santuario-dev mailing list archives

From Markus Werner <markus.wern...@gmx.at>
Subject Re: dumping the canonical form of a Reference to a log or stdout
Date Sat, 02 Sep 2006 07:28:48 GMT
Hi Sean,

The server processes exactly the same message, since it is sent by the
client to the server. Here is the abbreviated message I send to the server:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Body>
<xmks:RegisterRequest xmlns:xmks="http://www.w3.org/2002/03/xkms#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" [snip]>
[snip]
<xmks:PrototypeKeyBinding Id="_foobar">
[snip]
</xmks:PrototypeKeyBinding>
<xmks:Authentication>
<xmks:KeyBindingAuthentication>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<ds:Reference URI="#_foobar">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>FQcqlzTyFLwFBdJb5tgN1Vd3H+g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>VchVOu8J+qwBuRTVjxECrV5xH+I=</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>XKMSInteropClient</ds:KeyName>
</ds:KeyInfo>
</ds:Signature>
</xmks:KeyBindingAuthentication>
</xmks:Authentication>
</xmks:RegisterRequest>
</soap:Body>
</soap:Envelope>

The server calculates the following digest input:

<xmks:PrototypeKeyBinding xmlns:xmks="http://www.w3.org/2002/03/xkms#"
Id="_foobar">[snip]</xmks:PrototypeKeyBinding>

while the client calculates the following digest input:

<xmks:PrototypeKeyBinding Id="_foobar">[snip]</xmks:PrototypeKeyBinding>

The server side uses another implementation of XML Signature that I
don't know. The only thing I know is that it is not Apache XML Security.

TIA,
Markus.


Sean Mullan wrote:
> I don't have enough information, but it sounds like when canonicalizing
> on the client, it doesn't find the namespace definition for foo. Is it
> defined by an ancestor of the bar element on the server but not on the
> client?
> 
> --Sean
> 
> Markus Werner wrote:
>> Hi Sean,
>>
>> thank you for your reply. The following lines of code provide the
>> expected result:
>>
>> SignedInfo signedInfo = sig.getSignedInfo();
>> for (int i = 0; i < signedInfo.getLength(); i++) {
>>    Reference reference = signedInfo.item(i);
>>    // System.out.println(reference.getContentsAfterTransformation());
>>    System.out.println(new String(reference.getReferencedBytes()));
>> }
>>
>> The client-side output is something like the following:
>>
>> <foo:bar Id="ref0815">rest is the same</foo:bar>
>>
>> while the server-side output is as follows:
>>
>> <foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
>>     rest is the same</foo:bar>
>>
>> Both outputs seem to be correctly canonicalized, but the digest input on
>> the server side includes some additional namespace declaration in the
>> opening tag of <foo:bar>.
>>
>> What can cause this?
>>
>> Thank you in advance,
>> Markus.
>>
>>
>> Sean Mullan schrieb:
>>> I would try calling Reference.getContentsAfterTransformation (returns an
>>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
>>> each of which return the dereferenced and transformed contents before it
>>> is digested. I haven't really used those methods so I'm hoping someone
>>> on the list that is more familiar with them will send you some sample
>>> code.
>>>
>>> --Sean
>>>
>>> Markus Werner wrote:
>>>> Hi,
>>>>
>>>> first of all, I'm relatively new to Apache XML Security, so please be
>>>> patient :-)
>>>>
>>>> My job is to sign an element inside a DOM Document with the help of a
>>>> secretKey. Let the element that should be signed be called <Foo> and
>>>> its Id be "id" in the code snippet beneath. The signature should be a
>>>> detached signature.
>>>>
>>>> ---------------------------------------------------------------------
>>>> private static Document sign(
>>>>     Document doc, String id, SecretKey secretKey)
>>>> throws Exception
>>>> {
>>>>   XMLSignature sig = new XMLSignature(doc, baseURI,
>>>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
>>>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>>>
>>>>   Node root = doc.getFirstChild();
>>>>   root.appendChild(sig.getElement());
>>>>
>>>>   Transforms transforms = new Transforms(doc);
>>>>   transforms.addTransform(
>>>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>>>>
>>>>   sig.addDocument("#" + id, transforms,
>>>>       Constants.ALGO_ID_DIGEST_SHA1);
>>>>   sig.sign(secretKey);
>>>>
>>>>   return doc;
>>>> }
>>>> ---------------------------------------------------------------------
>>>>
>>>> I'm working here on the client side and the server responds that there
>>>> is something wrong with the digest value of the signed reference while
>>>> the SignedInfo is correctly digested.
>>>>
>>>> To be sure what went wrong, we have to compare the digest inputs (value
>>>> after canonicalization) on both sides. I already got the canonicalized
>>>> Element as a String from the server side and I should do the same with my
>>>> implementation.
>>>>
>>>> When I use the following lines of code to save the document immediately
>>>> before signing it, I get the whole document in a canonicalized form.
>>>>
>>>>   FileOutputStream f = new FileOutputStream("test.xml");
>>>>   XMLUtils.outputDOMc14nWithComments(doc, f);
>>>>
>>>> But I only need the canonicalized form of the referenced element <Foo>.
>>>> Is there some way to dump the canonical form of a Reference to a log or
>>>> stdout?
>>>>
>>>> Best regards,
>>>> Markus.
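The namespace difference discussed in this thread follows from the Exclusive XML Canonicalization rule: a namespace declaration is rendered on an element when that element visibly uses the prefix (in its own name or an attribute name) and no ancestor inside the canonicalized node set has already rendered it. For a detached Reference to <xmks:PrototypeKeyBinding> whose xmlns:xmks is declared on an ancestor outside the signed subtree, the apex element must therefore re-declare xmlns:xmks, which is what the server-side digest input shows. The helper below is an added example written for this page, not code from Markus or from the Santuario project; it uses the Apache XML Security 1.x API named in the thread (XMLSignature, SignedInfo, Reference.getContentsAfterTransformation, Canonicalizer). The class name DigestInputDump and the constructed sample document with namespace urn:example:p are assumptions. It dumps the exact digest input of every Reference of a parsed signature, recomputes SHA-1 over it and compares with the DigestValue in the document, and separately shows what exclusive C14N of a lone subtree element produces.

```java
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.Constants;

/** Added example (hypothetical class name): inspect digest inputs of an XMLSignature. */
public class DigestInputDump {

    static {
        // The library must be initialised before any algorithm lookup.
        Init.init();
    }

    /**
     * Print the bytes each Reference actually digests and check them against
     * the DigestValue carried in the document. If the recomputed value matches
     * the DigestValue but the server still rejects the reference, the two
     * sides are canonicalizing the subtree differently.
     */
    static void dumpReferences(XMLSignature sig) throws Exception {
        SignedInfo signedInfo = sig.getSignedInfo();
        for (int i = 0; i < signedInfo.getLength(); i++) {
            Reference ref = signedInfo.item(i);
            XMLSignatureInput input = ref.getContentsAfterTransformation();
            byte[] digestInput = input.getBytes();   // dereferenced + transformed octets
            System.out.println("Reference " + ref.getURI() + " digest input:");
            System.out.println(new String(digestInput, "UTF-8"));

            byte[] recomputed = MessageDigest.getInstance("SHA-1").digest(digestInput);
            boolean matches = Arrays.equals(recomputed, ref.getDigestValue());
            System.out.println("recomputed DigestValue "
                + Base64.getEncoder().encodeToString(recomputed)
                + (matches ? " matches" : " DOES NOT match")
                + " the DigestValue in the document");
        }
    }

    /** Exclusive C14N (no comments) of one element taken on its own. */
    static byte[] excC14nOf(Element e) throws Exception {
        Canonicalizer c14n =
            Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        return c14n.canonicalizeSubtree(e);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the prefix "p" is declared on the parent only,
        // mirroring xmlns:xmks being declared on RegisterRequest in the thread.
        String xml = "<p:Parent xmlns:p=\"urn:example:p\">"
            + "<p:Child Id=\"_foobar\">data</p:Child></p:Parent>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required, otherwise prefixes are not namespaces
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Element child = (Element) doc.getDocumentElement().getFirstChild();

        // Exclusive C14N of the child alone: the apex element visibly uses "p",
        // so the declaration xmlns:p="urn:example:p" is rendered on it, in front
        // of the Id attribute, even though it lives on the parent in the source.
        System.out.println(new String(excC14nOf(child), "UTF-8"));

        // For a document that already carries a ds:Signature, locate it and
        // dump the digest input of each Reference:
        org.w3c.dom.NodeList sigs =
            doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() > 0) {
            dumpReferences(new XMLSignature((Element) sigs.item(0), ""));
        }
    }
}
```

Run dumpReferences on the client right after sig.sign(secretKey) and on a copy of the message as the server receives it; if the client's dump lacks the xmlns:xmks declaration that the server's digest input shows, the client is printing something other than the canonical octets that were actually digested, since exclusive C14N of that subtree must carry the declaration on its apex element.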
