I have the signature value (extracted from the XML data), the public key (extracted from a certificate), and the SignedInfo, which I have to canonicalize first. I've been verifying it, but it keeps reporting an invalid signature. Are there any other efficient methods for verifying XML signatures? Here is my code:
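/**
 * Verifies an RSA-SHA256 XML signature over the canonicalized `SignedInfo`.
 *
 * NOTE(review): `signedInfo` is not a parameter; it is read from the enclosing scope,
 * so the caller must make sure it holds the SignedInfo of the same document the
 * [signature] was taken from — confirm where it is set.
 *
 * Security notes:
 *  - The algorithm is fixed to SHA256withRSA instead of being read from the document;
 *    keep it that way so a weaker `SignatureMethod` in the input cannot be chosen.
 *  - Only the signature over SignedInfo is checked here. The `Reference` digests are
 *    not compared against the signed content and the `Reference` URIs are not checked,
 *    so `true` by itself does not prove the document body is authentic unless those
 *    checks happen elsewhere.
 *  - The canonicalization used by [canonicalizeXml] must match the document's
 *    `CanonicalizationMethod`, and SignedInfo must be canonicalized together with the
 *    namespace declarations it inherits from the enclosing `Signature` element; a
 *    fragment copied as plain text usually lacks them and yields different bytes.
 *  - NOTE(review): the JDK's `javax.xml.crypto.dsig` API (`XMLSignatureFactory`)
 *    performs these steps over the original DOM; consider it instead of a hand-rolled check.
 *
 * @param signature the Base64 `SignatureValue`; whitespace and line breaks are
 *   tolerated because `SignatureValue` is commonly line-wrapped.
 * @param breadcrumb handed to [getMcPubKey] to locate the verification key.
 * @return `true` only if the signature verifies; `false` on a mismatch or on any
 *   decode, canonicalization or crypto exception (logged to stderr).
 */
fun verify(signature: String, breadcrumb: Breadcrumb): Boolean {
    return try {
        val canonicalBytes = canonicalizeXml(signedInfo).toByteArray(Charsets.UTF_8)
        // Strip line wrapping before strict Base64 decoding: the basic decoder rejects
        // whitespace, so every wrapped SignatureValue would fail with an exception.
        val signatureBytes = java.util.Base64.getDecoder()
            .decode(signature.filterNot(Char::isWhitespace))
        val verifier = Signature.getInstance("SHA256withRSA").apply {
            initVerify(getMcPubKey(breadcrumb))
            update(canonicalBytes)
        }
        verifier.verify(signatureBytes)
    } catch (e: Exception) {
        // Was `Throwable`: Errors such as OutOfMemoryError should propagate rather than
        // be reported as "invalid signature".
        e.printStackTrace()
        false
    }
}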
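/**
 * Canonicalizes [xmlString] with inclusive C14N 1.0 (comments omitted) and returns the
 * canonical form decoded as UTF-8.
 *
 * The original used `return` inside an expression-bodied function, which Kotlin rejects;
 * the function now has a block body. The third `canonicalize` argument enables
 * Santuario's secure-validation mode and should stay `true` for untrusted input.
 *
 * NOTE(review): the caller has to re-encode the result as UTF-8 to obtain the signed
 * bytes; returning the `ByteArray` directly would avoid that round trip.
 * NOTE(review): Santuario registers its canonicalizers in
 * `org.apache.xml.security.Init.init()` — confirm it runs before the first call.
 *
 * @param xmlString the XML fragment to canonicalize; it must carry every namespace
 *   declaration it relies on, because the canonicalizer sees only this text.
 * @return the canonical XML as a UTF-8 string.
 * @throws Exception parser and canonicalization failures are not caught here.
 */
private fun canonicalizeXml(xmlString: String): String {
    val output = ByteArrayOutputStream()
    Canonicalizer
        .getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS)
        .canonicalize(xmlString.toByteArray(Charsets.UTF_8), output, true)
    // ByteArray.toString(Charset) works on every JVM; ByteArrayOutputStream.toString(Charset)
    // is only available from Java 10.
    return output.toByteArray().toString(Charsets.UTF_8)
}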