Bear in mind that the streaming XML Signature implementation is far less
flexible than the DOM implementation. So perhaps you want to use the DOM
implementation instead if the consumer is "picky" about positioning and
attributes.


> First of all their implementation expects the signature element to be the
> last element in the resulting xml document. See the example below; can this
> be done with a configuration?
>


Yes. The XMLSecurityProperties Object has a setSignaturePosition(int)
method which controls where the Signature is output for the streaming code.
By default it will be in the first position (0).


>
> <xml..>
> <root>
>   <payload>….</payload>
>   <Signature>…</Signature>
> </root>
>
> Second, they don't accept Ids in the root and signature element and expect
> the Reference URI to be an empty string.
>

IDs are generated by default. I guess we could add a switch to avoid adding
an Id to the Signature Element in XMLSecurityProperties. I think for the
enveloped case as well we could just use "" and avoid adding an Id to the
enveloping Element.


>
> And they also seem to take offence at the '<dsig:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#" />' transform being present.
>


You can control the transforms using the SecureParts Object. See the
following test (testEnvelopedSignatureCreation):

https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/stax/signature/SignatureCreationTest.java

Colm.


>
> Below is the complete signature as generated by my current configuration.
>
> If using the library indirectly from the CXF XmlSecOutInterceptor with the
> following configuration:
>
> final SignatureProperties properties = new SignatureProperties();
>
> /* 1. The entire XML message must be signed.
>  * 2. For the purpose of generating the digest of the main message, the
>  *    inclusive canonicalization algorithm must be used.
>  * 3. For the purpose of generating the signature value, the exclusive
>  *    canonicalization algorithm must be used.
>  */
> properties.setSignatureC14nMethod(XMLSecurityConstants.NS_C14N_EXCL);
>
> /* 4. The syntax for an enveloped signature must be used.
>  * 5. For hashing purposes the SHA256 algorithm must be used.
>  */
> properties.setSignatureDigestAlgo(XMLSecurityConstants.NS_XENC_SHA256);
>
> /* 6. For signature purposes the RSAWithSHA256 algorithm must be used. RSA
> keys must be 2,048 bits long.
>  */
> properties.setSignatureAlgo(XMLSecurityConstants.NS_XMLDSIG_RSASHA256);
>
> /* 7. The public key must be referenced using a fingerprint of an X.509
> certificate. The fingerprint must be
>  * calculated according to the following formula HEX(SHA-1(DER
> certificate)).
>  */
> properties.setSignatureKeyIdType("KeyName");
>
>
> Looking for some pointers to get this done; if it is configuration, that
> would be great. If this needs some modifications in the code, I would be
> happy with some pointers in the right direction.
>
> Thanks!
>
> Hugo
>
>
>
>
>   <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
> Id="G1345d174-e9d2-4a6f-b573-8b750773b2ee">
>     <dsig:SignedInfo>
>       <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/
> 2001/10/xml-exc-c14n#" />
>       <dsig:SignatureMethod Algorithm="http://www.w3.org/
> 2001/04/xmldsig-more#rsa-sha256" />
>       <dsig:Reference URI="#G0f49a5bd-86ed-4e12-8146-57f584a5f6c1">
>         <dsig:Transforms>
>           <dsig:Transform Algorithm="http://www.w3.org/
> 2000/09/xmldsig#enveloped-signature" />
>           <dsig:Transform Algorithm="http://www.w3.org/
> 2001/10/xml-exc-c14n#" />
>         </dsig:Transforms>
>         <dsig:DigestMethod Algorithm="http://www.w3.org/
> 2001/04/xmlenc#sha256" />
>         <dsig:DigestValue>AtXiXRQ7sLparlwtp9PwFcUmdzR8Xs
> JenVNxy3Ulue4=</dsig:DigestValue>
>       </dsig:Reference>
>     </dsig:SignedInfo>
>     <dsig:SignatureValue>I+qG/S2HV+1c9a6quuH15cooZHslLG+
> GlyWgvnzn83DYGh6tgG4c2sKgUMy3OuES3raw8dczf02Q
> THvwztwoMl7136Ca2M9/Qyc/BRhW7fVoMqMzkppHcTtFFB/
> V7Q3D9k8VquqdPuGwFb+rPSgQfdxe
> owB00/OGt5eXcMcpLERvbK6t9iRbg6ykLBGgc0VLQSYbxcA4FgBe1RTOFbuUadq9Nz
> 4qVxXmZyTY
> rH/kdmOIvsL1yrCmhQ2EqVw8XalNVBoamu2T3WCxPWDSvZrvJ0Hf7bp0K6hd/
> aF7vRwaYzklDA0Z
> F1XAUMctYXnBNFc5yjeyrCEGiEmkLYsafcP3AQ==
> </dsig:SignatureValue>
>     <dsig:KeyInfo Id="Gf05095c8-a7ea-47bb-8d68-80f5481ea9e3">
>       <dsig:KeyName>B1E1820D3DC7D8E57F80AF11B96874
> 9380A5D1EB</dsig:KeyName>
>     </dsig:KeyInfo>
>   </dsig:Signature>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
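As an added example (not code from this thread, from CXF, or from the Santuario project itself), here is what the streaming-side configuration the answers above describe looks like: signature position set via setSignaturePosition so that Signature follows the single payload child, and the SecurePart transform list limited to the enveloped-signature transform so that no exclusive-c14n Transform element is emitted. Method names other than setSignaturePosition, the SecureParts transforms and the XMLSecurityConstants values quoted in the thread follow the referenced SignatureCreationTest as I recall it and should be checked against the installed version; the keystore, alias and password are caller-supplied placeholders, and XmlReaderToWriter is a Santuario test utility, not a public API.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
import org.apache.xml.security.stax.ext.OutboundXMLSec;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSec;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
import org.apache.xml.security.test.stax.utils.XmlReaderToWriter; // test utility, see lead-in

public class StreamingEnvelopedSignature {

    // Signs a document shaped like <root><payload>...</payload></root> with the streaming API.
    public static byte[] sign(InputStream document, KeyStore keyStore, String alias, char[] pw)
            throws Exception {
        XMLSecurityProperties properties = new XMLSecurityProperties();
        properties.setActions(Collections.singletonList(XMLSecurityConstants.SIGNATURE));
        // Signing key and certificate come from the caller's keystore (placeholder values).
        Key key = keyStore.getKey(alias, pw);
        X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
        properties.setSignatureKey(key);
        properties.setSignatureCerts(new X509Certificate[]{cert});
        // Algorithms as in the thread: exclusive c14n for SignedInfo, SHA-256 digest, RSA-SHA256.
        properties.setSignatureCanonicalizationAlgorithm(XMLSecurityConstants.NS_C14N_EXCL);
        properties.setSignatureDigestAlgorithm(XMLSecurityConstants.NS_XENC_SHA256);
        properties.setSignatureAlgorithm(XMLSecurityConstants.NS_XMLDSIG_RSASHA256);
        // Position counts children of the root: 0 (default) is first, 1 is after <payload>.
        properties.setSignaturePosition(1);
        // Sign the whole <root> element; listing only the enveloped-signature transform means
        // no exc-c14n <Transform> element is written into the Reference.
        SecurePart root = new SecurePart(new QName("root"), SecurePart.Modifier.Element);
        root.setTransforms(new String[]{"http://www.w3.org/2000/09/xmldsig#enveloped-signature"});
        properties.addSignaturePart(root);
        OutboundXMLSec outbound = XMLSec.getOutboundXMLSec(properties);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLStreamWriter writer = outbound.processOutMessage(out, "UTF-8");
        XMLStreamReader reader = XMLInputFactory.newInstance().createXMLStreamReader(document);
        XmlReaderToWriter.writeAll(reader, writer); // copy the input through the signing writer
        writer.close();
        return out.toByteArray();
    }
}
```

Whether the consumer accepts the generated Ids and the non-empty Reference URI still depends on the switch Colm mentions above; the transform list and signature position are the two points this configuration does control.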
