[EMAIL PROTECTED] wrote:


Hi,

I am trying to verify the following XML digital signature:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:C="http://www.routeone.com/namespace.messaging.CreditApplication#" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#Body">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>niQfM6RR1CP+V1Puf9FlaXRNcFQ=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>EQjU1zV9WpsCj0+tTJ6pYw4YjM3Ir+OgWsCGijjKGZ1kkNOgWlFkdbDbmb8wzcAaYHVVJrplVpOVC05jd4cX7N9doFDDjRhKobaYUogRErJV86wWpsZ4iP77/DqPy0Egw9laycMv0BxxoWgeW3TQ11EioKiA/sx1nIEudaQRlWjlkeWiU7U+8eCVzWYMNkuh/kEhMo8CqYxpoOFSELRLIuMzT/gcrqvbesTUVkuYXSSs4ZTL9wzYfAYZpyk4ES7WpD7lT6/bW741S9DjJq/4H/bP8kkyBxku9sRIYF5DHXDIwbcj7SWbyZ/por+vmxGI2jR3xByxMEGo+FK2MHDDtQ==</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate/>
      <X509IssuerSerial>
        <X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network</X509IssuerName>
        <X509SerialNumber>77581175974713717168815171532918991769</X509SerialNumber>
      </X509IssuerSerial>
    </X509Data>
  </KeyInfo>
</Signature>

Because I have the public certificate from the partner, I was hoping to use the addStorageResolver method of KeyInfo to install a StorageResolver with the public certificate to help with decryption. The Resolver-Mania docs tell me the following:

"If there is only key material identification information like a ds:KeyName or the serial number of the Certificate, the KeyResolver must use the StorageResolvers to query the available keys and certificates to find the correct one."

Here is my code, hacked from the VerifySignature class:

    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import org.apache.xml.security.keys.KeyInfo;
    import org.apache.xml.security.keys.storage.StorageResolver;
    import org.apache.xml.security.signature.XMLSignature;
    import org.apache.xml.security.samples.utils.resolver.OfflineResolver;

    // sigElement is the ds:Signature element of the parsed document;
    // f is the File it was read from (used as the base URI for references)
    XMLSignature signature = new XMLSignature(sigElement,
                                              f.toURL().toString());

    signature.addResourceResolver(new OfflineResolver());

    // begin hack: load the partner's public certificate from the .cer file
    InputStream inStream = new FileInputStream("c:\\temp\\RouteOne\\New RouteOne DSig_SSL.cer");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
    inStream.close();
    // end hack

    // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
    KeyInfo ki = signature.getKeyInfo();
    if (ki != null) {
        // register the loaded certificate so the key resolvers can query it
        ki.addStorageResolver(new StorageResolver(cert));
        if (ki.containsX509Data()) {
            System.out.println("Could find a X509Data element in the KeyInfo");
        }

        cert = ki.getX509Certificate();
    }

From looking at the code, it doesn't look like the X509CertificateResolver is attempting to query the available keys (my public certificate). Here is some logging and the inevitable stack trace:

211 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"

211 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
261 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Found SHA1WithRSAEncryption from provider BC
271 [main] DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA - Created SignatureDSA using SHA1WithRSAEncryption BC
301 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("KeyInfo", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
321 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Data", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
331 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
331 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509IssuerSerial", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
X509Data(0)="Certificate IssuerSerial "
Could find a X509Data element in the KeyInfo
331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - Start getX509CertificateFromInternalResolvers() with 0 resolvers
331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - I couldn't find a X509Certificate using the per-KeyInfo key resolvers
331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - Start getX509CertificateFromStaticResolvers() with 7 resolvers
331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver - Can I resolve X509Data
331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver - Can I resolve X509Data?
341 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver - Yes Sir, I can
341 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
java.lang.NullPointerException
at org.apache.xml.security.utils.ElementProxy.getBytesFromTextChild(Unknown Source)
at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getCertificateBytes(Unknown Source)
at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getX509Certificate(Unknown Source)
at org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver.engineResolveX509Certificate(Unknown Source)
at org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
at org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
at org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown Source)
at org.apache.xml.security.samples.signature.VerifySignature.main(VerifySignature.java:155)



Am I reading the usage docs incorrectly, or do I need to implement some custom stuff? Any pointers would be very helpful.


Regards,
Matthew Hanson

Marshall & Ilsley Corporation
Office: (608) 252-5987
Fax: (608) 252-5811
[EMAIL PROTECTED]
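
The KeyInfo in the message above carries an empty <X509Certificate/> element plus an X509IssuerSerial, and the stack trace shows X509CertificateResolver choking on that empty element. Since the partner's certificate is already held out of band, a verifier does not need the library's key resolution at all: it can use the IssuerSerial only to confirm it holds the right certificate and then verify with that pinned key. The following is an added example written for this page, not code from the original post or from the Apache XML Security project. It uses Apache XML Security for Java's XMLSignature, KeyInfo, X509Data and XMLX509IssuerSerial classes as published; the class name VerifyWithPinnedCert, the two file paths, the disallow-doctype-decl parser feature and the assumption that the signed element carries an attribute with local name "Id" (for example wsu:Id="Body") are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.*;

public class VerifyWithPinnedCert {

    // Assumed paths, not taken from the original post.
    static final String SIGNED_XML = "R1_Signed_Sample.xml";
    static final String PARTNER_CER = "New RouteOne DSig_SSL.cer";

    public static void main(String[] args) throws Exception {
        Init.init();
        X509Certificate pinned = loadCertificate(PARTNER_CER);
        pinned.checkValidity(); // throws if expired or not yet valid

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPEs: the document is untrusted until the signature checks out.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc;
        try (InputStream in = new FileInputStream(SIGNED_XML)) {
            doc = dbf.newDocumentBuilder().parse(in);
        }
        registerIdAttributes(doc.getDocumentElement());

        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new SecurityException("expected one ds:Signature, found " + sigs.getLength());
        }
        XMLSignature signature = new XMLSignature((Element) sigs.item(0), "");

        // KeyInfo only identifies a key; use it to confirm we hold the right
        // pinned certificate, never as the source of the verification key.
        if (!issuerSerialMatches(signature.getKeyInfo(), pinned)) {
            throw new SecurityException("KeyInfo does not name the partner certificate");
        }
        // Make sure the signature covers the element we are about to trust.
        String uri = signature.getSignedInfo().item(0).getURI();
        if (!"#Body".equals(uri)) {
            throw new SecurityException("unexpected Reference URI: " + uri);
        }
        // Verifies every Reference digest and the RSA-SHA1 value over SignedInfo
        // with the pinned public key; the empty <X509Certificate/> is never read.
        System.out.println("signature valid: " + signature.checkSignatureValue(pinned));
    }

    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // True when some ds:X509IssuerSerial in KeyInfo names the given certificate.
    static boolean issuerSerialMatches(KeyInfo ki, X509Certificate cert) throws Exception {
        if (ki == null || !ki.containsX509Data()) return false;
        for (int i = 0; i < ki.lengthX509Data(); i++) {
            X509Data x509 = ki.itemX509Data(i);
            for (int j = 0; j < x509.lengthIssuerSerial(); j++) {
                XMLX509IssuerSerial is = x509.itemIssuerSerial(j);
                if (is.getSerialNumber().equals(cert.getSerialNumber())
                        && new X500Principal(is.getIssuerName()).equals(cert.getIssuerX500Principal())) {
                    return true;
                }
            }
        }
        return false;
    }

    // Assumption: the signed element carries an attribute with local name "Id"
    // (for example wsu:Id="Body"); flag it as a DOM ID so "#Body" can resolve.
    static void registerIdAttributes(Element el) {
        NamedNodeMap attrs = el.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            if ("Id".equals(a.getLocalName())) el.setIdAttributeNode(a, true);
        }
        for (Node c = el.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c instanceof Element) registerIdAttributes((Element) c);
        }
    }
}
```

Run it as `java VerifyWithPinnedCert` with the two files in the working directory. The point of the ordering is that nothing from the message (KeyInfo contents, Reference URI, DOCTYPE) is acted on before it has been checked against something the verifier already trusts: the IssuerSerial comparison is a consistency check on the pinned certificate, the URI check guards against a signature that covers some other element, and checkSignatureValue(pinned) both recomputes the Reference digests and verifies the SignatureValue with the pinned public key, so the StorageResolver and X509CertificateResolver machinery is never consulted.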

What version of xml-sec are you using? Thanks,

Raul
