> Raul - did my information answer your question?  Is there any additional
> information that you need?
>
> Regards,
> Matthew Hanson
>
> Marshall & Ilsley Corporation
> Office:  (608) 252-5987
> Fax:      (608) 252-5811
> [EMAIL PROTECTED]
>
>
>
Sorry, I'm going to take a look at it whenever I have time ;). I asked you
for the version to know if there is a regression in the 1.2RC. But I will try
to give you an answer soon.

Raul
http://r-bg.com
>
> [EMAIL PROTECTED]
> 11/30/2004 07:18 AM
> Please respond to security-dev
>
>
>         To:     [EMAIL PROTECTED]
>         cc:
>         Subject:        Re: X509CertificateResolver Does Not Use My
> StorageResolver
>
>
>
> I am using xml-security 1.1.0 with JDK 1.4.2.  Sorry for not including
> that in the post.
>
> Regards,
> Matthew Hanson
>
> Marshall & Ilsley Corporation
> Office:  (608) 252-5987
> Fax:      (608) 252-5811
> [EMAIL PROTECTED]
>
>
>
> Raul Benito <[EMAIL PROTECTED]>
> 11/29/2004 06:53 PM
> Please respond to security-dev
>
>         To:        [EMAIL PROTECTED]
>         cc:
>         Subject:        Re: X509CertificateResolver Does Not Use My
> StorageResolver
>
>
>
> [EMAIL PROTECTED] wrote:
>
>>
>> Hi,
>>
>> I am trying to verify the following XML digital signature:
>>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>> xmlns:C="http://www.routeone.com/namespace.messaging.CreditApplication#"
>> xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
>> <SignedInfo>
>>   <CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>   <SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>   <Reference URI="#Body">
>>     <Transforms>
>>       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>     </Transforms>
>>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>     <DigestValue>niQfM6RR1CP+V1Puf9FlaXRNcFQ=</DigestValue>
>>   </Reference>
>> </SignedInfo>
>>
>> <SignatureValue>EQjU1zV9WpsCj0+tTJ6pYw4YjM3Ir+OgWsCGijjKGZ1kkNOgWlFkdbDbmb8wzcAaYHVVJrplVpOVC05jd4cX7N9doFDDjRhKobaYUogRErJV86wWpsZ4iP77/DqPy0Egw9laycMv0BxxoWgeW3TQ11EioKiA/sx1nIEudaQRlWjlkeWiU7U+8eCVzWYMNkuh/kEhMo8CqYxpoOFSELRLIuMzT/gcrqvbesTUVkuYXSSs4ZTL9wzYfAYZpyk4ES7WpD7lT6/bW741S9DjJq/4H/bP8kkyBxku9sRIYF5DHXDIwbcj7SWbyZ/por+vmxGI2jR3xByxMEGo+FK2MHDDtQ==</SignatureValue>
>>
>> <KeyInfo>
>> <X509Data>
>> <X509Certificate/>
>> <X509IssuerSerial>
>> <X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY
>> LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3,
>> OU="VeriSign, Inc.", O=VeriSign Trust Network</X509IssuerName>
>> <X509SerialNumber>77581175974713717168815171532918991769</X509SerialNumber>
>> </X509IssuerSerial></X509Data></KeyInfo></Signature>
>>
>> Because I have the public certificate from the partner, I was hoping
>> to use addStorageResolver method of KeyInfo to install a
>> StorageResolver with the public certificate to help with decryption.
>>  The Resolver-Mania docs tell me the following:
>>
>> "If there is only key material identification information like a
>> ds:KeyName or the serial number of the Certificate, the KeyResolver
>> must use the StorageResolvers to query the available keys and
>> certificates to find the correct one."
>>
>> Here is my code, hacked from the VerifySignature class:
>>
>>          XMLSignature signature = new XMLSignature(sigElement, f.toURL().toString());
>>
>>          signature.addResourceResolver(new OfflineResolver());
>>
>>          // begin hack
>>          InputStream inStream = new FileInputStream("c:\\temp\\RouteOne\\New RouteOne DSig_SSL.cer");
>>          CertificateFactory cf = CertificateFactory.getInstance("X.509");
>>          X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
>>          inStream.close();
>>          // end hack
>>
>>          // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
>>          KeyInfo ki = signature.getKeyInfo();
>>          if (ki != null) {
>>             // register the partner certificate only once ki is known to be non-null
>>             ki.addStorageResolver(new StorageResolver(cert));
>>             if (ki.containsX509Data()) {
>>                System.out.println("Could find a X509Data element in the KeyInfo");
>>             }
>>
>>             cert = signature.getKeyInfo().getX509Certificate();
>>
>> From looking at the code, it doesn't look like the
>> X509CertificateResolver is attempting to query the available keys (my
>> public certificate).  Here is some logging and the inevitable stack
>> trace:
>>
>> 211 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm  - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
>> 211 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
>> 261 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper  - Found SHA1WithRSAEncryption from provider BC
>> 271 [main] DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA  - Created SignatureDSA using SHA1WithRSAEncryption BC
>> 301 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("KeyInfo", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> 321 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("X509Data", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("X509IssuerSerial", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> X509Data(0)="Certificate IssuerSerial "
>> Could find a X509Data element in the KeyInfo
>> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - Start getX509CertificateFromInternalResolvers() with 0 resolvers
>> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - I couldn't find a X509Certificate using the per-KeyInfo key resolvers
>> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo  - Start getX509CertificateFromStaticResolvers() with 7 resolvers
>> 331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver  - Can I resolve X509Data
>> 331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver  - Can I resolve X509Data?
>> 341 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver  - Yes Sir, I can
>> 341 [main] DEBUG org.apache.xml.security.utils.ElementProxy  - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> java.lang.NullPointerException
>>         at org.apache.xml.security.utils.ElementProxy.getBytesFromTextChild(Unknown Source)
>>         at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getCertificateBytes(Unknown Source)
>>         at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getX509Certificate(Unknown Source)
>>         at org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver.engineResolveX509Certificate(Unknown Source)
>>         at org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
>>         at org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
>>         at org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown Source)
>>         at org.apache.xml.security.samples.signature.VerifySignature.main(VerifySignature.java:155)
>>
>> Am I reading the usage docs incorrectly, or do I need to implement
>> some custom stuff?  Any pointers would be very helpful.
>>
>> Regards,
>> Matthew Hanson
>>
>> Marshall & Ilsley Corporation
>> Office:  (608) 252-5987
>> Fax:      (608) 252-5811
>> [EMAIL PROTECTED]
>
> What version of xml-sec are you using?
> Thnx,
>
> Raul
>
>
>
>
>
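
The lookup the quoted Resolver-Mania passage describes (find the right certificate from issuer and serial number among certificates the verifier already holds), as an added example that is not part of the original thread and is not xml-security's own code. It uses only JDK classes (Java 7 or later); the class name `IssuerSerialLookup` and the command-line layout are assumptions, and an embedded `ds:X509Certificate`, empty or not, is never consulted.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Hypothetical helper (JDK classes only, not the xml-security resolver API).
public class IssuerSerialLookup {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Text of the first ds:<name> below e; null if the element is absent or empty.
    static String text(Element e, String name) {
        Node n = e.getElementsByTagNameNS(DS, name).item(0);
        String t = n == null ? "" : n.getTextContent().trim();
        return t.isEmpty() ? null : t;
    }
    // Returns the locally pinned certificate named by ds:X509IssuerSerial, or null.
    static X509Certificate resolve(Element keyInfo, List<X509Certificate> pinned) {
        String issuer = text(keyInfo, "X509IssuerName");
        String serial = text(keyInfo, "X509SerialNumber");
        if (issuer == null || serial == null) return null;
        X500Principal dn = new X500Principal(issuer); // compared in canonical form
        BigInteger sn = new BigInteger(serial);       // decimal, as in XML-DSig
        for (X509Certificate c : pinned)
            if (c.getSerialNumber().equals(sn) && c.getIssuerX500Principal().equals(dn)) return c;
        return null;
    }
    // Usage (assumed layout): java IssuerSerialLookup signed.xml partner1.cer [partner2.cer ...]
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> pinned = new ArrayList<>();
        for (int i = 1; i < args.length; i++)
            try (InputStream in = new FileInputStream(args[i])) { pinned.add((X509Certificate) cf.generateCertificate(in)); }
        Element ki = (Element) doc.getElementsByTagNameNS(DS, "KeyInfo").item(0);
        X509Certificate c = ki == null ? null : resolve(ki, pinned);
        System.out.println(c == null ? "no pinned certificate matches" : "matched " + c.getSubjectX500Principal());
    }
}
```

A `null` result means the signer is not among the pinned certificates, and verification should stop there rather than fall back to key material carried in the message.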