Posted to dev@santuario.apache.org by Cláudio Engelsdorff Avila <cl...@tracesistemas.com> on 2006/04/04 20:44:57 UTC
Need lots of help - Validating Signed XML files
I'm developing an application that signs and validates XML files using the Apache XML Security library.
To sign a file is easy, but the validation part is becoming a real problem for me.
I've been able to validate the signature itself and its expiration dates, but I need more than just that. I need to validate the certification chain and RCL files as well.
To be honest, I could find some examples to validate the chain, but I don't understand how the certification chain really works.
If you guys could give me some steps to follow it would be very nice. My deadline is coming and I still have some pieces to put together.
My goals are:
- Assure that the certificate used was an end user certificate and not from a certification authority; (Didn't find anything about this kind of validation)
- Adopt rules defined by RFC 3280 for RCL and chain of trust (certification chain); (Completely lost on this one)
- Verify if the revocation and chain lists are up to date; (Didn't get that far on my research)
- Validate the key type used, accept only keys of type A; (I didn't find anything about these types, only when you purchase your key you choose this kind of thing, at least here in Brazil.)
Thanks in advance.
Re: Need lots of help - Validating Signed XML files
Posted by Cláudio Engelsdorff Avila <cl...@tracesistemas.com>.
By RCL I mean Revocation Certificate List.
I'll look at the JCA, thanks for answering that fast.
Best regards
Re: Need lots of help - Validating Signed XML files
Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
> My goals are:
> - Assure that the certificate used was an end user certificate and not from a certification authority; (Didn't find anything about this kind of validation)
Use JCA.
> - Adopt rules defined by RFC 3280 for RCL and chain of trust (certification chain); (Completely lost on this one)
What do you mean by RCL? Too many definitions related to that.
> - Verify if the revocation and chain lists are up to date; (Didn't get that far on my research)
Use JCA.
> - Validate the key type used, accept only keys of type A; (I didn't find anything about these types, only when you purchase your key you choose this kind of thing, at least here in Brazil.)
Keys type A is something related to Brazil, we need more info.
Re: Need lots of help - Validating Signed XML files
Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
Hey,
I just tested the code with JDK 1.4:

import java.io.*;
import java.security.cert.*;
public class CrlTest {
    public static void main(String[] args) throws Exception {
        InputStream inStream = new FileInputStream("c:/temp/LatestCRL.crl");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl = (X509CRL) cf.generateCRL(inStream);
        inStream.close();
        System.out.println(crl.getIssuerDN().getName());
    }
}

and obtained:
CN=AC CertiSign V3, OU=AC CertiSign V3, O=ICP-Brasil, C=BR
So you don't need any conversion for that, it should work fine.
Re: Need lots of help - Validating Signed XML files
Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
There are a couple of very similar PKCS#7 formats; with OpenSSL you can transform from one to another.
I remember that I had to use it to make some certificates in that format readable from Java.
That's probably the problem.
Re: Need lots of help - Validating Signed XML files
Posted by Cláudio Engelsdorff Avila <cl...@tracesistemas.com>.
I'm using the newest Java version (1.5), yet it still throws a tag parse error when I try to open it.
I tried this code to open the CRL file:

import java.io.FileInputStream;
import java.security.cert.CertPath;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;

// open an input stream to the file
FileInputStream fis = new FileInputStream(filename);
// instantiate a CertificateFactory for X.509
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// extract the certification path from
// the PKCS7 SignedData structure
// (this is the call that throws below: a .crl file is a DER CertificateList,
// not a PKCS#7 SignedData, so the parser meets a SEQUENCE, tag 0x30 = 48,
// where it expects an OID)
CertPath cp = cf.generateCertPath(fis, "PKCS7");
fis.close();
// print each certificate in the path
List certs = cp.getCertificates();
Iterator i = certs.iterator();
while (i.hasNext()) {
    X509Certificate cert = (X509Certificate) i.next();
    System.out.println(cert);
}

And it gives me:
java.security.cert.CertificateException: IOException parsing PKCS7 data: sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
I don't like to bother anyone but I tried everything that I could think of.
Re: Need lots of help - Validating Signed XML files
Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
Again, use (Std. Ed. v1.4.2):

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;

InputStream inStream = new FileInputStream("fileName-of-crl");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509CRL crl = (X509CRL) cf.generateCRL(inStream);
inStream.close();
// issuerCert is the CA certificate that issued the CRL (or pass its PublicKey directly)
crl.verify(issuerCert.getPublicKey());
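Putting Martin's "use JCA" answer and the generateCRL snippet above into one runnable check (an added example, not code from the thread or from the Apache XML Security project): it enforces the end-entity, CRL freshness and RFC 3280 chain goals of the original post through the JCA PKIX classes. The file names and the single-CA hierarchy in main() are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
// Added example, not code from the thread. File names are placeholders:
// signer.cer is the end-entity certificate from the XML signature's KeyInfo,
// ca.cer the CA that issued it, root.cer the trusted root, LatestCRL.crl the
// DER CRL published by ca.cer (read with generateCRL, not as a PKCS#7 path).
public class SignerCertCheck {
    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try { return (X509Certificate) cf.generateCertificate(in); } finally { in.close(); }
    }
    static X509CRL loadCrl(CertificateFactory cf, String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try { return (X509CRL) cf.generateCRL(in); } finally { in.close(); }
    }

    // Goal 1: the signer must be an end-entity certificate, not a CA.
    // getBasicConstraints() returns -1 when cA is false or the extension is absent.
    static boolean isEndEntitySigningCert(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();              // null if no KeyUsage extension
        boolean canSign = ku == null || ku[0] || ku[1]; // digitalSignature, nonRepudiation
        return cert.getBasicConstraints() == -1 && canSign;
    }

    // Goal 3: the CRL must come from the CA, carry a valid signature and be current.
    static void checkCrlFresh(X509CRL crl, X509Certificate ca, Date now) throws Exception {
        if (!crl.getIssuerX500Principal().equals(ca.getSubjectX500Principal()))
            throw new CRLException("CRL issuer does not match the CA certificate");
        crl.verify(ca.getPublicKey());                  // SignatureException if tampered
        if (now.before(crl.getThisUpdate()))
            throw new CRLException("CRL thisUpdate lies in the future");
        if (crl.getNextUpdate() != null && now.after(crl.getNextUpdate()))
            throw new CRLException("CRL is stale, nextUpdate was " + crl.getNextUpdate());
    }

    // Goal 2: RFC 3280 path building and validation with revocation, via JCA PKIX.
    // Every CA below the root needs a current CRL in the store; otherwise the build
    // fails with "Could not determine revocation status" instead of passing silently.
    static PKIXCertPathBuilderResult validateChain(X509Certificate signer,
            Collection<X509Certificate> cas, X509Certificate root,
            Collection<X509CRL> crls, Date now) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(root, null));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(true);              // the default, made explicit
        params.setDate(now);
        List<Object> store = new ArrayList<Object>(cas);
        store.add(signer);                              // the builder finds the target here
        store.addAll(crls);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(store)));
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        return (PKIXCertPathBuilderResult) builder.build(params); // CertPathBuilderException on failure
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signer = loadCert(cf, "signer.cer");
        X509Certificate ca = loadCert(cf, "ca.cer");
        X509Certificate root = loadCert(cf, "root.cer");
        X509CRL crl = loadCrl(cf, "LatestCRL.crl");    // if ca.cer is an intermediate, add the root's CRL too
        Date now = new Date();
        if (!isEndEntitySigningCert(signer))
            throw new CertificateException("signer is a CA certificate or cannot sign");
        checkCrlFresh(crl, ca, now);
        PKIXCertPathBuilderResult r = validateChain(signer,
                Collections.singletonList(ca), root, Collections.singletonList(crl), now);
        System.out.println("Chain valid, anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

The XML signature itself is still verified separately with the Apache library; this code only decides whether the certificate that produced it may be trusted.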
Re: Need lots of help - Validating Signed XML files
Posted by Cláudio Engelsdorff Avila <cl...@tracesistemas.com>.
If you could download these files and try to help me to open them it would be perfect; I'm running out of ideas for solving this matter.
The revocation list that I'm using is: http://icp-brasil.certisign.com.br/repositorio/lcr/ACCertiSignV3/LatestCRL.crl
Any help will be more than welcome.
Cláudio Engelsdorff Avila
://Consultor de Sistemas
://Fone/Fax: +55 51 2101 6918
://Celular: +55 51 9303 2988
TRACE SISTEMAS
www.tracesistemas.com.br
www.tracegp.com.br
Re: Need lots of help - Validating Signed XML files
Posted by Cláudio Engelsdorff Avila <cl...@tracesistemas.com>.
For the revocation lists the URL is "http://icp-brasil.certisign.com.br/repositorio/index.htm".
Sorry, I thought that I had pasted that link here too.
Thanks in advance
Re: Need lots of help - Validating Signed XML files
Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
I only found the certificate chains there,
but not the revocation lists.
Re: Need lots of help - Validating Signed XML files
Posted by Cláudio Engelsdorff Avila <cl...@tracesistemas.com>.
Yeah, it helped me to see that I'm on the right path.
But I'm still having some problems trying to open revocation lists and so forth.
I got my chain and revocation lists from this URL: "http://www.certisign.com.br/suporte/downloads.jsp#icp".
If someone could enlighten me.
Thanks in advance.
www.tracesistemas.com.br
www.tracegp.com.br
Re: Need lots of help - Validating Signed XML files
Posted by Milan Tomic <to...@yahoo.com>.
Take a look at this article:
http://java.sun.com/j2se/1.4.2/docs/guide/security/certpath/CertPathProgGuide.html
Hope it helps,
Milan