Hi all,
I have a strange issue regarding the canoncicalization
of a XML Document containing a XML signature. This
canonicalization is required to insert a signature
value of the whole document at the end of the document.
If I don't insert the XML signature in my document
the canonicalization is ok. If I insert the XML
signature the canonicalization failed : some parts
of the document is not canonicalized.
Here is the input/output of the canonicalization.
And also the code that do the exclusive c14n canonicalization.
and the xml signature
Any clue ?
Thanks in advance for any answers/help.
Cédric
Input of the canonicalization :
-----------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<roap:roResponse status="Success"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";
xmlns:o-ex="http://odrl.net/1.1/ODREL-EX";
xmlns:roap="urn:oma:bac:dldrm:roap-1.0"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
xmlns:xsi="http://www/w3.org/2001/XMLSchema-instance";>
<deviceID>
<keyIdentifier xsi:type="roap:X509SPKIHash">
<hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash>
</keyIdentifier>
</deviceID>
<riID>
<keyIdentifier xsi:type="roap:X509SPKIHash">
<hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash>
</keyIdentifier>
</riID>
<Nonce>327612312</Nonce>
<protectedRO>
<ro id="1" stateful="true" version="1.0">
<riID>
<keyIdentifier xsi:type="roap:X509SPKIHash">
<hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash>
</keyIdentifier>
</riID>
<o-ex:rights o-ex:id="REL0">
<o-ex:context>
<o-dd:version>2.0</o-dd:version>
</o-ex:context>
<o-ex:agreement>
<o-ex:asset>
<o-ex:context>
<o-dd:version>2.0</o-dd:version>
<o-dd:uid>cid:[EMAIL PROTECTED]</o-dd:uid>
</o-ex:context>
<o-ex:digest>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>OV1+vvou4r5fEKDBvpI3eztkYNM=</ds:DigestValue>
</o-ex:digest>
<ds:KeyInfo>
<xenc:EncryptedKey>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/>
<xenc:CipherData>
<xenc:CipherValue>Epp1k8KfMBqg+SYNCiZSwr1OVmuZHZiP</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<ds:RetrievalMethod
ds:URI="K_REK_and_K_MAC_984511788"/>
</ds:KeyInfo>
</o-ex:asset>
<o-ex:permission>
<o-dd:play>
<o-ex:constraint>
<o-dd:count>3</o-dd:count>
</o-ex:constraint>
</o-dd:play>
</o-ex:permission>
</o-ex:agreement>
</o-ex:rights>
<encKey id="K_REK_and_K_MAC_984511788">
<xenc:EncryptionMethod
Algorithm="http://www.rsasecurity.com/rsalabs/xmlpkcs-1#rsaes-kem-kdf2-kw-ae
s128"/>
<ds:KeyInfo>
<roap:X509SPKIHash>
<hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash>
</roap:X509SPKIHash>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>LV+KUMGjcr/f8QejPkUcYjHw5mRvxxE+thVnweQgk/Kv28qPZZ9XrEXbKj
48YkefWHXviZWKon7Wc9dbTft+Rdib2HuFb5l8N50hXAQXFfQAf/BpGdz+sVna8UODthK4Ftp4yw
3ciVmFUCg31NmkUYgl8ItSwvPKBTZrLLUb8wnRUXRoyy7WBxUt75Q8sWVj2reZBoQJN3l8gJx5nj
bZ60iiDTf5gyzx</xenc:CipherValue>
</xenc:CipherData>
</encKey>
</ro>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<ds:Reference URI="#1">
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>IRoycDtXfjqE/ZW+oeoxyvKaej8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>jggZZU/GpMAI/Sg0dcIYiMdeNL8=</ds:SignatureValue>
<ds:KeyInfo>
<ds:RetrievalMethod URI="#K_REK_and_K_MAC_984511788"/>
</ds:KeyInfo>
</ds:Signature>
</protectedRO>
<certificateChain>
<certificate>MIICXTCCAcYCAQIwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCZnIxETAPBgN
VBAgTCEdSRU5PQkxFMRMwEQYDVQQHEwpNT05UQk9OTk9UMREwDwYDVQQKEwhJTk9WQVRFTDEQMA4
GA1UECxMHRFJNVEVBTTEfMB0GA1UEAxMWU1VCIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1Mjg
wODQ1MjhaFw0xNTA1MDEwODQ1MjhaMHMxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhHUkVOT0JMRTE
TMBEGA1UEBxMKTU9OVEJPTk5PVDEQMA4GA1UEChMHRFJNVEVBTTELMAkGA1UECxMCUkkxHTAbBgN
VBAMTFENFUi4gRk9SIFJJIE9NQURSTVYyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMYTY
jrPe8/lvp+5mdefXNnji23soZAe+oNJK8+5JBeJ6mNKWvjzgr4BJAnXaCwLncyOJxBeovAiAPXFk
D/54FrWMOpO9Oa5oZliCseEAQL082VDnAMN0rrPgt5aREjd2DIpO96dieMYbyvDXIMrLf+iGVH+K
UKVyN51gw0O4v1QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI7s6ZygePOS21yWxUZflLvTe96BERl
Qbroj6Hiic3jLyE4nYuvbuoDoXRiiuzcNbWPRSqJkabBvcB8+8yi1NuIe6/SoiKjNpCZKNl8wX47
cAiBv+DEBnBkH/9LpFOllD1hDRqNj2Tx5k9l53DR7+qb6WHrrB6vLTCESU2wqlm/q</certifica
te>
<certificate>MIIC4zCCAcsCAQEwDQYJKoZIhvcNAQEFBQAweDELMAkGA1UEBhMCRlIxETAPBgN
VBAgTCEdSRU5PQkxFMRMwEQYDVQQHEwpNT05UQk9OTk9UMQwwCgYDVQQKEwNTRlIxETAPBgNVBAs
TCElOT1ZBVEVMMSAwHgYDVQQDExdST09UIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQ
xMDVaFw0xNTA1MDkwODQxMDVaMHsxCzAJBgNVBAYTAmZyMREwDwYDVQQIEwhHUkVOT0JMRTETMBE
GA1UEBxMKTU9OVEJPTk5PVDERMA8GA1UEChMISU5PVkFURUwxEDAOBgNVBAsTB0RSTVRFQU0xHzA
dBgNVBAMTFlNVQiBDQSBGT1IgUkkgT01BRFJNVjIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoG
BANUS8I0gXPWIPTVnj2BotBNht+EdZh1MhSZ1DCKPeV7EOk7pCi2IGJRByTxIV6PAAabo1BKo+LD
dfw9bfj20K3sdExd6KIm3lk0eFTw4mg7al8I0wUzIvUqJl/yxiiYfSjEAEhM0VhcgokqMkVCZ8Za
XceWUXIhohX6dafJfPKdFAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAA5Kfglfd6z0phqk56Y758S
/XhPa18jy2VvnIxk27G/Wp5OZvmtL5kyppJBZISkNrKbFtKmyoJkGjDj/wxCTFyb3nuxXZBBtjEr
x8YsopGPs+dXe7v/gAaCYkDAAIuiAxa5FigPKkbZi/62MkHWcqE06Gf7b9O9cHx7xfKn9Snjvkwk
jpbrMKZhpHI8ar1AgNy9UHxUsT5n0paHv7h3qnNEkQlTH7IYsfb6QsXADw1qswrI4xapyy7VszS0
1S3i1H1WhxytC/R7qzoP0c8kQW+T0H/vTAwTojsoNeOq9H6exRUSogz2jD4PNREt9bQyCfqARFhm
QKZ5ipLL/DbXL/tg=</certificate>
</certificateChain>
</roap:roResponse>
Output of the canonicalization :
----------------------------------
<roap:roResponse xmlns:roap="urn:oma:bac:dldrm:roap-1.0"
status="Success"><deviceID><keyIdentifier
xsi:type="roap:X509SPKIHash"><hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash></keyI
dentifier></deviceID><riID><keyIdentifier
xsi:type="roap:X509SPKIHash"><hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash></keyI
dentifier></riID><Nonce>327612312</Nonce><protectedRO><ro id="1"
stateful="true" version="1.0"><riID><keyIdentifier
xsi:type="roap:X509SPKIHash"><hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash></keyI
dentifier></riID><o-ex:rights xmlns:o-ex="http://odrl.net/1.1/ODREL-EX";
o-ex:id="REL0">
<o-ex:context>
<o-dd:version
xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>2.0</o-dd:version>
</o-ex:context>
<o-ex:agreement>
<o-ex:asset>
<o-ex:context>
<o-dd:version
xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>2.0</o-dd:version>
<o-dd:uid
xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>cid:[EMAIL PROTECTED]</o-dd:u
id>
</o-ex:context>
<o-ex:digest>
<ds:DigestMethod
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod>
<ds:DigestValue
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>OV1+vvou4r5fEKDBvpI3eztkYNM=</
ds:DigestValue>
</o-ex:digest>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128";></xenc:EncryptionMeth
od>
<xenc:CipherData>
<xenc:CipherValue>Epp1k8KfMBqg+SYNCiZSwr1OVmuZHZiP</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<ds:RetrievalMethod
ds:URI="K_REK_and_K_MAC_984511788"></ds:RetrievalMethod>
</ds:KeyInfo>
</o-ex:asset>
<o-ex:permission>
<o-dd:play xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>
<o-ex:constraint>
<o-dd:count>3</o-dd:count>
</o-ex:constraint>
</o-dd:play>
</o-ex:permission>
</o-ex:agreement>
</o-ex:rights><encKey id="K_REK_and_K_MAC_984511788"><xenc:EncryptionMethod
Algorithm="http://www.rsasecurity.com/rsalabs/xmlpkcs-1#rsaes-kem-kdf2-kw-ae
s128"></xenc:EncryptionMethod><ds:KeyInfo><roap:X509SPKIHash><hash>DegpKHcvp
l96B92Vw/5jkUyXRd4=</hash></roap:X509SPKIHash></ds:KeyInfo><xenc:CipherData>
<xenc:CipherValue>LV+KUMGjcr/f8QejPkUcYjHw5mRvxxE+thVnweQgk/Kv28qPZZ9XrEXbKj
48YkefWHXviZWKon7Wc9dbTft+Rdib2HuFb5l8N50hXAQXFfQAf/BpGdz+sVna8UODthK4Ftp4yw
3ciVmFUCg31NmkUYgl8ItSwvPKBTZrLLUb8wnRUXRoyy7WBxUt75Q8sWVj2reZBoQJN3l8gJx5nj
bZ60iiDTf5gyzx</xenc:CipherValue></xenc:CipherData></encKey></ro><ds:Signatu
re xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:CanonicalizationMet
hod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1";></ds:SignatureMethod
>
<ds:Reference URI="#1">
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod>
<ds:DigestValue>IRoycDtXfjqE/ZW+oeoxyvKaej8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>jggZZU/GpMAI/Sg0dcIYiMdeNL8=</ds:SignatureValue>
<ds:KeyInfo>
<ds:RetrievalMethod URI="#K_REK_and_K_MAC_984511788"></ds:RetrievalMethod>
</ds:KeyInfo>
</ds:Signature></protectedRO><certificateChain><certificate>MIICXTCCAcYCAQIw
DQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCZnIxETAPBgNVBAgTCEdSRU5PQkxFMRMwEQYDVQQH
EwpNT05UQk9OTk9UMREwDwYDVQQKEwhJTk9WQVRFTDEQMA4GA1UECxMHRFJNVEVBTTEfMB0GA1UE
AxMWU1VCIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQ1MjhaFw0xNTA1MDEwODQ1Mjha
MHMxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhHUkVOT0JMRTETMBEGA1UEBxMKTU9OVEJPTk5PVDEQ
MA4GA1UEChMHRFJNVEVBTTELMAkGA1UECxMCUkkxHTAbBgNVBAMTFENFUi4gRk9SIFJJIE9NQURS
TVYyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMYTYjrPe8/lvp+5mdefXNnji23soZAe+o
NJK8+5JBeJ6mNKWvjzgr4BJAnXaCwLncyOJxBeovAiAPXFkD/54FrWMOpO9Oa5oZliCseEAQL082
VDnAMN0rrPgt5aREjd2DIpO96dieMYbyvDXIMrLf+iGVH+KUKVyN51gw0O4v1QIDAQABMA0GCSqG
SIb3DQEBBQUAA4GBAI7s6ZygePOS21yWxUZflLvTe96BERlQbroj6Hiic3jLyE4nYuvbuoDoXRii
uzcNbWPRSqJkabBvcB8+8yi1NuIe6/SoiKjNpCZKNl8wX47cAiBv+DEBnBkH/9LpFOllD1hDRqNj
2Tx5k9l53DR7+qb6WHrrB6vLTCESU2wqlm/q</certificate><certificate>MIIC4zCCAcsCA
QEwDQYJKoZIhvcNAQEFBQAweDELMAkGA1UEBhMCRlIxETAPBgNVBAgTCEdSRU5PQkxFMRMwEQYDV
QQHEwpNT05UQk9OTk9UMQwwCgYDVQQKEwNTRlIxETAPBgNVBAsTCElOT1ZBVEVMMSAwHgYDVQQDE
xdST09UIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQxMDVaFw0xNTA1MDkwODQxMDVaM
HsxCzAJBgNVBAYTAmZyMREwDwYDVQQIEwhHUkVOT0JMRTETMBEGA1UEBxMKTU9OVEJPTk5PVDERM
A8GA1UEChMISU5PVkFURUwxEDAOBgNVBAsTB0RSTVRFQU0xHzAdBgNVBAMTFlNVQiBDQSBGT1IgU
kkgT01BRFJNVjIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANUS8I0gXPWIPTVnj2BotBNht
+EdZh1MhSZ1DCKPeV7EOk7pCi2IGJRByTxIV6PAAabo1BKo+LDdfw9bfj20K3sdExd6KIm3lk0eF
Tw4mg7al8I0wUzIvUqJl/yxiiYfSjEAEhM0VhcgokqMkVCZ8ZaXceWUXIhohX6dafJfPKdFAgMBA
AEwDQYJKoZIhvcNAQEFBQADggEBAA5Kfglfd6z0phqk56Y758S/XhPa18jy2VvnIxk27G/Wp5OZv
mtL5kyppJBZISkNrKbFtKmyoJkGjDj/wxCTFyb3nuxXZBBtjErx8YsopGPs+dXe7v/gAaCYkDAAI
uiAxa5FigPKkbZi/62MkHWcqE06Gf7b9O9cHx7xfKn9SnjvkwkjpbrMKZhpHI8ar1AgNy9UHxUsT
5n0paHv7h3qnNEkQlTH7IYsfb6QsXADw1qswrI4xapyy7VszS01S3i1H1WhxytC/R7qzoP0c8kQW
+T0H/vTAwTojsoNeOq9H6exRUSogz2jD4PNREt9bQyCfqARFhmQKZ5ipLL/DbXL/tg=</certifi
cate></certificateChain></roap:roResponse>
The code that do the canonicalization and sign at
the end of the document construction process :
---------------------------------------------------
try
{
// Open keystore
ks = KeyStore.getInstance("JKS");
fis = new FileInputStream(riKeystore);
ks.load(fis, passwd.toCharArray());
// Get private key from key store
log.info("extracting the RI's private Key from the keystore
file for alias : ");
privateKey = (java.security.interfaces.RSAPrivateKey)
ks.getKey(privateKeyAlias, passwd.toCharArray());
// Get modulus and exponent of the provate Key
modulus = privateKey.getModulus();
exponent = privateKey.getPrivateExponent();
log.debug("modulus of the private key is : " + modulus);
log.debug("exponent of the private key is : " + exponent);
canonicalize =
Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
byte[] data = canonicalize.canonicalizeSubtree(doc);
try
{
javax.xml.parsers.DocumentBuilderFactory dbf =
javax.xml.parsers.DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
javax.xml.parsers.DocumentBuilder db =
dbf.newDocumentBuilder();
ByteArrayOutputStream ee = new ByteArrayOutputStream();
//XMLUtils.outputDOM(doc3, ee);
XMLUtils.outputDOMc14nWithComments(doc, ee);
Document inputDoc = db.parse(new
ByteArrayInputStream(ee.toByteArray()));
////////////
StringWriter strOut = new StringWriter();
OutputFormat format = new OutputFormat();
format.setIndenting(true);
XMLSerializer XMLSerial = new XMLSerializer(strOut,
format);
XMLSerial.asDOMSerializer().serialize(inputDoc);
log.debug("2 pass doc=" + strOut.toString());
log.debug("2 pass doc canonicalized=" + new
String(data));
}
catch (Exception e) {}
// Intialize signature
rsaKeyParam = new RSAKeyParameters(true, modulus, exponent);
signer = new PSSSigner(rsaEngine, sha1Digest, 20);
signer.init(true, new ParametersWithRandom(rsaKeyParam,
secureRand));
signer.update(data, 0, data.length);
//Computing signature
sig = signer.generateSignature();
signature = doc.createElement("signature");
signature.appendChild(doc.createTextNode(new
String(Base64.encode(sig), "ASCII")));
Element root = doc.getDocumentElement();
root.appendChild(signature);
}
The code that do the XML Signature during the documents
construction process :
---------------------------------------------------
// Starting the Mac calculation
log.info("starting Mac calculation"); // Canonicalize the
doc
Element nscontext = XMLUtils.createDSctx(doc, "ds",
Constants.SignatureSpecNS);
try
{
Node signedInfo = XPathAPI.selectSingleNode(doc,
"//ds:SignedInfo", nscontext);
}
catch (TransformerException e){
}
XMLSignature sig = new XMLSignature(doc, (String) null,
XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
protectedRO.appendChild(sig.getElement());
sig.addDocument("#" + referenceURI, (Transforms) null,
Constants.ALGO_ID_DIGEST_SHA1);
// using the MAc key to sign the ROPlayload
sig.sign(mac);
if (retrievalMethodURI != null)
retrieveMethod = new RetrievalMethod(doc, "#" +
retrievalMethodURI, (Transforms) null, (String) null);
if (retrieveMethod == null)
log .error("retrieveMethod is null");
else
sig.getKeyInfo().add(retrieveMethod);
log.info("Mac tag is inserted into the ROPayload");
<?xml version="1.0" encoding="UTF-8"?>
<roap:roResponse status="Success"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";
xmlns:o-ex="http://odrl.net/1.1/ODREL-EX";
xmlns:roap="urn:oma:bac:dldrm:roap-1.0"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
xmlns:xsi="http://www/w3.org/2001/XMLSchema-instance";>
<deviceID>
<keyIdentifier xsi:type="roap:X509SPKIHash">
<hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash>
</keyIdentifier>
</deviceID>
<riID>
<keyIdentifier xsi:type="roap:X509SPKIHash">
<hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash>
</keyIdentifier>
</riID>
<Nonce>327612312</Nonce>
<protectedRO>
<ro id="1" stateful="true" version="1.0">
<riID>
<keyIdentifier xsi:type="roap:X509SPKIHash">
<hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash>
</keyIdentifier>
</riID>
<o-ex:rights o-ex:id="REL0">
<o-ex:context>
<o-dd:version>2.0</o-dd:version>
</o-ex:context>
<o-ex:agreement>
<o-ex:asset>
<o-ex:context>
<o-dd:version>2.0</o-dd:version>
<o-dd:uid>cid:[EMAIL PROTECTED]</o-dd:uid>
</o-ex:context>
<o-ex:digest>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>OV1+vvou4r5fEKDBvpI3eztkYNM=</ds:DigestValue>
</o-ex:digest>
<ds:KeyInfo>
<xenc:EncryptedKey>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/>
<xenc:CipherData>
<xenc:CipherValue>Epp1k8KfMBqg+SYNCiZSwr1OVmuZHZiP</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<ds:RetrievalMethod
ds:URI="K_REK_and_K_MAC_984511788"/>
</ds:KeyInfo>
</o-ex:asset>
<o-ex:permission>
<o-dd:play>
<o-ex:constraint>
<o-dd:count>3</o-dd:count>
</o-ex:constraint>
</o-dd:play>
</o-ex:permission>
</o-ex:agreement>
</o-ex:rights>
<encKey id="K_REK_and_K_MAC_984511788">
<xenc:EncryptionMethod
Algorithm="http://www.rsasecurity.com/rsalabs/xmlpkcs-1#rsaes-kem-kdf2-kw-aes128"/>
<ds:KeyInfo>
<roap:X509SPKIHash>
<hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash>
</roap:X509SPKIHash>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>LV+KUMGjcr/f8QejPkUcYjHw5mRvxxE+thVnweQgk/Kv28qPZZ9XrEXbKj48YkefWHXviZWKon7Wc9dbTft+Rdib2HuFb5l8N50hXAQXFfQAf/BpGdz+sVna8UODthK4Ftp4yw3ciVmFUCg31NmkUYgl8ItSwvPKBTZrLLUb8wnRUXRoyy7WBxUt75Q8sWVj2reZBoQJN3l8gJx5njbZ60iiDTf5gyzx</xenc:CipherValue>
</xenc:CipherData>
</encKey>
</ro>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<ds:Reference URI="#1">
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>IRoycDtXfjqE/ZW+oeoxyvKaej8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>jggZZU/GpMAI/Sg0dcIYiMdeNL8=</ds:SignatureValue>
<ds:KeyInfo>
<ds:RetrievalMethod URI="#K_REK_and_K_MAC_984511788"/>
</ds:KeyInfo>
</ds:Signature>
</protectedRO>
<certificateChain>
<certificate>MIICXTCCAcYCAQIwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCZnIxETAPBgNVBAgTCEdSRU5PQkxFMRMwEQYDVQQHEwpNT05UQk9OTk9UMREwDwYDVQQKEwhJTk9WQVRFTDEQMA4GA1UECxMHRFJNVEVBTTEfMB0GA1UEAxMWU1VCIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQ1MjhaFw0xNTA1MDEwODQ1MjhaMHMxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhHUkVOT0JMRTETMBEGA1UEBxMKTU9OVEJPTk5PVDEQMA4GA1UEChMHRFJNVEVBTTELMAkGA1UECxMCUkkxHTAbBgNVBAMTFENFUi4gRk9SIFJJIE9NQURSTVYyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMYTYjrPe8/lvp+5mdefXNnji23soZAe+oNJK8+5JBeJ6mNKWvjzgr4BJAnXaCwLncyOJxBeovAiAPXFkD/54FrWMOpO9Oa5oZliCseEAQL082VDnAMN0rrPgt5aREjd2DIpO96dieMYbyvDXIMrLf+iGVH+KUKVyN51gw0O4v1QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI7s6ZygePOS21yWxUZflLvTe96BERlQbroj6Hiic3jLyE4nYuvbuoDoXRiiuzcNbWPRSqJkabBvcB8+8yi1NuIe6/SoiKjNpCZKNl8wX47cAiBv+DEBnBkH/9LpFOllD1hDRqNj2Tx5k9l53DR7+qb6WHrrB6vLTCESU2wqlm/q</certificate>
<certificate>MIIC4zCCAcsCAQEwDQYJKoZIhvcNAQEFBQAweDELMAkGA1UEBhMCRlIxETAPBgNVBAgTCEdSRU5PQkxFMRMwEQYDVQQHEwpNT05UQk9OTk9UMQwwCgYDVQQKEwNTRlIxETAPBgNVBAsTCElOT1ZBVEVMMSAwHgYDVQQDExdST09UIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQxMDVaFw0xNTA1MDkwODQxMDVaMHsxCzAJBgNVBAYTAmZyMREwDwYDVQQIEwhHUkVOT0JMRTETMBEGA1UEBxMKTU9OVEJPTk5PVDERMA8GA1UEChMISU5PVkFURUwxEDAOBgNVBAsTB0RSTVRFQU0xHzAdBgNVBAMTFlNVQiBDQSBGT1IgUkkgT01BRFJNVjIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANUS8I0gXPWIPTVnj2BotBNht+EdZh1MhSZ1DCKPeV7EOk7pCi2IGJRByTxIV6PAAabo1BKo+LDdfw9bfj20K3sdExd6KIm3lk0eFTw4mg7al8I0wUzIvUqJl/yxiiYfSjEAEhM0VhcgokqMkVCZ8ZaXceWUXIhohX6dafJfPKdFAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAA5Kfglfd6z0phqk56Y758S/XhPa18jy2VvnIxk27G/Wp5OZvmtL5kyppJBZISkNrKbFtKmyoJkGjDj/wxCTFyb3nuxXZBBtjErx8YsopGPs+dXe7v/gAaCYkDAAIuiAxa5FigPKkbZi/62MkHWcqE06Gf7b9O9cHx7xfKn9SnjvkwkjpbrMKZhpHI8ar1AgNy9UHxUsT5n0paHv7h3qnNEkQlTH7IYsfb6QsXADw1qswrI4xapyy7VszS01S3i1H1WhxytC/R7qzoP0c8kQW+T0H/vTAwTojsoNeOq9H6exRUSogz2jD4PNREt9bQyCfqARFhmQKZ5ipLL/DbXL/tg=</certificate>
</certificateChain>
</roap:roResponse><roap:roResponse xmlns:roap="urn:oma:bac:dldrm:roap-1.0"
status="Success"><deviceID><keyIdentifier
xsi:type="roap:X509SPKIHash"><hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash></keyIdentifier></deviceID><riID><keyIdentifier
xsi:type="roap:X509SPKIHash"><hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash></keyIdentifier></riID><Nonce>327612312</Nonce><protectedRO><ro
id="1" stateful="true" version="1.0"><riID><keyIdentifier
xsi:type="roap:X509SPKIHash"><hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash></keyIdentifier></riID><o-ex:rights
xmlns:o-ex="http://odrl.net/1.1/ODREL-EX"; o-ex:id="REL0">
<o-ex:context>
<o-dd:version
xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>2.0</o-dd:version>
</o-ex:context>
<o-ex:agreement>
<o-ex:asset>
<o-ex:context>
<o-dd:version
xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>2.0</o-dd:version>
<o-dd:uid xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>cid:[EMAIL
PROTECTED]</o-dd:uid>
</o-ex:context>
<o-ex:digest>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod>
<ds:DigestValue
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>OV1+vvou4r5fEKDBvpI3eztkYNM=</ds:DigestValue>
</o-ex:digest>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128";></xenc:EncryptionMethod>
<xenc:CipherData>
<xenc:CipherValue>Epp1k8KfMBqg+SYNCiZSwr1OVmuZHZiP</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<ds:RetrievalMethod
ds:URI="K_REK_and_K_MAC_984511788"></ds:RetrievalMethod>
</ds:KeyInfo>
</o-ex:asset>
<o-ex:permission>
<o-dd:play xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>
<o-ex:constraint>
<o-dd:count>3</o-dd:count>
</o-ex:constraint>
</o-dd:play>
</o-ex:permission>
</o-ex:agreement>
</o-ex:rights><encKey id="K_REK_and_K_MAC_984511788"><xenc:EncryptionMethod
Algorithm="http://www.rsasecurity.com/rsalabs/xmlpkcs-1#rsaes-kem-kdf2-kw-aes128";></xenc:EncryptionMethod><ds:KeyInfo><roap:X509SPKIHash><hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash></roap:X509SPKIHash></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>LV+KUMGjcr/f8QejPkUcYjHw5mRvxxE+thVnweQgk/Kv28qPZZ9XrEXbKj48YkefWHXviZWKon7Wc9dbTft+Rdib2HuFb5l8N50hXAQXFfQAf/BpGdz+sVna8UODthK4Ftp4yw3ciVmFUCg31NmkUYgl8ItSwvPKBTZrLLUb8wnRUXRoyy7WBxUt75Q8sWVj2reZBoQJN3l8gJx5njbZ60iiDTf5gyzx</xenc:CipherValue></xenc:CipherData></encKey></ro><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1";></ds:SignatureMethod>
<ds:Reference URI="#1">
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod>
<ds:DigestValue>IRoycDtXfjqE/ZW+oeoxyvKaej8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>jggZZU/GpMAI/Sg0dcIYiMdeNL8=</ds:SignatureValue>
<ds:KeyInfo>
<ds:RetrievalMethod URI="#K_REK_and_K_MAC_984511788"></ds:RetrievalMethod>
</ds:KeyInfo>
</ds:Signature></protectedRO><certificateChain><certificate>MIICXTCCAcYCAQIwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCZnIxETAPBgNVBAgTCEdSRU5PQkxFMRMwEQYDVQQHEwpNT05UQk9OTk9UMREwDwYDVQQKEwhJTk9WQVRFTDEQMA4GA1UECxMHRFJNVEVBTTEfMB0GA1UEAxMWU1VCIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQ1MjhaFw0xNTA1MDEwODQ1MjhaMHMxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhHUkVOT0JMRTETMBEGA1UEBxMKTU9OVEJPTk5PVDEQMA4GA1UEChMHRFJNVEVBTTELMAkGA1UECxMCUkkxHTAbBgNVBAMTFENFUi4gRk9SIFJJIE9NQURSTVYyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMYTYjrPe8/lvp+5mdefXNnji23soZAe+oNJK8+5JBeJ6mNKWvjzgr4BJAnXaCwLncyOJxBeovAiAPXFkD/54FrWMOpO9Oa5oZliCseEAQL082VDnAMN0rrPgt5aREjd2DIpO96dieMYbyvDXIMrLf+iGVH+KUKVyN51gw0O4v1QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI7s6ZygePOS21yWxUZflLvTe96BERlQbroj6Hiic3jLyE4nYuvbuoDoXRiiuzcNbWPRSqJkabBvcB8+8yi1NuIe6/SoiKjNpCZKNl8wX47cAiBv+DEBnBkH/9LpFOllD1hDRqNj2Tx5k9l53DR7+qb6WHrrB6vLTCESU2wqlm/q</certificate><certificate>MIIC4zCCAcsCAQEwDQYJKoZIhvcNAQEFBQAweDELMAkGA1UEBhMCRlIxETAPBgNVBAgTCEdSRU5PQkxFMRMwEQYDVQQHEwpNT05UQk9OTk9UMQwwCgYDVQQKEwNTRlIxETAPBgNVBAsTCElOT1ZBVEVMMSAwHgYDVQQDExdST09UIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQxMDVaFw0xNTA1MDkwODQxMDVaMHsxCzAJBgNVBAYTAmZyMREwDwYDVQQIEwhHUkVOT0JMRTETMBEGA1UEBxMKTU9OVEJPTk5PVDERMA8GA1UEChMISU5PVkFURUwxEDAOBgNVBAsTB0RSTVRFQU0xHzAdBgNVBAMTFlNVQiBDQSBGT1IgUkkgT01BRFJNVjIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANUS8I0gXPWIPTVnj2BotBNht+EdZh1MhSZ1DCKPeV7EOk7pCi2IGJRByTxIV6PAAabo1BKo+LDdfw9bfj20K3sdExd6KIm3lk0eFTw4mg7al8I0wUzIvUqJl/yxiiYfSjEAEhM0VhcgokqMkVCZ8ZaXceWUXIhohX6dafJfPKdFAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAA5Kfglfd6z0phqk56Y758S/XhPa18jy2VvnIxk27G/Wp5OZvmtL5kyppJBZISkNrKbFtKmyoJkGjDj/wxCTFyb3nuxXZBBtjErx8YsopGPs+dXe7v/gAaCYkDAAIuiAxa5FigPKkbZi/62MkHWcqE06Gf7b9O9cHx7xfKn9SnjvkwkjpbrMKZhpHI8ar1AgNy9UHxUsT5n0paHv7h3qnNEkQlTH7IYsfb6QsXADw1qswrI4xapyy7VszS01S3i1H1WhxytC/R7qzoP0c8kQW+T0H/vTAwTojsoNeOq9H6exRUSogz2jD4PNREt9bQyCfqARFhmQKZ5ipLL/DbXL/tg=</certificate></certificateChain></roap:roResponse> if (securityLevel >= 0)
{
Canonicalizer canonicalize = null;
KeyStore ks = null;
FileInputStream fis = null;
String privateKeyAlias = "RI";
RSAPrivateKey privateKey = null;
RSAKeyParameters rsaKeyParam = null;
RSAEngine rsaEngine = new RSAEngine();
SHA1Digest sha1Digest = new SHA1Digest();
SecureRandom secureRand = new SecureRandom();
PSSSigner signer = null;
byte[] sig = null;
BigInteger modulus = null;
BigInteger exponent = null;
Element signature = null;
try
{
// Open keystore
ks = KeyStore.getInstance("JKS");
fis = new FileInputStream(riKeystore);
ks.load(fis, passwd.toCharArray());
// Get private key from key store
log.info("extracting the RI's private Key from the keystore
file for alias : ");
privateKey = (java.security.interfaces.RSAPrivateKey)
ks.getKey(privateKeyAlias, passwd.toCharArray());
// Get modulus and exponent of the provate Key
modulus = privateKey.getModulus();
exponent = privateKey.getPrivateExponent();
log.debug("modulus of the private key is : " + modulus);
log.debug("exponent of the private key is : " + exponent);
canonicalize =
Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
byte[] data = canonicalize.canonicalizeSubtree(doc);
try
{
javax.xml.parsers.DocumentBuilderFactory dbf =
javax.xml.parsers.DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
javax.xml.parsers.DocumentBuilder db =
dbf.newDocumentBuilder();
ByteArrayOutputStream ee = new ByteArrayOutputStream();
//XMLUtils.outputDOM(doc3, ee);
XMLUtils.outputDOMc14nWithComments(doc, ee);
Document inputDoc = db.parse(new
ByteArrayInputStream(ee.toByteArray()));
////////////
StringWriter strOut = new StringWriter();
OutputFormat format = new OutputFormat();
format.setIndenting(true);
XMLSerializer XMLSerial = new XMLSerializer(strOut, format);
XMLSerial.asDOMSerializer().serialize(inputDoc);
log.debug("2 pass doc=" + strOut.toString());
log.debug("2 pass doc canonicalized=" + new String(data));
}
catch (Exception e) {}
// Intialize signature
rsaKeyParam = new RSAKeyParameters(true, modulus, exponent);
signer = new PSSSigner(rsaEngine, sha1Digest, 20);
signer.init(true, new ParametersWithRandom(rsaKeyParam,
secureRand));
signer.update(data, 0, data.length);
//Computing signature
sig = signer.generateSignature();
signature = doc.createElement("signature");
signature.appendChild(doc.createTextNode(new
String(Base64.encode(sig), "ASCII")));
Element root = doc.getDocumentElement();
root.appendChild(signature);
}
// Starting the Mac calculation
log.info("starting Mac calculation"); // Canonicalize the doc
Element nscontext = XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
try
{
Node signedInfo = XPathAPI.selectSingleNode(doc, "//ds:SignedInfo",
nscontext);
}
catch (TransformerException e)
{
}
XMLSignature sig = new XMLSignature(doc, (String) null,
XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
protectedRO.appendChild(sig.getElement());
sig.addDocument("#" + referenceURI, (Transforms) null,
Constants.ALGO_ID_DIGEST_SHA1);
// using the MAc key to sign the ROPlayload
sig.sign(mac);
if (retrievalMethodURI != null)
retrieveMethod = new RetrievalMethod(doc, "#" + retrievalMethodURI,
(Transforms) null, (String) null);
if (retrieveMethod == null)
log .error("retrieveMethod is null");
else
sig.getKeyInfo().add(retrieveMethod);
log.info("Mac tag is inserted into the ROPayload");
