Posted to dev@santuario.apache.org by Anthony Dodd <an...@finastra.com> on 2018/05/09 14:56:09 UTC

StAX Signature Generation, X509 data options

All,

When using the DOM implementation you can request which elements of the X509 data you want to appear in the signature.

      // add x509 data
      X509Data x509data = new X509Data(document);
      x509data.add(new XMLX509SubjectName(document, certificate));
      x509data.add(new XMLX509IssuerSerial(document, certificate));

In the StAX implementation, we appear to be limited to the following

    public static final KeyIdentifier KeyIdentifier_KeyValue = new KeyIdentifier("KeyValue");
    public static final KeyIdentifier KeyIdentifier_KeyName = new KeyIdentifier("KeyName");
    public static final KeyIdentifier KeyIdentifier_IssuerSerial = new KeyIdentifier("IssuerSerial");
    public static final KeyIdentifier KeyIdentifier_SkiKeyIdentifier = new KeyIdentifier("SkiKeyIdentifier");
    public static final KeyIdentifier KeyIdentifier_X509KeyIdentifier = new KeyIdentifier("X509KeyIdentifier");
    public static final KeyIdentifier KeyIdentifier_X509SubjectName = new KeyIdentifier("X509SubjectName");
    public static final KeyIdentifier KeyIdentifier_NoKeyInfo = new KeyIdentifier("NoKeyInfo");
    public static final KeyIdentifier KeyIdentifier_EncryptedKey = new KeyIdentifier("EncryptedKey");

In the StAX implementation, I can either choose KeyIdentifier_IssuerSerial or KeyIdentifier_X509SubjectName but not both, as we could with the DOM code fragment above.

The reason I ask is that we have a service provider who has stipulated a strict format for the signature to be used when signing and sending data to them.

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>xe/kONljHYOi5X1sw8AmgIjbHw/SX8zjAT98zpJahhI=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>7vdS9h04J/slnfUO1aoQ/RvbvWE=</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509SubjectName>CN=rsa0,OU=rtp,O=org,L=location,ST=Unknown,C=</X509SubjectName>
      <X509IssuerSerial>
        <X509IssuerName>CN=sign0, OU=rtp, O=org, L=location, ST=Unknown,C=</X509IssuerName>
        <X509SerialNumber>1328092436</X509SerialNumber>
      </X509IssuerSerial>
    </X509Data>
  </KeyInfo>
</Signature>

Regards
Tony
"FINASTRA" is the trade name of the FINASTRA group of companies. This email and any attachments have been scanned for known viruses using multiple scanners. This email message is intended for the named recipient only. It may be privileged and/or confidential. If you are not the named recipient of this email please notify us immediately and do not copy it or use it for any purpose, nor disclose its contents to any other person. This email does not constitute the commencement of legal relations between you and FINASTRA. Please refer to the executed contract between you and the relevant member of the FINASTRA group for the identity of the contracting party with which you are dealing.
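The DOM route the question refers to, carried through to a complete signing and verification pair. This is an added example, not Tony's code and not code from the Santuario project: it produces the provider's layout above (c14n 1.0 for SignedInfo, enveloped and c14n 1.1 transforms, SHA-256 digest, RSA-SHA256, and a KeyInfo holding both X509SubjectName and X509IssuerSerial). The keystore file names, the aliases, the `changeit` password and `payload.xml` are placeholders assumed for the example. The receiving side shows the point that matters once KeyInfo carries only identifiers: X509IssuerSerial selects a certificate from the receiver's own trust store, and a signer that cannot be matched there is rejected; no key is ever derived from the inbound message itself.

```java
// Added example (not from the thread or the Santuario project).
// Keystore names, aliases, password and input file are placeholders.
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial;
import org.apache.xml.security.keys.content.x509.XMLX509SubjectName;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SubjectNameAndIssuerSerialSignature {

    /** Namespace-aware parse with DTDs disabled, so inbound XML cannot trigger entity expansion. */
    static Document parse(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(in);
    }

    /** Enveloped RSA-SHA256 signature; KeyInfo carries both X509SubjectName and X509IssuerSerial. */
    static void sign(Document doc, PrivateKey key, X509Certificate cert) throws Exception {
        XMLSignature sig = new XMLSignature(doc, "",
                XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,      // xmldsig-more#rsa-sha256
                Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);      // REC-xml-c14n-20010315
        doc.getDocumentElement().appendChild(sig.getElement());

        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N11_OMIT_COMMENTS); // 2006/12/xml-c14n11
        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA256);   // xmlenc#sha256

        X509Data x509data = new X509Data(doc);            // same fragment as in the question
        x509data.add(new XMLX509SubjectName(doc, cert));
        x509data.add(new XMLX509IssuerSerial(doc, cert));
        sig.getKeyInfo().add(x509data);

        sig.sign(key);
    }

    /** Receiver side: IssuerSerial only selects a pinned certificate; the key never comes from the message. */
    static boolean verify(Document doc, KeyStore trustStore) throws Exception {
        Element sigEl = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        if (sigEl == null) return false;
        XMLSignature sig = new XMLSignature(sigEl, "", true); // secureValidation on
        KeyInfo ki = sig.getKeyInfo();
        if (ki == null || ki.lengthX509Data() == 0) return false;
        XMLX509IssuerSerial is = ki.itemX509Data(0).itemIssuerSerial(0);
        if (is == null) return false;
        X500Principal issuer = new X500Principal(is.getIssuerName()); // DN compared in canonical form
        for (String alias : Collections.list(trustStore.aliases())) {
            X509Certificate cert = (X509Certificate) trustStore.getCertificate(alias);
            if (cert != null
                    && cert.getSerialNumber().equals(is.getSerialNumber())
                    && cert.getIssuerX500Principal().equals(issuer)) {
                cert.checkValidity();                         // throws if expired / not yet valid
                return sig.checkSignatureValue(cert);         // verifies references, then the signature
            }
        }
        return false; // unknown signer: reject rather than trust whatever KeyInfo claims
    }

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        char[] pw = "changeit".toCharArray();                 // placeholder credential
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get("signer.p12"))) { ks.load(in, pw); }
        PrivateKey key = (PrivateKey) ks.getKey("signer", pw);
        X509Certificate cert = (X509Certificate) ks.getCertificate("signer");

        Document doc;
        try (InputStream in = Files.newInputStream(Paths.get("payload.xml"))) { doc = parse(in); }
        sign(doc, key, cert);
        try (FileOutputStream out = new FileOutputStream("payload-signed.xml")) { XMLUtils.outputDOM(doc, out); }

        // Re-parse the serialized file, as the provider would, and verify against a separate trust store.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get("trust.p12"))) { trust.load(in, pw); }
        try (InputStream in = Files.newInputStream(Paths.get("payload-signed.xml"))) {
            System.out.println("signature valid: " + verify(parse(in), trust));
        }
    }
}
```

Matching on serial number plus issuer X500Principal, rather than on the X509SubjectName string, avoids the DN-formatting differences visible in the provider's sample (spaces after commas in one name and not the other), and X500Principal equality normalises both forms.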

Re: StAX Signature Generation, X509 data options

Posted by Colm O hEigeartaigh <co...@apache.org>.
This will be fixed for the next release, see
https://issues.apache.org/jira/browse/SANTUARIO-486

Colm.

On Wed, May 9, 2018 at 3:56 PM, Anthony Dodd <an...@finastra.com> wrote:

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com