Posted to dev@santuario.apache.org by "Legido Martínez, Isidoro" <is...@gmail.com> on 2008/07/28 21:44:33 UTC

Remote private key

Hi everybody:

First, I will try to explain my current situation (sorry in advance for my
poor English :-( ). My signing system is split in two pieces: a
lightweight client that owns the private key and ONLY can sign (no digest)
and the server side that does everything else EXCEPT signing (digest, add
Manifest elements or additional References).
My initial idea was: the server side builds the SignedInfo elements, gets its
digest and sends it to the client. The client signs and sends the result to
the server, which adds this to the SignedInfo. Is that possible with the
current implementation?
I expected that

  SignedInfo si = sig.getSignedInfo();   // sig is the XMLSignature being built
  si.generateDigestValues();
  String digest = Base64.encode(si.getCanonicalizedOctetStream());

'digest' would contain the digest value in Base64, but what I get is
something different. How can I get the digest? After signing, is there any
way of adding it to SignedInfo?

Thanks a lot

Isi

Re: Remote private key

Posted by "Legido Martínez, Isidoro" <is...@gmail.com>.
Hi Sergio:

Thanks a lot, I will try it :-)

Isi


-- 
,-""""""-.
/\j__/\ ( \`--.
\`@_@'/ _) >--.`.
_{.:Y:_}_{{_,' ) )
{_}`-^{_} ``` (_/

RE: Remote private key

Posted by "Lopez Cantero, Sergio" <SL...@sadiel.es>.
Well, in my case data transfer is via HTTPS, so nobody can alter data I think.
But keep in mind that signatures are verified after the client signs it, so you
can detect if the data signed was wrong.


Re: Remote private key

Posted by jason marshall <jd...@gmail.com>.
Perhaps it goes without saying, but I'm a sucker for pointing out the
supposedly obvious (mostly because of how often it turns out not to
have been so obvious).

If you have your keys on one machine, and your signed material on
another, how are you getting the data between them without someone
altering it?

One thing you might consider doing is applying a temporary signature
on the machine that has the source material, and then send the signed
XML document back to the machine holding the real key to add a second
signature (the one third parties will honor).  That should prove
easier to pull off than trying to trick the XML-Sec library into
signing something without calculating the digests itself first.  I
tried to do this with 1.3 and had no luck.  I would be interested in
hearing if you guys figure out how to do this, however not for remote
signing (rather for re-signing to replace an expiring cert).

-Jason

-- 
- Jason

RE: Remote private key

Posted by "Lopez Cantero, Sergio" <SL...@sadiel.es>.
This is because before you sign it, you have to DER-encode the digest with something like:

(Using bouncycastle classes)

      import java.io.IOException;
      import org.bouncycastle.asn1.ASN1Encodable;
      import org.bouncycastle.asn1.DERObjectIdentifier;
      import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
      import org.bouncycastle.asn1.x509.DigestInfo;

      // Wraps an already computed hash in the PKCS#1 DigestInfo structure
      // (older BouncyCastle API; current releases name these ASN1ObjectIdentifier
      // and ASN1Encoding.DER)
      public static byte[] doDER(byte[] data) throws IOException {
            // This OID is for SHA1 only
            String hashOID = "1.3.14.3.2.26";
            // null parameters: the AlgorithmIdentifier carries the NULL that
            // RFC 3447 expects next to the SHA-1 OID
            DigestInfo dInfo = new DigestInfo(new AlgorithmIdentifier(
                        new DERObjectIdentifier(hashOID), null), data);
            return dInfo.getEncoded(ASN1Encodable.DER);
      }

I recommend sending the digested hash, not the entire byte sequence, so you can DER-encode it and sign it with the "NONEwithRSA" algorithm afterwards.
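
To see why Sergio's recipe gives the same bytes as a one-step rsa-sha1 signature, here is an added example that runs the split flow end to end. It is editor-supplied code, not code from this thread or from Santuario, and it uses only the JDK (Java 8 or later for java.util.Base64): the canonicalised SignedInfo octets and the RSA key pair are constructed in place, the DigestInfo prefix for SHA-1 is the one from RFC 3447 (so no BouncyCastle is needed), and the "server" verifies what the "client" returns before it would write anything into SignatureValue, which is the check Sergio describes in his reply to Jason.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Base64;

// Added example: server hashes the canonical SignedInfo, client signs only the
// DigestInfo-wrapped hash with NONEwithRSA, server verifies with SHA1withRSA.
public class SplitSigningDemo {

    // DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1):
    // SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
    static final byte[] SHA1_DIGEST_INFO_PREFIX = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
        0x05, 0x00, 0x04, 0x14
    };

    /** Server side: digest the canonicalised SignedInfo octets (only 20 bytes cross the wire). */
    static byte[] digest(byte[] canonicalSignedInfo) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-1").digest(canonicalSignedInfo);
    }

    /** Wrap a raw SHA-1 hash in the DigestInfo structure that PKCS#1 v1.5 signing expects. */
    static byte[] toDigestInfo(byte[] sha1) {
        if (sha1.length != 20) {
            throw new IllegalArgumentException("SHA-1 digest must be 20 bytes");
        }
        byte[] out = Arrays.copyOf(SHA1_DIGEST_INFO_PREFIX, SHA1_DIGEST_INFO_PREFIX.length + 20);
        System.arraycopy(sha1, 0, out, SHA1_DIGEST_INFO_PREFIX.length, 20);
        return out;
    }

    /** Client side: NONEwithRSA pads and signs the input as-is, without hashing it again. */
    static byte[] signDigestInfo(PrivateKey key, byte[] digestInfo) throws GeneralSecurityException {
        Signature s = Signature.getInstance("NONEwithRSA");
        s.initSign(key);
        s.update(digestInfo);
        return s.sign();
    }

    /** Server side: check the returned value before it is written into SignatureValue. */
    static boolean verifyReturned(PublicKey key, byte[] canonicalSignedInfo, byte[] sig)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA1withRSA");
        v.initVerify(key);
        v.update(canonicalSignedInfo);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair; the real client would load its own private key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed stand-in for sig.getSignedInfo().getCanonicalizedOctetStream()
        byte[] canonical = ("<ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
                + "constructed placeholder</ds:SignedInfo>").getBytes(StandardCharsets.UTF_8);

        byte[] hash = digest(canonical);                                   // server -> client
        byte[] remoteSig = signDigestInfo(kp.getPrivate(), toDigestInfo(hash)); // client -> server

        // Reference: a one-step SHA1withRSA over the same octets, which is what
        // rsa-sha1 in XMLDSig specifies for SignatureValue.
        Signature local = Signature.getInstance("SHA1withRSA");
        local.initSign(kp.getPrivate());
        local.update(canonical);
        byte[] localSig = local.sign();

        System.out.println("identical to one-step SHA1withRSA: " + Arrays.equals(remoteSig, localSig));
        System.out.println("verifies on the server:            "
                + verifyReturned(kp.getPublic(), canonical, remoteSig));
        System.out.println("SignatureValue = " + Base64.getEncoder().encodeToString(remoteSig));
    }
}
```

RSASSA-PKCS1-v1_5 is deterministic, so the two byte arrays are identical whenever the client wrapped and signed correctly; that equality is the test to run once against a local key before trusting the remote path. The verify step on the server is the control worth keeping in production: a digest altered in transit, or a client that applies SHA1withRSA to an already hashed value, fails there rather than at a relying party.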

Re: Remote private key

Posted by "Legido Martínez, Isidoro" <is...@gmail.com>.
Hi:

I'm still having problems. After building the Signature element (everything
but the SignatureValue element) I execute:

  [Server side]
  // sig uses http://www.w3.org/2000/09/xmldsig#rsa-sha1 as signature method
  XMLSignature sig = ....;
  sig.getSignedInfo().generateDigestValues();
  byte[] data2Sign = sig.getSignedInfo().getCanonicalizedOctetStream();

then, the Server sends 'data2Sign' to the Client (encoded) and the client
executes

  [Client side]
  PrivateKey pKey = ....;
  Signature signature = Signature.getInstance("SHA1withRSA");
  signature.initSign(pKey);
  // data2Sign is the decoded data received from the Server
  signature.update(data2Sign);
  byte[] dataSigned = signature.sign();

then, the Client sends back to the Server 'dataSigned' (encoded) and the
server adds it to the SignatureValue element (decoded).

But the signature built this way is not valid :-( If I execute
XMLSignature.sign() directly, the signature I get is different. What am I
doing wrong?

As you can see, the server sends directly the C14N data, not the digested
one. I have also tried digesting it before with the same result. In fact, I
am doing the same as XMLSignature.sign() does, so I can't see where
the problem is.

Does anybody have an idea?

Thanks a lot

Isi

RE: Remote private key

Posted by "Lopez Cantero, Sergio" <SL...@sadiel.es>.
As far as I know, yes, you have to digest them "by hand"

I hope to have helped you.

Sergio

Re: Remote private key

Posted by "Legido Martínez, Isidoro" <is...@gmail.com>.
Thanks

So, how can I get the digested value? Do I have to digest them "by hand"?

Thanks

Isi

RE: Remote private key

Posted by "Lopez Cantero, Sergio" <SL...@sadiel.es>.
Hi Isidoro, 

getCanonicalizedOctetStream returns the bytes you have to digest, not the digested data, so that's the difference.

Concerning the way to put back the signature, you can get the signature element and search through the DOM for the SignatureValue Element to fill its contents.

I'm doing something like that ;)

Sergio
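
Sergio's suggestion to find the SignatureValue element through the DOM and fill it, as an added example (editor-supplied, not Sergio's code and not part of Santuario). It assumes the server already holds the built ds:Signature element, which in Santuario would come from XMLSignature.getElement(); here a constructed skeleton is parsed instead, and the signature bytes are a constructed stand-in for what the client returns.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example: write a client-supplied signature into ds:SignatureValue by namespace.
public class FillSignatureValue {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Fills the single ds:SignatureValue below the given ds:Signature; refuses anything ambiguous. */
    static Element fillSignatureValue(Element signature, byte[] rawSignature) {
        NodeList values = signature.getElementsByTagNameNS(DSIG_NS, "SignatureValue");
        if (values.getLength() != 1) {
            throw new IllegalStateException(
                "expected exactly one ds:SignatureValue, found " + values.getLength());
        }
        Element sv = (Element) values.item(0);
        sv.setTextContent(Base64.getEncoder().encodeToString(rawSignature));
        return sv;
    }

    /** Namespace-aware, DTD-free parser: without setNamespaceAware the lookup above finds nothing. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed skeleton: what the server holds before the client answers.
        String xml = "<doc><ds:Signature xmlns:ds=\"" + DSIG_NS + "\">"
                + "<ds:SignedInfo>constructed placeholder</ds:SignedInfo>"
                + "<ds:SignatureValue/>"
                + "</ds:Signature></doc>";
        Document doc = parse(xml);
        Element sig = (Element) doc.getElementsByTagNameNS(DSIG_NS, "Signature").item(0);

        byte[] returned = {0x01, 0x02, 0x03};   // constructed stand-in for the client's reply
        fillSignatureValue(sig, returned);
        System.out.println(serialize(doc));
    }
}
```

Looking the element up by namespace rather than by the bare name "SignatureValue" keeps the write from landing on an element in another namespace, and insisting on exactly one match guards against a document that carries more than one Signature. The value is written only after the server has verified it against the canonical SignedInfo with the signer's public key.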