You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by Ian Hummel <hu...@parityinc.net> on 2008/06/26 23:25:28 UTC
Cannot get an evenloped signature to work...
Hi everyone,
I cannot seem to get a simple example enveloped signature example to
work. I guess I am doing something stupid, but I can't for the life
of me figure out what's wrong!
I get this error using jdk 5 and xmlsec 1.4.0 or 1.4.2 (but it seems
to work with 1.3.0??):
Exception in thread "main" java.lang.RuntimeException: Error doing it
at test.Test.main(Test.java:82)
Caused by: java.lang.NullPointerException
at org.apache.xml.security.utils.IdResolver.isElement(Unknown Source)
at org.apache.xml.security.utils.IdResolver.getEl(Unknown Source)
at
org.apache.xml.security.utils.IdResolver.getElementBySearching(Unknown
Source)
at org.apache.xml.security.utils.IdResolver.getElementById(Unknown
Source)
at
org
.apache
.xml
.security
.utils.resolver.implementations.ResolverFragment.engineResolve(Unknown
Source)
at
org
.apache.xml.security.utils.resolver.ResourceResolver.resolve(Unknown
Source)
at
org
.apache
.xml
.security.signature.Reference.getContentsBeforeTransformation(Unknown
Source)
at
org
.apache
.xml
.security
.signature.Reference.dereferenceURIandPerformTransforms(Unknown Source)
at
org.apache.xml.security.signature.Reference.calculateDigest(Unknown
Source)
at
org
.apache.xml.security.signature.Reference.generateDigestValue(Unknown
Source)
at
org
.apache.xml.security.signature.Manifest.generateDigestValues(Unknown
Source)
at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
at test.Test.signDoc(Test.java:49)
at test.Test.main(Test.java:78)
Here is the sample code:
package test;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
public class Test {
private Certificate cert;
private PrivateKey privateKey;
static {
org.apache.xml.security.Init.init();
}
public Test() throws Exception {
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new java.io.FileInputStream("keystore.jks"),
"changeit".toCharArray());
Certificate cert = keyStore.getCertificate("tomcat");
PrivateKey privateKey = (PrivateKey) keyStore.getKey("tomcat",
"changeit".toCharArray());
this.cert = cert;
this.privateKey = privateKey;
}
private void signDoc(Document doc, Element assertion, String
messageId) throws Exception {
XMLSignature signature = new XMLSignature(doc, "",
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
assertion.appendChild(signature.getElement());
Transforms transforms = new Transforms(doc);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
signature.addDocument("#" + messageId, transforms,
Constants.ALGO_ID_DIGEST_SHA1);
signature.addKeyInfo(cert.getPublicKey());
signature.sign(privateKey);
}
private void verifyDoc(Document doc) {
}
private void dumpDoc(Document doc) throws Exception {
System.out.println("---------");
Transformer xformer =
TransformerFactory.newInstance().newTransformer();
DOMSource source = new DOMSource(doc);
StreamResult result = new StreamResult(System.out);
xformer.transform(source, result);
System.out.println();
System.out.println("---------");
}
public static void main(String[] args) {
try {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setValidating(false);
dbf.setNamespaceAware(true);
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.newDocument();
Element assertion = doc.createElement("Assertion");
assertion.setAttribute("id", "mynode");
doc.appendChild(assertion);
Test t = new Test();
t.dumpDoc(doc);
t.signDoc(doc, assertion, "mynode");
t.dumpDoc(doc);
t.verifyDoc(doc);
} catch (Exception e) {
throw new RuntimeException("Error doing it", e);
}
}
}
Re: Cannot get an evenloped signature to work...
Posted by Sean Mullan <Se...@Sun.COM>.
Ian Hummel wrote:
> hmmm you're right.
>
> Another thing I noticed is that if I add
>
> assertion.setIdAttribute("id", true);
>
> things seem to work as well...
>
>
> Can you comment on that?
Yes, you are registering the ID so it doesn't execute the same code path
that triggered the NPE.
But, you should still always use the DOM namespace aware methods because
even though this worked, you will definitely get problems in more
complicated scenarios.
--Sean
>
> Thank you Sean!
>
>
> On Jun 26, 2008, at 5:49 PM, Sean Mullan wrote:
>
>> You must always use the DOM namespace aware methods when creating
>> elements and attributes, change:
>>
>>> Element assertion = doc.createElement("Assertion");
>>> assertion.setAttribute("id", "mynode");
>>
>> to:
>>
>>> Element assertion = doc.createElementNS(null, "Assertion");
>>> assertion.setAttributeNS(null,"id", "mynode");
>>
>> Works fine after I made those changes.
>>
>> That said, the XMLSec code could be a bit more robust and check for
>> nulls and throw a more descriptive exception in these cases so I will
>> open a bug on this.
>>
>> --Sean
>>
>> Ian Hummel wrote:
>>> Hi everyone,
>>>
>>> I cannot seem to get a simple example enveloped signature example to
>>> work. I guess I am doing something stupid, but I can't for the life of
>>> me figure out what's wrong!
>>>
>>> I get this error using jdk 5 and xmlsec 1.4.0 or 1.4.2 (but it seems to
>>> work with 1.3.0??):
>>>
>>> Exception in thread "main" java.lang.RuntimeException: Error doing it
>>> at test.Test.main(Test.java:82)
>>> Caused by: java.lang.NullPointerException
>>> at org.apache.xml.security.utils.IdResolver.isElement(Unknown Source)
>>> at org.apache.xml.security.utils.IdResolver.getEl(Unknown Source)
>>> at
>>> org.apache.xml.security.utils.IdResolver.getElementBySearching(Unknown
>>> Source)
>>> at org.apache.xml.security.utils.IdResolver.getElementById(Unknown
>>> Source)
>>> at
>>> org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolve(Unknown
>>>
>>> Source)
>>> at
>>> org.apache.xml.security.utils.resolver.ResourceResolver.resolve(Unknown
>>> Source)
>>> at
>>> org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Unknown
>>>
>>> Source)
>>> at
>>> org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Unknown
>>>
>>> Source)
>>> at org.apache.xml.security.signature.Reference.calculateDigest(Unknown
>>> Source)
>>> at
>>> org.apache.xml.security.signature.Reference.generateDigestValue(Unknown
>>> Source)
>>> at
>>> org.apache.xml.security.signature.Manifest.generateDigestValues(Unknown
>>> Source)
>>> at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
>>> at test.Test.signDoc(Test.java:49)
>>> at test.Test.main(Test.java:78)
>>>
>>> Here is the sample code:
>>>
>>> package test;
>>> import java.security.KeyStore;
>>> import java.security.PrivateKey;
>>> import java.security.cert.Certificate;
>>>
>>> import javax.xml.parsers.DocumentBuilder;
>>> import javax.xml.parsers.DocumentBuilderFactory;
>>> import javax.xml.transform.Transformer;
>>> import javax.xml.transform.TransformerFactory;
>>> import javax.xml.transform.dom.DOMSource;
>>> import javax.xml.transform.stream.StreamResult;
>>>
>>> import org.apache.xml.security.c14n.Canonicalizer;
>>> import org.apache.xml.security.signature.XMLSignature;
>>> import org.apache.xml.security.transforms.Transforms;
>>> import org.apache.xml.security.utils.Constants;
>>> import org.w3c.dom.Document;
>>> import org.w3c.dom.Element;
>>>
>>>
>>> public class Test {
>>> private Certificate cert;
>>> private PrivateKey privateKey;
>>> static {
>>> org.apache.xml.security.Init.init();
>>> }
>>> public Test() throws Exception {
>>> KeyStore keyStore = KeyStore.getInstance("JKS");
>>> keyStore.load(new java.io.FileInputStream("keystore.jks"),
>>> "changeit".toCharArray());
>>> Certificate cert = keyStore.getCertificate("tomcat");
>>> PrivateKey privateKey = (PrivateKey) keyStore.getKey("tomcat",
>>> "changeit".toCharArray());
>>> this.cert = cert;
>>> this.privateKey = privateKey;
>>> }
>>>
>>> private void signDoc(Document doc, Element assertion, String messageId)
>>> throws Exception {
>>> XMLSignature signature = new XMLSignature(doc, "",
>>> XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
>>> Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>> assertion.appendChild(signature.getElement());
>>>
>>> Transforms transforms = new Transforms(doc);
>>> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>>> transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>>> signature.addDocument("#" + messageId, transforms,
>>> Constants.ALGO_ID_DIGEST_SHA1);
>>> signature.addKeyInfo(cert.getPublicKey());
>>> signature.sign(privateKey);
>>> }
>>> private void verifyDoc(Document doc) {
>>> }
>>> private void dumpDoc(Document doc) throws Exception {
>>> System.out.println("---------");
>>> Transformer xformer = TransformerFactory.newInstance().newTransformer();
>>> DOMSource source = new DOMSource(doc);
>>> StreamResult result = new StreamResult(System.out);
>>> xformer.transform(source, result);
>>> System.out.println();
>>> System.out.println("---------");
>>> }
>>> public static void main(String[] args) {
>>> try {
>>> DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
>>> dbf.setValidating(false);
>>> dbf.setNamespaceAware(true);
>>> DocumentBuilder db = dbf.newDocumentBuilder();
>>> Document doc = db.newDocument();
>>> Element assertion = doc.createElement("Assertion");
>>> assertion.setAttribute("id", "mynode");
>>> doc.appendChild(assertion);
>>> Test t = new Test();
>>> t.dumpDoc(doc);
>>> t.signDoc(doc, assertion, "mynode");
>>> t.dumpDoc(doc);
>>> t.verifyDoc(doc);
>>> } catch (Exception e) {
>>> throw new RuntimeException("Error doing it", e);
>>> }
>>> }
>>> }
>>
>
Re: Cannot get an evenloped signature to work...
Posted by Ian Hummel <hu...@parityinc.net>.
hmmm you're right.
Another thing I noticed is that if I add
assertion.setIdAttribute("id", true);
things seem to work as well...
Can you comment on that?
Thank you Sean!
On Jun 26, 2008, at 5:49 PM, Sean Mullan wrote:
> You must always use the DOM namespace aware methods when creating
> elements and attributes, change:
>
>> Element assertion = doc.createElement("Assertion");
>> assertion.setAttribute("id", "mynode");
>
> to:
>
>> Element assertion = doc.createElementNS(null, "Assertion");
>> assertion.setAttributeNS(null,"id", "mynode");
>
> Works fine after I made those changes.
>
> That said, the XMLSec code could be a bit more robust and check for
> nulls and throw a more descriptive exception in these cases so I will
> open a bug on this.
>
> --Sean
>
> Ian Hummel wrote:
>> Hi everyone,
>>
>> I cannot seem to get a simple example enveloped signature example to
>> work. I guess I am doing something stupid, but I can't for the
>> life of
>> me figure out what's wrong!
>>
>> I get this error using jdk 5 and xmlsec 1.4.0 or 1.4.2 (but it
>> seems to
>> work with 1.3.0??):
>>
>> Exception in thread "main" java.lang.RuntimeException: Error doing it
>> at test.Test.main(Test.java:82)
>> Caused by: java.lang.NullPointerException
>> at org.apache.xml.security.utils.IdResolver.isElement(Unknown Source)
>> at org.apache.xml.security.utils.IdResolver.getEl(Unknown Source)
>> at
>> org
>> .apache.xml.security.utils.IdResolver.getElementBySearching(Unknown
>> Source)
>> at org.apache.xml.security.utils.IdResolver.getElementById(Unknown
>> Source)
>> at
>> org
>> .apache
>> .xml
>> .security
>> .utils
>> .resolver.implementations.ResolverFragment.engineResolve(Unknown
>> Source)
>> at
>> org
>> .apache.xml.security.utils.resolver.ResourceResolver.resolve(Unknown
>> Source)
>> at
>> org
>> .apache
>> .xml
>> .security.signature.Reference.getContentsBeforeTransformation(Unknown
>> Source)
>> at
>> org
>> .apache
>> .xml
>> .security
>> .signature.Reference.dereferenceURIandPerformTransforms(Unknown
>> Source)
>> at
>> org.apache.xml.security.signature.Reference.calculateDigest(Unknown
>> Source)
>> at
>> org
>> .apache.xml.security.signature.Reference.generateDigestValue(Unknown
>> Source)
>> at
>> org
>> .apache.xml.security.signature.Manifest.generateDigestValues(Unknown
>> Source)
>> at org.apache.xml.security.signature.XMLSignature.sign(Unknown
>> Source)
>> at test.Test.signDoc(Test.java:49)
>> at test.Test.main(Test.java:78)
>>
>> Here is the sample code:
>>
>> package test;
>> import java.security.KeyStore;
>> import java.security.PrivateKey;
>> import java.security.cert.Certificate;
>>
>> import javax.xml.parsers.DocumentBuilder;
>> import javax.xml.parsers.DocumentBuilderFactory;
>> import javax.xml.transform.Transformer;
>> import javax.xml.transform.TransformerFactory;
>> import javax.xml.transform.dom.DOMSource;
>> import javax.xml.transform.stream.StreamResult;
>>
>> import org.apache.xml.security.c14n.Canonicalizer;
>> import org.apache.xml.security.signature.XMLSignature;
>> import org.apache.xml.security.transforms.Transforms;
>> import org.apache.xml.security.utils.Constants;
>> import org.w3c.dom.Document;
>> import org.w3c.dom.Element;
>>
>>
>> public class Test {
>> private Certificate cert;
>> private PrivateKey privateKey;
>> static {
>> org.apache.xml.security.Init.init();
>> }
>> public Test() throws Exception {
>> KeyStore keyStore = KeyStore.getInstance("JKS");
>> keyStore.load(new java.io.FileInputStream("keystore.jks"),
>> "changeit".toCharArray());
>> Certificate cert = keyStore.getCertificate("tomcat");
>> PrivateKey privateKey = (PrivateKey) keyStore.getKey("tomcat",
>> "changeit".toCharArray());
>> this.cert = cert;
>> this.privateKey = privateKey;
>> }
>>
>> private void signDoc(Document doc, Element assertion, String
>> messageId)
>> throws Exception {
>> XMLSignature signature = new XMLSignature(doc, "",
>> XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
>> Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>> assertion.appendChild(signature.getElement());
>>
>> Transforms transforms = new Transforms(doc);
>> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>> transforms
>> .addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>> signature.addDocument("#" + messageId, transforms,
>> Constants.ALGO_ID_DIGEST_SHA1);
>> signature.addKeyInfo(cert.getPublicKey());
>> signature.sign(privateKey);
>> }
>> private void verifyDoc(Document doc) {
>> }
>> private void dumpDoc(Document doc) throws Exception {
>> System.out.println("---------");
>> Transformer xformer =
>> TransformerFactory.newInstance().newTransformer();
>> DOMSource source = new DOMSource(doc);
>> StreamResult result = new StreamResult(System.out);
>> xformer.transform(source, result);
>> System.out.println();
>> System.out.println("---------");
>> }
>> public static void main(String[] args) {
>> try {
>> DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
>> dbf.setValidating(false);
>> dbf.setNamespaceAware(true);
>> DocumentBuilder db = dbf.newDocumentBuilder();
>> Document doc = db.newDocument();
>> Element assertion = doc.createElement("Assertion");
>> assertion.setAttribute("id", "mynode");
>> doc.appendChild(assertion);
>> Test t = new Test();
>> t.dumpDoc(doc);
>> t.signDoc(doc, assertion, "mynode");
>> t.dumpDoc(doc);
>> t.verifyDoc(doc);
>> } catch (Exception e) {
>> throw new RuntimeException("Error doing it", e);
>> }
>> }
>> }
>
Re: Cannot get an evenloped signature to work...
Posted by Sean Mullan <Se...@Sun.COM>.
You must always use the DOM namespace aware methods when creating
elements and attributes, change:
> Element assertion = doc.createElement("Assertion");
> assertion.setAttribute("id", "mynode");
to:
> Element assertion = doc.createElementNS(null, "Assertion");
> assertion.setAttributeNS(null,"id", "mynode");
Works fine after I made those changes.
That said, the XMLSec code could be a bit more robust and check for
nulls and throw a more descriptive exception in these cases so I will
open a bug on this.
--Sean
Ian Hummel wrote:
> Hi everyone,
>
> I cannot seem to get a simple example enveloped signature example to
> work. I guess I am doing something stupid, but I can't for the life of
> me figure out what's wrong!
>
> I get this error using jdk 5 and xmlsec 1.4.0 or 1.4.2 (but it seems to
> work with 1.3.0??):
>
> Exception in thread "main" java.lang.RuntimeException: Error doing it
> at test.Test.main(Test.java:82)
> Caused by: java.lang.NullPointerException
> at org.apache.xml.security.utils.IdResolver.isElement(Unknown Source)
> at org.apache.xml.security.utils.IdResolver.getEl(Unknown Source)
> at
> org.apache.xml.security.utils.IdResolver.getElementBySearching(Unknown
> Source)
> at org.apache.xml.security.utils.IdResolver.getElementById(Unknown Source)
> at
> org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolve(Unknown
> Source)
> at
> org.apache.xml.security.utils.resolver.ResourceResolver.resolve(Unknown
> Source)
> at
> org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Unknown
> Source)
> at
> org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Unknown
> Source)
> at org.apache.xml.security.signature.Reference.calculateDigest(Unknown
> Source)
> at
> org.apache.xml.security.signature.Reference.generateDigestValue(Unknown
> Source)
> at
> org.apache.xml.security.signature.Manifest.generateDigestValues(Unknown
> Source)
> at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
> at test.Test.signDoc(Test.java:49)
> at test.Test.main(Test.java:78)
>
> Here is the sample code:
>
> package test;
> import java.security.KeyStore;
> import java.security.PrivateKey;
> import java.security.cert.Certificate;
>
> import javax.xml.parsers.DocumentBuilder;
> import javax.xml.parsers.DocumentBuilderFactory;
> import javax.xml.transform.Transformer;
> import javax.xml.transform.TransformerFactory;
> import javax.xml.transform.dom.DOMSource;
> import javax.xml.transform.stream.StreamResult;
>
> import org.apache.xml.security.c14n.Canonicalizer;
> import org.apache.xml.security.signature.XMLSignature;
> import org.apache.xml.security.transforms.Transforms;
> import org.apache.xml.security.utils.Constants;
> import org.w3c.dom.Document;
> import org.w3c.dom.Element;
>
>
> public class Test {
> private Certificate cert;
> private PrivateKey privateKey;
> static {
> org.apache.xml.security.Init.init();
> }
> public Test() throws Exception {
> KeyStore keyStore = KeyStore.getInstance("JKS");
> keyStore.load(new java.io.FileInputStream("keystore.jks"),
> "changeit".toCharArray());
> Certificate cert = keyStore.getCertificate("tomcat");
> PrivateKey privateKey = (PrivateKey) keyStore.getKey("tomcat",
> "changeit".toCharArray());
> this.cert = cert;
> this.privateKey = privateKey;
> }
>
> private void signDoc(Document doc, Element assertion, String messageId)
> throws Exception {
> XMLSignature signature = new XMLSignature(doc, "",
> XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
> Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
> assertion.appendChild(signature.getElement());
>
> Transforms transforms = new Transforms(doc);
> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
> transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
> signature.addDocument("#" + messageId, transforms,
> Constants.ALGO_ID_DIGEST_SHA1);
> signature.addKeyInfo(cert.getPublicKey());
> signature.sign(privateKey);
> }
> private void verifyDoc(Document doc) {
> }
> private void dumpDoc(Document doc) throws Exception {
> System.out.println("---------");
> Transformer xformer = TransformerFactory.newInstance().newTransformer();
> DOMSource source = new DOMSource(doc);
> StreamResult result = new StreamResult(System.out);
> xformer.transform(source, result);
> System.out.println();
> System.out.println("---------");
> }
> public static void main(String[] args) {
> try {
> DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
> dbf.setValidating(false);
> dbf.setNamespaceAware(true);
> DocumentBuilder db = dbf.newDocumentBuilder();
> Document doc = db.newDocument();
> Element assertion = doc.createElement("Assertion");
> assertion.setAttribute("id", "mynode");
> doc.appendChild(assertion);
> Test t = new Test();
> t.dumpDoc(doc);
> t.signDoc(doc, assertion, "mynode");
> t.dumpDoc(doc);
> t.verifyDoc(doc);
> } catch (Exception e) {
> throw new RuntimeException("Error doing it", e);
> }
> }
> }