNkf2YMYHtMIHqAgEBMEUwMTERMA8GA1UE
ChMIU0lGWSBMdGQxHDAaBgNVBAMTE1NJRlkgTHRkIFByaXZhdGUgQ0ECEGN98k1tS8DHhVZXiqR0
0sYwDAYIKoZIhvcNAgUFADANBgkqhkiG9w0BAQEFAASBgDUpkV5Zpi781vTmtydAdOVJ7cecnQ9v
8fdTZwMgz56Q3ZI0pj6+60e8lIafO3mo596eCF2mBsZm2wEO1PhnXPKAQFXWIseDp0GVdmwTp1tH
M2e9fC2bOppNhBKkpZAr26PE6/BIDittE1rM8nJOa+9lzJcDCBBpJM3MdlHjY+8v
My Content file is:
<table width=100%><TR align=center><TH COLSPAN=3>Transfer Funds Request</TH></TR><TR><TD ALIGN=RIGHT>TRANSFER FROM</TD><TD>..........</TD><TD>Money Market</TD></TR><TR><TD ALIGN=RIGHT>TRANSFER TO</TD><TD>..........</TD><TD>Cash</TD></TR><TR><TD ALIGN=RIGHT>AMOUNT</TD><TD>..........</TD><TD>/ \ & \n</TD></TR></table> I am authorizing the transfer of the above funds by digitally signing this request.
Thanx in advance.

Your PKCS#7 signature file is dumped by DUMPASN1 as follows:
The verifying code only checks the public key against the data.
If you change some byte of the PKCS#7 data that can "blow up" the ASN.1 structures, you cannot get the public key, so the data would not be verified OK.
But if you change some other byte in the PKCS#7 signature data, it could change some things that are not important to ASN.1 Parsing, like changing 'Human Resource Department' to 'Departamentos de Recursos' that is a string with the same length. So as you don't changed the Public key bytes it's all OK.
If you are concerned about PKCS#7 signature file modification, you can try verifying the signer certificates inside - an additional step, but not difficult to do.
 0 30 1184: SEQUENCE {
 4 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 A0 1169: [0] {
19 30 1165: SEQUENCE {
23 02 1: INTEGER 1
26 31 14: SET {
28 30 12: SEQUENCE {
30 06 8: OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
40 05 0: NULL
42 30 11: SEQUENCE {
44 06 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
55 A0 889: [0] {
59 30 885: SEQUENCE {
63 30 605: SEQUENCE {
67 A0 3: [0] {
69 02 1: INTEGER 2
72 02 16: INTEGER
 : 63 7D F2 4D 6D 4B C0 C7 85 56 57 8A A4 74 D2 C6
90 30 13: SEQUENCE {
92 06 9: OBJECT IDENTIFIER
 : md5withRSAEncryption (1 2 840 113549 1 1 4)
103 05 0: NULL
105 30 49: SEQUENCE {
107 31 17: SET {
109 30 15: SEQUENCE {
111 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
116 13 8: PrintableString 'SIFY Ltd'
126 31 28: SET {
128 30 26: SEQUENCE {
130 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
135 13 19: PrintableString 'SIFY Ltd Private CA'
156 30 30: SEQUENCE {
158 17 13: UTCTime 26/07/2004 00:00:00 GMT
173 17 13: UTCTime 26/07/2005 23:59:59 GMT
188 30 156: SEQUENCE {
191 31 17: SET {
193 30 15: SEQUENCE {
195 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
200 14 8: TeletexString 'SIFY Ltd'
210 31 34: SET {
212 30 32: SEQUENCE {
214 06 3: OBJECT IDENTIFIER
 : organizationalUnitName (2 5 4 11)
219 14 25: TeletexString 'Human Resource Department'
246 31 27: SET {
248 30 25: SEQUENCE {
250 06 3: OBJECT IDENTIFIER
 : organizationalUnitName (2 5 4 11)
255 14 18: TeletexString 'EmployeeID - SF067'
275 31 27: SET {
277 30 25: SEQUENCE {
279 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
284 13 18: PrintableString 'Sudeep Kumar P. K.'
304 31 41: SET {
306 30 39: SEQUENCE {
308 06 9: OBJECT IDENTIFIER
 : emailAddress (1 2 840 113549 1 9 1)
319 16 26: IA5String '[email protected]'
347 30 159: SEQUENCE {
350 30 13: SEQUENCE {
352 06 9: OBJECT IDENTIFIER
 : rsaEncryption (1 2 840 113549 1 1 1)
363 05 0: NULL
365 03 141: BIT STRING, encapsulates {
369 30 137: SEQUENCE {
372 02 129: INTEGER
 : 00 D1 8E A5 22 21 64 40 D0 E5 9E 9C C4 B3 29 66
 : CB 22 E5 65 9D 0F 48 7B 90 55 A4 6D 73 D0 93 CE
 : 36 1E A0 81 14 F7 02 95 45 16 59 E4 FF 2C 9D 74
 : 54 20 BD 15 FD 0A AC 8E 65 BE 21 A5 F6 E9 A7 55
 : 6F 8B 78 26 22 23 F9 2C 9D E6 BF A7 BB 4A 7C E8
 : 0D 34 EF 94 06 82 78 3C 4E 57 9D 41 2A D3 70 85
 : 59 D1 E1 18 D7 EE 90 DA 96 66 23 02 F9 B5 17 F1
 : EE BE 6E 51 54 FF A8 A9 52 D1 E6 22 42 2B 94 D6
 : [ Another 1 bytes skipped ]
504 02 3: INTEGER 65537
509 A3 160: [3] {
512 30 157: SEQUENCE {
515 30 9: SEQUENCE {
517 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
522 04 2: OCTET STRING, encapsulates {
524 30 0: SEQUENCE {}
526 30 11: SEQUENCE {
528 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
533 04 4: OCTET STRING, encapsulates {
535 03 2: BIT STRING 5 unused bits
 : '101'B
539 30 17: SEQUENCE {
541 06 9: OBJECT IDENTIFIER
 : netscape-cert-type (2 16 840 1 113730 1 1)
552 04 4: OCTET STRING, encapsulates {
554 03 2: BIT STRING 7 unused bits
 : '1'B (bit 0)
558 30 93: SEQUENCE {
560 06 3: OBJECT IDENTIFIER
 : cRLDistributionPoints (2 5 29 31)
565 04 86: OCTET STRING, encapsulates {
567 30 84: SEQUENCE {
569 30 82: SEQUENCE {
571 A0 80: [0] {
573 A0 78: [0] {
575 86 76: [6]
 : 'http://onsitecrl.safescrypt.com/SIFYLtdHumanReso'
 : 'urceDepartment/LatestCRL.crl'
653 30 17: SEQUENCE {
655 06 10: OBJECT IDENTIFIER '2 16 840 1 113733 1 6 9'
667 04 3: OCTET STRING, encapsulates {
669 01 1: BOOLEAN TRUE
672 30 13: SEQUENCE {
674 06 9: OBJECT IDENTIFIER
 : md5withRSAEncryption (1 2 840 113549 1 1 4)
685 05 0: NULL
687 03 257: BIT STRING
 : 69 14 41 A6 4C 73 92 7C 0F D2 91 E0 BF 6E F6 44
 : DE C6 29 05 4D 3E 44 6F 22 4A 6F 83 4D B3 F9 B6
 : 20 B2 59 3F 8B D0 08 9D 4D 60 E4 D1 9B 97 CF BC
 : 80 78 5F 4D 47 43 99 CB 1A 77 FE FF 8E 41 89 F7
 : 43 46 B5 6B 07 BE 24 A9 C3 08 3F B3 6B 27 A1 70
 : F6 EF 0F EA BB F5 66 07 3B 92 1B 9B 95 00 D9 59
 : C6 A0 16 D5 DC 20 E1 8F 5A 82 94 2C AA 96 51 0A
 : 55 69 35 D6 20 7A C2 ED B8 3F 30 77 D6 E0 11 C6
 : [ Another 128 bytes skipped ]
948 31 237: SET {
951 30 234: SEQUENCE {
954 02 1: INTEGER 1
957 30 69: SEQUENCE {
959 30 49: SEQUENCE {
961 31 17: SET {
963 30 15: SEQUENCE {
965 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
970 13 8: PrintableString 'SIFY Ltd'
980 31 28: SET {
982 30 26: SEQUENCE {
984 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
989 13 19: PrintableString 'SIFY Ltd Private CA'
1010 02 16: INTEGER
 : 63 7D F2 4D 6D 4B C0 C7 85 56 57 8A A4 74 D2 C6
1028 30 12: SEQUENCE {
1030 06 8: OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
1040 05 0: NULL
1042 30 13: SEQUENCE {
1044 06 9: OBJECT IDENTIFIER
 : rsaEncryption (1 2 840 113549 1 1 1)
1055 05 0: NULL
1057 04 128: OCTET STRING
 : 35 29 91 5E 59 A6 2E FC D6 F4 E6 B7 27 40 74 E5
 : 49 ED C7 9C 9D 0F 6F F1 F7 53 67 03 20 CF 9E 90
 : DD 92 34 A6 3E BE EB 47 BC 94 86 9F 3B 79 A8 E7
 : DE 9E 08 5D A6 06 C6 66 DB 01 0E D4 F8 67 5C F2
 : 80 40 55 D6 22 C7 83 A7 41 95 76 6C 13 A7 5B 47
 : 33 67 BD 7C 2D 9B 3A 9A 4D 84 12 A4 A5 90 2B DB
 : A3 C4 EB F0 48 0E 2B 6D 13 5A CC F2 72 4E 6B EF
 : 65 CC 97 03 08 10 69 24 CD CC 76 51 E3 63 EF 2F
 : }

Verify digital signature mobile 5.0

i have a jad file d2link and i get this error msg [unable to verify digital signature ] can any one help its on a 8525 phone with wm5 on it with the java program 6.1 i have downloaded opera it seem to work fine plus the golf tracker and gmail and them seem to work fine or is there any way to bypass this or add something to make it work
Message was edited by:
[email protected]

Hi, I was wondering if you solved already the digital signature verifying error on the MDA.
I am also trying to install something on my MDA and I get the error message "Unable to verify the digital signature"!
I am desperate because I really dont know where the problem is!!!
I would really appreciate if you could give me any hint!
Thank you so much in advance.
Clara Fdz

Unable to verify message signature

1 - I am using Lion and some emails come with a signature and it appears a message on top of the message saying:
"Unable to verify message signature" (here in attach). What should i do?
2 - I would like to use digital signature for my emails. What companies wirks with Digital Signatures for OS X v10.7 Lion ?
Thank You,
Paulo Guedes

There is another picture related with this problem

Cannot verify digital signature

Hi i have sap b1 2005 pl 34. due to some reason, the server is formatted. now i installed sap b1 2005 pl 05 base installation and than upgrading to pl 34. now while importing lic file i gor error "cann't verify digital signature". now i updated the path from file B1200xLS00P_00.zip. now wile importing the lic i got the error coorupt service manager reinstall it.
what to do now.

Hi Ash
Even i got the same error follow the same what i have done
Get these two files from Portal Or ask Ur team manager to give those files
1)B1LASVerify.pse
2).B1License.exe
place these files under follow this path
C:\Program Files\SAP\SAP Business One ServerTools\License
Replace those two files
Hope this helps u
Regards
Jenny

How to get verified digital signature for applets?

Hi All,
I run a small website with an applet ( [http://www.tozsdeasz.hu/grafikonrajzolo/inditas.html|http://www.tozsdeasz.hu/grafikonrajzolo/inditas.html] ). Visitors can load files into the applet, so the applet needs to ask for permission from the user to access files on the visitor's computer. When doing so an unfriendly window pops up telling that the digital signature of the application cannot be verified (you can see it for yourself by the link). Some users keep complaining about it fearing of the security risk.
What is the proper way of getting a properly signed applet? (how to get a verified digital signature?)
Please help me!
Best wishes:
Szabolcs Kelemen

Thanks for the links.
As far as I saw in the documents I need a "digital certification authority" to sign the jar.
Do you know any of these authorities that is free? The entire application does not worth much, I can't afford expensive certifications.
Best regards:
Szabolcs Kelemen

Verify digital signature??

I've seen the tutorials from java and so on but I cant get the thing work.
I have a .cer certificate so i want it to read like:
FileInputStream keyfis = new FileInputStream("C:\\Work\\java\\editorDeTexto\\cert.der");
        byte[] encKey = new byte[keyfis.available()];
        keyfis.read(encKey);
        keyfis.close();
        X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(encKey);
        KeyFactory keyFactory1 = KeyFactory.getInstance("RSA");
        PublicKey pubKey = keyFactory1.generatePublic(pubKeySpec); ........The program cant read the FileStream, anyway when it reads the stream i get this error:
derInputStream.getLenght(): lenghtTag = 111 too big
I dont know how to solve this problem at all... this is my main problem.

Finally did it... after a lot of days searching:
public static PublicKey get(String filename)
        throws Exception {
        File f = new File(filename);
        FileInputStream fis = new FileInputStream(f);
        DataInputStream dis = new DataInputStream(fis);
        byte[] keyBytes = new byte[(int)f.length()];
        dis.readFully(keyBytes);
        dis.close();
        X509EncodedKeySpec spec =
          new X509EncodedKeySpec(keyBytes);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        return kf.generatePublic(spec);
public static boolean verifySig(byte[] data, PublicKey key, byte[] sig) throws Exception {
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initVerify(key);
        signer.update(data);
        return (signer.verify(sig));
      }The main problem is the public key, java dont read PEM files so you have to convert it.
The solution for all your problems are here:
[http://codeartisan.blogspot.com/2009/05/public-key-cryptography-in-java.html|http://codeartisan.blogspot.com/2009/05/public-key-cryptography-in-java.html]
[http://www.keyzam.com/forum/index.php?topic=4.0|http://www.keyzam.com/forum/index.php?topic=4.0]
Remember to stay put, and not become crazy... this is really difficult (The prove is that noone helps me).
Anyway thanks to all.
Good signing/checking.
Edited by: alrik11es on Aug 24, 2009 2:00 PM

Verifying digital signatures in PDF documents

I'm working on verifying PDFs digital signatures.
I know that when a PDF is signed, a byterange is defined, the certificates get embedded, and from what i've read, the signed message digest and the timestamp are also stored in the PDF.
I already can extract the certificates and validate them. Now I'm trying to validate the pdf's integrity and my problem is I don't know where the signed message digest is located.
In this sample signed pdf (http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf), I can clearly identify the digest since it is down below the embedded certificates: /DigestMethod/MD5/DigestValue/ (line 1520).
But that PDF sample seems to be from 2009, and I suspect the message digest is stored in a different way now, because I signed a PDF with Adobe Reader and I can't find any message digest field like the previous one. Can someone tell if the digests are now stored in a different way? Where are they located?
Anyway, for now I'm using that sample document, and trying to verify its integrity. I'm getting the document's bytes to be signed acording to the specified byterange, and digesting them with MD5 algorithm, but the digest value I get doesn't match with the one from the message digest field... Am I doing something wrong? Is the digest also signed with the signer's private key?
I appreciate any help.

You cannot rely on the digest to be in a certain place in PDF. If you want to manually verify the digest in a PDF signature here's what you need to do.
1. Open PDF in a Text Editor.
2. Find Signature Dictionary for your signature.
3. Get the Hex String which is the value of the /Contents entry in the Signature Dictionary.
4. Convert Hex String to binary string and discard trailing zeros. Remember that in a Hex string each byte is represented with two characters and the last one might be a zero. So, when you discard zeros make sure that what you get left has even number of bytes.
5. Use one of the commercially available BER Viewers (you can find free BER Viewers on the Web) to convert the binary string to ANSI.1 representation.
6. Analyze the BER-decoded PKCS#7 signature object (RFC 2315 describes it) and find the digest that you are looking for in it. It is an OCTET STRING.
If you want to programmatically validate a signature, you need to write code that does all that. Signature validation includes much more than checking the digest. You need to build chain, validate each certificate in the chain, check revocation for each certificate in the chain, etc. RFC 5280 is the guide what to do.
Good luck!

Turn off "Verifying all signatures" when digitally signing a pdf form?

Hey All!
I have a pdf form (created with Acrobat X) with muliple digital signatures fields. Any time you sign a field, Adobe verifies all other signed signatures fields within the document.
So the more signature fields allready been signed, the longer it takes to place a new digital signature due to the adobe verifying setting mentioned above.
I have allready turned off "Verify signatures when the document is opened" in the security preferences, but I couldn't find a place to turn it off when signing a document.
I am just thinking, whoever designed the Acrobat/Adobe program must have left an option to disable those security features...so I even looked in Adobe policy within windows
registry, but I couldn't find anything either.
It's very frustrating - at the end of the form it takes up to 20 minutes to place a signature.
Any ideas and thoughts are more the welcome!!
Thanks

Sir, thank you for the quick response!
No, It's a 22-pages form with 25 different signatures using PKI.

SSF - verify digital signatures in C ( or other Microsoft language )

Hi Experts,
Could you please tell me where to find examples of / information on verifying a digita signature from SAP externally using C ( or other microsoft language ).
The SSF Progrsammers Guide refers to header files such as ssfxxlib.h and a c program called ssfxxsup.c
On SDN, The 'Christophe Solution' refers to a header file called ssfxxapi.h
Do you have any idea where to obtain these header files
Thanking you for all help -
Andy

Hi,
you can download whole SSF specification from this [link|ftp://ftp.sap.com/pub/icc/bc-ssf45/SSF_Specifications.zip]. You can get to this link from [ICC|http://www.sdn.sap.com/irj/sdn/icc]. It's nicely hidden
Cheers

Verifying digital signature

Hi, I am a newbie to security. All I want is to sign a message with a private key and check the signature with corresponding public key.
But running below program I always keep getting "Signature failed. Possible imposter found."
What am I doing wrong in below program. Any help is greatly appreciated.
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.KeyPair;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
public class GetKeys1 {
     public static void main(String[] args) throws Exception {
          KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
          RSAPublicKey pubKey = (RSAPublicKey) keyPair.getPublic();
          RSAPrivateKey privKey = (RSAPrivateKey) keyPair.getPrivate();
//data to be signed
String str = "Testing Keys";
     Signature mySig = Signature.getInstance("MD5withRSA");
     mySig.initSign(privKey);
     mySig.update(str.getBytes());
     byte[] byteSignedData = mySig.sign();
     //decode the signature
     Signature theirSig = Signature.getInstance("MD5withRSA");
     theirSig.initVerify(pubKey);
     theirSig.update(byteSignedData);
     if (theirSig.verify(str.getBytes())) {
     System.out.println("Signature checks out." );
     } else {
     System.out.println("Signature failed. Possible imposter found.");
Thanks
Kolli

Well isn;t the verification like:
1. Sign the message with private key
2. Decode the message with public key
3. compare the the decoded message and original message
right?
I actually change d the decoding part of my program by doing below update. it still did not work
//decode the signature
     Signature theirSig = Signature.getInstance("MD5withRSA");
     theirSig.initVerify(pubKey);
     theirSig.update(str.getBytes());
     if (theirSig.verify(byteSignedData)) {
     System.out.println("Signature checks out." );
     } else {
     System.out.println("Signature failed. Possible imposter found.");
Thank you very much for replying for the post.

Verify SHA1withRSA signature

Similar Messages

Maybe you are looking for