Posted to dev@santuario.apache.org by tobias <to...@t-systems.com> on 2015/03/09 08:48:26 UTC

Optional ID of attached element

In the example SignatureUtils.java there is this code line
signedElement.setIdAttributeNS(null, "Id", true); which refers to the
optional id of the attached xml element where the signature is embedded. But the
specification says it's an optional attribute. My question is how can I do or
check if the id attribute is there, because when it is not there I'm getting
an "Element not found" error at this place.



--
View this message in context: http://apache-xml-project.6118.n7.nabble.com/Optional-ID-of-attached-element-tp41910.html
Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.

Re: Optional ID of attached element

Posted by tobias <to...@t-systems.com>.
ok, you're right. I found out that in the customer xml I've got two reference
blocks and the second one is giving me trouble.

    <ds:Reference Id="Reference-TSL-1430866800574" URI="">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>43acDj5lSIqh6LBvpVbQ9Hj9QFjX0vZ4IWrw7E8OY0g=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference Id="Reference-SignedProperties-1430866800684"
                  Type="http://uri.etsi.org/01903#SignedProperties"
                  URI="#SignedProperties-1430866800583">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>ms/B/LYB/XjPHZeuHpBgtTYG1fq9sLfqld5ArY4E/N4=</ds:DigestValue>
    </ds:Reference>



--
View this message in context: http://apache-xml-project.6118.n7.nabble.com/Optional-ID-of-attached-element-tp41910p42080.html
Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.
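
The failure discussed in this thread, as an added example that is not part of the original posts and not Santuario's own code: a Reference with URI="" needs no ID, while a Reference such as URI="#SignedProperties-..." only resolves once the target's Id attribute has been marked as an ID. The class and method names are hypothetical, the sample document is constructed, and an unprefixed "Id" attribute is assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
// Added example: hypothetical names, constructed sample input.
public class ReferenceIdRegistrar {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Marks as ID only the "Id" attributes that a ds:Reference points at.
    // A fragment URI must match exactly one element; duplicates are rejected.
    static List<String> registerReferencedIds(Document doc) {
        List<String> registered = new ArrayList<>();
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (!uri.startsWith("#")) continue; // "" (whole document) or external URI
            String id = uri.substring(1);
            Element match = null;
            for (int j = 0; j < all.getLength(); j++) {
                Element e = (Element) all.item(j);
                if (e.hasAttributeNS(null, "Id") && id.equals(e.getAttributeNS(null, "Id"))) {
                    if (match != null) throw new SecurityException("duplicate Id " + id);
                    match = e;
                }
            }
            if (match == null) throw new IllegalStateException("no element with Id " + id);
            match.setIdAttributeNS(null, "Id", true); // attribute is known to exist here
            registered.add(id);
        }
        return registered;
    }

    public static void main(String[] args) throws Exception {
        String xml = "<doc><ds:Signature xmlns:ds='" + DS + "'><ds:SignedInfo>"
            + "<ds:Reference URI=''/><ds:Reference URI='#SignedProperties-1'/></ds:SignedInfo>"
            + "<ds:Object><SignedProperties Id='SignedProperties-1'/></ds:Object>"
            + "</ds:Signature></doc>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println(registerReferencedIds(doc));
        System.out.println(doc.getElementById("SignedProperties-1").getTagName());
    }
}
```

Run on the parsed document before verification, this replaces an unconditional setIdAttributeNS call on the root element, which fails when the root carries no Id attribute.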

Re: Optional ID of attached element

Posted by "Cantor, Scott" <ca...@osu.edu>.
On 5/18/15, 12:58 PM, "tobias" <to...@t-systems.com> wrote:



>I just want to get rid of the need of an Id attribute in the signed 
>element.

And I told you how non-ID based signatures of an entire document are 
expressed.

>I understand that the way you are showing in the examples is a good way to
>do it,

I don't know what examples you mean, but they have nothing to do with me.

-- Scott


Re: Optional ID of attached element

Posted by tobias <to...@t-systems.com>.
I just want to get rid of the need of an Id attribute in the signed element.
I understand that the way you are showing in the examples is a good way to
do it, but our customer is delivering an xml document without an id in the
root element (always the signed element). I just want to solve my use case
and need your help!




Re: Optional ID of attached element

Posted by "Cantor, Scott" <ca...@osu.edu>.
On 5/18/15, 11:58 AM, "tobias" <to...@t-systems.com> wrote:



>Our customer delivers an xml file where the root element is always the
>part which is being signed by default. Don't know how to handle a signed
>xml file without an id as marker.

If you mean you want to sign the whole document, that requires a Reference 
URI of "" (literally the empty string). This is all covered by the 
standard, which you need to read if you use the library. XML Signature is 
not something you can just let the library take care of for you, there are 
too many application-layer issues involved to do anything safely with the 
spec.

-- Scott


Re: Optional ID of attached element

Posted by tobias <to...@t-systems.com>.
I'm getting this error when I try to verify a signed xml. The problem is it
has no ID and therefore I tried to disable the ID mapping by removing this
line of code signedElement.setIdAttributeNS(null, "Id", true);

Our customer delivers an xml file where the root element is always the part
which is being signed by default. Don't know how to handle a signed xml file
without an id as marker.

Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID SignedProperties-1430866800583
	at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:81) ~[xmlsec-2.0.4.jar:2.0.4]
	at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:288) ~[xmlsec-2.0.4.jar:2.0.4]
	at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:426) ~[xmlsec-2.0.4.jar:2.0.4]
	at org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Reference.java:606) ~[xmlsec-2.0.4.jar:2.0.4]
	at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:718) ~[xmlsec-2.0.4.jar:2.0.4]
	at org.apache.xml.security.signature.Reference.verify(Reference.java:787) ~[xmlsec-2.0.4.jar:2.0.4]
	at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:334) ~[xmlsec-2.0.4.jar:2.0.4]




Re: Optional ID of attached element

Posted by "Cantor, Scott" <ca...@osu.edu>.
On 3/12/15, 10:48 AM, "tobias" <to...@t-systems.com> wrote:

>I understand your point. But the W3C spec is saying that the id is optional,
>right? How could an element be referenced when it has no id attribute? I
>don't know! Maybe via the element name?!

XPath, generally. It's extremely complex to reference anything other than by ID and generally difficult to secure unless you parse only the referenced octets into application space.

-- Scott


Re: Optional ID of attached element

Posted by tobias <to...@t-systems.com>.
I understand your point. But the W3C spec is saying that the id is optional,
right? How could an element be referenced when it has no id attribute? I
don't know! Maybe via the element name?!




Re: Optional ID of attached element

Posted by Colm O hEigeartaigh <co...@apache.org>.
How is the signature referencing whatever is signed in the SOAP request?

Colm.

On Thu, Mar 12, 2015 at 8:58 AM, tobias <to...@t-systems.com> wrote:

> We have 2 use cases, one with an id attribute and it works fine. But the
> second use case is a soap request and we have to verify that signature in
> the soap request, but there is no id attribute and it fails.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Optional ID of attached element

Posted by tobias <to...@t-systems.com>.
We have 2 use cases, one with an id attribute and it works fine. But the second
use case is a soap request and we have to verify that signature in the soap
request, but there is no id attribute and it fails.




Re: Optional ID of attached element

Posted by Colm O hEigeartaigh <co...@apache.org>.
You need some way to reference what is being signed inside the Signature.
How are you referencing the Element if it has no "Id" attribute?

Colm.

On Mon, Mar 9, 2015 at 7:48 AM, tobias <to...@t-systems.com> wrote:

> In the example SignatureUtils.java there is this code line
> signedElement.setIdAttributeNS(null, "Id", true); which refers to the
> optional id of the attached xml element where the signature is embedded. But
> the specification says it's an optional attribute. My question is how can I do
> or check if the id attribute is there, because when it is not there I'm
> getting an "Element not found" error at this place.


