Posted to dev@santuario.apache.org by Ma...@micorp.com on 2004/12/01 14:04:37 UTC

Re: X509CertificateResolver Does Not Use My StorageResolver

Raul - did my information answer your question?  Is there any additional 
information that you need?

Regards,
Matthew Hanson

Marshall & Ilsley Corporation
Office:  (608) 252-5987
Fax:      (608) 252-5811
matthew.hanson@micorp.com




Matthew.Hanson@micorp.com
11/30/2004 07:18 AM
Please respond to security-dev

 
        To:     security-dev@xml.apache.org
        cc: 
        Subject:        Re: X509CertificateResolver Does Not Use My StorageResolver



I am using xml-security 1.1.0 with JDK 1.4.2.  Sorry for not including 
that in the post.

Regards,
Matthew Hanson

Marshall & Ilsley Corporation
Office:  (608) 252-5987
Fax:      (608) 252-5811
matthew.hanson@micorp.com 



Raul Benito <ra...@r-bg.com> 
11/29/2004 06:53 PM 
Please respond to security-dev 
        
        To:        security-dev@xml.apache.org 
        cc:         
        Subject:        Re: X509CertificateResolver Does Not Use My 
StorageResolver



Matthew.Hanson@micorp.com wrote:

>
> Hi,
>
> I am trying to verify the following XML digital signature:
>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>   xmlns:C="http://www.routeone.com/namespace.messaging.CreditApplication#"
>   xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
> <SignedInfo>
>   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>   <Reference URI="#Body">
>     <Transforms>
>       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     </Transforms>
>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <DigestValue>niQfM6RR1CP+V1Puf9FlaXRNcFQ=</DigestValue>
>   </Reference>
> </SignedInfo>
> <SignatureValue>EQjU1zV9WpsCj0+tTJ6pYw4YjM3Ir+OgWsCGijjKGZ1kkNOgWlFkdbDbmb8wzcAaYHVVJrplVpOVC05jd4cX7N9doFDDjRhKobaYUogRErJV86wWpsZ4iP77/DqPy0Egw9laycMv0BxxoWgeW3TQ11EioKiA/sx1nIEudaQRlWjlkeWiU7U+8eCVzWYMNkuh/kEhMo8CqYxpoOFSELRLIuMzT/gcrqvbesTUVkuYXSSs4ZTL9wzYfAYZpyk4ES7WpD7lT6/bW741S9DjJq/4H/bP8kkyBxku9sRIYF5DHXDIwbcj7SWbyZ/por+vmxGI2jR3xByxMEGo+FK2MHDDtQ==</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509Certificate/>
> <X509IssuerSerial>
> <X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network</X509IssuerName>
> <X509SerialNumber>77581175974713717168815171532918991769</X509SerialNumber>
> </X509IssuerSerial></X509Data></KeyInfo></Signature>
>
> Because I have the public certificate from the partner, I was hoping 
> to use addStorageResolver method of KeyInfo to install a 
> StorageResolver with the public certificate to help with decryption. 
>  The Resolver-Mania docs tell me the following:
>
> "If there is only key material identification information like a 
> ds:KeyName or the serial number of the Certificate, the KeyResolver 
> must use the StorageResolvers to query the available keys and 
> certificates to find the correct one."
>
> Here is my code, hacked from the VerifySignature class:
>
>          XMLSignature signature = new XMLSignature(sigElement, f.toURL().toString());
>
>          signature.addResourceResolver(new OfflineResolver());
>
>          // begin hack
>          InputStream inStream = new FileInputStream("c:\\temp\\RouteOne\\New RouteOne DSig_SSL.cer");
>          CertificateFactory cf = CertificateFactory.getInstance("X.509");
>          X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
>          inStream.close();
>          // end hack
>
>          // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
>          KeyInfo ki = signature.getKeyInfo();
>          ki.addStorageResolver(new StorageResolver(cert));
>          if (ki != null) {
>             if (ki.containsX509Data()) {
>                System.out.println("Could find a X509Data element in the KeyInfo");
>             }
>
>             cert = signature.getKeyInfo().getX509Certificate();
>
> From looking at the code, it doesn't look like the 
> X509CertificateResolver is attempting to query the available keys (my 
> public certificate).  Here is some logging and the inevitable stack 
> trace:
>
> 211 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm  - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
> 211 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
> 261 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Found SHA1WithRSAEncryption from provider BC
> 271 [main] DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA  - Created SignatureDSA using SHA1WithRSAEncryption BC
> 301 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("KeyInfo", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 321 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("X509Data", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("X509IssuerSerial", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> X509Data(0)="Certificate IssuerSerial "
> Could find a X509Data element in the KeyInfo
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - Start getX509CertificateFromInternalResolvers() with 0 resolvers
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - I couldn't find a X509Certificate using the per-KeyInfo key resolvers
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - Start getX509CertificateFromStaticResolvers() with 7 resolvers
> 331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver  - Can I resolve X509Data
> 331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver  - Can I resolve X509Data?
> 341 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver  - Yes Sir, I can
> 341 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> java.lang.NullPointerException
>         at org.apache.xml.security.utils.ElementProxy.getBytesFromTextChild(Unknown Source)
>         at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getCertificateBytes(Unknown Source)
>         at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getX509Certificate(Unknown Source)
>         at org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver.engineResolveX509Certificate(Unknown Source)
>         at org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
>         at org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
>         at org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown Source)
>         at org.apache.xml.security.samples.signature.VerifySignature.main(VerifySignature.java:155)
>
>
> Am I reading the usage docs incorrectly, or do I need to implement 
> some custom stuff?  Any pointers would be very helpful.
>
> Regards,
> Matthew Hanson
>
> Marshall & Ilsley Corporation
> Office:  (608) 252-5987
> Fax:      (608) 252-5811
> matthew.hanson@micorp.com 

What version of xml-sec are you using?
Thnx,

Raul
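The situation in the quoted report, where the verifier already holds the partner's certificate out of band while the message's KeyInfo carries only an empty <X509Certificate/> plus an X509IssuerSerial, is one where KeyInfo should be treated as untrusted input to cross-check rather than as the source of the verification key. The following is an added example (not code from this thread and not part of the xml-security project) of that approach: it loads the trusted certificate, confirms that the X509IssuerSerial in KeyInfo names that same certificate, and then verifies the signature with XMLSignature.checkSignatureValue(X509Certificate). It never calls KeyInfo.getX509Certificate(), so the resolver chain that throws the NullPointerException in the trace is never entered. Assumptions: xml-security 1.1.x on the classpath with the accessor names used here (KeyInfo.lengthX509Data/itemX509Data, X509Data.lengthIssuerSerial/itemIssuerSerial, XMLX509IssuerSerial.getIssuerName/getSerialNumber), a DER-encoded certificate file, and that the X509IssuerName string parses as an X500Principal; the command-line arguments are placeholders.

```java
// Added example: verify an XML-DSig against a certificate we already trust,
// using KeyInfo only as a hint to be cross-checked. Not from the thread or
// the xml-security project; API names as assumed in the lead-in.
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class VerifyWithTrustedCert {

    /** Load the partner certificate held out of band (path is a placeholder). */
    static X509Certificate loadTrustedCert(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /**
     * True only if KeyInfo carries at least one X509IssuerSerial and every one
     * of them names the trusted certificate. An empty <X509Certificate/> is
     * simply not consulted, so it cannot cause the NullPointerException seen
     * when X509CertificateResolver tries to decode its (absent) text child.
     */
    static boolean keyInfoNamesCert(KeyInfo ki, X509Certificate trusted) throws Exception {
        if (ki == null || !ki.containsX509Data()) {
            return false; // nothing to cross-check against
        }
        X500Principal trustedIssuer = trusted.getIssuerX500Principal();
        BigInteger trustedSerial = trusted.getSerialNumber();
        boolean sawIssuerSerial = false;
        for (int i = 0; i < ki.lengthX509Data(); i++) {
            X509Data xd = ki.itemX509Data(i);
            for (int j = 0; j < xd.lengthIssuerSerial(); j++) {
                XMLX509IssuerSerial is = xd.itemIssuerSerial(j);
                sawIssuerSerial = true;
                X500Principal issuer;
                try {
                    // Compare DNs as X500Principal, not as raw strings, so
                    // whitespace and quoting differences do not matter.
                    issuer = new X500Principal(is.getIssuerName());
                } catch (IllegalArgumentException unparsable) {
                    return false; // malformed issuer name: refuse, do not guess
                }
                if (!issuer.equals(trustedIssuer)
                        || !trustedSerial.equals(is.getSerialNumber())) {
                    return false;
                }
            }
        }
        return sawIssuerSerial;
    }

    /** Reference digests and SignatureValue must both check out. */
    static boolean verify(Document doc, X509Certificate trusted) throws Exception {
        Element sigEl = (Element) doc.getElementsByTagNameNS(
                Constants.SignatureSpecNS, Constants._TAG_SIGNATURE).item(0);
        if (sigEl == null) {
            return false; // no ds:Signature present
        }
        XMLSignature sig = new XMLSignature(sigEl, "");
        if (!keyInfoNamesCert(sig.getKeyInfo(), trusted)) {
            return false; // KeyInfo points at some other key
        }
        // checkSignatureValue verifies every Reference digest and then the
        // RSA-SHA1 signature over SignedInfo with the trusted public key.
        return sig.checkSignatureValue(trusted);
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required, or the ds: lookup finds nothing
        Document doc = dbf.newDocumentBuilder().parse(args[0]);   // signed XML
        X509Certificate trusted = loadTrustedCert(args[1]);       // partner .cer
        System.out.println(verify(doc, trusted) ? "signature OK" : "signature REJECTED");
    }
}
```

Rejecting when KeyInfo names a different issuer/serial is a deliberate choice: a message whose KeyInfo disagrees with the key it actually validates under is either misconfigured or tampered with, and a verifier that silently tries other keys loses that signal. The StorageResolver mechanism the docs describe solves a different problem (picking one certificate out of several); with a single known partner certificate, passing it straight to checkSignatureValue is the smaller trusted computing base.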





Re: X509CertificateResolver Does Not Use My StorageResolver

Posted by Raul Benito <ra...@r-bg.com>.
> Raul - did my information answer your question?  Is there any additional
> information that you need?
>
> Regards,
> Matthew Hanson
>
> Marshall & Ilsley Corporation
> Office:  (608) 252-5987
> Fax:      (608) 252-5811
> matthew.hanson@micorp.com
>
>
>
Sorry, I'm going to take a look at it whenever I have time, ;). I asked you
the version to know if there is a regression in the 1.2RC. But I will try
to give you an answer soon.

Raul
http://r-bg.com