Posted to users@camel.apache.org by salkin <ni...@cargoit.se> on 2016/08/30 08:34:12 UTC

XML Security - Is it possible to change transform algorithm on KeyInfo-object and SignedProperties?

I'm trying to generate an XML signature using the Apache Camel XML Security component. My RouteBuilder and configuration look like this:
import java.util.ArrayList;
import java.util.List;

import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.dsig.CanonicalizationMethod;

import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties;
import org.apache.camel.component.xmlsecurity.api.XmlSignatureHelper;
import org.apache.camel.impl.JndiRegistry;
import org.w3c.dom.Document;

// context, keyPair and getKeyAccessor(...) belong to the enclosing class (not shown here).

private void createRouteBuilders() throws Exception {
    /**
     *  Sign XML with enveloping signature
     *
     *  JndiRegistry is used to bind signature variables
     *
     *  Key accessor = Use organisation X509Certificate
     *  Signature algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
     *  Canonicalization method = http://www.w3.org/2001/10/xml-exc-c14n#
     *  Transform method = http://www.w3.org/2001/10/xml-exc-c14n#
     *  Xades signature = defined in xadesProperties
     */
    context.addRoutes(new RouteBuilder() {
        public void configure() throws Exception {
            //TODO: Handle exception
            from("direct:xml-signature")
                .convertBodyTo(String.class)
                .to("xmlsecurity:sign://enveloping?"
                    + "keyAccessor=#accessor&"
                    + "signatureAlgorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256&"
                    + "canonicalizationMethod=#canonicalizationMethod1&"
                    + "transformMethods=#transformMethods&"
                    + "properties=#xadesProperties")
                .convertBodyTo(Document.class);
        }
    });
}

private JndiRegistry createRegistry() throws Exception {
    JndiRegistry registry = new JndiRegistry();

    // Beans referenced from the endpoint URI via "#name"
    registry.bind("accessor", getKeyAccessor(keyPair.getPrivate()));
    registry.bind("canonicalizationMethod1", getCanonicalizationMethod());
    registry.bind("transformMethods", getTransformMethods());
    registry.bind("xadesProperties", getXadesProperties());

    return registry;
}

private XAdESSignatureProperties getXadesProperties() {
    XAdESSignatureProperties props = new XAdESSignatureProperties();

    props.setNamespace("http://uri.etsi.org/01903/v1.3.2#");
    props.setPrefix("xades");
    props.setAddSigningTime(true);

    return props;
}

private AlgorithmMethod getCanonicalizationMethod() {
    // Exclusive C14N, used both as the SignedInfo canonicalization and as the transform
    return XmlSignatureHelper.getCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE);
}

private List<AlgorithmMethod> getTransformMethods() {
    ArrayList<AlgorithmMethod> transformMethods = new ArrayList<AlgorithmMethod>();
    transformMethods.add(getCanonicalizationMethod());
    return transformMethods;
}

The resulting XML looks like this:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="_78256618-6394-43fb-a551-45013f9df404">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_d1e0da88-0f2e-4491-8817-7a6a9b566a86">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>KKcHfq+gpUlD9ltfvxUJC0DRLySRKeZqKebHrjxz1aI=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#_42cbaaa6-2387-4991-b479-79f3aee1c4c6">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>g6DR+ETW13DssymC5AHS2CsPwUFAlBKQeTHH81b+w/c=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#_f6ff95f0-42af-41f0-a4d7-37d9c7070bb6">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>w+s0PSrSzE1bfGZYt2U3mipZMYv+ETcdB6eK6DtqB48=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>JOxBA0/9+hoxI7azTMemZfijEF4BoOU1wMmdzYtTSQchxDxr2LerQswNG2/26ANVAmWgmvMnrd5a8yxJsUw9EbkpQfAaJXX+ccXWLQVLxFSKYOVZqOG0UR1uPRN/Gs9LYjpDYsdKHbWzycfaSiKwSvFFUxrdt40xev4YEHh0xMVDpUQwruXEOrSfw1ceWLpJYTrLWAPcM3Ynd1/lXfEPylUJhHZPZ38ALk6QopOJ4D5jqndvzzGnWyXF1n0YImFut4OeviD+pHujRga6I3BN16ADErtEJQaQOR6CAVDkQvaiC12qrPwTm3vD4k5zgdtkdYPWWexxl3IiRJlcqoVuSQ==</ds:SignatureValue>
    <ds:KeyInfo Id="_42cbaaa6-2387-4991-b479-79f3aee1c4c6">
        <ds:X509Data>
            <ds:X509Certificate>

            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
    <ds:Object Id="_d1e0da88-0f2e-4491-8817-7a6a9b566a86">

    </ds:Object>
    <ds:Object>
        <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#_78256618-6394-43fb-a551-45013f9df404">
            <xades:SignedProperties Id="_f6ff95f0-42af-41f0-a4d7-37d9c7070bb6">
                <xades:SignedSignatureProperties>
                    <xades:SigningTime>2016-08-25T14:43:39+02:00</xades:SigningTime>
                </xades:SignedSignatureProperties>
            </xades:SignedProperties>
        </xades:QualifyingProperties>
    </ds:Object>
</ds:Signature>

I want my chosen transform algorithm (Exclusive Canonicalization) to also apply to the KeyInfo and the SignedProperties objects. Is this possible? If it is, how do I achieve this?



--
View this message in context: http://camel.465427.n5.nabble.com/XML-Security-Is-it-possible-to-change-transform-algorithm-on-KeyInfo-object-and-SignedProperties-tp5786982.html
Sent from the Camel - Users mailing list archive at Nabble.com.
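The difference the question points at can be checked mechanically on the signed output instead of by reading the XML. The following Python is an added example, not code from this thread or from Apache Camel: it parses a ds:Signature, lists the Transform chain declared by each ds:Reference, and reports the references whose chain does not contain the configured exclusive C14N algorithm. The embedded sample is the signature posted above with its SignatureValue shortened; the function names are my own.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
INC_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# Constructed sample: the ds:Signature from the post above, reduced to the
# parts this check reads (the SignatureValue is shortened to "...").
SAMPLE_SIGNATURE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="_78256618-6394-43fb-a551-45013f9df404">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_d1e0da88-0f2e-4491-8817-7a6a9b566a86">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>KKcHfq+gpUlD9ltfvxUJC0DRLySRKeZqKebHrjxz1aI=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#_42cbaaa6-2387-4991-b479-79f3aee1c4c6">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>g6DR+ETW13DssymC5AHS2CsPwUFAlBKQeTHH81b+w/c=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#_f6ff95f0-42af-41f0-a4d7-37d9c7070bb6">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>w+s0PSrSzE1bfGZYt2U3mipZMYv+ETcdB6eK6DtqB48=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>...</ds:SignatureValue>
</ds:Signature>"""


def reference_transforms(signature_xml):
    """Return one dict per ds:Reference, in document order, with its URI,
    its optional Type attribute, and the ordered list of Transform
    algorithm URIs (an empty list when the reference has no Transforms)."""
    root = ET.fromstring(signature_xml)
    refs = []
    for ref in root.iter("{%s}Reference" % DS):
        transforms = [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)]
        refs.append({"uri": ref.get("URI"), "type": ref.get("Type"), "transforms": transforms})
    return refs


def find_references_missing_transform(signature_xml, expected=EXC_C14N):
    """Return the URIs of references whose transform chain does not contain
    `expected`. A reference with no Transforms at all is reported as well:
    a same-document node-set is then canonicalized with inclusive C14N by
    default, not with the algorithm configured for the content reference."""
    return [r["uri"] for r in reference_transforms(signature_xml)
            if expected not in r["transforms"]]


if __name__ == "__main__":
    for r in reference_transforms(SAMPLE_SIGNATURE):
        print(r["uri"], r["type"] or "-", r["transforms"] or "(no Transforms)")
    print("not using exclusive C14N:", find_references_missing_transform(SAMPLE_SIGNATURE))
```

Run against the sample, the report shows what the thread describes: only the reference to the enveloped Object carries the exclusive C14N transform set through transformMethods, while the KeyInfo reference was given inclusive C14N and the SignedProperties reference has no Transforms element. Running the same check on a verifier's side is a cheap way to confirm that every reference is digested under the canonicalization one expects before trusting the signature to cover the key material and the XAdES properties.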

Re: XML Security - Is it possible to change transform algorithm on KeyInfo-object and SignedProperties?

Posted by Franz Paul Forsthofer <em...@googlemail.com>.
Hello Niklas,

can you point me to the part of the spec https://www.w3.org/TR/xmldsig-core/ which allows defining transformations also for the KeyInfo element? I could not find such a definition. If it is there in the specification, we might think about including this in our Camel processor.

This holds as well for the SignedProperties element. See spec
http://www.etsi.org/deliver/etsi_ts%5C101900_101999%5C101903%5C01.04.02_60%5Cts_101903v010402p.pdf

Best Regards Franz

On Tue, Aug 30, 2016 at 10:34 AM, salkin <ni...@cargoit.se>
wrote:
