
I have another problem with Counter Signature. This time I forced it to work... almost.

Below is the copy of the Signature:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86">
<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference Id="xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-ref0" URI="">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>tYHwvIGQOhMyX1gAfjLqUwxPaQVEbr9b5aVRNb1GLZA=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-signedprops">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>60WWYTr+S6Na75HS+IDlenFiSImMmDdJGn9VH/Jm00o=</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-sigvalue">
cbJxI3IQOBZqcsGTCl/kgBR3aqS876ck9glukj4gJh4QggnUW46+eb3yucrtxojyF4W9jwqhVmwP
IYUJpKjgDnRbIIrVKWYiLpQV70MqWsV8DKPLdzz7vofDZuWQAsKSlEQqzkd1JMQf/HkgDK0PbXCX
iXBCye/+W1eshR/byrU=
</ds:SignatureValue>
<ds:KeyInfo>
    <ds:X509Data>
        <ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
    </ds:X509Data>
</ds:KeyInfo>
<ds:Object>
    <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Target="#xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86">
        <xades:SignedProperties Id="xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-signedprops">
            <xades:SignedSignatureProperties>
                <xades:SigningTime>2014-07-08T15:14:22.357+02:00</xades:SigningTime>
                <xades:SigningCertificate>
                    <xades:Cert>
                        <xades:CertDigest>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                            <ds:DigestValue>XmRm5R3UpnVKBPiumnYVL6TXgnqCsbk0XF/JwA5he4c=</ds:DigestValue>
                        </xades:CertDigest>
                        <xades:IssuerSerial>
                            <ds:X509IssuerName>DELETED</ds:X509IssuerName>
                            <ds:X509SerialNumber>22</ds:X509SerialNumber>
                        </xades:IssuerSerial>
                    </xades:Cert>
                </xades:SigningCertificate>
            </xades:SignedSignatureProperties>
            <xades:SignedDataObjectProperties>
                <xades:CommitmentTypeIndication>
                    <xades:CommitmentTypeId>
                        <xades:Identifier>http://uri.etsi.org/01903/v1.2.2#ProofOfApproval</xades:Identifier>
                        <xades:Description>Indicates that the signer has approved the content of the signed data object</xades:Description>
                    </xades:CommitmentTypeId>
                    <xades:ObjectReference>#xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-ref0</xades:ObjectReference>
                </xades:CommitmentTypeIndication>
            </xades:SignedDataObjectProperties>
        </xades:SignedProperties>
        <xades:UnsignedProperties>
            <xades:UnsignedSignatureProperties>
                <xades:CounterSignature>
                    <ds:Signature Id="xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                            <ds:Reference Id="xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea-ref0" URI="#xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-sigvalue">
                                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                <ds:DigestValue>5bEeIUwcOzwar60fKN7CQrkhukdl1twK+h/J3iLgSso=</ds:DigestValue>
                            </ds:Reference>
                            <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea-signedprops">
                                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                <ds:DigestValue>VpjF9Ag6SUwezpv1FL/wSgLr5eBme67r3mXz9gqXegE=</ds:DigestValue>
                            </ds:Reference>
                        </ds:SignedInfo>
                        <ds:SignatureValue Id="xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea-sigvalue">
0V/J3Tgooevc0vkLAkd/2OGMN1mSvfy/Xn12iBTDEejcQR7c9JR96RIQpZGkYw23tufBf1uReLkf
R7mdHuOWIVeDJjPZYL+l9rP7dv9ceJMtjOxUUgY/codnb5yRv0LnhBkPVBBiEfIogqzsgSM99Rpw
byiAPW6jZT2Qb4MIrlc=
                        </ds:SignatureValue>
                        <ds:KeyInfo>
                            <ds:X509Data>
                                <ds:X509Certificate>
MIICODCCAaGgAwIBAgIBFjANBgkqhkiG9w0BAQUFADA0MQswCQYDVQQGEwJQTDEOMAwGA1UEChMF
cGVrYW8xFTATBgNVBAMUDENBX1BFS0FPX1NTTDAeFw0xNDA2MjYxMDU2MzdaFw0xNTA2MjYxMDU2
MzdaMF8xCzAJBgNVBAYTAlBMMQ4wDAYDVQQKEwVQRUtBTzEWMBQGA1UECxMNUGVrYW9CSVpORVMy
NDEoMCYGA1UEAxQfQkFSVE9TWiBK01pFRiBKQVJLT1dTS0ksIDcxMDU4NjCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA4ZlPMdEYmwlsy1wFoGTVGShW6nPyHHeAVm2r+nuin9ZOeRFlDl+PPyTJ
oZ6avZKCyt1R3o4oju7LmKQhlCsSR88CZrXF0vPovZjthblvrUJ742RC4laoiBSR9hZIg4CWorF1
rk3/bHobz3ZLCLg+P64RKmTI7WYrgCeHsBJMPfECAwEAAaMvMC0wCQYDVR0TBAIwADALBgNVHQ8E
BAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAiJqNtI1ml8OKSnB5
PzbhfCJlK+12SPFX6GcQkO6dF7ezNFzzC9bcD6MOkAEnR4IfEkD3CIl8Jx8v29XV/eCes3gDa9Z6
OSzVZpMBDFQicWtLfch7Xmh/KS2GFelbkiqHHf/UKfhcN32fsV86WOP6DOb8XMJLrcgmMz0bxvl3
yfM=
                                </ds:X509Certificate>
                            </ds:X509Data>
                        </ds:KeyInfo>
                        <ds:Object>
                            <xades:QualifyingProperties Target="#xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#">
                                <xades:SignedProperties Id="xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea-signedprops">
                                    <xades:SignedSignatureProperties>
                                        <xades:SigningTime>2014-07-08T15:17:53.877+02:00</xades:SigningTime>
                                        <xades:SigningCertificate>
                                            <xades:Cert>
                                                <xades:CertDigest>
                                                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                                    <ds:DigestValue>XmRm5R3UpnVKBPiumnYVL6TXgnqCsbk0XF/JwA5he4c=</ds:DigestValue>
                                                </xades:CertDigest>
                                                <xades:IssuerSerial>
                                                    <ds:X509IssuerName>DELETED</ds:X509IssuerName>
                                                    <ds:X509SerialNumber>22</ds:X509SerialNumber>
                                                </xades:IssuerSerial>
                                            </xades:Cert>
                                        </xades:SigningCertificate>
                                    </xades:SignedSignatureProperties>
                                </xades:SignedProperties>
                            </xades:QualifyingProperties>
                        </ds:Object>
                    </ds:Signature>
                </xades:CounterSignature>
            </xades:UnsignedSignatureProperties>
        </xades:UnsignedProperties>
    </xades:QualifyingProperties>
</ds:Object>

My Java code:

import java.util.ArrayList;
import java.util.Collection;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Element;
import xades4j.production.DataObjectReference;
import xades4j.production.EnvelopedSignatureTransform;
import xades4j.production.SignedDataObjects;
import xades4j.production.XadesFormatExtenderProfile;
import xades4j.production.XadesSignatureFormatExtender;
import xades4j.properties.CounterSignatureProperty;
import xades4j.properties.DataObjectDesc;
import xades4j.properties.UnsignedProperties;
import xades4j.properties.UnsignedSignatureProperty;

// docSource is the parsed org.w3c.dom.Document; signer is an already configured xades4j XadesSigner.
// Look for an existing ds:Signature element in the document.
Element signatureNode = (Element) docSource.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
// If signatureNode is null there is no signature in the file yet: create a new enveloped signature.
// If signatureNode is not null, extend the existing signature with a CounterSignature.
if (signatureNode != null)
{
    // Reference to the existing signature; note that sigValueRef is built here but never used below.
    String sigValueId = signatureNode.getAttribute(Constants._ATT_ID);
    DataObjectReference sigValueRef = new DataObjectReference('#' + sigValueId)
        .withType(CounterSignatureProperty.COUNTER_SIGNATURE_TYPE_URI);

    // Wrap the existing signature and add the counter signature as an unsigned property.
    XadesSignatureFormatExtender instance = (XadesSignatureFormatExtender) new XadesFormatExtenderProfile().getFormatExtender();
    XMLSignature sig = new XMLSignature(signatureNode, "");
    Collection<UnsignedSignatureProperty> usp = new ArrayList<UnsignedSignatureProperty>(1);
    usp.add(new CounterSignatureProperty(signer));
    instance.enrichSignature(sig, new UnsignedProperties(usp));
}
else
{
    // Sign the whole document (URI="") using the enveloped-signature transform.
    DataObjectDesc obj1 = new DataObjectReference("")
        .withTransform(new EnvelopedSignatureTransform());

    signer.sign(new SignedDataObjects(obj1), docSource.getDocumentElement());

    //new Enveloped(signer).sign(docSource.getDocumentElement());
}

When I try to verify this document (with two external applications) I get an error saying "Incorrect reference in countersign".

Now I'm investigating what went wrong. Did I forget to reference something?

EDIT: I checked with a different app and I think I got a better error message. It says exactly: Signature digest is not equal file digest.

Best Regards John S.

  • Did you try to verify this signature with XAdES4j? – lgoncalves Jul 09 '14 at 18:40
  • No, not yet. I checked with two external apps and both showing error :( – user3805907 Jul 09 '14 at 19:24
  • Can you try, please? To see if it's a problem also on xades4j. – lgoncalves Jul 09 '14 at 22:09
  • Hi! Sorry, I'm not able to create the Verify component. Any other idea on how to make it work? BTW, I created a class almost exactly the same as testSignBESWithCounterSig... And the verification also didn't work. – user3805907 Jul 10 '14 at 01:36
  • Hey! Can anyone look at the code and help me? I'm starting to think that xades4j is **not able** to produce a correct counter signature. – user3805907 Jul 10 '14 at 22:37
  • Your code seems ok. I've created a test using xades4j that does the same thing and then verifies the signature, and everything is ok. Of course this is not sufficient since xades4j is both producing and verifying the property. Do you have any signature created by a third party software that includes a counter signature? I could try to verify it using xades4j. – lgoncalves Jul 10 '14 at 23:25
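One way to narrow down an error like "Signature digest is not equal file digest" is to validate every reference of every signature on its own instead of relying on a single pass/fail verdict. The following is an added example, not code from the question or from xades4j: it uses only the JDK's built-in javax.xml.crypto.dsig API, takes the path of the signed document as its single argument, and reports, for the outer signature and for the counter signature, which reference digest and which signature value fail. It takes the public key from the embedded certificate and does not check certificate trust.

```java
import java.io.File;
import java.security.cert.X509Certificate;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class CounterSigCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Uses the public key of the first X509Certificate in ds:KeyInfo; certificate trust is not checked here.
    static final KeySelector CERT_KEY = new KeySelector() {
        public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p, AlgorithmMethod m, XMLCryptoContext c) throws KeySelectorException {
            for (Object o : ki.getContent())
                if (o instanceof X509Data)
                    for (Object x : ((X509Data) o).getContent())
                        if (x instanceof X509Certificate)
                            return () -> ((X509Certificate) x).getPublicKey();
            throw new KeySelectorException("no X509Certificate in KeyInfo");
        }
    };
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0])); // path of the signed XML (assumed argument)
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Document order: item 0 is the outer signature, item 1 the counter signature inside ds:Object.
        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Element sigEl = (Element) sigs.item(i);
            DOMValidateContext ctx = new DOMValidateContext(CERT_KEY, sigEl);
            // Register every Id attribute so same-document URIs such as "#...-sigvalue" can be dereferenced.
            NodeList all = doc.getElementsByTagName("*");
            for (int j = 0; j < all.getLength(); j++) {
                Element e = (Element) all.item(j);
                if (e.hasAttribute("Id")) ctx.setIdAttributeNS(e, null, "Id");
            }
            XMLSignature sig = fac.unmarshalXMLSignature(ctx);
            System.out.println("Signature " + sigEl.getAttribute("Id") + " valid: " + sig.validate(ctx));
            // Per-reference results pinpoint which digest does not match ("digest is not equal" errors).
            for (Object r : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) r;
                System.out.println("  ref " + ref.getURI() + " digest ok: " + ref.validate(ctx));
            }
            System.out.println("  signature value ok: " + sig.getSignatureValue().validate(ctx));
        }
    }
}
```

If the counter signature's reference to "#...-sigvalue" is the one that fails while its SignedProperties reference passes, the SignatureValue element was altered or re-serialized after the counter signature was computed; if the SignedProperties reference fails, the problem lies in the counter signature's own properties.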

0 Answers