Unable to verify Signed XML with Certificate (.cer)

Question

I'm trying to verify signed XML(signature) with certificate but it always returns false. Please advice

Signed XML

<?xml version="1.0" encoding="utf-16"?><LicenseEntity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="MyLicense"><AppName>QMS</AppName><ClientName>SBI</ClientName><UID>1HFELV6-15FTOEJ-SGKXQG-1YDT2I4</UID><Type>Single</Type><CreateDateTime>0001-01-01T00:00:00</CreateDateTime><LicenseValues><EnableFeatureKey>Transfer</EnableFeatureKey><EnableFeatureValue>true</EnableFeatureValue></LicenseValues><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>RT2AjddRXYe5urTO2XS0rsiQmkzqfrFFGQUInCb9xPg=</DigestValue></Reference></SignedInfo><SignatureValue>lWYs8T6LxkqLk9wh9CCR1KKlNWj0voXlB+E5cZDX3/IOKQpVCyS9PPsnqYsYjuKXyWnkldB10AIJdBRa1CSV3iW3j7wniKPl0FNItS+zNtSOBYz2vDQy+67p3JHXZaWCN+BAKmvGqyB9Kba4Xh0cCfa6OaExcW7axTad8E0ez2+hveNLXgKvKtDcaRk6h/RXzj3hMLMIeQEViyOzmlIxo5kIUPCPd1t4YIdr9U+7rcPP2PNp+p8GbXdBe6bsoTcF/hh8Wj78803hVjFE1hkymI6AiHXQohVTKEKdzNygEpN4SsilCulVKHJFhX4gavd0zJWUrtNKWBvXAvVkaST2hQ==</SignatureValue></Signature></LicenseEntity>

Here is my code to verify

private boolean validateCertificate(String xml,String signatureValue){


    CertificateFactory certificateFactory = null;

    try {

        certificateFactory = CertificateFactory.getInstance("X.509");

        InputStream inputStream = requireContext().getAssets().open("licence-01.cer");
        Certificate certificate = certificateFactory.generateCertificate(inputStream);
        X509Certificate x509Certificate = (X509Certificate) certificate;

        RSAPublicKey rsaPublicKey = (RSAPublicKey) x509Certificate.getPublicKey();
       

        Signature signature = Signature.getInstance("SHA1WithRSA");
        signature.initVerify(rsaPublicKey);
        signature.update(xml.getBytes());
        return signature.verify(signatureValue.getBytes());

    } catch (CertificateException | IOException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
        e.printStackTrace();
        Utility.showLog(TAG,String.valueOf(e));
    }

    return false;
}

Please suggest what I'm doing wrong. TIA.

https://stackoverflow.com/questions/31737763/signature-verify-is-returning-false-in-java — Usama Altaf, Feb 09 '21 at 11:00

b.s · Answer 1 · 2021-02-19T14:07:26.350

You can use the following code in order to test the behaviour. Read the signed xml and public certificate to verify the signatures. Any minimal change in the original signed xml will invalidate the signatures and you can test it easily by changing any character in the signed xml.

package com;

import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ValidateUsingCertificate {
  
  public static final String SIGNED_XML = "response.xml";
  public static final String CERTIFICATE = "cert.cer";
  
  public static void main(String[] args) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    
    FileInputStream fis = new FileInputStream(SIGNED_XML);
    Document doc = dbf.newDocumentBuilder().parse(fis);
    
    CertificateFactory fact = CertificateFactory.getInstance("X.509");
    FileInputStream is = new FileInputStream(CERTIFICATE);
    X509Certificate cert = (X509Certificate) fact.generateCertificate(is);
    boolean verify = verifySignature(doc, cert);
    System.out.println("verify :" + verify);
  }
  
  
  private static boolean verifySignature(Document doc, X509Certificate cert) {
    try {
      if (doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").getLength() == 0)
        throw new Exception("Cannot find Signature element");
      
      DOMValidateContext valContext = new DOMValidateContext(cert.getPublicKey(),
          doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
      
      XMLSignature signature =
          XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(valContext);
      
      return signature.validate(valContext);
    } catch (Exception e) {
      e.printStackTrace();
    }
    return false;
  }
  
}

I don't see XMLSignature in android – moDev Feb 19 '21 at 18:41 — moDev, Feb 19 '21 at 18:41
Where I can get the library for android? – moDev Feb 19 '21 at 19:47 — moDev, Feb 19 '21 at 19:47

Unable to verify Signed XML with Certificate (.cer)

1 Answers1

Linked