santuario-dev mailing list archives

From Nicholas G Harlow <nhar...@us.ibm.com>
Subject RE: Enveloped signature on a non-root document element
Date Tue, 19 Jul 2005 19:53:47 GMT
Hi there,



Here is the code I'm using to generate the signature (the variable docRoot 
is actually the element I want to have signed):

// Imports for the Apache xml-security (Santuario 1.x) classes used below.
// NamespaceConstants, DigitalSignatureException and XMLUtil.getString are
// local helper classes, not part of the Apache library.
import java.io.OutputStream;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IdResolver;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public synchronized void createEnvelopedSignature(OutputStream out, Document doc,
        Node docRoot, PrivateKey signingKey, PublicKey publicKey,
        Certificate cert, String baseURI) throws DigitalSignatureException {
    try {
        // Adapted from Apache sample code -- CreateSignature.java
        Constants.setSignatureSpecNSprefix(NamespaceConstants.NSPREFIX_SCHEMA_DS);
        XMLSignature sig = new XMLSignature(doc, baseURI, XMLSignature.ALGO_ID_SIGNATURE_DSA);
        // Enveloped signature: the ds:Signature element is placed inside the element being signed
        docRoot.appendChild(sig.getElement());
        System.out.println("Document:\n" + XMLUtil.getString(doc, true));
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);

        if (baseURI != null) {
            // baseURI doubles as the Id of the element to sign; register it so "#baseURI" resolves
            final Node finalRoot = docRoot;
            IdResolver.registerElementById((Element) docRoot, baseURI);
            sig.addResourceResolver(new ResourceResolverSpi() {
                public XMLSignatureInput engineResolve(Attr attr, String baseURI) {
                    System.out.println("Returning RST Root:\n\n" + XMLUtil.getString(finalRoot, true));
                    return new XMLSignatureInput(finalRoot);
                }
                public boolean engineCanResolve(Attr attr, String baseURI) {
                    return true;
                }
            });
        } else {
            baseURI = "";
        }
        sig.addDocument("#" + baseURI, transforms, Constants.ALGO_ID_DIGEST_SHA1);

        sig.addKeyInfo((X509Certificate) cert);
        sig.addKeyInfo(cert.getPublicKey());
        sig.sign(signingKey);

        if (out != null) {
            XMLUtils.outputDOM(doc, out);
        }
    } catch (Exception e) {
        throw new DigitalSignatureException(e);
    }
}

Here is the entire input document (after I have added the signature 
element, but before I have called the sign method):

<soapenv:Envelope 
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soapenv:Header/>
   <soapenv:Body>
      <wst:RequestSecurityToken 
wsu:Id="RST-uuid30a49fde-0105-fd36-ae1d-ef26bf445416" 
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsp:AppliesTo 
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <wsa:EndpointReference>
               <wsa:Address>
                  some-appliesto
               </wsa:Address>
            </wsa:EndpointReference>
         </wsp:AppliesTo>
         <wst:Issuer 
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <wsa:Address>
                        some-issuer
            </wsa:Address>
         </wst:Issuer>
         <wst:Base>
            <wss:UsernameToken 
xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <wss:Username>
                  foobar
               </wss:Username>
               <wss:Password>
                  ******
               </wss:Password>
               <wsu:Created 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                  2005-07-19T19:49:17Z
               </wsu:Created>
            </wss:UsernameToken>
         </wst:Base>
         <wst:RequestType>
            http://schemas.xmlsoap.org/ws/2005/02/security/trust/Validate
         </wst:RequestType>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
               <ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            </ds:SignedInfo>
            <ds:SignatureValue 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
         </ds:Signature>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>




"Seetharama Rao Durbha (sdurbha)" <sdurbha@cisco.com>
07/19/2005 11:52 AM
Please respond to security-dev

        To:      <security-dev@xml.apache.org>
        cc:
        Subject: RE: Enveloped signature on a non-root document element


I presume that wst:RequestSecurityToken is not your root, though in the 
sample you pasted, it is the root element.
 
Can you share the piece of code you have for this and the input xml?
 

From: Nicholas G Harlow [mailto:nharlow@us.ibm.com] 
Sent: Tuesday, July 19, 2005 11:38 AM
To: security-dev@xml.apache.org
Subject: Enveloped signature on a non-root document element
 

Hello, 

I am trying to add an enveloped signature to a particular element of a 
document. The element is not the root element of the document. The 
problem is that the signature element generated has no digest value. I 
have tried using element id attributes to make this work, but clearly I am 
missing some key step. Can anyone tell me what actual classes/calls I need 
to use/make in order for me to succeed in what I am trying to do? I will 
be grateful for any insights. Thanks. 

Nick 


I have pasted the xml below with the result I am getting: 

<wst:RequestSecurityToken wsu:Id="RST-uuid30512502-0105-f0b5-0b04-86339ffce1f5" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsa:EndpointReference>
         <wsa:Address>
            some-appliesto
         </wsa:Address>
      </wsa:EndpointReference>
   </wsp:AppliesTo>
   <wst:Issuer xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsa:Address>
         some-issuer
      </wsa:Address>
   </wst:Issuer>
   <wst:Base>
      <wss:UsernameToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wss:Username>
            foobar
         </wss:Username>
         <wss:Password>
            ********
         </wss:Password>
         <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            2005-07-19T18:18:06Z
         </wsu:Created>
      </wss:UsernameToken>
   </wst:Base>
   <wst:RequestType>
      http://schemas.xmlsoap.org/ws/2005/02/security/trust/Validate
   </wst:RequestType>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
         <ds:Reference URI="#RST-uuid30512502-0105-f0b5-0b04-86339ffce1f5" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIIC9jCCArQCBDruqiowCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAkRFMR0wGwYDVQQKExRVbml2
ZXJzaXR5IG9mIFNpZWdlbjEQMA4GA1UECxMHRkIxMk5VRTEhMB8GA1UEAxMYQ2hyaXN0aWFuIEdl
dWVyLVBvbGxtYW5uMB4XDTAxMDUwMTEyMjA1OFoXDTA2MTAyMjEyMjA1OFowYTELMAkGA1UEBhMC
REUxHTAbBgNVBAoTFFVuaXZlcnNpdHkgb2YgU2llZ2VuMRAwDgYDVQQLEwdGQjEyTlVFMSEwHwYD
VQQDExhDaHJpc3RpYW4gR2V1ZXItUG9sbG1hbm4wggG3MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9T
gR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv
8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HX
Ku/yIgMZndFIAccCFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSv
u/o66oL5V0wLPQeCZ1FZV4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64e
K7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBhAAC
gYASWfn+G1k/nWntj9jX7Nk5JKaiLZ9BLR16eJJxqff33THLfdGs98Xmh2oRWZVh9PMV8oTP3hpR
cRipjZUZVEIqsBlOGTVLCg4H5TJ81JWOiprh+mkhClNqUr8l5Hu7FBSvQB6inryeva7j0aKNiIvK
8vfHTiUZpnyNRhkveBlM0jALBgcqhkjOOAQDBQADLwAwLAIUPDd/UmB9GeHqvGjny30Bvjt0AkUC
FA9ab72kKuB5geYGeckbBrcgPnZk
            </ds:X509Certificate>
         </ds:X509Data>
         <ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:DSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:P xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuA
HTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu
K2HXKu/yIgMZndFIAcc=
               </ds:P>
               <ds:Q xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  l2BQjxUjC8yykrmCouuEC/BYHPU=
               </ds:Q>
               <ds:G xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3
zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL
Zl6Ae1UlZAFMO/7PSSo=
               </ds:G>
               <ds:Y xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Eln5/htZP51p7Y/Y1+zZOSSmoi2fQS0deniScan3990xy33RrPfF5odqEVmVYfTzFfKEz94aUXEY
qY2VGVRCKrAZThk1SwoOB+UyfNSVjoqa4fppIQpTalK/JeR7uxQUr0Aeop68nr2u49GijYiLyvL3
x04lGaZ8jUYZL3gZTNI=
               </ds:Y>
            </ds:DSAKeyValue>
         </ds:KeyValue>
      </ds:KeyInfo>
   </ds:Signature>
</wst:RequestSecurityToken>
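An added, stand-alone example of the procedure discussed in this thread (not code from the thread, from the posters, or from Apache Santuario's own samples): mark wsu:Id as an ID attribute on the non-root element, add the enveloped and exclusive-c14n transforms, add the Reference before calling sign(), and on the verifier side pin the Reference to the element that is actually consumed. It assumes the Apache Santuario 2.x API (setIdAttributeNS in place of the older IdResolver registration) and Java 8 or later; the SOAP envelope, the element Id RST-example-id and the key pair are constructed here, and RSA-SHA256 with SHA-256 digests stands in for the DSA-SHA1/SHA-1 used in the thread.

```java
// Added example, not from the thread. Assumes Apache Santuario 2.x on the classpath.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignNonRootElement {
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust";

    // Constructed input: the RST sits under soapenv:Body, so it is not the document root.
    static final String INPUT =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><wst:RequestSecurityToken wsu:Id=\"RST-example-id\""
      + " xmlns:wst=\"" + WST_NS + "\" xmlns:wsu=\"" + WSU_NS + "\">"
      + "<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/security/trust/Validate"
      + "</wst:RequestType></wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                 // xmldsig processing requires namespaces
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Locate the element to sign and declare wsu:Id as its ID attribute, so the
    // Reference URI "#<id>" resolves through the DOM without a custom ResourceResolver.
    static Element markTarget(Document doc) {
        Element rst = (Element) doc.getElementsByTagNameNS(WST_NS, "RequestSecurityToken").item(0);
        if (rst == null) {
            throw new IllegalArgumentException("no wst:RequestSecurityToken in document");
        }
        rst.setIdAttributeNS(WSU_NS, "Id", true);
        return rst;
    }

    static byte[] sign(byte[] xml, KeyPair kp) throws Exception {
        Document doc = parse(xml);
        Element rst = markTarget(doc);
        String id = rst.getAttributeNS(WSU_NS, "Id");

        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,
                                            Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        rst.appendChild(sig.getElement());           // enveloped: ds:Signature lives inside the RST

        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE); // exclude ds:Signature itself
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        // The Reference must exist before sign(); sign() fills in DigestValue and SignatureValue.
        sig.addDocument("#" + id, transforms, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOM(doc, out);
        return out.toByteArray();
    }

    // Verifier side: re-parse, pin the element we intend to trust, and accept the signature
    // only if its single Reference points at exactly that element.
    static boolean verify(byte[] signedXml, PublicKey pub) throws Exception {
        Document doc = parse(signedXml);
        Element rst = markTarget(doc);
        Element sigEl = (Element) rst.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        if (sigEl == null) {
            return false;
        }
        XMLSignature sig = new XMLSignature(sigEl, "");
        if (sig.getSignedInfo().getLength() != 1) {
            return false;
        }
        String expectedUri = "#" + rst.getAttributeNS(WSU_NS, "Id");
        if (!expectedUri.equals(sig.getSignedInfo().item(0).getURI())) {
            return false;
        }
        return sig.checkSignatureValue(pub);
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();          // constructed key pair for the demo
        byte[] signed = sign(INPUT.getBytes(StandardCharsets.UTF_8), kp);
        System.out.println(new String(signed, StandardCharsets.UTF_8));
        System.out.println("verified: " + verify(signed, kp.getPublic()));
    }
}
```

Two points this shows that the thread's listing does not: Santuario leaves ds:DigestValue and ds:SignatureValue empty until sign() runs, so any document serialized before that call (as both pasted documents were) will show them empty regardless of ID resolution; and a verifier should not trust whatever "#id" happens to resolve to, but should check that the Reference URI matches the Id of the element it is about to act on, since a document may carry more than one element with an Id attribute.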
