Posted to dev@santuario.apache.org by Ma...@micorp.com on 2004/11/29 23:01:50 UTC
X509CertificateResolver Does Not Use My StorageResolver
Hi,
I am trying to verify the following XML digital signature:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:C="http://www.routeone.com/namespace.messaging.CreditApplication#"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Body">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>niQfM6RR1CP+V1Puf9FlaXRNcFQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>EQjU1zV9WpsCj0+tTJ6pYw4YjM3Ir+OgWsCGijjKGZ1kkNOgWlFkdbDbmb8wzcAaYHVVJrplVpOVC05jd4cX7N9doFDDjRhKobaYUogRErJV86wWpsZ4iP77/DqPy0Egw9laycMv0BxxoWgeW3TQ11EioKiA/sx1nIEudaQRlWjlkeWiU7U+8eCVzWYMNkuh/kEhMo8CqYxpoOFSELRLIuMzT/gcrqvbesTUVkuYXSSs4ZTL9wzYfAYZpyk4ES7WpD7lT6/bW741S9DjJq/4H/bP8kkyBxku9sRIYF5DHXDIwbcj7SWbyZ/por+vmxGI2jR3xByxMEGo+FK2MHDDtQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate/>
<X509IssuerSerial>
<X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign,
Inc.", O=VeriSign Trust Network</X509IssuerName>
<X509SerialNumber>77581175974713717168815171532918991769</X509SerialNumber>
</X509IssuerSerial></X509Data></KeyInfo></Signature>
Because I have the public certificate from the partner, I was hoping to
use the addStorageResolver method of KeyInfo to install a StorageResolver with
the public certificate to help with decryption. The Resolver-Mania docs
tell me the following:
"If there is only key material identification information like a
ds:KeyName or the serial number of the Certificate, the KeyResolver must
use the StorageResolvers to query the available keys and certificates to
find the correct one."
Here is my code, hacked from the VerifySignature class:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.signature.XMLSignature;

XMLSignature signature = new XMLSignature(sigElement, f.toURL().toString());
signature.addResourceResolver(new OfflineResolver());

// begin hack: load the partner's public certificate from disk
InputStream inStream = new FileInputStream("c:\\temp\\RouteOne\\New RouteOne DSig_SSL.cer");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
inStream.close();
// end hack

// XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
KeyInfo ki = signature.getKeyInfo();
if (ki != null) {
    // offer the partner certificate to the key resolvers
    ki.addStorageResolver(new StorageResolver(cert));
    if (ki.containsX509Data()) {
        System.out.println("Could find a X509Data element in the KeyInfo");
    }
    // this is the call that blows up (VerifySignature.java:155 in the trace below)
    cert = signature.getKeyInfo().getX509Certificate();
}
From looking at the code, it doesn't look like the X509CertificateResolver
is attempting to query the available keys (my public certificate). Here
is some logging and the inevitable stack trace:
211 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
211 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
261 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Found SHA1WithRSAEncryption from provider BC
271 [main] DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA - Created SignatureDSA using SHA1WithRSAEncryption BC
301 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("KeyInfo", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
321 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Data", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
331 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
331 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509IssuerSerial", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
X509Data(0)="Certificate IssuerSerial "
Could find a X509Data element in the KeyInfo
331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - Start getX509CertificateFromInternalResolvers() with 0 resolvers
331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - I couldn't find a X509Certificate using the per-KeyInfo key resolvers
331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - Start getX509CertificateFromStaticResolvers() with 7 resolvers
331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver - Can I resolve X509Data
331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver - Can I resolve X509Data?
341 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver - Yes Sir, I can
341 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
java.lang.NullPointerException
    at org.apache.xml.security.utils.ElementProxy.getBytesFromTextChild(Unknown Source)
    at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getCertificateBytes(Unknown Source)
    at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getX509Certificate(Unknown Source)
    at org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver.engineResolveX509Certificate(Unknown Source)
    at org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
    at org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
    at org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown Source)
    at org.apache.xml.security.samples.signature.VerifySignature.main(VerifySignature.java:155)
Am I reading the usage docs incorrectly, or do I need to implement some
custom stuff? Any pointers would be very helpful.
Regards,
Matthew Hanson
Marshall & Ilsley Corporation
Office: (608) 252-5987
Fax: (608) 252-5811
matthew.hanson@micorp.com
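[Editor's added example; this is not code from the poster or from the Santuario project.] Two things stand out in the post above. First, the stack trace shows X509CertificateResolver answering "Yes Sir, I can" and then dying in getBytesFromTextChild on the empty <X509Certificate/> element, so execution never reaches a resolver that would consult the StorageResolver. Second, and more important from a security standpoint: ds:KeyInfo is not covered by the single Reference (URI="#Body"), so it is unsigned, sender-controlled data and should never be what picks the verification key. When you already hold the partner's certificate out of band, verify against that certificate directly and use the message's X509IssuerSerial only as an early sanity check. The program below does that with the Apache XML Security 1.x API (Init.init, XMLSignature(Element, String), KeyInfo.addStorageResolver, XMLSignature.checkSignatureValue(X509Certificate)); the class name VerifyWithPinnedCert, the two helper methods, the command-line arguments and the Xerces-specific disallow-doctype-decl feature are this example's own assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not the poster's or the Santuario project's code): verify a
 * ds:Signature against a certificate obtained out of band, treating the
 * message's own ds:KeyInfo as an untrusted hint rather than as the key source.
 */
public class VerifyWithPinnedCert {

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = signed XML file, args[1] = the partner's .cer file.
        String signedXmlPath = args[0];
        String partnerCerPath = args[1];

        Init.init();

        // The certificate received from the partner out of band is the trust anchor.
        X509Certificate pinned;
        try (InputStream in = new FileInputStream(partnerCerPath)) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The signed document comes from outside; refuse DTDs so it cannot pull in
        // external entities (Xerces feature name, assumed to be the parser in use).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc;
        try (InputStream in = new FileInputStream(signedXmlPath)) {
            doc = dbf.newDocumentBuilder().parse(in);
        }

        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("expected exactly one ds:Signature, found " + sigs.getLength());
        }
        String baseUri = new File(signedXmlPath).toURI().toString();
        XMLSignature signature = new XMLSignature((Element) sigs.item(0), baseUri);
        KeyInfo ki = signature.getKeyInfo();
        if (ki == null) {
            throw new IllegalStateException("ds:KeyInfo missing");
        }

        // The trace in the post shows X509CertificateResolver dereferencing an empty
        // <X509Certificate/> before any StorageResolver is consulted. KeyInfo lies outside
        // the signed Reference (#Body), so dropping the empty element does not alter a digest.
        removeEmptyX509CertificateElements(ki.getElement());

        // Use the message's ds:X509IssuerSerial only to detect a wrong-key situation early.
        checkSerialHint(ki.getElement(), pinned);

        // Offer the pinned certificate to the resolvers, but verify against it directly:
        // the outcome must not depend on what the unsigned KeyInfo claims.
        ki.addStorageResolver(new StorageResolver(pinned));
        boolean valid = signature.checkSignatureValue(pinned);
        System.out.println(valid ? "signature valid" : "signature INVALID");
    }

    /** Remove ds:X509Certificate children that carry no base64 text. */
    static void removeEmptyX509CertificateElements(Element keyInfo) {
        NodeList certs = keyInfo.getElementsByTagNameNS(Constants.SignatureSpecNS, "X509Certificate");
        List<Element> empty = new ArrayList<Element>();
        for (int i = 0; i < certs.getLength(); i++) {
            Element c = (Element) certs.item(i);
            if (c.getTextContent().trim().isEmpty()) {
                empty.add(c);
            }
        }
        for (Element c : empty) {
            c.getParentNode().removeChild(c); // collected first: the NodeList is live
        }
    }

    /** Fail fast if the serial in ds:X509IssuerSerial is not the pinned certificate's serial. */
    static void checkSerialHint(Element keyInfo, X509Certificate pinned) {
        NodeList serials = keyInfo.getElementsByTagNameNS(Constants.SignatureSpecNS, "X509SerialNumber");
        if (serials.getLength() == 0) {
            return; // no hint present; the pinned certificate still decides
        }
        BigInteger claimed = new BigInteger(serials.item(0).getTextContent().trim());
        if (!claimed.equals(pinned.getSerialNumber())) {
            throw new SecurityException("ds:X509SerialNumber " + claimed
                    + " does not match pinned certificate serial " + pinned.getSerialNumber());
        }
        // The issuer DN is deliberately not string-compared here: that needs RFC 2253
        // normalization to be reliable, and serial plus pinned key already fix the signer.
    }
}
```

Usage: java VerifyWithPinnedCert R1_Signed_Sample.xml "New RouteOne DSig_SSL.cer". Two caveats. checkSignatureValue only succeeds if the Reference URI="#Body" can be dereferenced, which means the library has to recognise an ID attribute on the Body element; if it does not in your version, the 1.x line offered IdResolver.registerElementById(Element, String) to register it by hand. And the certificate check here is intentionally thin: whether to additionally validate the pinned certificate's chain, validity period and revocation status is a policy decision for the trust relationship with the partner, not something the message can be allowed to decide.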
Re: X509CertificateResolver Does Not Use My StorageResolver
Posted by Raul Benito <ra...@r-bg.com>.
Matthew.Hanson@micorp.com wrote:
>
> Hi,
>
> I am trying to verify the following XML digital signature:
>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
> xmlns:C="http://www.routeone.com/namespace.messaging.CreditApplication#"
> xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#Body">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>niQfM6RR1CP+V1Puf9FlaXRNcFQ=</DigestValue>
> </Reference>
> </SignedInfo>
>
> <SignatureValue>EQjU1zV9WpsCj0+tTJ6pYw4YjM3Ir+OgWsCGijjKGZ1kkNOgWlFkdbDbmb8wzcAaYHVVJrplVpOVC05jd4cX7N9doFDDjRhKobaYUogRErJV86wWpsZ4iP77/DqPy0Egw9laycMv0BxxoWgeW3TQ11EioKiA/sx1nIEudaQRlWjlkeWiU7U+8eCVzWYMNkuh/kEhMo8CqYxpoOFSELRLIuMzT/gcrqvbesTUVkuYXSSs4ZTL9wzYfAYZpyk4ES7WpD7lT6/bW741S9DjJq/4H/bP8kkyBxku9sRIYF5DHXDIwbcj7SWbyZ/por+vmxGI2jR3xByxMEGo+FK2MHDDtQ==</SignatureValue>
>
> <KeyInfo>
> <X509Data>
> <X509Certificate/>
> <X509IssuerSerial>
> <X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY
> LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3,
> OU="VeriSign, Inc.", O=VeriSign Trust Network</X509IssuerName>
> <X509SerialNumber>77581175974713717168815171532918991769</X509SerialNumber>
>
> </X509IssuerSerial></X509Data></KeyInfo></Signature>
>
> Because I have the public certificate from the partner, I was hoping
> to use addStorageResolver method of KeyInfo to install a
> StorageResolver with the public certificate to help with decryption.
> The Resolver-Mania docs tell me the following:
>
> "If there is only key material identification information like a
> ds:KeyName or the serial number of the Certificate, the KeyResolver
> must use the StorageResolvers to query the available keys and
> certificates to find the correct one."
>
> Here is my code, hacked from the VerifySignature class:
>
> XMLSignature signature = new XMLSignature(sigElement,
> f.toURL().toString());
>
> signature.addResourceResolver(new OfflineResolver());
>
> // begin hack
> InputStream inStream = new
> FileInputStream("c:\\temp\\RouteOne\\New RouteOne DSig_SSL.cer");
> CertificateFactory cf = CertificateFactory.getInstance("X.509");
> X509Certificate cert =
> (X509Certificate)cf.generateCertificate(inStream);
> inStream.close();
> // end hack
>
> // XMLUtils.outputDOMc14nWithComments(signature.getElement(),
> System.out);
> KeyInfo ki = signature.getKeyInfo();
> ki.addStorageResolver(new StorageResolver(cert));
> if (ki != null) {
> if (ki.containsX509Data()) {
> System.out
> .println("Could find a X509Data element in the
> KeyInfo");
> }
>
> cert = signature.getKeyInfo().getX509Certificate();
>
> From looking at the code, it doesn't look like the
> X509CertificateResolver is attempting to query the available keys (my
> public certificate). Here is some logging and the inevitable stack
> trace:
>
> 211 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm
> - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class
> "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
>
> 211 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper -
> Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
> 261 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Found
> SHA1WithRSAEncryption from provider BC
> 271 [main] DEBUG
> org.apache.xml.security.algorithms.implementations.SignatureBaseRSA -
> Created SignatureDSA using SHA1WithRSAEncryption BC
> 301 [main] DEBUG org.apache.xml.security.utils.ElementProxy -
> setElement("KeyInfo",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 321 [main] DEBUG org.apache.xml.security.utils.ElementProxy -
> setElement("X509Data",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy -
> setElement("X509Certificate",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy -
> setElement("X509IssuerSerial",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> X509Data(0)="Certificate IssuerSerial "
> Could find a X509Data element in the KeyInfo
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - Start
> getX509CertificateFromInternalResolvers() with 0 resolvers
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - I couldn't
> find a X509Certificate using the per-KeyInfo key resolvers
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - Start
> getX509CertificateFromStaticResolvers() with 7 resolvers
> 331 [main] DEBUG
> org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver
> - Can I resolve X509Data
> 331 [main] DEBUG
> org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver
> - Can I resolve X509Data?
> 341 [main] DEBUG
> org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver
> - Yes Sir, I can
> 341 [main] DEBUG org.apache.xml.security.utils.ElementProxy -
> setElement("X509Certificate",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> java.lang.NullPointerException
> at
> org.apache.xml.security.utils.ElementProxy.getBytesFromTextChild(Unknown
> Source)
> at
> org.apache.xml.security.keys.content.x509.XMLX509Certificate.getCertificateBytes(Unknown
> Source)
> at
> org.apache.xml.security.keys.content.x509.XMLX509Certificate.getX509Certificate(Unknown
> Source)
> at
> org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver.engineResolveX509Certificate(Unknown
> Source)
> at
> org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown
> Source)
> at
> org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown
> Source)
> at
> org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown Source)
> at
> org.apache.xml.security.samples.signature.VerifySignature.main(VerifySignature.java:155)
>
>
> Am I reading the usage docs incorrectly, or do I need to implement
> some custom stuff? Any pointers would be very helpful.
>
> Regards,
> Matthew Hanson
>
> Marshall & Ilsley Corporation
> Office: (608) 252-5987
> Fax: (608) 252-5811
> matthew.hanson@micorp.com
What version of xml-sec are you using?
Thnx,
Raul