DIY information cards - Issue with enveloping signature
Hi,
it looks like I could use some help. My situation is the following:
- I create DIY cards through some homegrown Java code
- I sign these DIY cards with Apache xmlsec version 1.3 (latest release). Verification works with this toolkit.
- The CardSpace application always refuses to import the crd files saying "An error occurred during the import of a card. Errors in reading the imported card file." in the event log (Event ID 260)
- The signature verification seems to work (if I manipulate the signed data, I get the event description "An incoming identity could not be validated. Signature could not be verified.")
- The signature path validation seems to work (if I remove the trusted certificate, I get chain trust errors)
- The contained information card object seems to be OK (if I sign the same object with the Microsoft .NET class for XML Signature and the same keys, I can import this card to CardSpace)
- When I verify the Apache xmlsec-generated signature with the Microsoft .NET class for XML Signature, I get a valid result with the directive "preserveWhitespace(true)" and an invalid result with the directive "preserveWhitespace(false)"
- When comparing the Apache xmlsec- and Microsoft .NET-signed objects with a diff, I only notice line breaks in the signature value and the certificate, as well as the representation of empty elements, as differences. But that should not make a difference in my opinion. A sample of my signature object is attached at the bottom of this message.
Does somebody have suggestions on what I should change, either on the signature-creation side and/or some configuration setting on the client side?
Best regards,
Oliver
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_Object_InfoCard">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>/+xfgW9+5HQz4jxphHSowyu29eo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
gKE4vZ3FMF6v0+ociWL0ZuHgBmYYE8hrvTBkasP7hc7f0igFHtONF0/1jHL16xVfrq7nUFfv7MLE
H24EwpHgz3Go33/4KtV9dtF30iDP3EAx8YNLuAObMrnMtRXR2SYby7rpcQZQObQeOdpAcwdtYaCa
HgTpqwrWEih6LpBESyg=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIDXzCCAkegAwIBAgIEQKnfeTANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJERTEPMA0GA1UE
BxMGQmVybGluMRkwFwYDVQQKExBHZXN1bmRoZWl0c3dlc2VuMUEwPwYDVQQDEzhIZWFsdGggUHJv
ZmVzc2lvbmFsIEludGVybWVkaWF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDAxMDEw
MDAwMDBaFw0xMzEyMzEyMzU5NTlaMIGLMQswCQYDVQQGEwJERTETMBEGA1UEChMKU2llbWVucyBB
RzEjMCEGA1UECxMaQmV0cmllYnNhZXJ6dGxpY2hlciBEaWVuc3QxFTATBgNVBAMTDFN2ZW4gU2ll
bWVuczENMAsGA1UEKhMEU3ZlbjEQMA4GA1UEBBMHU2llbWVuczEKMAgGA1UEBRMBNTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEA0UL1X+qUkflj11zcLAPFPaeYbuEvUiv/QurACaWOv5oaRbNi
9+QX3lR8GHKvDIcJi8iS1BxNTzil8x69fKq+SN72tg2vyxA0WYJfHsNzzVMjeJHg9bodSCIyljYt
3v/Z5osQo+Dlvqm8Bc321MuWp9cMCiCHAfSlHrfFT+Cj6ksCAwEAAaNdMFswHQYDVR0OBBYEFDCA
wW04NRXrDSzad/NwbtDSKRNgMB8GA1UdIwQYMBaAFME3tY/hIiDX1MpBkYdJvL86u6jVMA4GA1Ud
DwEB/wQEAwIFoDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQAWNPoffuTgKetN8mm5hO7q
5higoAwKZejHRGDcJrbHEsjnzO/vrWDAVfuvNZzKaYJ0e2hkPrU2TzBWFIqub7HFvWs5xPU+Rt2h
IRP2QuW1qj6bzkphDeZ5a4XV/T9P0J+XZRiJHzzdb9F691nZK5QF1PGzcGn0lJbC/OzTZQrScdzA
n8bHajbD5ozT1YaoCH8WDm6yz6V1CdiY094BFaiX9+HFead+rWbIzQjfmKabinFOveek+qbHq5Vw
hHbB9zY3V8QumTytrY8eBlBlWV1ePuLT0EPbv73CWjV+zi9NA3gdgVsCd23gR/k005peP4y+sNwS
3SKlFQCrobgDSPl7
</X509Certificate>
</X509Data>
</KeyInfo>
<Object Id="_Object_InfoCard"><InformationCard xmlns="http://schemas.microsoft.com/ws/2005/05/identity" xml:lang="en-us"><!-- omitted since that child element should not cause the problem--></InformationCard></Object>
</Signature>
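The preserveWhitespace(true)/preserveWhitespace(false) observation above is what you see when the signer's digest covers whitespace text nodes inside the signed Object and the verifier parses them away, while the start/end-tag versus self-closing difference for empty elements is erased by canonicalization. The following is an added, constructed example (not the poster's code, nor Apache xmlsec or .NET code) showing both effects; it assumes Python 3.8+ and uses the standard library's C14N 2.0 implementation as a stand-in for exc-c14n, which behaves the same for whitespace and empty elements, and the InformationCard content is invented.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample of the enveloping signature's <Object>, written the way an
# indenting serializer emits it: whitespace between elements, empty element as a
# start/end tag pair. The card content is made up and is not the poster's card.
INDENTED_OBJECT = """<Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="_Object_InfoCard">
  <InformationCard xmlns="http://schemas.microsoft.com/ws/2005/05/identity" xml:lang="en-us">
    <CardId>urn:example:constructed-card</CardId>
    <Hint></Hint>
  </InformationCard>
</Object>"""

# The same object with only the cosmetic differences a diff would show:
# no indentation and the empty element self-closed.
COMPACT_OBJECT = (
    '<Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="_Object_InfoCard">'
    '<InformationCard xmlns="http://schemas.microsoft.com/ws/2005/05/identity" xml:lang="en-us">'
    '<CardId>urn:example:constructed-card</CardId><Hint/></InformationCard></Object>'
)


def canonical_form(xml_text, strip_whitespace=False):
    """Canonicalize the subtree (stdlib C14N 2.0, standing in for exc-c14n).
    strip_whitespace=True mimics a verifier that parses with preserveWhitespace(false):
    whitespace-only text nodes between elements are dropped before digesting."""
    return ET.canonicalize(xml_text, strip_text=strip_whitespace)


def reference_digest(xml_text, strip_whitespace=False):
    """Base64 SHA-1 over the canonical bytes, matching the sample's DigestMethod."""
    canonical = canonical_form(xml_text, strip_whitespace).encode("utf-8")
    return base64.b64encode(hashlib.sha1(canonical).digest()).decode("ascii")


def digest_matches(signed_digest, received_xml, strip_whitespace):
    """The verifier's Reference check: recompute the digest and compare to DigestValue."""
    return reference_digest(received_xml, strip_whitespace) == signed_digest


if __name__ == "__main__":
    # Signer side: the digest was computed over the indented form, whitespace included.
    signed = reference_digest(INDENTED_OBJECT)
    # A verifier that keeps whitespace reproduces it; one that drops it does not.
    print("preserveWhitespace(true): ", digest_matches(signed, INDENTED_OBJECT, False))
    print("preserveWhitespace(false):", digest_matches(signed, INDENTED_OBJECT, True))
    # <Hint></Hint> and <Hint/> canonicalize identically, so that diff is harmless.
    same = canonical_form(COMPACT_OBJECT) == canonical_form(COMPACT_OBJECT.replace("<Hint/>", "<Hint></Hint>"))
    print("empty-element form irrelevant:", same)
```

Serializing the Object without inter-element whitespace before signing (so the compact and indented digests coincide) removes the dependency on how the consumer's parser treats whitespace.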