Sorry for the delay answering, I think that your problems will be solved if you include an exclusive tranformation in your reference digesting.
Regards, Raul http://r-bg.com On Tue, 25 Jan 2005 17:07:28 +0100, Cédric POTHIN <[EMAIL PROTECTED]> wrote: > Sorry I forget to say that I use the last source code > from CVS and the associated library. > > Cédric > > -----Message d'origine----- > De : Cédric POTHIN [mailto:[EMAIL PROTECTED] > Envoyé : mardi 25 janvier 2005 15:54 > À : security-dev@xml.apache.org > Objet : Canonicalization problem of XML containing a XML signature > > Hi all, > > I have a strange issue regarding the canoncicalization > of a XML Document containing a XML signature. This > canonicalization is required to insert a signature > value of the whole document at the end of the document. > > If I don't insert the XML signature in my document > the canonicalization is ok. If I insert the XML > signature the canonicalization failed : some parts > of the document is not canonicalized. > > Here is the input/output of the canonicalization. > > And also the code that do the exclusive c14n canonicalization. > and the xml signature > > Any clue ? > > Thanks in advance for any answers/help. > > Cédric > > Input of the canonicalization : > ----------------------------------- > > <?xml version="1.0" encoding="UTF-8"?> > <roap:roResponse status="Success" > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; > xmlns:o-dd="http://odrl.net/1.1/ODREL-DD"; > xmlns:o-ex="http://odrl.net/1.1/ODREL-EX"; > xmlns:roap="urn:oma:bac:dldrm:roap-1.0" > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; > xmlns:xsi="http://www/w3.org/2001/XMLSchema-instance";> > <deviceID> > <keyIdentifier xsi:type="roap:X509SPKIHash"> > <hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash> > </keyIdentifier> > </deviceID> > <riID> > <keyIdentifier xsi:type="roap:X509SPKIHash"> > <hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash> > </keyIdentifier> > </riID> > <Nonce>327612312</Nonce> > <protectedRO> > <ro id="1" stateful="true" version="1.0"> > <riID> > <keyIdentifier xsi:type="roap:X509SPKIHash"> > <hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash> > </keyIdentifier> > </riID> > <o-ex:rights o-ex:id="REL0"> > <o-ex:context> > <o-dd:version>2.0</o-dd:version> > </o-ex:context> > <o-ex:agreement> > <o-ex:asset> > <o-ex:context> > <o-dd:version>2.0</o-dd:version> > <o-dd:uid>cid:[EMAIL PROTECTED]</o-dd:uid> > </o-ex:context> > <o-ex:digest> > <ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > <ds:DigestValue>OV1+vvou4r5fEKDBvpI3eztkYNM=</ds:DigestValue> > </o-ex:digest> > <ds:KeyInfo> > <xenc:EncryptedKey> > <xenc:EncryptionMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/> > <xenc:CipherData> > > <xenc:CipherValue>Epp1k8KfMBqg+SYNCiZSwr1OVmuZHZiP</xenc:CipherValue> > </xenc:CipherData> > </xenc:EncryptedKey> > <ds:RetrievalMethod > ds:URI="K_REK_and_K_MAC_984511788"/> > </ds:KeyInfo> > </o-ex:asset> > <o-ex:permission> > <o-dd:play> > <o-ex:constraint> > <o-dd:count>3</o-dd:count> > </o-ex:constraint> > </o-dd:play> > </o-ex:permission> > </o-ex:agreement> > </o-ex:rights> > <encKey id="K_REK_and_K_MAC_984511788"> > <xenc:EncryptionMethod > Algorithm="http://www.rsasecurity.com/rsalabs/xmlpkcs-1#rsaes-kem-kdf2-kw-ae > s128"/> > <ds:KeyInfo> > <roap:X509SPKIHash> > <hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash> > </roap:X509SPKIHash> > </ds:KeyInfo> > <xenc:CipherData> > > <xenc:CipherValue>LV+KUMGjcr/f8QejPkUcYjHw5mRvxxE+thVnweQgk/Kv28qPZZ9XrEXbKj > 48YkefWHXviZWKon7Wc9dbTft+Rdib2HuFb5l8N50hXAQXFfQAf/BpGdz+sVna8UODthK4Ftp4yw > 3ciVmFUCg31NmkUYgl8ItSwvPKBTZrLLUb8wnRUXRoyy7WBxUt75Q8sWVj2reZBoQJN3l8gJx5nj > bZ60iiDTf5gyzx</xenc:CipherValue> > </xenc:CipherData> > </encKey> > </ro> > <ds:Signature> > <ds:SignedInfo> > <ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > <ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> > <ds:Reference URI="#1"> > <ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > <ds:DigestValue>IRoycDtXfjqE/ZW+oeoxyvKaej8=</ds:DigestValue> > </ds:Reference> > </ds:SignedInfo> > > <ds:SignatureValue>jggZZU/GpMAI/Sg0dcIYiMdeNL8=</ds:SignatureValue> > <ds:KeyInfo> > <ds:RetrievalMethod URI="#K_REK_and_K_MAC_984511788"/> > </ds:KeyInfo> > </ds:Signature> > </protectedRO> > <certificateChain> > > <certificate>MIICXTCCAcYCAQIwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCZnIxETAPBgN > VBAgTCEdSRU5PQkxFMRMwEQYDVQQHEwpNT05UQk9OTk9UMREwDwYDVQQKEwhJTk9WQVRFTDEQMA4 > GA1UECxMHRFJNVEVBTTEfMB0GA1UEAxMWU1VCIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1Mjg > wODQ1MjhaFw0xNTA1MDEwODQ1MjhaMHMxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhHUkVOT0JMRTE > TMBEGA1UEBxMKTU9OVEJPTk5PVDEQMA4GA1UEChMHRFJNVEVBTTELMAkGA1UECxMCUkkxHTAbBgN > VBAMTFENFUi4gRk9SIFJJIE9NQURSTVYyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMYTY > jrPe8/lvp+5mdefXNnji23soZAe+oNJK8+5JBeJ6mNKWvjzgr4BJAnXaCwLncyOJxBeovAiAPXFk > D/54FrWMOpO9Oa5oZliCseEAQL082VDnAMN0rrPgt5aREjd2DIpO96dieMYbyvDXIMrLf+iGVH+K > UKVyN51gw0O4v1QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI7s6ZygePOS21yWxUZflLvTe96BERl > Qbroj6Hiic3jLyE4nYuvbuoDoXRiiuzcNbWPRSqJkabBvcB8+8yi1NuIe6/SoiKjNpCZKNl8wX47 > cAiBv+DEBnBkH/9LpFOllD1hDRqNj2Tx5k9l53DR7+qb6WHrrB6vLTCESU2wqlm/q</certifica > te> > > <certificate>MIIC4zCCAcsCAQEwDQYJKoZIhvcNAQEFBQAweDELMAkGA1UEBhMCRlIxETAPBgN > VBAgTCEdSRU5PQkxFMRMwEQYDVQQHEwpNT05UQk9OTk9UMQwwCgYDVQQKEwNTRlIxETAPBgNVBAs > TCElOT1ZBVEVMMSAwHgYDVQQDExdST09UIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQ > xMDVaFw0xNTA1MDkwODQxMDVaMHsxCzAJBgNVBAYTAmZyMREwDwYDVQQIEwhHUkVOT0JMRTETMBE > GA1UEBxMKTU9OVEJPTk5PVDERMA8GA1UEChMISU5PVkFURUwxEDAOBgNVBAsTB0RSTVRFQU0xHzA > dBgNVBAMTFlNVQiBDQSBGT1IgUkkgT01BRFJNVjIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoG > BANUS8I0gXPWIPTVnj2BotBNht+EdZh1MhSZ1DCKPeV7EOk7pCi2IGJRByTxIV6PAAabo1BKo+LD > dfw9bfj20K3sdExd6KIm3lk0eFTw4mg7al8I0wUzIvUqJl/yxiiYfSjEAEhM0VhcgokqMkVCZ8Za > XceWUXIhohX6dafJfPKdFAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAA5Kfglfd6z0phqk56Y758S > /XhPa18jy2VvnIxk27G/Wp5OZvmtL5kyppJBZISkNrKbFtKmyoJkGjDj/wxCTFyb3nuxXZBBtjEr > x8YsopGPs+dXe7v/gAaCYkDAAIuiAxa5FigPKkbZi/62MkHWcqE06Gf7b9O9cHx7xfKn9Snjvkwk > jpbrMKZhpHI8ar1AgNy9UHxUsT5n0paHv7h3qnNEkQlTH7IYsfb6QsXADw1qswrI4xapyy7VszS0 > 1S3i1H1WhxytC/R7qzoP0c8kQW+T0H/vTAwTojsoNeOq9H6exRUSogz2jD4PNREt9bQyCfqARFhm > QKZ5ipLL/DbXL/tg=</certificate> > </certificateChain> > </roap:roResponse> > > Output of the canonicalization : > ---------------------------------- > > <roap:roResponse xmlns:roap="urn:oma:bac:dldrm:roap-1.0" > status="Success"><deviceID><keyIdentifier > xsi:type="roap:X509SPKIHash"><hash>DegpKHcvpl96B92Vw/5jkUyXRd4=</hash></keyI > dentifier></deviceID><riID><keyIdentifier > xsi:type="roap:X509SPKIHash"><hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash></keyI > dentifier></riID><Nonce>327612312</Nonce><protectedRO><ro id="1" > stateful="true" version="1.0"><riID><keyIdentifier > xsi:type="roap:X509SPKIHash"><hash>sk+4JImZCG+IV4/c+Pw9FeAbhuc=</hash></keyI > dentifier></riID><o-ex:rights xmlns:o-ex="http://odrl.net/1.1/ODREL-EX"; > o-ex:id="REL0"> > <o-ex:context> > <o-dd:version > xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>2.0</o-dd:version> > </o-ex:context> > <o-ex:agreement> > <o-ex:asset> > <o-ex:context> > <o-dd:version > xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>2.0</o-dd:version> > <o-dd:uid > xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";>cid:[EMAIL PROTECTED]</o-dd:u > id> > </o-ex:context> > <o-ex:digest> > <ds:DigestMethod > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod> > <ds:DigestValue > xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>OV1+vvou4r5fEKDBvpI3eztkYNM=</ > ds:DigestValue> > </o-ex:digest> > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> > <xenc:EncryptedKey > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";> > <xenc:EncryptionMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128";></xenc:EncryptionMeth > od> > <xenc:CipherData> > > <xenc:CipherValue>Epp1k8KfMBqg+SYNCiZSwr1OVmuZHZiP</xenc:CipherValue> > </xenc:CipherData> > </xenc:EncryptedKey> > <ds:RetrievalMethod > ds:URI="K_REK_and_K_MAC_984511788"></ds:RetrievalMethod> > </ds:KeyInfo> > </o-ex:asset> > <o-ex:permission> > <o-dd:play xmlns:o-dd="http://odrl.net/1.1/ODREL-DD";> > <o-ex:constraint> > <o-dd:count>3</o-dd:count> > </o-ex:constraint> > </o-dd:play> > </o-ex:permission> > </o-ex:agreement> > </o-ex:rights><encKey id="K_REK_and_K_MAC_984511788"><xenc:EncryptionMethod > Algorithm="http://www.rsasecurity.com/rsalabs/xmlpkcs-1#rsaes-kem-kdf2-kw-ae > s128"></xenc:EncryptionMethod><ds:KeyInfo><roap:X509SPKIHash><hash>DegpKHcvp > l96B92Vw/5jkUyXRd4=</hash></roap:X509SPKIHash></ds:KeyInfo><xenc:CipherData> > <xenc:CipherValue>LV+KUMGjcr/f8QejPkUcYjHw5mRvxxE+thVnweQgk/Kv28qPZZ9XrEXbKj > 48YkefWHXviZWKon7Wc9dbTft+Rdib2HuFb5l8N50hXAQXFfQAf/BpGdz+sVna8UODthK4Ftp4yw > 3ciVmFUCg31NmkUYgl8ItSwvPKBTZrLLUb8wnRUXRoyy7WBxUt75Q8sWVj2reZBoQJN3l8gJx5nj > bZ60iiDTf5gyzx</xenc:CipherValue></xenc:CipherData></encKey></ro><ds:Signatu > re xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> > <ds:SignedInfo> > <ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:CanonicalizationMet > hod> > <ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1";></ds:SignatureMethod > > > <ds:Reference URI="#1"> > <ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod> > <ds:DigestValue>IRoycDtXfjqE/ZW+oeoxyvKaej8=</ds:DigestValue> > </ds:Reference> > </ds:SignedInfo> > <ds:SignatureValue>jggZZU/GpMAI/Sg0dcIYiMdeNL8=</ds:SignatureValue> > <ds:KeyInfo> > <ds:RetrievalMethod URI="#K_REK_and_K_MAC_984511788"></ds:RetrievalMethod> > </ds:KeyInfo> > </ds:Signature></protectedRO><certificateChain><certificate>MIICXTCCAcYCAQIw > DQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCZnIxETAPBgNVBAgTCEdSRU5PQkxFMRMwEQYDVQQH > EwpNT05UQk9OTk9UMREwDwYDVQQKEwhJTk9WQVRFTDEQMA4GA1UECxMHRFJNVEVBTTEfMB0GA1UE > AxMWU1VCIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQ1MjhaFw0xNTA1MDEwODQ1Mjha > MHMxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhHUkVOT0JMRTETMBEGA1UEBxMKTU9OVEJPTk5PVDEQ > MA4GA1UEChMHRFJNVEVBTTELMAkGA1UECxMCUkkxHTAbBgNVBAMTFENFUi4gRk9SIFJJIE9NQURS > TVYyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMYTYjrPe8/lvp+5mdefXNnji23soZAe+o > NJK8+5JBeJ6mNKWvjzgr4BJAnXaCwLncyOJxBeovAiAPXFkD/54FrWMOpO9Oa5oZliCseEAQL082 > VDnAMN0rrPgt5aREjd2DIpO96dieMYbyvDXIMrLf+iGVH+KUKVyN51gw0O4v1QIDAQABMA0GCSqG > SIb3DQEBBQUAA4GBAI7s6ZygePOS21yWxUZflLvTe96BERlQbroj6Hiic3jLyE4nYuvbuoDoXRii > uzcNbWPRSqJkabBvcB8+8yi1NuIe6/SoiKjNpCZKNl8wX47cAiBv+DEBnBkH/9LpFOllD1hDRqNj > 2Tx5k9l53DR7+qb6WHrrB6vLTCESU2wqlm/q</certificate><certificate>MIIC4zCCAcsCA > QEwDQYJKoZIhvcNAQEFBQAweDELMAkGA1UEBhMCRlIxETAPBgNVBAgTCEdSRU5PQkxFMRMwEQYDV > QQHEwpNT05UQk9OTk9UMQwwCgYDVQQKEwNTRlIxETAPBgNVBAsTCElOT1ZBVEVMMSAwHgYDVQQDE > xdST09UIENBIEZPUiBSSSBPTUFEUk1WMjAeFw0wNDA1MjgwODQxMDVaFw0xNTA1MDkwODQxMDVaM > HsxCzAJBgNVBAYTAmZyMREwDwYDVQQIEwhHUkVOT0JMRTETMBEGA1UEBxMKTU9OVEJPTk5PVDERM > A8GA1UEChMISU5PVkFURUwxEDAOBgNVBAsTB0RSTVRFQU0xHzAdBgNVBAMTFlNVQiBDQSBGT1IgU > kkgT01BRFJNVjIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANUS8I0gXPWIPTVnj2BotBNht > +EdZh1MhSZ1DCKPeV7EOk7pCi2IGJRByTxIV6PAAabo1BKo+LDdfw9bfj20K3sdExd6KIm3lk0eF > Tw4mg7al8I0wUzIvUqJl/yxiiYfSjEAEhM0VhcgokqMkVCZ8ZaXceWUXIhohX6dafJfPKdFAgMBA > AEwDQYJKoZIhvcNAQEFBQADggEBAA5Kfglfd6z0phqk56Y758S/XhPa18jy2VvnIxk27G/Wp5OZv > mtL5kyppJBZISkNrKbFtKmyoJkGjDj/wxCTFyb3nuxXZBBtjErx8YsopGPs+dXe7v/gAaCYkDAAI > uiAxa5FigPKkbZi/62MkHWcqE06Gf7b9O9cHx7xfKn9SnjvkwkjpbrMKZhpHI8ar1AgNy9UHxUsT > 5n0paHv7h3qnNEkQlTH7IYsfb6QsXADw1qswrI4xapyy7VszS01S3i1H1WhxytC/R7qzoP0c8kQW > +T0H/vTAwTojsoNeOq9H6exRUSogz2jD4PNREt9bQyCfqARFhmQKZ5ipLL/DbXL/tg=</certifi > cate></certificateChain></roap:roResponse> > > The code that do the canonicalization and sign at > the end of the document construction process : > --------------------------------------------------- > > try > { > // Open keystore > ks = KeyStore.getInstance("JKS"); > fis = new FileInputStream(riKeystore); > ks.load(fis, passwd.toCharArray()); > > // Get private key from key store > log.info("extracting the RI's private Key from the keystore > file for alias : "); > privateKey = (java.security.interfaces.RSAPrivateKey) > ks.getKey(privateKeyAlias, passwd.toCharArray()); > > // Get modulus and exponent of the provate Key > modulus = privateKey.getModulus(); > exponent = privateKey.getPrivateExponent(); > log.debug("modulus of the private key is : " + modulus); > log.debug("exponent of the private key is : " + exponent); > > canonicalize = > Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); > byte[] data = canonicalize.canonicalizeSubtree(doc); > > try > { > javax.xml.parsers.DocumentBuilderFactory dbf = > javax.xml.parsers.DocumentBuilderFactory.newInstance(); > dbf.setNamespaceAware(true); > javax.xml.parsers.DocumentBuilder db = > dbf.newDocumentBuilder(); > ByteArrayOutputStream ee = new ByteArrayOutputStream(); > //XMLUtils.outputDOM(doc3, ee); > XMLUtils.outputDOMc14nWithComments(doc, ee); > Document inputDoc = db.parse(new > ByteArrayInputStream(ee.toByteArray())); > //////////// > StringWriter strOut = new StringWriter(); > OutputFormat format = new OutputFormat(); > format.setIndenting(true); > XMLSerializer XMLSerial = new XMLSerializer(strOut, > format); > XMLSerial.asDOMSerializer().serialize(inputDoc); > log.debug("2 pass doc=" + strOut.toString()); > log.debug("2 pass doc canonicalized=" + new > String(data)); > } > catch (Exception e) {} > > // Intialize signature > rsaKeyParam = new RSAKeyParameters(true, modulus, exponent); > signer = new PSSSigner(rsaEngine, sha1Digest, 20); > signer.init(true, new ParametersWithRandom(rsaKeyParam, > secureRand)); > > signer.update(data, 0, data.length); > > //Computing signature > sig = signer.generateSignature(); > signature = doc.createElement("signature"); > signature.appendChild(doc.createTextNode(new > String(Base64.encode(sig), "ASCII"))); > Element root = doc.getDocumentElement(); > root.appendChild(signature); > } > > The code that do the XML Signature during the documents > construction process : > --------------------------------------------------- > > // Starting the Mac calculation > log.info("starting Mac calculation"); // Canonicalize the > doc > Element nscontext = XMLUtils.createDSctx(doc, "ds", > Constants.SignatureSpecNS); > try > { > Node signedInfo = XPathAPI.selectSingleNode(doc, > "//ds:SignedInfo", nscontext); > } > catch (TransformerException e){ > > } > > XMLSignature sig = new XMLSignature(doc, (String) null, > XMLSignature.ALGO_ID_MAC_HMAC_SHA1, > Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); > > protectedRO.appendChild(sig.getElement()); > > sig.addDocument("#" + referenceURI, (Transforms) null, > Constants.ALGO_ID_DIGEST_SHA1); > // using the MAc key to sign the ROPlayload > sig.sign(mac); > if (retrievalMethodURI != null) > retrieveMethod = new RetrievalMethod(doc, "#" + > retrievalMethodURI, (Transforms) null, (String) null); > if (retrieveMethod == null) > log .error("retrieveMethod is null"); > else > sig.getKeyInfo().add(retrieveMethod); > log.info("Mac tag is inserted into the ROPayload"); > >
