Hi Markus,

The output from the server side is correct. On the client, what version of xmlsec are you using? Are you creating the org.w3c.dom.Document namespace aware?

Regards,
Raul

On 9/2/06, Markus Werner <[EMAIL PROTECTED]> wrote:
Hi Sean,

The server processes exactly the same message, since it is sent by the client to the server. Here is the abbreviated message I send to the server:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <xmks:RegisterRequest xmlns:xmks="http://www.w3.org/2002/03/xkms#"
                          xmlns:ds="http://www.w3.org/2000/09/xmldsig#" [snip]>
      [snip]
      <xmks:PrototypeKeyBinding Id="_foobar">
        [snip]
      </xmks:PrototypeKeyBinding>
      <xmks:Authentication>
        <xmks:KeyBindingAuthentication>
          <ds:Signature>
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
              <ds:Reference URI="#_foobar">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>FQcqlzTyFLwFBdJb5tgN1Vd3H+g=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>VchVOu8J+qwBuRTVjxECrV5xH+I=</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:KeyName>XKMSInteropClient</ds:KeyName>
            </ds:KeyInfo>
          </ds:Signature>
        </xmks:KeyBindingAuthentication>
      </xmks:Authentication>
    </xmks:RegisterRequest>
  </soap:Body>
</soap:Envelope>

The server calculates the following digest input:

<xmks:PrototypeKeyBinding xmlns:xmks="http://www.w3.org/2002/03/xkms#" Id="_foobar">[snip]</xmks:PrototypeKeyBinding>

while the client calculates the following digest input:

<xmks:PrototypeKeyBinding Id="_foobar">[snip]</xmks:PrototypeKeyBinding>

The server side uses another implementation of XML Signature that I don't know. The only thing I know is that it is not Apache XML Security.

TIA,
Markus.

Sean Mullan wrote:
> I don't have enough information, but it sounds like when canonicalizing
> on the client, it doesn't find the namespace definition for foo. Is it
> defined by an ancestor of the bar element on the server but not on the
> client?
>
> --Sean
>
> Markus Werner wrote:
>> Hi Sean,
>>
>> thank you for your reply. The following lines of code provide the
>> expected result:
>>
>> SignedInfo signedInfo = sig.getSignedInfo();
>> for (int i = 0; i < signedInfo.getLength(); i++) {
>>     Reference reference = signedInfo.item(i);
>>     // System.out.println(reference.getContentsAfterTransformation());
>>     System.out.println(new String(reference.getReferencedBytes()));
>> }
>>
>> The client-side output is something like the following:
>>
>> <foo:bar Id="ref0815">rest is the same</foo:bar>
>>
>> while the server-side output is as follows:
>>
>> <foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
>> rest is the same</foo:bar>
>>
>> Both outputs seem to be correctly canonicalized, but the digest input on
>> the server side includes an additional namespace declaration in the
>> opening tag of <foo:bar>.
>>
>> What can cause this?
>>
>> Thank you in advance,
>> Markus.
>>
>>
>> Sean Mullan wrote:
>>> I would try calling Reference.getContentsAfterTransformation (returns an
>>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
>>> each of which returns the dereferenced and transformed contents before it
>>> is digested. I haven't really used those methods so I'm hoping someone
>>> on the list that is more familiar with them will send you some sample
>>> code.
>>>
>>> --Sean
>>>
>>> Markus Werner wrote:
>>>> Hi,
>>>>
>>>> first of all, I'm relatively new to Apache XML Security, so please be
>>>> patient :-)
>>>>
>>>> My job is to sign an element inside a DOM Document with the help of a
>>>> SecretKey. Let the element that should be signed be called <Foo> and
>>>> its Id be "id" in the code snippet beneath. The signature should be a
>>>> detached signature.
>>>>
>>>> ---------------------------------------------------------------------
>>>> import javax.crypto.SecretKey;
>>>> import org.apache.xml.security.c14n.Canonicalizer;
>>>> import org.apache.xml.security.signature.XMLSignature;
>>>> import org.apache.xml.security.transforms.Transforms;
>>>> import org.apache.xml.security.utils.Constants;
>>>> import org.w3c.dom.Document;
>>>> import org.w3c.dom.Node;
>>>>
>>>> // baseURI is a field of the enclosing class and is not shown here.
>>>> private static Document sign(
>>>>         Document doc, String id, SecretKey secretKey)
>>>>     throws Exception
>>>> {
>>>>     // HMAC-SHA1 signature whose SignedInfo is canonicalized with
>>>>     // exclusive C14N (comments omitted).
>>>>     XMLSignature sig = new XMLSignature(doc, baseURI,
>>>>         XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
>>>>         Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>>>
>>>>     Node root = doc.getFirstChild();
>>>>     root.appendChild(sig.getElement());
>>>>
>>>>     // The referenced element is also canonicalized with exclusive C14N
>>>>     // before it is digested.
>>>>     Transforms transforms = new Transforms(doc);
>>>>     transforms.addTransform(
>>>>         Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>>>>
>>>>     // Same-document reference to the element whose Id attribute is id.
>>>>     sig.addDocument("#" + id, transforms,
>>>>         Constants.ALGO_ID_DIGEST_SHA1);
>>>>     sig.sign(secretKey);
>>>>
>>>>     return doc;
>>>> }
>>>> ---------------------------------------------------------------------
>>>>
>>>> I'm working here on the client side and the server responds that there
>>>> is something wrong with the digest value of the signed reference while
>>>> the SignedInfo is correctly digested.
>>>>
>>>> To be sure what went wrong we have to compare the digest inputs (value
>>>> after canonicalization) on both sides. I already got the canonicalized
>>>> Element as a String from the server side and I should do the same with
>>>> my implementation.
>>>>
>>>> When I use the following lines of code to save the document immediately
>>>> before signing it I get the whole document in a canonicalized form.
>>>>
>>>> FileOutputStream f = new FileOutputStream("test.xml");
>>>> XMLUtils.outputDOMc14nWithComments(doc, f);
>>>>
>>>> But I only need the canonicalized form of the referenced element <Foo>.
>>>> Is there some way to dump the canonical form of a Reference to a log or
>>>> stdout?
>>>>
>>>> Best regards,
>>>> Markus.
-- http://r-bg.com
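Raul's question at the top of the thread, whether the org.w3c.dom.Document is built namespace aware, can be checked directly. The program below is an added example, not code from the thread or from Apache XML Security. It assumes the xmlsec 1.x API of the time (org.apache.xml.security.Init.init() and a Canonicalizer.canonicalizeSubtree that returns byte[]) on the classpath, and it uses a constructed document modelled on Markus's <foo:bar> case, with xmlns:foo declared on the parent only. It canonicalizes the referenced element with exclusive C14N twice, once from a namespace-aware DOM and once from a non-namespace-aware one, and prints each digest input next to its Base64 SHA-1, the value that would land in <ds:DigestValue>. With the namespace-aware parse the in-scope and visibly utilized xmlns:foo declaration is rendered on <foo:bar>, which is the server-side form shown in the thread; without it, the parser treats xmlns:foo as an ordinary attribute of the parent and the declaration never reaches the referenced element.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class ExcC14nNamespaceCheck {

    // Constructed sample (not from the thread): the xmlns:foo declaration
    // sits on the ancestor, not on the referenced <foo:bar> element.
    private static final String SAMPLE =
          "<root xmlns:foo=\"http://www.asdf.org/foo#\">"
        + "<foo:bar Id=\"ref0815\">rest is the same</foo:bar>"
        + "</root>";

    /**
     * Parses SAMPLE with or without namespace awareness and returns the
     * exclusive-C14N (comments omitted) form of the <foo:bar> element,
     * i.e. the bytes that go into the Reference digest.
     */
    static byte[] referencedBytes(boolean namespaceAware) throws Exception {
        Init.init(); // xmlsec 1.x: registers canonicalizers and algorithms
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(namespaceAware); // the setting Raul asks about
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));

        // The referenced element is the first (and only) child of <root>.
        Element bar = (Element) doc.getDocumentElement().getFirstChild();

        Canonicalizer c14n = Canonicalizer.getInstance(
            Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        return c14n.canonicalizeSubtree(bar); // xmlsec 1.x returns byte[]
    }

    /**
     * Base64(SHA-1(input)): the DigestValue form used by the thread's
     * signature. SHA-1 is used here only to match that message, not as
     * a recommendation for new signatures.
     */
    static String digestValue(byte[] input) throws Exception {
        return Base64.getEncoder().encodeToString(
            MessageDigest.getInstance("SHA-1").digest(input));
    }

    public static void main(String[] args) throws Exception {
        for (boolean aware : new boolean[] { true, false }) {
            byte[] input = referencedBytes(aware);
            System.out.println("namespaceAware=" + aware);
            System.out.println("  digest input: "
                + new String(input, StandardCharsets.UTF_8));
            System.out.println("  DigestValue:  " + digestValue(input));
        }
    }
}
```

DocumentBuilderFactory is not namespace aware by default, so a builder created without setNamespaceAware(true) yields a document in which prefixes are just part of the node name and xmlns attributes carry no namespace URI; signing such a document produces exactly the client-side digest input Markus reports, and the digest cannot match a verifier that works on a namespace-aware DOM. Running the two branches side by side makes that difference visible before a signature is ever sent.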
