santuario-dev mailing list archives

From Hugo Trippaers <trip...@gmail.com>
Subject Question on specific document requirements
Date Wed, 12 Oct 2016 20:55:57 GMT
Hey folks,

Hope this is the right place to ask this, but I'm working on an interface to a system with
some specific requirements I haven't figured out yet. I've got some of them covered so
far (they use KeyName as key identifier, for example), but I have a few remaining things I
need to solve, and I would like to know if those are possible to configure with the current
version of the santuario library.

First of all, their implementation expects the signature element to be the last element in
the resulting xml document. See the example below; can this be done with a configuration?

<xml..>
<root>
  <payload>….</payload>
  <Signature>…</Signature>
</root>

Second they don’t accept Ids in the root and signature element and expect the Reference
URI to be an empty string.

And they also seem to take offence at the '<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />' transform being present.

Below is the complete signature as generated by my current configuration.

I'm using the library indirectly from the CXF XmlSecOutInterceptor with the following configuration:

// Imports for the classes used below (CXF rs-security-xml and the Santuario StAX constants).
import org.apache.cxf.rs.security.xml.SignatureProperties;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;

final SignatureProperties properties = new SignatureProperties();

/* 1. The entire XML message must be signed.
 * 2. For the purpose of generating the digest of the main message, the inclusive canonicalization
 *    algorithm must be used.
 * 3. For the purpose of generating the signature value, the exclusive canonicalization algorithm
 *    must be used.
 */
properties.setSignatureC14nMethod(XMLSecurityConstants.NS_C14N_EXCL);

/* 4. The syntax for an enveloped signature must be used.
 * 5. For hashing purposes the SHA256 algorithm must be used.
 */
properties.setSignatureDigestAlgo(XMLSecurityConstants.NS_XENC_SHA256);

/* 6. For signature purposes the RSAWithSHA256 algorithm must be used. RSA keys must be 2,048
 *    bits long.
 */
properties.setSignatureAlgo(XMLSecurityConstants.NS_XMLDSIG_RSASHA256);

/* 7. The public key must be referenced using a fingerprint of an X.509 certificate. The fingerprint
 *    must be calculated according to the following formula: HEX(SHA-1(DER certificate)).
 */
properties.setSignatureKeyIdType("KeyName");


Looking for some pointers to get this done; if it is configuration, that would be great. If
this needs some modifications in the code, I would be happy with some pointers in the right
direction.

Thanks!

Hugo




  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="G1345d174-e9d2-4a6f-b573-8b750773b2ee">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <dsig:Reference URI="#G0f49a5bd-86ed-4e12-8146-57f584a5f6c1">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <dsig:DigestValue>AtXiXRQ7sLparlwtp9PwFcUmdzR8XsJenVNxy3Ulue4=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>I+qG/S2HV+1c9a6quuH15cooZHslLG+GlyWgvnzn83DYGh6tgG4c2sKgUMy3OuES3raw8dczf02Q
THvwztwoMl7136Ca2M9/Qyc/BRhW7fVoMqMzkppHcTtFFB/V7Q3D9k8VquqdPuGwFb+rPSgQfdxe
owB00/OGt5eXcMcpLERvbK6t9iRbg6ykLBGgc0VLQSYbxcA4FgBe1RTOFbuUadq9Nz4qVxXmZyTY
rH/kdmOIvsL1yrCmhQ2EqVw8XalNVBoamu2T3WCxPWDSvZrvJ0Hf7bp0K6hd/aF7vRwaYzklDA0Z
F1XAUMctYXnBNFc5yjeyrCEGiEmkLYsafcP3AQ==
</dsig:SignatureValue>
    <dsig:KeyInfo Id="Gf05095c8-a7ea-47bb-8d68-80f5481ea9e3">
      <dsig:KeyName>B1E1820D3DC7D8E57F80AF11B968749380A5D1EB</dsig:KeyName>
    </dsig:KeyInfo>
  </dsig:Signature>
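For comparison with the CXF-generated signature above, here is an added example (not from the post, not CXF or Santuario project code) that produces a signature meeting the seven requirements directly through the JSR 105 API that Santuario implements: Reference URI="" with only the enveloped-signature transform (so the digest input is canonicalized with the default inclusive C14N), exclusive C14N for SignedInfo, rsa-sha256, sha256, no Id attributes, KeyName = HEX(SHA-1(DER)), and ds:Signature appended as the last child of the root. It assumes the caller already has a parsed Document, the RSA PrivateKey and its X509Certificate; the class and method names are hypothetical.

```java
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import org.w3c.dom.Document;

/** Hypothetical helper: enveloped signature shaped the way the receiving system demands. */
public final class StrictEnvelopedSigner {
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Requirement 7: KeyName value = HEX(SHA-1(DER certificate)), upper-case as in the sample. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    static void sign(Document doc, PrivateKey key, X509Certificate cert) throws Exception {
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        // Req. 1, 2, 4: URI="" selects the whole document; the only transform is enveloped-signature,
        // so no exc-c14n Transform appears and the digest input falls back to inclusive C14N.
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        // Req. 3, 5, 6: exclusive C14N over SignedInfo, SHA-256 digest, rsa-sha256 signature.
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = f.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyName(fingerprint(cert))));
        // The two-argument newXMLSignature adds no Id attributes; signing with the root element as
        // parent appends ds:Signature as its last child, after <payload>.
        DOMSignContext ctx = new DOMSignContext(key, doc.getDocumentElement());
        f.newXMLSignature(si, ki).sign(ctx);
    }
}
```

On the receiving side the same constraints should be enforced when validating: reject any Reference whose URI is not empty or whose transform list contains anything beyond enveloped-signature, so an attacker cannot redirect the digest to a fragment of their choosing.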

