Posted to dev@santuario.apache.org by Markus Werner <ma...@gmx.at> on 2006/09/01 11:27:07 UTC

Re: dumping the canonical form of a Reference to a log or stdout

Hi Sean,

thank you for your reply. The following lines of code provide the
expected result:

SignedInfo signedInfo = sig.getSignedInfo();
for (int i = 0; i < signedInfo.getLength(); i++) {
   Reference reference = signedInfo.item(i);
   // System.out.println(reference.getContentsAfterTransformation());
   System.out.println(new String(reference.getReferencedBytes()));
}

The client-side output is something like the following:

<foo:bar Id="ref0815">rest is the same</foo:bar>

while the server-side output is as follows:

<foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
    rest is the same</foo:bar>

Both outputs seem to be correctly canonicalized, but the digest input on
the server-side includes an additional namespace declaration in the
opening tag of <foo:bar>.

What can cause this?

Thank you in advance,
Markus.


Sean Mullan schrieb:
> I would try calling Reference.getContentsAfterTransformation (returns an
> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
> each of which returns the dereferenced and transformed contents before it
> is digested. I haven't really used those methods so I'm hoping someone
> on the list that is more familiar with them will send you some sample code.
> 
> --Sean
> 
> Markus Werner wrote:
>> Hi,
>>
>> first of all, I'm relatively new to Apache XML Security, so please be
>> patient   :-)
>>
>> My job is to sign an element inside a DOM-Document with the help of a
>> secretKey. Let the element that should be signed be called <Foo> and its
>> Id be "id" in the code snippet beneath. The signature should be a detached
>> signature.
>>
>> ---------------------------------------------------------------------
>> private static Document sign(
>>     Document doc, String id, SecretKey secretKey)
>> throws Exception
>> {
>>   XMLSignature sig = new XMLSignature(doc, baseURI,
>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>
>>   Node root = doc.getFirstChild();
>>   root.appendChild(sig.getElement());
>>
>>   Transforms transforms = new Transforms(doc);
>>   transforms.addTransform(
>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>>
>>   sig.addDocument("#" + id, transforms,
>>       Constants.ALGO_ID_DIGEST_SHA1);
>>   sig.sign(secretKey);
>>
>>   return doc;
>> }
>> ---------------------------------------------------------------------
>>
>> I'm working here on the client-side and the server responds that there
>> is something wrong with the digest value of the signed reference while
>> the SignedInfo is correctly digested.
>>
>> To be sure what went wrong, we have to compare the digest inputs (value
>> after canonicalization) on both sides. I already got the canonicalized
>> Element as String from the server-side and I should do the same with my
>> implementation.
>>
>> When I use the following lines of code to save the document immediately
>> before signing it, I get the whole document in a canonicalized form.
>>
>>   FileOutputStream f = new FileOutputStream("test.xml");
>>   XMLUtils.outputDOMc14nWithComments(doc, f);
>>
>> But I only need the canonicalized form of the referenced element <Foo>.
>> Is there some way to dump the canonical form of a Reference to a log or
>> stdout?
>>
>> Best regards,
>> Markus.
> 
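The loop above prints the digest input of each Reference; the following added example (not code from the thread or from the Apache Santuario project) goes one step further and recomputes the digest over exactly those bytes and compares it with the DigestValue the signature carries, which is what the verifying side does and what fails when one side canonicalizes with a namespace declaration the other side does not. It assumes the xmlsec 1.x API used in the thread (`org.apache.xml.security.*`, `Reference.getReferencedBytes()` returning the transformed bytes, `Reference.getDigestValue()` returning the stored digest), Java 8 or later for `java.util.Base64`, a constructed document in which `foo:bar` carries `Id="ref0815"` as in the output quoted above, and a constructed placeholder HMAC key.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class DigestInputCheck {

    // Constructed document: xmlns:foo is declared on the root only; the signed
    // element merely uses the prefix, which is the situation in the thread.
    static final String DOC =
        "<foo:root xmlns:foo=\"http://www.asdf.org/foo#\">"
      + "<foo:bar Id=\"ref0815\">rest is the same</foo:bar>"
      + "</foo:root>";

    // Constructed placeholder key; a real deployment shares a proper secret.
    static final byte[] KEY = "constructed-demo-key-not-secret".getBytes(StandardCharsets.UTF_8);

    /** Parse namespace-aware so that the prefix binding is visible to C14N. */
    static Document parseNamespaceAware(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        // Register Id as an ID attribute so "#ref0815" can be dereferenced
        // (DOM Level 3; newer xmlsec releases rely on this instead of guessing).
        Element bar = (Element) doc.getElementsByTagNameNS("http://www.asdf.org/foo#", "bar").item(0);
        bar.setIdAttributeNS(null, "Id", true);
        return doc;
    }

    /** Detached HMAC-SHA1 signature over #ref0815 with Exclusive C14N, as in the thread. */
    static XMLSignature sign(Document doc) throws Exception {
        XMLSignature sig = new XMLSignature(doc, "",
            XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
            Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        doc.getDocumentElement().appendChild(sig.getElement());
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#ref0815", transforms, Constants.ALGO_ID_DIGEST_SHA1);
        sig.sign(new SecretKeySpec(KEY, "HmacSHA1"));
        return sig;
    }

    /** SHA-1 over a candidate digest input, base64-encoded as it appears in <ds:DigestValue>. */
    static String sha1Base64(byte[] digestInput) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-1").digest(digestInput));
    }

    /**
     * For every Reference: print the exact bytes that were digested, the digest
     * recomputed over them, and the DigestValue stored in the signature.
     * Returns true only if every reference agrees.
     */
    static boolean dumpAndCheck(XMLSignature sig) throws Exception {
        SignedInfo signedInfo = sig.getSignedInfo();
        boolean allMatch = true;
        for (int i = 0; i < signedInfo.getLength(); i++) {
            Reference ref = signedInfo.item(i);
            byte[] input = ref.getReferencedBytes();   // after transforms, before digesting
            String computed = sha1Base64(input);       // the digest method chosen in sign()
            String stored = Base64.getEncoder().encodeToString(ref.getDigestValue());
            System.out.println("Reference " + ref.getURI());
            System.out.println("  digest input : " + new String(input, StandardCharsets.UTF_8));
            System.out.println("  recomputed   : " + computed);
            System.out.println("  DigestValue  : " + stored);
            allMatch &= computed.equals(stored);
        }
        return allMatch;
    }

    public static void main(String[] args) throws Exception {
        Init.init(); // must run once before any xmlsec class is used
        XMLSignature sig = sign(parseNamespaceAware(DOC));
        System.out.println("all references consistent: " + dumpAndCheck(sig));
        // To settle which side of a mismatch is right, feed the other side's
        // canonical string to sha1Base64() and compare with its DigestValue.
    }
}
```

With the namespace-aware parse the printed digest input is `<foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">rest is the same</foo:bar>`, the same form as the server-side output quoted above; the `sha1Base64` helper is what lets you test a peer's canonical string against the DigestValue it sent without re-running its signing code.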

Re: dumping the canonical form of a Reference to a log or stdout

Posted by Raul Benito <ra...@apache.org>.
Markus, I'm not a JDOM expert; well, I have never used it. But it seems
to me that JDOM is not creating a namespace-aware DOM tree. To see
what it means, instead of
      DOMOutputter outputter = new DOMOutputter();
      return outputter.output(jdomDoc);

just write it to a byte array or a String, and parse it again with
DocumentBuilder.parse, with the DocumentBuilder namespace-aware.

Regards,

Raul
On 9/4/06, Markus Werner <ma...@gmx.at> wrote:
> Hi Raul,
>
> the client side uses Apache XML Security for Java 1.3.0 [1].
>
> The XML-Document is created using JDOM first and then it is translated
> into a org.w3c.Document using the following function:
>
>     public org.w3c.dom.Document convertToDOM(Document jdomDoc)
>     throws JDOMException
>     {
>         DOMOutputter outputter = new DOMOutputter();
>         return outputter.output(jdomDoc);
>     }
>
> The resulting DOM-Document will then be signed, which leads to the
> output shown below. It is not possible to create the
> DOM-document directly in my implementation, i.e. the workaround using
> JDOM first is necessary.
>
> I extended the conversion function as follows:
>
>     public static Document convertToJDOM(org.w3c.dom.Document domDoc)
>     throws JDOMException, ParserConfigurationException
>     {
>         javax.xml.parsers.DocumentBuilderFactory dbf =
>             javax.xml.parsers.DocumentBuilderFactory.newInstance();
>         dbf.setNamespaceAware(true);
>
>         javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
>         org.w3c.dom.Document doc = db.newDocument();
>
>         // input missing link here
>
>         DOMBuilder builder = new DOMBuilder();
>         return builder.build(domDoc);
>     }
>
> But I wasn't able to fill the missing link between the DocumentBuilder
> and the final org.w3c.Document. Would anyone please be so kind as to help
> me with that?
>
> Thank you in advance,
> Markus.
>
> --
> [1] http://xml.apache.org/security/dist/java-library/
>
>
> Raul Benito schrieb:
> > Hi Markus,
> >
> > The output from the server side is correct. In the client, what
> > version of xmlsec are you using? Are you creating the
> > org.w3c.Document namespace-aware?
> >
> > Regards,
> >
> > Raul
> >
> > On 9/2/06, Markus Werner <ma...@gmx.at> wrote:
> >> Hi Sean,
> >>
> >> The server processes exactly the same message, since it is sent by the
> >> client to the server. Here is the abbreviated message I send to the
> >> server:
> >>
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> >> <soap:Body>
> >> <xmks:RegisterRequest xmlns:xmks="http://www.w3.org/2002/03/xkms#"
> >> xmlns:ds="http://www.w3.org/2000/09/xmldsig#" [snip]>
> >> [snip]
> >> <xmks:PrototypeKeyBinding Id="_foobar">
> >> [snip]
> >> </xmks:PrototypeKeyBinding>
> >> <xmks:Authentication>
> >> <xmks:KeyBindingAuthentication>
> >> <ds:Signature>
> >> <ds:SignedInfo>
> >> <ds:CanonicalizationMethod
> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >> <ds:SignatureMethod
> >> Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
> >> <ds:Reference URI="#_foobar">
> >> <ds:Transforms>
> >> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >> </ds:Transforms>
> >> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >> <ds:DigestValue>FQcqlzTyFLwFBdJb5tgN1Vd3H+g=</ds:DigestValue>
> >> </ds:Reference>
> >> </ds:SignedInfo>
> >> <ds:SignatureValue>VchVOu8J+qwBuRTVjxECrV5xH+I=</ds:SignatureValue>
> >> <ds:KeyInfo>
> >> <ds:KeyName>XKMSInteropClient</ds:KeyName>
> >> </ds:KeyInfo>
> >> </ds:Signature>
> >> </xmks:KeyBindingAuthentication>
> >> </xmks:Authentication>
> >> </xmks:RegisterRequest>
> >> </soap:Body>
> >> </soap:Envelope>
> >>
> >> The server calculates the following digest input:
> >>
> >> <xmks:PrototypeKeyBinding xmlns:xmks="http://www.w3.org/2002/03/xkms#"
> >> Id="_foobar">[snip]</xmks:PrototypeKeyBinding>
> >>
> >> while the client calculates the following digest input:
> >>
> >> <xmks:PrototypeKeyBinding Id="_foobar">[snip]</xmks:PrototypeKeyBinding>
> >>
> >> The server-side uses another implementation of XML Signature that I
> >> don't know. The only thing I know is that it is not Apache XML Security.
> >>
> >> TIA,
> >> Markus.
> >>
> >>
> >> Sean Mullan wrote:
> >> > I don't have enough information, but it sounds like when canonicalizing
> >> > on the client, it doesn't find the namespace definition for foo. Is it
> >> > defined by an ancestor of the bar element on the server but not on the
> >> > client?
> >> >
> >> > --Sean
> >> >
> >> > Markus Werner wrote:
> >> >> Hi Sean,
> >> >>
> >> >> thank you for your reply. The following lines of code provide the
> >> >> expected result:
> >> >>
> >> >> SignedInfo signedInfo = sig.getSignedInfo();
> >> >> for (int i = 0; i < signedInfo.getLength(); i++) {
> >> >>    Reference reference = signedInfo.item(i);
> >> >>    // System.out.println(reference.getContentsAfterTransformation());
> >> >>    System.out.println(new String(reference.getReferencedBytes()));
> >> >> }
> >> >>
> >> >> The client-side output is something like the following:
> >> >>
> >> >> <foo:bar Id="ref0815">rest is the same</foo:bar>
> >> >>
> >> >> while the server-side output is as follows:
> >> >>
> >> >> <foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
> >> >>     rest is the same</foo:bar>
> >> >>
> >> >> Both outputs seem to be correctly canonicalized, but the digest input on
> >> >> the server-side includes an additional namespace declaration in the
> >> >> opening tag of <foo:bar>.
> >> >>
> >> >> What can cause this?
> >> >>
> >> >> Thank you in advance,
> >> >> Markus.
> >> >>
> >> >>
> >> >> Sean Mullan schrieb:
> >> >>> I would try calling Reference.getContentsAfterTransformation (returns an
> >> >>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
> >> >>> each of which returns the dereferenced and transformed contents before it
> >> >>> is digested. I haven't really used those methods so I'm hoping someone
> >> >>> on the list that is more familiar with them will send you some sample
> >> >>> code.
> >> >>>
> >> >>> --Sean
> >> >>>
> >> >>> Markus Werner wrote:
> >> >>>> Hi,
> >> >>>>
> >> >>>> first of all, I'm relatively new to Apache XML Security, so please be
> >> >>>> patient   :-)
> >> >>>>
> >> >>>> My job is to sign an element inside a DOM-Document with the help of a
> >> >>>> secretKey. Let the element that should be signed be called <Foo> and
> >> >>>> its Id be "id" in the code snippet beneath. The signature should be a
> >> >>>> detached signature.
> >> >>>>
> >> >>>> ---------------------------------------------------------------------
> >> >>>> private static Document sign(
> >> >>>>     Document doc, String id, SecretKey secretKey)
> >> >>>> throws Exception
> >> >>>> {
> >> >>>>   XMLSignature sig = new XMLSignature(doc, baseURI,
> >> >>>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
> >> >>>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
> >> >>>>
> >> >>>>   Node root = doc.getFirstChild();
> >> >>>>   root.appendChild(sig.getElement());
> >> >>>>
> >> >>>>   Transforms transforms = new Transforms(doc);
> >> >>>>   transforms.addTransform(
> >> >>>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
> >> >>>>
> >> >>>>   sig.addDocument("#" + id, transforms,
> >> >>>>       Constants.ALGO_ID_DIGEST_SHA1);
> >> >>>>   sig.sign(secretKey);
> >> >>>>
> >> >>>>   return doc;
> >> >>>> }
> >> >>>> ---------------------------------------------------------------------
> >> >>>>
> >> >>>> I'm working here on the client-side and the server responds that there
> >> >>>> is something wrong with the digest value of the signed reference while
> >> >>>> the SignedInfo is correctly digested.
> >> >>>>
> >> >>>> To be sure what went wrong, we have to compare the digest inputs (value
> >> >>>> after canonicalization) on both sides. I already got the canonicalized
> >> >>>> Element as String from the server-side and I should do the same with my
> >> >>>> implementation.
> >> >>>>
> >> >>>> When I use the following lines of code to save the document immediately
> >> >>>> before signing it, I get the whole document in a canonicalized form.
> >> >>>>
> >> >>>>   FileOutputStream f = new FileOutputStream("test.xml");
> >> >>>>   XMLUtils.outputDOMc14nWithComments(doc, f);
> >> >>>>
> >> >>>> But I only need the canonicalized form of the referenced element <Foo>.
> >> >>>> Is there some way to dump the canonical form of a Reference to a log or
> >> >>>> stdout?
> >> >>>>
> >> >>>> Best regards,
> >> >>>> Markus.
> >>
> >
> >
>
>


-- 
http://r-bg.com

Re: dumping the canonical form of a Reference to a log or stdout

Posted by Markus Werner <ma...@gmx.at>.
Hi Raul,

the client side uses Apache XML Security for Java 1.3.0 [1].

The XML-Document is created using JDOM first and then it is translated
into a org.w3c.Document using the following function:

    public org.w3c.dom.Document convertToDOM(Document jdomDoc)
    throws JDOMException
    {
        DOMOutputter outputter = new DOMOutputter();
        return outputter.output(jdomDoc);
    }

The resulting DOM-Document will then be signed, which leads to the
output shown below. It is not possible to create the
DOM-document directly in my implementation, i.e. the workaround using
JDOM first is necessary.

I extended the conversion function as follows:

    public static Document convertToJDOM(org.w3c.dom.Document domDoc)
    throws JDOMException, ParserConfigurationException
    {
        javax.xml.parsers.DocumentBuilderFactory dbf =
            javax.xml.parsers.DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);

        javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
        org.w3c.dom.Document doc = db.newDocument();

        // input missing link here

        DOMBuilder builder = new DOMBuilder();
        return builder.build(domDoc);
    }

But I wasn't able to fill the missing link between the DocumentBuilder
and the final org.w3c.Document. Would anyone please be so kind as to help
me with that?

Thank you in advance,
Markus.

--
[1] http://xml.apache.org/security/dist/java-library/


Raul Benito schrieb:
> Hi Markus,
> 
> The output from the server side is correct. In the client, what
> version of xmlsec are you using? Are you creating the
> org.w3c.Document namespace-aware?
> 
> Regards,
> 
> Raul
> 
> On 9/2/06, Markus Werner <ma...@gmx.at> wrote:
>> Hi Sean,
>>
>> The server processes exactly the same message, since it is sent by the
>> client to the server. Here is the abbreviated message I send to the
>> server:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>> <soap:Body>
>> <xmks:RegisterRequest xmlns:xmks="http://www.w3.org/2002/03/xkms#"
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#" [snip]>
>> [snip]
>> <xmks:PrototypeKeyBinding Id="_foobar">
>> [snip]
>> </xmks:PrototypeKeyBinding>
>> <xmks:Authentication>
>> <xmks:KeyBindingAuthentication>
>> <ds:Signature>
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
>> <ds:Reference URI="#_foobar">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>> <ds:DigestValue>FQcqlzTyFLwFBdJb5tgN1Vd3H+g=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>VchVOu8J+qwBuRTVjxECrV5xH+I=</ds:SignatureValue>
>> <ds:KeyInfo>
>> <ds:KeyName>XKMSInteropClient</ds:KeyName>
>> </ds:KeyInfo>
>> </ds:Signature>
>> </xmks:KeyBindingAuthentication>
>> </xmks:Authentication>
>> </xmks:RegisterRequest>
>> </soap:Body>
>> </soap:Envelope>
>>
>> The server calculates the following digest input:
>>
>> <xmks:PrototypeKeyBinding xmlns:xmks="http://www.w3.org/2002/03/xkms#"
>> Id="_foobar">[snip]</xmks:PrototypeKeyBinding>
>>
>> while the client calculates the following digest input:
>>
>> <xmks:PrototypeKeyBinding Id="_foobar">[snip]</xmks:PrototypeKeyBinding>
>>
>> The server-side uses another implementation of XML Signature that I
>> don't know. The only thing I know is that it is not Apache XML Security.
>>
>> TIA,
>> Markus.
>>
>>
>> Sean Mullan wrote:
>> > I don't have enough information, but it sounds like when canonicalizing
>> > on the client, it doesn't find the namespace definition for foo. Is it
>> > defined by an ancestor of the bar element on the server but not on the
>> > client?
>> >
>> > --Sean
>> >
>> > Markus Werner wrote:
>> >> Hi Sean,
>> >>
>> >> thank you for your reply. The following lines of code provide the
>> >> expected result:
>> >>
>> >> SignedInfo signedInfo = sig.getSignedInfo();
>> >> for (int i = 0; i < signedInfo.getLength(); i++) {
>> >>    Reference reference = signedInfo.item(i);
>> >>    // System.out.println(reference.getContentsAfterTransformation());
>> >>    System.out.println(new String(reference.getReferencedBytes()));
>> >> }
>> >>
>> >> The client-side output is something like the following:
>> >>
>> >> <foo:bar Id="ref0815">rest is the same</foo:bar>
>> >>
>> >> while the server-side output is as follows:
>> >>
>> >> <foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
>> >>     rest is the same</foo:bar>
>> >>
>> >> Both outputs seem to be correctly canonicalized, but the digest input on
>> >> the server-side includes an additional namespace declaration in the
>> >> opening tag of <foo:bar>.
>> >>
>> >> What can cause this?
>> >>
>> >> Thank you in advance,
>> >> Markus.
>> >>
>> >>
>> >> Sean Mullan schrieb:
>> >>> I would try calling Reference.getContentsAfterTransformation (returns an
>> >>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
>> >>> each of which returns the dereferenced and transformed contents before it
>> >>> is digested. I haven't really used those methods so I'm hoping someone
>> >>> on the list that is more familiar with them will send you some sample
>> >>> code.
>> >>>
>> >>> --Sean
>> >>>
>> >>> Markus Werner wrote:
>> >>>> Hi,
>> >>>>
>> >>>> first of all, I'm relatively new to Apache XML Security, so please be
>> >>>> patient   :-)
>> >>>>
>> >>>> My job is to sign an element inside a DOM-Document with the help of a
>> >>>> secretKey. Let the element that should be signed be called <Foo> and
>> >>>> its Id be "id" in the code snippet beneath. The signature should be a
>> >>>> detached signature.
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>> private static Document sign(
>> >>>>     Document doc, String id, SecretKey secretKey)
>> >>>> throws Exception
>> >>>> {
>> >>>>   XMLSignature sig = new XMLSignature(doc, baseURI,
>> >>>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
>> >>>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>> >>>>
>> >>>>   Node root = doc.getFirstChild();
>> >>>>   root.appendChild(sig.getElement());
>> >>>>
>> >>>>   Transforms transforms = new Transforms(doc);
>> >>>>   transforms.addTransform(
>> >>>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>> >>>>
>> >>>>   sig.addDocument("#" + id, transforms,
>> >>>>       Constants.ALGO_ID_DIGEST_SHA1);
>> >>>>   sig.sign(secretKey);
>> >>>>
>> >>>>   return doc;
>> >>>> }
>> >>>> ---------------------------------------------------------------------
>> >>>>
>> >>>> I'm working here on the client-side and the server responds that there
>> >>>> is something wrong with the digest value of the signed reference while
>> >>>> the SignedInfo is correctly digested.
>> >>>>
>> >>>> To be sure what went wrong, we have to compare the digest inputs (value
>> >>>> after canonicalization) on both sides. I already got the canonicalized
>> >>>> Element as String from the server-side and I should do the same with my
>> >>>> implementation.
>> >>>>
>> >>>> When I use the following lines of code to save the document immediately
>> >>>> before signing it, I get the whole document in a canonicalized form.
>> >>>>
>> >>>>   FileOutputStream f = new FileOutputStream("test.xml");
>> >>>>   XMLUtils.outputDOMc14nWithComments(doc, f);
>> >>>>
>> >>>> But I only need the canonicalized form of the referenced element <Foo>.
>> >>>> Is there some way to dump the canonical form of a Reference to a log or
>> >>>> stdout?
>> >>>>
>> >>>> Best regards,
>> >>>> Markus.
>>
> 
> 


Re: dumping the canonical form of a Reference to a log or stdout

Posted by Raul Benito <ra...@apache.org>.
Hi Markus,

The output from the server side is correct. In the client, what
version of xmlsec are you using? Are you creating the
org.w3c.Document namespace-aware?

Regards,

Raul

On 9/2/06, Markus Werner <ma...@gmx.at> wrote:
> Hi Sean,
>
> The server processes exactly the same message, since it is sent by the
> client to the server. Here is the abbreviated message I send to the server:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> <soap:Body>
> <xmks:RegisterRequest xmlns:xmks="http://www.w3.org/2002/03/xkms#"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#" [snip]>
> [snip]
> <xmks:PrototypeKeyBinding Id="_foobar">
> [snip]
> </xmks:PrototypeKeyBinding>
> <xmks:Authentication>
> <xmks:KeyBindingAuthentication>
> <ds:Signature>
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
> <ds:Reference URI="#_foobar">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <ds:DigestValue>FQcqlzTyFLwFBdJb5tgN1Vd3H+g=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>VchVOu8J+qwBuRTVjxECrV5xH+I=</ds:SignatureValue>
> <ds:KeyInfo>
> <ds:KeyName>XKMSInteropClient</ds:KeyName>
> </ds:KeyInfo>
> </ds:Signature>
> </xmks:KeyBindingAuthentication>
> </xmks:Authentication>
> </xmks:RegisterRequest>
> </soap:Body>
> </soap:Envelope>
>
> The server calculates the following digest input:
>
> <xmks:PrototypeKeyBinding xmlns:xmks="http://www.w3.org/2002/03/xkms#"
> Id="_foobar">[snip]</xmks:PrototypeKeyBinding>
>
> while the client calculates the following digest input:
>
> <xmks:PrototypeKeyBinding Id="_foobar">[snip]</xmks:PrototypeKeyBinding>
>
> The server-side uses another implementation of XML Signature that I
> don't know. The only thing I know is that it is not Apache XML Security.
>
> TIA,
> Markus.
>
>
> Sean Mullan wrote:
> > I don't have enough information, but it sounds like when canonicalizing
> > on the client, it doesn't find the namespace definition for foo. Is it
> > defined by an ancestor of the bar element on the server but not on the
> > client?
> >
> > --Sean
> >
> > Markus Werner wrote:
> >> Hi Sean,
> >>
> >> thank you for your reply. The following lines of code provide the
> >> expected result:
> >>
> >> SignedInfo signedInfo = sig.getSignedInfo();
> >> for (int i = 0; i < signedInfo.getLength(); i++) {
> >>    Reference reference = signedInfo.item(i);
> >>    // System.out.println(reference.getContentsAfterTransformation());
> >>    System.out.println(new String(reference.getReferencedBytes()));
> >> }
> >>
> >> The client-side output is something like the following:
> >>
> >> <foo:bar Id="ref0815">rest is the same</foo:bar>
> >>
> >> while the server-side output is as follows:
> >>
> >> <foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
> >>     rest is the same</foo:bar>
> >>
> >> Both outputs seem to be correctly canonicalized, but the digest input on
> >> the server-side includes an additional namespace declaration in the
> >> opening tag of <foo:bar>.
> >>
> >> What can cause this?
> >>
> >> Thank you in advance,
> >> Markus.
> >>
> >>
> >> Sean Mullan schrieb:
> >>> I would try calling Reference.getContentsAfterTransformation (returns an
> >>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
> >>> each of which returns the dereferenced and transformed contents before it
> >>> is digested. I haven't really used those methods so I'm hoping someone
> >>> on the list that is more familiar with them will send you some sample
> >>> code.
> >>>
> >>> --Sean
> >>>
> >>> Markus Werner wrote:
> >>>> Hi,
> >>>>
> >>>> first of all, I'm relatively new to Apache XML Security, so please be
> >>>> patient   :-)
> >>>>
> >>>> My job is to sign an element inside a DOM-Document with the help of a
> >>>> secretKey. Let the element that should be signed be called <Foo> and
> >>>> its Id be "id" in the code snippet beneath. The signature should be a
> >>>> detached signature.
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> private static Document sign(
> >>>>     Document doc, String id, SecretKey secretKey)
> >>>> throws Exception
> >>>> {
> >>>>   XMLSignature sig = new XMLSignature(doc, baseURI,
> >>>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
> >>>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
> >>>>
> >>>>   Node root = doc.getFirstChild();
> >>>>   root.appendChild(sig.getElement());
> >>>>
> >>>>   Transforms transforms = new Transforms(doc);
> >>>>   transforms.addTransform(
> >>>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
> >>>>
> >>>>   sig.addDocument("#" + id, transforms,
> >>>>       Constants.ALGO_ID_DIGEST_SHA1);
> >>>>   sig.sign(secretKey);
> >>>>
> >>>>   return doc;
> >>>> }
> >>>> ---------------------------------------------------------------------
> >>>>
> >>>> I'm working here on the client-side and the server responds that there
> >>>> is something wrong with the digest value of the signed reference while
> >>>> the SignedInfo is correctly digested.
> >>>>
> >>>> To be sure what went wrong, we have to compare the digest inputs (value
> >>>> after canonicalization) on both sides. I already got the canonicalized
> >>>> Element as String from the server-side and I should do the same with my
> >>>> implementation.
> >>>>
> >>>> When I use the following lines of code to save the document immediately
> >>>> before signing it, I get the whole document in a canonicalized form.
> >>>>
> >>>>   FileOutputStream f = new FileOutputStream("test.xml");
> >>>>   XMLUtils.outputDOMc14nWithComments(doc, f);
> >>>>
> >>>> But I only need the canonicalized form of the referenced element <Foo>.
> >>>> Is there some way to dump the canonical form of a Reference to a log or
> >>>> stdout?
> >>>>
> >>>> Best regards,
> >>>> Markus.
>


-- 
http://r-bg.com

Re: dumping the canonical form of a Reference to a log or stdout

Posted by Markus Werner <ma...@gmx.at>.
Hi Sean,

The server processes exactly the same message, since it is sent by the
client to the server. Here is the abbreviated message I send to the server:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Body>
<xmks:RegisterRequest xmlns:xmks="http://www.w3.org/2002/03/xkms#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" [snip]>
[snip]
<xmks:PrototypeKeyBinding Id="_foobar">
[snip]
</xmks:PrototypeKeyBinding>
<xmks:Authentication>
<xmks:KeyBindingAuthentication>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<ds:Reference URI="#_foobar">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>FQcqlzTyFLwFBdJb5tgN1Vd3H+g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>VchVOu8J+qwBuRTVjxECrV5xH+I=</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>XKMSInteropClient</ds:KeyName>
</ds:KeyInfo>
</ds:Signature>
</xmks:KeyBindingAuthentication>
</xmks:Authentication>
</xmks:RegisterRequest>
</soap:Body>
</soap:Envelope>

The server calculates the following digest input:

<xmks:PrototypeKeyBinding xmlns:xmks="http://www.w3.org/2002/03/xkms#"
Id="_foobar">[snip]</xmks:PrototypeKeyBinding>

while the client calculates the following digest input:

<xmks:PrototypeKeyBinding Id="_foobar">[snip]</xmks:PrototypeKeyBinding>

The server-side uses another implementation of XML Signature that I
don't know. The only thing I know is that it is not Apache XML Security.

TIA,
Markus.


Sean Mullan wrote:
> I don't have enough information, but it sounds like when canonicalizing
> on the client, it doesn't find the namespace definition for foo. Is it
> defined by an ancestor of the bar element on the server but not on the
> client?
> 
> --Sean
> 
> Markus Werner wrote:
>> Hi Sean,
>>
>> thank you for your reply. The following lines of code provide the
>> expected result:
>>
>> SignedInfo signedInfo = sig.getSignedInfo();
>> for (int i = 0; i < signedInfo.getLength(); i++) {
>>    Reference reference = signedInfo.item(i);
>>    // System.out.println(reference.getContentsAfterTransformation());
>>    System.out.println(new String(reference.getReferencedBytes()));
>> }
>>
>> The client-side output is something like the following:
>>
>> <foo:bar Id="ref0815">rest is the same</foo:bar>
>>
>> while the server-side output is as follows:
>>
>> <foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
>>     rest is the same</foo:bar>
>>
>> Both outputs seem to be correctly canonicalized, but the digest input on
>> the server-side includes an additional namespace declaration in the
>> opening tag of <foo:bar>.
>>
>> What can cause this?
>>
>> Thank you in advance,
>> Markus.
>>
>>
>> Sean Mullan schrieb:
>>> I would try calling Reference.getContentsAfterTransformation (returns an
>>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
>>> each of which returns the dereferenced and transformed contents before it
>>> is digested. I haven't really used those methods so I'm hoping someone
>>> on the list that is more familiar with them will send you some sample
>>> code.
>>>
>>> --Sean
>>>
>>> Markus Werner wrote:
>>>> Hi,
>>>>
>>>> first of all, I'm relatively new to Apache XML Security, so please be
>>>> patient   :-)
>>>>
>>>> My job is to sign an element inside a DOM-Document with the help of a
>>>> secretKey. Let the element that should be signed be called <Foo> and
>>>> its Id be "id" in the code snippet beneath. The signature should be a
>>>> detached signature.
>>>>
>>>> ---------------------------------------------------------------------
>>>> private static Document sign(
>>>>     Document doc, String id, SecretKey secretKey)
>>>> throws Exception
>>>> {
>>>>   XMLSignature sig = new XMLSignature(doc, baseURI,
>>>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
>>>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>>>
>>>>   Node root = doc.getFirstChild();
>>>>   root.appendChild(sig.getElement());
>>>>
>>>>   Transforms transforms = new Transforms(doc);
>>>>   transforms.addTransform(
>>>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>>>>
>>>>   sig.addDocument("#" + id, transforms,
>>>>       Constants.ALGO_ID_DIGEST_SHA1);
>>>>   sig.sign(secretKey);
>>>>
>>>>   return doc;
>>>> }
>>>> ---------------------------------------------------------------------
>>>>
>>>> I'm working here on the client-side and the server responds that there
>>>> is something wrong with the digest value of the signed reference while
>>>> the SignedInfo is correctly digested.
>>>>
>>>> To be sure what went wrong, we have to compare the digest inputs (value
>>>> after canonicalization) on both sides. I already got the canonicalized
>>>> Element as String from the server-side and I should do the same with my
>>>> implementation.
>>>>
>>>> When I use the following lines of code to save the document immediately
>>>> before signing it, I get the whole document in a canonicalized form.
>>>>
>>>>   FileOutputStream f = new FileOutputStream("test.xml");
>>>>   XMLUtils.outputDOMc14nWithComments(doc, f);
>>>>
>>>> But I only need the canonicalized form of the referenced element <Foo>.
>>>> Is there some way to dump the canonical form of a Reference to a log or
>>>> stdout?
>>>>
>>>> Best regards,
>>>> Markus.

Re: dumping the canonical form of a Reference to a log or stdout

Posted by Sean Mullan <Se...@Sun.COM>.
I don't have enough information, but it sounds like when canonicalizing 
on the client, it doesn't find the namespace definition for foo. Is it 
defined by an ancestor of the bar element on the server but not on the 
client?

--Sean

Markus Werner wrote:
> Hi Sean,
> 
> thank you for your reply. The following lines of code provide the
> expected result:
> 
> SignedInfo signedInfo = sig.getSignedInfo();
> for (int i = 0; i < signedInfo.getLength(); i++) {
>    Reference reference = signedInfo.item(i);
>    // System.out.println(reference.getContentsAfterTransformation());
>    System.out.println(new String(reference.getReferencedBytes()));
> }
> 
> The client-side output is something like the following:
> 
> <foo:bar Id="ref0815">rest is the same</foo:bar>
> 
> while the server-side output is as follows:
> 
> <foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
>     rest is the same</foo:bar>
> 
> Both outputs seem to be correctly canonicalized, but the digest input on
> the server-side includes some additional namespace-declaration in the
> opening tag of <foo:bar>.
> 
> What can cause this?
> 
> Thank you in advance,
> Markus.
> 
> 
> Sean Mullan schrieb:
>> I would try calling Reference.getContentsAfterTransformation (returns an
>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
>> each of which return the dereferenced and transformed contents before it
>> is digested. I haven't really used those methods so I'm hoping someone
>> on the list that is more familiar with them will send you some sample code.
>>
>> --Sean
>>
>> Markus Werner wrote:
>>> Hi,
>>>
>>> first of all, I'm relatively new to Apache XML Security, so please be
>>> patient   :-)
>>>
>>> My job is to sign an element inside a DOM-Document with the help of a
>>> secretKey. Let the element that should be signed be called <Foo> and its
>>> Id be "id" in the code snippet beneath. The signature should be a detached
>>> signature.
>>>
>>> ---------------------------------------------------------------------
>>> private static Document sign(
>>>     Document doc, String id, SecretKey secretKey)
>>> throws Exception
>>> {
>>>   XMLSignature sig = new XMLSignature(doc, baseURI,
>>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
>>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>>
>>>   Node root = doc.getFirstChild();
>>>   root.appendChild(sig.getElement());
>>>
>>>   Transforms transforms = new Transforms(doc);
>>>   transforms.addTransform(
>>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>>>
>>>   sig.addDocument("#" + id, transforms,
>>>       Constants.ALGO_ID_DIGEST_SHA1);
>>>   sig.sign(secretKey);
>>>
>>>   return doc;
>>> }
>>> ---------------------------------------------------------------------
>>>
>>> I'm working here on the client-side and the server responds that there
>>> is something wrong with the digest value of the signed reference while
>>> the SignedInfo is correctly digested.
>>>
>>> To make sure what went wrong we have to compare the digest inputs (value
>>> after canonicalization) on both sides. I already got the canonicalized
>>> Element as String from the server-side and I should do the same with my
>>> implementation.
>>>
>>> When I use the following lines of code to save the document immediately
>>> before signing it I get the whole document in a canonicalized form.
>>>
>>>   FileOutputStream f = new FileOutputStream("test.xml");
>>>   XMLUtils.outputDOMc14nWithComments(doc, f);
>>>
>>> But I only need the canonicalized form of the referenced element <Foo>.
>>> Is there some way to dump the canonical form of a Reference to a log or
>>> stdout?
>>>
>>> Best regards,
>>> Markus.
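To make Sean's hypothesis concrete, here is an added example (my own simplified model in Python, not Apache XML Security code) of how exclusive C14N's "visibly utilized" rule decides whether `xmlns:foo` lands on `<foo:bar>`: the declaration is looked up only through `xmlns` attributes on the element or its ancestors, so a DOM built with `createElementNS()` and no `xmlns:foo` attribute (the client) canonicalizes without it, while a document where the declaration exists on an ancestor (the server, after serialize-and-reparse) pulls it down onto the element. The `<root>` wrapper, the `build_bar` helper and the three cases are constructed for the example; the element, Id and namespace URI are the ones from the thread.

```python
import hashlib
from xml.dom import minidom, XMLNS_NAMESPACE
FOO_NS = "http://www.asdf.org/foo#"   # namespace URI from the thread

def _declared_ns(elem, prefix):
    # Resolve prefix only via xmlns attributes on elem or its ancestors, never via
    # elem.namespaceURI: a DOM built with createElementNS() alone has none to find.
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        if node.hasAttribute("xmlns:" + prefix):
            return node.getAttribute("xmlns:" + prefix)
        node = node.parentNode

def excl_c14n(elem, rendered=None):
    """Serialize elem under exclusive C14N's 'visibly utilized' namespace rule
    (simplified: prefixed names only, attributes ordered by name, basic escaping)."""
    rendered = dict(rendered or {})   # prefix -> URI already emitted by an output ancestor
    attrs = [a for a in elem.attributes.values() if not a.name.startswith("xmlns")]
    used = {n.split(":")[0] for n in [elem.tagName] + [a.name for a in attrs] if ":" in n}
    out = ["<" + elem.tagName]
    for prefix in sorted(used):
        uri = _declared_ns(elem, prefix)
        if uri is not None and rendered.get(prefix) != uri:
            out.append(' xmlns:%s="%s"' % (prefix, uri))
            rendered[prefix] = uri
    for a in sorted(attrs, key=lambda a: a.name):
        out.append(' %s="%s"' % (a.name, a.value.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(excl_c14n(child, rendered))
        elif child.nodeType == child.TEXT_NODE:
            out.append(child.data.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;"))
    return "".join(out) + "</" + elem.tagName + ">"

def digest_sha1(c14n_text):
    return hashlib.sha1(c14n_text.encode("utf-8")).hexdigest()

def build_bar(declare_on):
    """Constructed DOM mirroring the thread's <foo:bar Id="ref0815">; declare_on: None =
    createElementNS() only (client case), "root" = xmlns:foo on parent (server case), "self"."""
    doc = minidom.Document()
    root = doc.appendChild(doc.createElement("root"))
    bar = root.appendChild(doc.createElementNS(FOO_NS, "foo:bar"))
    bar.setAttribute("Id", "ref0815")
    bar.appendChild(doc.createTextNode("rest is the same"))
    if declare_on in ("root", "self"):
        (root if declare_on == "root" else bar).setAttributeNS(XMLNS_NAMESPACE, "xmlns:foo", FOO_NS)
    return bar
```

Calling `excl_c14n(build_bar(None))` gives the client-side string from the thread and `excl_c14n(build_bar("root"))` the server-side one (modulo the server's whitespace), so `digest_sha1` of the two differs exactly as the reference digest check reports.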