santuario-dev mailing list archives

From Markus Werner <>
Subject Re: dumping the canonical form of a Reference to a log or stdout
Date Sat, 02 Sep 2006 07:28:48 GMT
Hi Sean,

The server processes exactly the same message, since it is sent by the
client to the server. Here is the abbreviated message I send to the server:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="">
<xmks:RegisterRequest xmlns:xmks=""
xmlns:ds="" [snip]>
<xmks:PrototypeKeyBinding Id="_foobar">
Algorithm="" />
Algorithm="" />
<ds:Reference URI="#_foobar">
<ds:Transform Algorithm="" />
<ds:DigestMethod Algorithm="" />

The server calculates the following digest input:

<xmks:PrototypeKeyBinding xmlns:xmks=""

while the client calculates the following digest input:

<xmks:PrototypeKeyBinding Id="_foobar">[snip]</xmks:PrototypeKeyBinding>

The server-side uses another implementation of XML Signature that I
don't know. The only thing I know is that it is not Apache XML Security.


Sean Mullan wrote:
> I don't have enough information, but it sounds like when canonicalizing
> on the client, it doesn't find the namespace definition for foo. Is it
> defined by an ancestor of the bar element on the server but not on the
> client?
> --Sean
> Markus Werner wrote:
>> Hi Sean,
>> thank you for your reply. The following lines of code provide the
>> expected result:
>> SignedInfo signedInfo = sig.getSignedInfo();
>> for (int i = 0; i < signedInfo.getLength(); i++) {
>>    Reference reference = signedInfo.item(i);
>>    // System.out.println(reference.getContentsAfterTransformation());
>>    System.out.println(new String(reference.getReferencedBytes()));
>> }
>> The client-side output is something like the following:
>> <foo:bar Id="ref0815">rest is the same</foo:bar>
>> while the server-side output is as follows:
>> <foo:bar xmlns:foo="" Id="ref0815">
>>     rest is the same</foo:bar>
>> Both outputs seem to be correctly canonicalized, but the digest input on
>> the server-side includes some additional namespace-declaration in the
>> opening tag of <foo:bar>.
>> What can cause this?
>> Thank you in advance,
>> Markus.
>> Sean Mullan schrieb:
>>> I would try calling Reference.getContentsAfterTransformation (returns an
>>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
>>> each of which return the dereferenced and transformed contents before it
>>> is digested. I haven't really used those methods so I'm hoping someone
>>> on the list that is more familiar with them will send you some sample
>>> code.
>>> --Sean
>>> Markus Werner wrote:
>>>> Hi,
>>>> first of all, I'm relatively new to Apache XML Security, so please be
>>>> patient :-)
>>>> My job is to sign an element inside a DOM-Document with the help of a
>>>> secretKey. Let the element that should be signed be called <Foo> and
>>>> its Id be "id" in the code snippet beneath. The signature should be a
>>>> detached signature.
>>>> ---------------------------------------------------------------------
>>>> private static Document sign(
>>>>     Document doc, String id, SecretKey secretKey)
>>>> throws Exception
>>>> {
>>>>   XMLSignature sig = new XMLSignature(doc, baseURI,
>>>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
>>>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>>>   Node root = doc.getFirstChild();
>>>>   root.appendChild(sig.getElement());
>>>>   Transforms transforms = new Transforms(doc);
>>>>   transforms.addTransform(
>>>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>>>>   sig.addDocument("#" + id, transforms,
>>>>       Constants.ALGO_ID_DIGEST_SHA1);
>>>>   sig.sign(secretKey);
>>>>   return doc;
>>>> }
>>>> ---------------------------------------------------------------------
>>>> I'm working here on the client-side and the server responds that there
>>>> is something wrong with the digest value of the signed reference while
>>>> the SignedInfo is correctly digested.
>>>> To be sure what went wrong we have to compare the digest inputs (value
>>>> after canonicalization) on both sides. I already got the canonicalized
>>>> Element as String from the server-side and I should do the same with my
>>>> implementation.
>>>> When I use the following lines of code to save the document immediately
>>>> before signing it I get the whole document in a canonicalized form.
>>>>   FileOutputStream f = new FileOutputStream("test.xml");
>>>>   XMLUtils.outputDOMc14nWithComments(doc, f);
>>>> But I only need the canonicalized form of the referenced element <Foo>.
>>>> Is there some way to dump the canonical form of a Reference to a log or
>>>> stdout?
>>>> Best regards,
>>>> Markus.
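The two points raised in this thread, dumping the canonical form of just the referenced subtree and seeing where the namespace declaration in the opening tag comes from, can be reproduced outside a full signature. The following is an added example, not code from the thread or from Apache XML Security itself; it assumes the Santuario 1.x/2.x Canonicalizer API (byte[] canonicalizeSubtree(Node)) that the thread's code is written against, and the document and namespace URIs are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class C14nSubtreeDump {

    // Constructed sample: xmlns:foo is declared on the ancestor <root>,
    // not on the referenced <foo:bar> element itself.
    private static final String XML =
        "<root xmlns:foo=\"urn:example:foo\" xmlns:unused=\"urn:example:unused\">"
      + "<foo:bar Id=\"ref0815\">rest is the same</foo:bar></root>";

    public static void main(String[] args) throws Exception {
        Init.init(); // registers the canonicalization algorithms

        // JAXP factories are NOT namespace-aware by default. Without this
        // flag xmlns:foo is just an ordinary attribute of <root>, so the
        // canonicalizer has no namespace declaration to carry onto <foo:bar>,
        // which is the client/server mismatch discussed in the thread.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));

        Element bar = (Element) doc.getDocumentElement().getFirstChild();

        // Inclusive C14N emits every in-scope declaration (foo and unused);
        // exclusive C14N emits only the visibly utilized prefix (foo).
        System.out.println("inclusive: "
            + canonicalize(bar, Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS));
        System.out.println("exclusive: "
            + canonicalize(bar, Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS));
    }

    // Dumps the canonical form of a single subtree, i.e. the digest input a
    // same-document Reference with that transform would be computed over.
    static String canonicalize(Element e, String algorithm) throws Exception {
        Canonicalizer c14n = Canonicalizer.getInstance(algorithm);
        return new String(c14n.canonicalizeSubtree(e), StandardCharsets.UTF_8);
    }
}
```

With a namespace-aware DOM both outputs start with <foo:bar xmlns:foo="urn:example:foo" ... Id="ref0815">, matching the server-side form quoted above; a digest input that lacks the xmlns:foo declaration points at the DOM on that side not having the namespace in scope.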
