I am using xml-security 1.1.0 with JDK 1.4.2.  Sorry for not including that in the post.

Regards,
Matthew Hanson

Marshall & Ilsley Corporation
Office:  (608) 252-5987
Fax:      (608) 252-5811
[EMAIL PROTECTED]



Raul Benito <[EMAIL PROTECTED]>

11/29/2004 06:53 PM
Please respond to security-dev

       
        To:        [EMAIL PROTECTED]
        cc:        
        Subject:        Re: X509CertificateResolver Does Not Use My StorageResolver



[EMAIL PROTECTED] wrote:

>
> Hi,
>
> I am trying to verify the following XML digital signature:
>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
> xmlns:C="http://www.routeone.com/namespace.messaging.CreditApplication#"
> xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
> <SignedInfo>
>   <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>   <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>   <Reference URI="#Body">
>     <Transforms>
>       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>     </Transforms>
>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     <DigestValue>niQfM6RR1CP+V1Puf9FlaXRNcFQ=</DigestValue>
>   </Reference>
> </SignedInfo>
>    
> <SignatureValue>EQjU1zV9WpsCj0+tTJ6pYw4YjM3Ir+OgWsCGijjKGZ1kkNOgWlFkdbDbmb8wzcAaYHVVJrplVpOVC05jd4cX7N9doFDDjRhKobaYUogRErJV86wWpsZ4iP77/DqPy0Egw9laycMv0BxxoWgeW3TQ11EioKiA/sx1nIEudaQRlWjlkeWiU7U+8eCVzWYMNkuh/kEhMo8CqYxpoOFSELRLIuMzT/gcrqvbesTUVkuYXSSs4ZTL9wzYfAYZpyk4ES7WpD7lT6/bW741S9DjJq/4H/bP8kkyBxku9sRIYF5DHXDIwbcj7SWbyZ/por+vmxGI2jR3xByxMEGo+FK2MHDDtQ==</SignatureValue>
>
> <KeyInfo>
> <X509Data>
> <X509Certificate/>
> <X509IssuerSerial>
> <X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY
> LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3,
> OU="VeriSign, Inc.", O=VeriSign Trust Network</X509IssuerName>
> <X509SerialNumber>77581175974713717168815171532918991769</X509SerialNumber>
>
> </X509IssuerSerial></X509Data></KeyInfo></Signature>
>
> Because I have the public certificate from the partner, I was hoping
> to use addStorageResolver method of KeyInfo to install a
> StorageResolver with the public certificate to help with decryption.
>  The Resolver-Mania docs tell me the following:
>
> "If there is only key material identification information like a
> ds:KeyName or the serial number of the Certificate, the KeyResolver
> must use the StorageResolvers to query the available keys and
> certificates to find the correct one."
>
> Here is my code, hacked from the VerifySignature class:
>
>          XMLSignature signature = new XMLSignature(sigElement,
>                                                    f.toURL().toString());
>
>          signature.addResourceResolver(new OfflineResolver());
>
>          // begin hack: load the partner's public certificate from disk
>          InputStream inStream = new FileInputStream("c:\\temp\\RouteOne\\New RouteOne DSig_SSL.cer");
>          CertificateFactory cf = CertificateFactory.getInstance("X.509");
>          X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
>          inStream.close();
>          // end hack
>
>          // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
>          KeyInfo ki = signature.getKeyInfo();
>          if (ki != null) {
>             // register the partner certificate before asking the KeyInfo to resolve
>             ki.addStorageResolver(new StorageResolver(cert));
>             if (ki.containsX509Data()) {
>                System.out.println("Could find a X509Data element in the KeyInfo");
>             }
>
>             cert = signature.getKeyInfo().getX509Certificate();
>             // remainder of the VerifySignature sample not shown in the post
>          }
>
> From looking at the code, it doesn't look like the
> X509CertificateResolver is attempting to query the available keys (my
> public certificate).  Here is some logging and the inevitable stack
> trace:
>
> 211 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm
>  - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class
> "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
>
> 211 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  -
> Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
> 261 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Found
> SHA1WithRSAEncryption from provider BC
> 271 [main] DEBUG
> org.apache.xml.security.algorithms.implementations.SignatureBaseRSA  -
> Created SignatureDSA using SHA1WithRSAEncryption BC
> 301 [main] DEBUG org.apache.xml.security.utils.ElementProxy  -
> setElement("KeyInfo",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 321 [main] DEBUG org.apache.xml.security.utils.ElementProxy  -
> setElement("X509Data",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy  -
> setElement("X509Certificate",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy  -
> setElement("X509IssuerSerial",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> X509Data(0)="Certificate IssuerSerial "
> Could find a X509Data element in the KeyInfo
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - Start
> getX509CertificateFromInternalResolvers() with 0 resolvers
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - I couldn't
> find a X509Certificate using the per-KeyInfo key resolvers
> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - Start
> getX509CertificateFromStaticResolvers() with 7 resolvers
> 331 [main] DEBUG
> org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver
>  - Can I resolve X509Data
> 331 [main] DEBUG
> org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver
>  - Can I resolve X509Data?
> 341 [main] DEBUG
> org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver
>  - Yes Sir, I can
> 341 [main] DEBUG org.apache.xml.security.utils.ElementProxy  -
> setElement("X509Certificate",
> "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
> java.lang.NullPointerException
>         at
> org.apache.xml.security.utils.ElementProxy.getBytesFromTextChild(Unknown
> Source)
>         at
> org.apache.xml.security.keys.content.x509.XMLX509Certificate.getCertificateBytes(Unknown
> Source)
>         at
> org.apache.xml.security.keys.content.x509.XMLX509Certificate.getX509Certificate(Unknown
> Source)
>         at
> org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver.engineResolveX509Certificate(Unknown
> Source)
>         at
> org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown
> Source)
>         at
> org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown
> Source)
>         at
> org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown Source)
>         at
> org.apache.xml.security.samples.signature.VerifySignature.main(VerifySignature.java:155)
>
>
> Am I reading the usage docs incorrectly, or do I need to implement
> some custom stuff?  Any pointers would be very helpful.
>
> Regards,
> Matthew Hanson
>
> Marshall & Ilsley Corporation
> Office:  (608) 252-5987
> Fax:      (608) 252-5811
> [EMAIL PROTECTED]

What version of xml-sec are you using?
Thnx,

Raul
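As an added example, not code from the thread or from the xml-security project: a verification routine for the situation Matthew describes, written from the verifier's side. It assumes the Apache xml-security 1.x class and method names used here (XMLSignature, KeyInfo, X509Data, XMLX509IssuerSerial, checkSignatureValue) and takes the file locations as parameters. It treats the partner certificate obtained out of band as the trust anchor, only cross-checks it against the X509IssuerSerial hint in KeyInfo, and then calls checkSignatureValue with that certificate, so the library's X509CertificateResolver and the empty <X509Certificate/> element that triggers the NullPointerException are never consulted.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class VerifyWithPinnedCert {
    // Assumed example, not the thread's sample code. Returns true only if the pinned
    // partner certificate matches the IssuerSerial hint AND the signature verifies with it.
    public static boolean verify(File signedXml, File partnerCertFile) throws Exception {
        Init.init();
        InputStream in = new FileInputStream(partnerCertFile);
        X509Certificate partner = (X509Certificate)
            CertificateFactory.getInstance("X.509").generateCertificate(in);
        in.close();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(signedXml);
        Element sigElement = (Element) doc.getElementsByTagNameNS(
            Constants.SignatureSpecNS, Constants._TAG_SIGNATURE).item(0);
        XMLSignature signature = new XMLSignature(sigElement, signedXml.toURL().toString());

        // KeyInfo is signer-supplied input: use its X509IssuerSerial only as a hint to
        // cross-check against the pinned certificate, never to select the trust anchor.
        KeyInfo ki = signature.getKeyInfo();
        if (ki == null || !ki.containsX509Data()) return false;
        X509Data x509 = ki.itemX509Data(0);
        if (!x509.containsIssuerSerial()) return false;
        XMLX509IssuerSerial hint = x509.itemIssuerSerial(0);
        boolean hintMatches =
            new X500Principal(hint.getIssuerName()).equals(partner.getIssuerX500Principal())
            && hint.getSerialNumber().equals(partner.getSerialNumber());
        if (!hintMatches) return false;

        // Verify against the pinned key directly; this bypasses X509CertificateResolver and
        // the empty <X509Certificate/> element that produces the NullPointerException.
        return signature.checkSignatureValue(partner);
    }
}
```

A mismatch between the hint and the pinned certificate is reported as a failed verification rather than an exception, which keeps a forged or mis-targeted KeyInfo from steering key selection.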


