Thanks - I appreciate the help. I believe I may have found the issue! If you notice, the XML input KeyInfo element has an X509Certificate child that has no text. I downloaded the source and see that ElementProxy.getBytesFromTextChild attempts to get the Text of the certificate and uses Text.getData(). I am assuming Text is null in this case. I am unsure if I can request a change from our vendor to remove this unneeded X509Certificate element.
Has anyone ever encountered this?
Regards,
Matthew Hanson
Marshall & Ilsley Corporation
Office: (608) 252-5987
Fax: (608) 252-5811
[EMAIL PROTECTED]
"Raul Benito" <[EMAIL PROTECTED]>
12/01/2004 07:31 AM
To: [EMAIL PROTECTED]
cc:
Subject: Re: X509CertificateResolver Does Not Use My StorageResolver
> Raul - did my information answer your question? Is there any additional
> information that you need?
>
> Regards,
> Matthew Hanson
>
> Marshall & Ilsley Corporation
> Office: (608) 252-5987
> Fax: (608) 252-5811
> [EMAIL PROTECTED]
>
>
>
Sorry, I'm going to take a look at it whenever I have time ;). I asked you
the version to know if there is a regression in the 1.2RC. But I will try
to give you an answer soon.
Raul
http://r-bg.com
>
> [EMAIL PROTECTED]
> 11/30/2004 07:18 AM
> Please respond to security-dev
>
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: X509CertificateResolver Does Not Use My StorageResolver
>
>
>
> I am using xml-security 1.1.0 with JDK 1.4.2. Sorry for not including
> that in the post.
>
> Regards,
> Matthew Hanson
>
> Marshall & Ilsley Corporation
> Office: (608) 252-5987
> Fax: (608) 252-5811
> [EMAIL PROTECTED]
>
>
>
> Raul Benito <[EMAIL PROTECTED]>
> 11/29/2004 06:53 PM
> Please respond to security-dev
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: X509CertificateResolver Does Not Use My StorageResolver
>
>
>
> [EMAIL PROTECTED] wrote:
>
>>
>> Hi,
>>
>> I am trying to verify the following XML digital signature:
>>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
>>   xmlns:C="http://www.routeone.com/namespace.messaging.CreditApplication#"
>>   xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
>>   <SignedInfo>
>>     <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>     <Reference URI="#Body">
>>       <Transforms>
>>         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>       </Transforms>
>>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>       <DigestValue>niQfM6RR1CP+V1Puf9FlaXRNcFQ=</DigestValue>
>>     </Reference>
>>   </SignedInfo>
>>   <SignatureValue>EQjU1zV9WpsCj0+tTJ6pYw4YjM3Ir+OgWsCGijjKGZ1kkNOgWlFkdbDbmb8wzcAaYHVVJrplVpOVC05jd4cX7N9doFDDjRhKobaYUogRErJV86wWpsZ4iP77/DqPy0Egw9laycMv0BxxoWgeW3TQ11EioKiA/sx1nIEudaQRlWjlkeWiU7U+8eCVzWYMNkuh/kEhMo8CqYxpoOFSELRLIuMzT/gcrqvbesTUVkuYXSSs4ZTL9wzYfAYZpyk4ES7WpD7lT6/bW741S9DjJq/4H/bP8kkyBxku9sRIYF5DHXDIwbcj7SWbyZ/por+vmxGI2jR3xByxMEGo+FK2MHDDtQ==</SignatureValue>
>>   <KeyInfo>
>>     <X509Data>
>>       <X509Certificate/>
>>       <X509IssuerSerial>
>>         <X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network</X509IssuerName>
>>         <X509SerialNumber>77581175974713717168815171532918991769</X509SerialNumber>
>>       </X509IssuerSerial>
>>     </X509Data>
>>   </KeyInfo>
>> </Signature>
>>
>> Because I have the public certificate from the partner, I was hoping
>> to use addStorageResolver method of KeyInfo to install a
>> StorageResolver with the public certificate to help with decryption.
>> The Resolver-Mania docs tell me the following:
>>
>> "If there is only key material identification information like a
>> ds:KeyName or the serial number of the Certificate, the KeyResolver
>> must use the StorageResolvers to query the available keys and
>> certificates to find the correct one."
>>
>> Here is my code, hacked from the VerifySignature class:
>>
>> XMLSignature signature = new XMLSignature(sigElement, f.toURL().toString());
>>
>> signature.addResourceResolver(new OfflineResolver());
>>
>> // begin hack: load the partner's public certificate from disk
>> InputStream inStream = new FileInputStream("c:\\temp\\RouteOne\\New RouteOne DSig_SSL.cer");
>> CertificateFactory cf = CertificateFactory.getInstance("X.509");
>> X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
>> inStream.close();
>> // end hack
>>
>> // XMLUtils.outputDOMc14nWithComments(signature.getElement(), System.out);
>> KeyInfo ki = signature.getKeyInfo();
>> if (ki != null) {
>>     // register the StorageResolver inside the null check, not before it
>>     ki.addStorageResolver(new StorageResolver(cert));
>>     if (ki.containsX509Data()) {
>>         System.out.println("Could find a X509Data element in the KeyInfo");
>>     }
>>
>>     cert = ki.getX509Certificate();
>> }
>>
>> From looking at the code, it doesn't look like the
>> X509CertificateResolver is attempting to query the available keys (my
>> public certificate). Here is some logging and the inevitable stack
>> trace:
>>
>> 211 [main] DEBUG org.apache.xml.security.algorithms.SignatureAlgorithm - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
>> 211 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
>> 261 [main] DEBUG org.apache.xml.security.algorithms.JCEMapper - Found SHA1WithRSAEncryption from provider BC
>> 271 [main] DEBUG org.apache.xml.security.algorithms.implementations.SignatureBaseRSA - Created SignatureDSA using SHA1WithRSAEncryption BC
>> 301 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("KeyInfo", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> 321 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Data", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> 331 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509IssuerSerial", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> X509Data(0)="Certificate IssuerSerial "
>> Could find a X509Data element in the KeyInfo
>> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - Start getX509CertificateFromInternalResolvers() with 0 resolvers
>> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - I couldn't find a X509Certificate using the per-KeyInfo key resolvers
>> 331 [main] DEBUG org.apache.xml.security.keys.KeyInfo - Start getX509CertificateFromStaticResolvers() with 7 resolvers
>> 331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.RSAKeyValueResolver - Can I resolve X509Data
>> 331 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver - Can I resolve X509Data?
>> 341 [main] DEBUG org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver - Yes Sir, I can
>> 341 [main] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("X509Certificate", "file:/C:/eclipse/workspace/RouteOne/XML/R1_Signed_Sample.xml")
>> java.lang.NullPointerException
>>     at org.apache.xml.security.utils.ElementProxy.getBytesFromTextChild(Unknown Source)
>>     at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getCertificateBytes(Unknown Source)
>>     at org.apache.xml.security.keys.content.x509.XMLX509Certificate.getX509Certificate(Unknown Source)
>>     at org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolver.engineResolveX509Certificate(Unknown Source)
>>     at org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
>>     at org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
>>     at org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown Source)
>>     at org.apache.xml.security.samples.signature.VerifySignature.main(VerifySignature.java:155)
>>
>>
>> Am I reading the usage docs incorrectly, or do I need to implement
>> some custom stuff? Any pointers would be very helpful.
>>
>> Regards,
>> Matthew Hanson
>>
>> Marshall & Ilsley Corporation
>> Office: (608) 252-5987
>> Fax: (608) 252-5811
>> [EMAIL PROTECTED]
>
> What version of xml-sec are you using?
> Thnx,
>
> Raul
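As an added example (not code from the thread or from Apache xml-security), here is the lookup the Resolver-Mania quote expects a StorageResolver to perform, done by hand over the KeyInfo shape posted in the thread: it tolerates the empty <X509Certificate/> that made ElementProxy.getBytesFromTextChild throw, and selects a locally held certificate by X509IssuerSerial. The certificate store entries, the DN reader and the function names are constructed for this example; the DN comparison is a simplified string match on RDN pairs, not a full X.500 name comparison, and the store holds only issuer and serial where a real one would hold the X509Certificate objects.

```python
"""Hand-rolled X509IssuerSerial lookup: the StorageResolver step, done manually.

Added example, not code from the thread or from Apache xml-security.
"""
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample with the KeyInfo shape quoted in the thread: an empty
# X509Certificate element followed by an X509IssuerSerial reference.
SAMPLE_KEYINFO = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509Certificate/>
    <X509IssuerSerial>
      <X509IssuerName>OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network</X509IssuerName>
      <X509SerialNumber>77581175974713717168815171532918991769</X509SerialNumber>
    </X509IssuerSerial>
  </X509Data>
</KeyInfo>"""

# Constructed stand-in for a local store of partner certificates (what the
# thread loads from "New RouteOne DSig_SSL.cer"). Only issuer and serial are
# kept; a real store would hold the X509Certificate objects themselves.
TRUSTED_STORE = [
    {"label": "RouteOne DSig_SSL.cer",
     "issuer": 'OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,'
               'OU=VeriSign International Server CA - Class 3,'
               'OU="VeriSign, Inc.",O=VeriSign Trust Network',
     "serial": 77581175974713717168815171532918991769},
    {"label": "unrelated partner cert",
     "issuer": "CN=Example CA,O=Example",
     "serial": 4242},
]


def parse_dn(dn):
    """Split an X509IssuerName string into normalised (type, value) pairs.

    Handles commas inside double-quoted values ("VeriSign, Inc.") and
    backslash escapes. Values are whitespace-collapsed and lower-cased so
    that the XML text and the stored string compare equal; this is a
    simplified RFC 2253 reader (an assumption of this example), not a
    full X.500 name comparison.
    """
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), " ".join(value.split()).lower()))
    return tuple(pairs)


def resolve_certificate(keyinfo_xml, store):
    """Return which store entry the KeyInfo's X509IssuerSerial points at.

    An empty <X509Certificate/> is counted and skipped instead of being
    treated as certificate bytes (the NPE path in the thread). A non-empty
    one is decoded and reported but deliberately not used for selection:
    it is sender-supplied and proves nothing until chained to a trust anchor.
    """
    root = ET.fromstring(keyinfo_xml)
    result = {"embedded": None, "empty_certificate_elements": 0, "match": None}
    for x509 in root.iter(DS + "X509Data"):
        for cert_el in x509.findall(DS + "X509Certificate"):
            text = "".join(cert_el.itertext()).strip()
            if not text:
                result["empty_certificate_elements"] += 1
                continue
            result["embedded"] = base64.b64decode(text)
        for ref in x509.findall(DS + "X509IssuerSerial"):
            issuer = ref.findtext(DS + "X509IssuerName", "")
            serial_text = ref.findtext(DS + "X509SerialNumber", "").strip()
            if not serial_text.isdigit():      # XMLDSig serials are decimal integers
                continue
            wanted = (parse_dn(issuer), int(serial_text))
            for entry in store:
                if (parse_dn(entry["issuer"]), entry["serial"]) == wanted:
                    result["match"] = entry["label"]
                    return result
    return result


if __name__ == "__main__":
    print(resolve_certificate(SAMPLE_KEYINFO, TRUSTED_STORE))
```

Whatever is selected this way is only a hint about which trusted key to try: the certificate handed to XMLSignature.checkSignatureValue(cert) must come from your own store, never from the message's KeyInfo, because KeyInfo is sender-controlled and, in the signature above, not covered by the SignedInfo reference (only #Body is signed).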