I've attached the soap document signed by .NET (interop_dotnet_sig.xml)
and the certificate (apcert1.cer) to be used for verification. The
reference validation fails for the SOAP Body. Note that the 'ID Type'
attribute used on the SOAP Body is a wsu:Id, and hence WssIdResolver
(attached) needs to be registered with the library. Vishal Raul Benito wrote: Hi Vishal, |
<?xml version="1.0" encoding="utf-8"?><soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ap="http://namespace.amberpoint.com/amf" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns=""><soap:Header><wsse:Security soap:mustUnderstand="1"><wsu:Timestamp wsu:Id="Timestamp-2301efcf-5dde-4a37-9ee1-0ca9ff804551"><wsu:Created>2005-04-11T09:25:07Z</wsu:Created><wsu:Expires>2005-04-11T09:30:07Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis! -200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-87cc4ef6-56af-4461-847e-27391e5fdcf2">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! Z5EHhaNIxf5KxCDf90ZoqDsDjCBkQYDVR0jBIGJMIGGgBTNrZ5EHhaNIxf5KxCDf90ZoqD 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</wsse:BinarySecurityToken><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#com-amberpoint-generated-SignatureRef-element_id-42"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/! 
2000/09/xmldsig#sha1" /><DigestValue>TptslSQ695f/cmv/s4a5ffLFaCY=</DigestValue></Reference></SignedInfo><SignatureValue>TIEglnBT6btdMtYpaFHjqC689gA4OIG0vjvrH9WYFP86rHE4Wrwhq8yipyLeKsLjhZhRbjzqKM0ZMDWc3THavsc4NN1fjQnLajBvQj3JTnH0MslnsPUVRVv5LA8NWRkMx7q1NoeZNzmN4dM/ubI69axoeB3ueUQNwFrPfBI6NaJsDsReB9Y419LHlwz1nv3aHIF0HzjNPNeP9JdeWvDHH0qbSNn2gEFtvER+fdKuQerBeVYN5DgJpeF7a9F/zouCSqz98ydnxQbwFHFZnVVhyFL+F+mlrYaLWcojQHZZOD40MCoGApSWzI4O3Hk+HlfkDTA2PJ0dx1bf9XNNdMBpLA==</SignatureValue><KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SecurityToken-87cc4ef6-56af-4461-847e-27391e5fdcf2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /></wsse:SecurityTokenReference></KeyInfo></Signature></wsse:Security></soap:Header><soap:Body wsu:Id="com-amberpoint-generated-SignatureRef-element_id-42" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ap:pingAgent /></soap:Body></soap:Envelope>
apcert1.cer
Description: application/x509-ca-cert
import org.apache.xml.security.utils.resolver.ResourceResolverSpi; import org.apache.xml.security.utils.resolver.ResourceResolverException; import org.apache.xml.security.utils.XMLUtils; import org.apache.xml.security.utils.Constants; import org.apache.xml.security.utils.EncryptionConstants; import org.apache.xml.security.signature.XMLSignatureInput; import org.apache.xpath.XPathAPI;
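import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.Element;
import java.util.logging.Logger;
import java.util.logging.Level;
import javax.xml.transform.TransformerException;

/**
 * Quoting from the WSS spec (and this is what this resource resolver does):
 * "When trying to locate an element referenced in a signature,
 * the following attributes are considered:
 * * Local ID attributes on XML Signature elements
 * * Local ID attributes on XML Encryption elements
 * * Global wsu:Id attributes on elements"
 *
 * <p>The lookup walks the DOM directly instead of concatenating the id into
 * an XPath expression. The id is taken from the Reference URI of the message
 * being verified, i.e. from untrusted input, so it must never be able to
 * change the shape of the query. The resolver also refuses to resolve an id
 * that is carried by more than one element: returning the first match in
 * document order is exactly what lets a second copy of a signed element be
 * substituted for the one the application later acts on.</p>
 */
public class WssIdResolver extends ResourceResolverSpi {

    private static final String CLASS_NAME = "WssIdResolver";
    private static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    /** Local name of the id attribute in all three namespaces considered. */
    private static final String ID_LOCAL_NAME = "Id";
    private static Logger logger = Logger.getLogger(CLASS_NAME);
    // Evaluated once at class load; a later change to the log level is not picked up.
    private static boolean fineLogging = logger.isLoggable(Level.FINE);

    /**
     * Resolves a same-document reference ({@code #id}) to the single element
     * carrying that id.
     *
     * @param attr the Reference URI attribute, already accepted by engineCanResolve()
     * @param s    base URI (unused for same-document references)
     * @return the referenced element wrapped as signature input
     * @throws ResourceResolverException when no element, or more than one
     *         element, carries the id (the latter is logged at SEVERE)
     */
    public XMLSignatureInput engineResolve(Attr attr, String s) throws ResourceResolverException {
        Document doc = attr.getOwnerDocument();
        String uri = attr.getNodeValue();
        // A bare "#" passes engineCanResolve() but names no element; treat it as missing
        // rather than letting substring(1) throw on an empty value.
        String id = (uri != null && uri.length() > 1) ? uri.substring(1) : "";
        Element selectedElem = getElementById(doc, id);
        if (selectedElem == null) {
            logger.severe("Couldn't locate the element with id " + id);
            throw new ResourceResolverException("signature.Verification.MissingID", new Object[] {id}, attr, null);
        }
        if (fineLogging) logger.fine("Try to catch an Element with ID " + id + " and Element was " + selectedElem);
        return new XMLSignatureInput(selectedElem);
    }

    /**
     * Accepts only same-document references, i.e. URIs starting with "#".
     *
     * @param attr the Reference URI attribute, may be null
     * @param s    base URI (ignored)
     * @return true when this resolver should handle the reference
     */
    public boolean engineCanResolve(Attr attr, String s) {
        if (attr == null) {
            if (fineLogging) logger.fine("Quick fail for null uri");
            return false;
        }
        String uri = attr.getNodeValue();
        if (uri != null && uri.startsWith("#")) {
            if (fineLogging) logger.fine("State I can resolve reference: \"" + uri + "\"");
            return true;
        }
        if (fineLogging) logger.fine("Do not seem to be able to resolve reference: \"" + uri + "\"");
        return false;
    }

    /**
     * Finds the element carrying {@code id}, either as an unprefixed Id
     * attribute on an XML Signature or XML Encryption element, or as a
     * wsu:Id attribute on any element.
     *
     * @param doc the document to search, may be null
     * @param id  the id value, without the leading "#"
     * @return the unique matching element, or null when {@code id} is empty,
     *         when nothing matches, or when several elements match (duplicate
     *         ids are logged at SEVERE so the caller fails closed)
     */
    public static Element getElementById(Document doc, String id) {
        if (doc == null || id == null || id.length() == 0) {
            return null;
        }
        if (fineLogging) logger.fine("getElementById() Search for ID " + id);
        Node root = doc.getDocumentElement();
        Element first = null;
        int count = 0;
        for (Node node = root; node != null; node = nextInDocumentOrder(node, root)) {
            if (node.getNodeType() == Node.ELEMENT_NODE && carriesId((Element) node, id)) {
                if (first == null) first = (Element) node;
                count++;
            }
        }
        if (count > 1) {
            logger.severe("Id " + id + " is carried by " + count + " elements; refusing to resolve an ambiguous reference");
            return null;
        }
        return first;
    }

    /**
     * True when {@code elem} carries {@code id} in one of the three forms the
     * WSS spec allows: a no-namespace Id on a ds: or xenc: element, or a
     * wsu:Id on any element. Absent attributes never match, even for an empty id.
     */
    private static boolean carriesId(Element elem, String id) {
        String ns = elem.getNamespaceURI();
        boolean localIdElement = Constants.SignatureSpecNS.equals(ns)
            || EncryptionConstants.EncryptionSpecNS.equals(ns);
        if (localIdElement && attributeEquals(elem, null, id)) {
            return true;
        }
        return attributeEquals(elem, WSU_NS, id);
    }

    /** True when {@code elem} has an Id attribute in namespace {@code ns} with value {@code id}. */
    private static boolean attributeEquals(Element elem, String ns, String id) {
        Attr a = elem.getAttributeNodeNS(ns, ID_LOCAL_NAME);
        return a != null && id.equals(a.getValue());
    }

    /**
     * Next node in document order after {@code node}, never leaving the
     * subtree of {@code root}; null once the subtree is exhausted. Iterative
     * so that a deeply nested document cannot exhaust the stack.
     */
    private static Node nextInDocumentOrder(Node node, Node root) {
        Node child = node.getFirstChild();
        if (child != null) {
            return child;
        }
        // Climb until an ancestor (below root) has a following sibling.
        for (Node n = node; n != null && n != root; n = n.getParentNode()) {
            Node sibling = n.getNextSibling();
            if (sibling != null) {
                return sibling;
            }
        }
        return null;
    }
}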