Posted to dev@santuario.apache.org by Hugo Trippaers <tr...@gmail.com> on 2016/10/12 20:55:57 UTC

Question on specific document requirements

Hey folks,

Hope this is the right place to ask this, but I'm working on an interface to a system with some specific requirements I haven't figured out yet. I've got some of them covered so far (they use KeyName as key identifier, for example), but I have a few remaining things I need to solve and I would like to know if those are possible to configure with the current version of the santuario library.

First of all their implementation expects the signature element to be the last element in the resulting xml document. See the example below, can this be done with a configuration?

<xml..>
<root>
  <payload>….</payload>
  <Signature>…</Signature>
</root>

Second they don’t accept Ids in the root and signature element and expect the Reference URI to be an empty string.

And they also seem to take offence at the '<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />' transform being present.

Below is the complete signature as generated by my current configuration.

I'm using the library indirectly from the CXF XmlSecOutInterceptor with the following configuration:

final SignatureProperties properties = new SignatureProperties();

/* 1. The entire XML message must be signed.
 * 2. For the purpose of generating the digest of the main message, the inclusive canonicalization algorithm must be used.
 * 3. For the purpose of generating the signature value, the exclusive canonicalization algorithm must be used.
 */
properties.setSignatureC14nMethod(XMLSecurityConstants.NS_C14N_EXCL);

/* 4. The syntax for an enveloped signature must be used.
 * 5. For hashing purposes the SHA256 algorithm must be used.
 */
properties.setSignatureDigestAlgo(XMLSecurityConstants.NS_XENC_SHA256);

/* 6. For signature purposes the RSAWithSHA256 algorithm must be used. RSA keys must be 2,048 bits long.
 */
properties.setSignatureAlgo(XMLSecurityConstants.NS_XMLDSIG_RSASHA256);

/* 7. The public key must be referenced using a fingerprint of an X.509 certificate. The fingerprint must be
 * calculated according to the following formula HEX(SHA-1(DER certificate)).
 */
properties.setSignatureKeyIdType("KeyName");


Looking for some pointers to get this done; if it can be done with configuration, that would be great. If this needs some modifications in the code, I would be happy with some pointers in the right direction.

Thanks!

Hugo




  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="G1345d174-e9d2-4a6f-b573-8b750773b2ee">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <dsig:Reference URI="#G0f49a5bd-86ed-4e12-8146-57f584a5f6c1">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <dsig:DigestValue>AtXiXRQ7sLparlwtp9PwFcUmdzR8XsJenVNxy3Ulue4=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>I+qG/S2HV+1c9a6quuH15cooZHslLG+GlyWgvnzn83DYGh6tgG4c2sKgUMy3OuES3raw8dczf02Q
THvwztwoMl7136Ca2M9/Qyc/BRhW7fVoMqMzkppHcTtFFB/V7Q3D9k8VquqdPuGwFb+rPSgQfdxe
owB00/OGt5eXcMcpLERvbK6t9iRbg6ykLBGgc0VLQSYbxcA4FgBe1RTOFbuUadq9Nz4qVxXmZyTY
rH/kdmOIvsL1yrCmhQ2EqVw8XalNVBoamu2T3WCxPWDSvZrvJ0Hf7bp0K6hd/aF7vRwaYzklDA0Z
F1XAUMctYXnBNFc5yjeyrCEGiEmkLYsafcP3AQ==
</dsig:SignatureValue>
    <dsig:KeyInfo Id="Gf05095c8-a7ea-47bb-8d68-80f5481ea9e3">
      <dsig:KeyName>B1E1820D3DC7D8E57F80AF11B968749380A5D1EB</dsig:KeyName>
    </dsig:KeyInfo>
  </dsig:Signature>


Re: Question on specific document requirements

Posted by Colm O hEigeartaigh <co...@apache.org>.
Bear in mind that the streaming XML Signature implementation is far less
flexible than the DOM implementation. So perhaps you want to use the DOM
implementation instead if the consumer is "picky" about positioning and
attributes.


> First of all their implementation expects the signature element to be the
> last element in the resulting xml document. See the example below, can this
> be done with a configuration?
>


Yes. The XMLSecurityProperties Object has a setSignaturePosition(int)
method which controls where the Signature is output for the streaming code.
By default it will be in the first position (0).


>
> <xml..>
> <root>
>   <payload>….</payload>
>   <Signature>…</Signature>
> </root>
>
> Second they don’t accept Ids in the root and signature element and expect
> the Reference URI to be an empty string.
>

IDs are generated by default. I guess we could add a switch to avoid adding
an Id to the Signature Element in XMLSecurityProperties. I think for the
enveloped case as well we could just use "" and avoid adding an Id to the
enveloping Element.


>
> And they also seem to take offence at the '<dsig:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#" />’ transform being present.
>


You can control the transforms using the SecureParts Object. See the
following test (testEnvelopedSignatureCreation):

https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureCreationTest.java

Colm.




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
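The streaming configuration Colm describes, put together as an added example (this is not code from the thread or from the santuario project; it assumes the Santuario 2.0.x stax API, a document whose root element is <root> with a single <payload> child, and a PKCS12 keystore passed on the command line). It sets the signature position, hands SecurePart the exact transform list so that only the enveloped-signature transform is emitted, and uses KeyName with the HEX(SHA-1(DER certificate)) fingerprint. The interpretation of setSignaturePosition as counting the root's child elements is an assumption; it is not spelled out in the reply. The generated Id attribute and the "#Id" Reference URI are left as they are, since, as the reply says, there is no switch for that yet.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamWriter;

import org.apache.xml.security.stax.ext.OutboundXMLSec;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSec;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;

/** Hypothetical class name; Santuario stax (streaming) enveloped signature. */
public class StreamingEnvelopedSignature {

    /** HEX(SHA-1(DER certificate)), the KeyName value the consumer expects. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    static String sign(PrivateKey key, X509Certificate cert) throws Exception {
        XMLSecurityProperties properties = new XMLSecurityProperties();
        List<XMLSecurityConstants.Action> actions = new ArrayList<>();
        actions.add(XMLSecurityConstants.SIGNATURE);
        properties.setActions(actions);

        properties.setSignatureKey(key);
        properties.setSignatureCerts(new X509Certificate[] { cert });
        properties.setSignatureAlgorithm(XMLSecurityConstants.NS_XMLDSIG_RSASHA256);
        properties.setSignatureDigestAlgorithm(XMLSecurityConstants.NS_XENC_SHA256);
        properties.setSignatureCanonicalizationAlgorithm(XMLSecurityConstants.NS_C14N_EXCL);

        // Reference the key by KeyName carrying the certificate fingerprint.
        properties.setSignatureKeyIdentifier(SecurityTokenConstants.KeyIdentifier_KeyName);
        properties.setSignatureKeyName(fingerprint(cert));

        // 0 (the default) emits <Signature> first. Assumption: the position counts
        // the root's child elements, so 1 places it after <payload>, i.e. last.
        properties.setSignaturePosition(1);

        // The transform array is emitted as given: enveloped-signature only, so no
        // exc-c14n <Transform> appears and the node set is digested with inclusive
        // Canonical XML, the XMLDSig default for node-set input.
        SecurePart part = new SecurePart(
            new QName("root"),
            SecurePart.Modifier.Element,
            new String[] { "http://www.w3.org/2000/09/xmldsig#enveloped-signature" },
            XMLSecurityConstants.NS_XENC_SHA256);
        properties.addSignaturePart(part);

        // Drive the outbound writer directly; it inserts <Signature> while streaming.
        OutboundXMLSec outbound = XMLSec.getOutboundXMLSec(properties);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLStreamWriter w = outbound.processOutMessage(out, "UTF-8");
        w.writeStartDocument("UTF-8", "1.0");
        w.writeStartElement("root");
        w.writeStartElement("payload");
        w.writeCharacters("constructed sample payload"); // constructed input
        w.writeEndElement();
        w.writeEndElement();
        w.writeEndDocument();
        w.close();
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Usage: java StreamingEnvelopedSignature keystore.p12 password alias
    // (the keystore, password and alias are assumed inputs)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        PrivateKey key = (PrivateKey) ks.getKey(args[2], args[1].toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        System.out.println(sign(key, cert));
    }
}
```

Run it once against a throwaway PKCS12 and diff the output against the consumer's expectations before wiring it into CXF: the position and the missing exc-c14n transform can be checked by eye, but the digest can only be confirmed by having the consumer (or a DOM validator with the same certificate) verify the document.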
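Colm's first suggestion is the DOM implementation for a picky consumer. As an added example (not code from the thread or from the santuario project), this is the same signature built with the javax.xml.crypto.dsig (JSR 105) API, which Santuario's DOM provider implements; getInstance("DOM") picks whichever JSR 105 provider is registered. It produces all three things the consumer asks for: Reference URI="" with only the enveloped-signature transform (so no Id on <root> and no exc-c14n transform, and the node set is digested with inclusive Canonical XML, the XMLDSig default), no Id on <Signature>, and <Signature> appended as the last child of <root>. The class name, the <root>/<payload> sample document and the PKCS12 command-line arguments are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Node;

/** Hypothetical class name; DOM (JSR 105) enveloped signature. */
public class DomEnvelopedSignature {

    // Constructed sample document; the consumer's real payload goes here.
    private static final String SAMPLE = "<root><payload>constructed sample</payload></root>";
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** HEX(SHA-1(DER certificate)), the KeyName value the consumer expects. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    static Document sign(String xml, PrivateKey key, X509Certificate cert) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // URI="" signs the whole document; the enveloped transform removes the
        // Signature itself. No explicit c14n transform, so no exc-c14n element.
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);

        // SignedInfo is canonicalized with exclusive c14n for the SignatureValue.
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));

        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyName(fingerprint(cert))));

        // No id argument, so no Id attribute on <Signature>.
        XMLSignature sig = fac.newXMLSignature(si, ki);

        // Signing with <root> as the parent appends <Signature> as its last child.
        DOMSignContext ctx = new DOMSignContext(key, doc.getDocumentElement());
        ctx.setDefaultNamespacePrefix("dsig");
        sig.sign(ctx);
        return doc;
    }

    /** Check before shipping: the signed document must verify with the signing cert. */
    static boolean verify(Document doc, X509Certificate cert) throws Exception {
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext vctx = new DOMValidateContext(cert.getPublicKey(), sigNode);
        return fac.unmarshalXMLSignature(vctx).validate(vctx);
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // Usage: java DomEnvelopedSignature keystore.p12 password alias (assumed inputs)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        PrivateKey key = (PrivateKey) ks.getKey(args[2], args[1].toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        Document signed = sign(SAMPLE, key, cert);
        System.out.println(serialize(signed));
        System.out.println("verifies: " + verify(signed, cert));
    }
}
```

One caveat on the KeyName scheme: the SHA-1 fingerprint is only a lookup key. The verifying side must resolve it against its own trust store and validate that certificate; a signature whose KeyName points at a certificate the verifier does not already trust must be rejected, not fetched.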