Posted to dev@santuario.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2015/02/12 11:27:03 UTC

Re: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

I'm getting a file not found error with this link:
http://apache-xml-project.6118.n7.nabble.com/attachment/41697/1/TestTSLAPI.zip

Colm.

On Wed, Feb 11, 2015 at 6:01 PM, tobias <to...@t-systems.com> wrote:

> In this package I've included everything you need to reproduce the issue.
> Currently the DOM support is enabled to reproduce the issue with the digest
> error. You can easily switch to the Stax support to reproduce the logging
> error.
>
>
>
> Kind regards
>
> Tobias Wolf
>
> *From:* Colm O hEigeartaigh-2 [via Apache XML Project] [mailto:[hidden email]]
> *Sent:* Tuesday, 10 February 2015 15:07
> *To:* Wolf, Tobias
> *Subject:* Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3
>
>
>
>
>
> You have a load of dependencies that aren't included, i.e. "IMCertUtil".
> Please create a test-case that I can just unzip + run without having to
> change any code.
>
> Colm.
>
>
>
> On Tue, Feb 10, 2015 at 12:50 PM, tobias <[hidden email]> wrote:
>
> Attached to this mail I send you all needed files including a JUnit test
> case. Currently I'm trying to sign with DOM but you can easily switch to
> Stax mode in the class TSLXmlSigner.
>
>
>
> *From:* Colm O hEigeartaigh-2 [via Apache XML Project] [mailto:[hidden email]]
> *Sent:* Tuesday, 10 February 2015 13:06
> *To:* Wolf, Tobias
> *Subject:* Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3
>
>
>
>
>
>
> Stax signer
> - When I set XMLSecurityProperties.setSignaturePosition(1); no signature is
> being written, with "0" the signature is written on the top of the file.
>
>
>
> I can't reproduce this. With "1", the Signature should be written out
> after the first child element. Could you create a test-case to reproduce
> the problem?
>
>
>
> Dom Verify
> - With this new version 2.0.3 I'm getting an exception, it was working with
> 2.0.2, but I need the RSA-PSS algorithm support, therefore I want to upgrade
> Caused by: org.apache.xml.security.exceptions.XMLSecurityException: Invalid digest of reference #ID_097f0764-9f73-4fb2-b2e0-7de370930288
>
>
>  Could you create a test-case to reproduce the problem?
>
>
> Another question is, why does that code:
>
>     String id = "ID_" + UUID.randomUUID().toString();
>     elementToSign.setAttributeNS(null, "Id", id);
>     elementToSign.setIdAttributeNS(null, "Id", true);
>
>     transforms = new Transforms(document);
>     transforms.addTransform("http://www.w3.org/2001/10/xml-exc-c14n#");
>     xmlSignature.addDocument("#" + id, transforms,
>             "http://www.w3.org/2000/09/xmldsig#sha1");
>
> set the id on the top of the xml document and also to the reference field?
>
> <TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#"
> Id="ID_90de3bdd-f5dd-4b66-af7f-39ad07dc2eed"
> TSLTag="http://uri.etsi.org/02231/TSLTag">
> <ds:Reference URI="#ID_90de3bdd-f5dd-4b66-af7f-39ad07dc2eed">
>
> Is that a correct behaviour?
>
>
>
> Yes, the reference URI points to the Element that is signed (in this case
> TrustServiceStatusList).
>
> Colm.
>
> --
>
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [WARNING : A/V UNSCANNABLE]AW: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

Posted by Colm O hEigeartaigh <co...@apache.org>.
I've fixed that, thanks.

Colm.

On Mon, Feb 16, 2015 at 10:56 AM, tobias <to...@t-systems.com> wrote:

> Yes will do. Another thing I found is you are defining algorithm in your
> signature, but you're not using it. Maybe you want to verify that.
>
>
>
> public static ByteArrayOutputStream signUsingStAX(
>         InputStream inputStream,
>         List<QName> namesToSign,
>         String algorithm,
>         Key signingKey,
>         X509Certificate signingCert
>     ) throws Exception {
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [WARNING : A/V UNSCANNABLE]AW: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

Posted by tobias <to...@t-systems.com>.
Yes will do. Another thing I found is you are defining algorithm in your
signature, but you're not using it. Maybe you want to verify that.

 

public static ByteArrayOutputStream signUsingStAX(
        InputStream inputStream,
        List<QName> namesToSign,
        String algorithm,
        Key signingKey,
        X509Certificate signingCert
    ) throws Exception {




Re: [WARNING : A/V UNSCANNABLE]AW: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

Posted by Colm O hEigeartaigh <co...@apache.org>.
You can add transforms when defining the "SecurePart" to be signed, e.g.:

 String[] transforms = new String[2];
 transforms[0] = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
 transforms[1] = "http://www.w3.org/2001/10/xml-exc-c14n#";
 securePart.setTransforms(transforms);

Colm.

On Mon, Feb 16, 2015 at 10:54 AM, tobias <to...@t-systems.com> wrote:

> How can I do the transforms.addTransform(TRANSFORM_ENVELOPED_SIGNATURE); in
> StAX mode?



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [WARNING : A/V UNSCANNABLE]AW: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

Posted by tobias <to...@t-systems.com>.
How can I do the transforms.addTransform(TRANSFORM_ENVELOPED_SIGNATURE); in
StAX mode?




Re: [WARNING : A/V UNSCANNABLE]AW: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

Posted by Colm O hEigeartaigh <co...@apache.org>.
I checked with my testcase using "PurchaseOrder" as the node to sign +
adding the enveloped transform first, and the interop test works fine.
Maybe start from there and try to figure out why your testcase isn't
working?

https://github.com/coheigea/testcases/tree/master/apache/santuario/santuario-xml-signature

Colm.

On Fri, Feb 13, 2015 at 4:46 PM, tobias <to...@t-systems.com> wrote:

> That works! Thank you!
>
>
>
> Another question is when I sign using Stax and verify using Dom I'm
> getting the following exception:
>
>
>
> *org.w3c.dom.DOMException*: NOT_FOUND_ERR: Es wurde versucht, einen
> Knoten in einem Kontext zu referenzieren, in dem er nicht vorhanden ist.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

AW: [WARNING : A/V UNSCANNABLE]AW: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

Posted by tobias <to...@t-systems.com>.
That works! Thank you!

Another question is when I sign using Stax and verify using Dom I'm getting the following exception:

org.w3c.dom.DOMException: NOT_FOUND_ERR: Es wurde versucht, einen Knoten in einem Kontext zu referenzieren, in dem er nicht vorhanden ist.


Re: [WARNING : A/V UNSCANNABLE]AW: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok the issue here is that you are signing the root Element of the document,
and then appending the Signature to the first child of the Document. So the
Signature is included in the signature verification and hence the failure.
XML Signature has a special transform for this use-case to tell it to
ignore the Signature. So in your "TSLXmlSigner" the transforms should be:

transforms = new Transforms(document);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
transforms.addTransform("http://www.w3.org/2001/10/xml-exc-c14n#");

Colm.

On Fri, Feb 13, 2015 at 7:44 AM, tobias <to...@t-systems.com> wrote:

> I'm sending it again, don't know what problem it is.
>
>
>
> I'm getting a file not found error with this link:
> http://apache-xml-project.6118.n7.nabble.com/attachment/41697/1/TestTSLAPI.zip
>
> Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
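
The digest failure explained in the message above, reproduced as an added example (not code from this thread or from the Santuario project): the root element is signed with the Signature placed inside it, once with exc-c14n only and once with the enveloped-signature transform first. The sample document, the urn:example:po namespace, the RSA-SHA256/SHA-256 algorithm choice and the throwaway key pair are assumptions made for the example; it needs the xmlsec jar on the classpath.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.UUID;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class EnvelopedSignatureDemo {

    // Signs the root element with the Signature appended inside it, then verifies.
    static boolean signAndVerify(KeyPair keys, boolean enveloped) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        // Constructed sample document: <PurchaseOrder Id="ID_..."><Item>book</Item></PurchaseOrder>
        Element root = doc.createElementNS("urn:example:po", "PurchaseOrder");
        doc.appendChild(root);
        root.appendChild(doc.createElementNS("urn:example:po", "Item")).setTextContent("book");
        String id = "ID_" + UUID.randomUUID();
        root.setAttributeNS(null, "Id", id);
        root.setIdAttributeNS(null, "Id", true);

        XMLSignature signature = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        root.appendChild(signature.getElement()); // Signature is now a descendant of the signed element

        Transforms transforms = new Transforms(doc);
        if (enveloped) {
            // Removes the enclosing ds:Signature from the input to the digest.
            transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        }
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        signature.addDocument("#" + id, transforms, "http://www.w3.org/2001/04/xmlenc#sha256");
        signature.sign(keys.getPrivate());

        // Re-digests the referenced element from the current DOM and checks SignatureValue.
        return signature.checkSignatureValue(keys.getPublic());
    }

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keys = kpg.generateKeyPair();
        System.out.println("exc-c14n only:        " + signAndVerify(keys, false));
        System.out.println("enveloped + exc-c14n: " + signAndVerify(keys, true));
    }
}
```

Without the enveloped transform the digest is computed while DigestValue and SignatureValue are still empty, so the filled-in Signature element changes the referenced content by the time it is verified.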

[WARNING : A/V UNSCANNABLE]AW: [WARNING : A/V UNSCANNABLE]AW: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.3

Posted by tobias <to...@t-systems.com>.
I'm sending it again, don't know what problem it is.

I'm getting a file not found error with this link: http://apache-xml-project.6118.n7.nabble.com/attachment/41697/1/TestTSLAPI.zip

Colm.




TestTSLAPI.zip (7M) <http://apache-xml-project.6118.n7.nabble.com/attachment/41705/0/TestTSLAPI.zip>