Hi there,
Here is the code I'm using to generate the signature (the variable docRoot is actually the element I want to have signed):
public synchronized void createEnvelopedSignature(OutputStream out, Document doc, Node docRoot, PrivateKey signingKey, PublicKey publicKey,
Certificate cert, String baseURI) throws DigitalSignatureException{
try{
//Adapted from Apache Sample Code -- CreateSignature.java
Constants.setSignatureSpecNSprefix(NamespaceConstants.NSPREFIX_SCHEMA_DS);
XMLSignature sig = new XMLSignature(doc, baseURI, XMLSignature.ALGO_ID_SIGNATURE_DSA);
docRoot.appendChild(sig.getElement());
System.out.println("Document:\n"+XMLUtil.getString(doc,true));
Transforms transforms = new Transforms(doc);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
if(baseURI != null){
final Node finalRoot = docRoot;
IdResolver.registerElementById((Element)docRoot, baseURI);
sig.addResourceResolver(new ResourceResolverSpi(){
public XMLSignatureInput engineResolve(Attr attr, String baseURI){
System.out.println("Returning RST Root:\n\n" +XMLUtil.getString(finalRoot, true));
return new XMLSignatureInput(finalRoot);
}
public boolean engineCanResolve(Attr attr, String baseURI){
return true;
}
});
}
else{
baseURI = "";
}
sig.addDocument("#"+baseURI, transforms, Constants.ALGO_ID_DIGEST_SHA1);
sig.addKeyInfo((X509Certificate)cert);
sig.addKeyInfo(cert.getPublicKey());
sig.sign(signingKey);
if(out != null){
XMLUtils.outputDOM(doc, out);
}
}
catch(Exception e){
throw new DigitalSignatureException(e);
}
}
Here is the entire input document (after I have added the signature element, but before I have called the sign method):
<soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header/>
<soapenv:Body>
<wst:RequestSecurityToken wsu:Id="RST-uuid30a49fde-0105-fd36-ae1d-ef26bf445416" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference>
<wsa:Address>
some-appliesto
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Issuer xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsa:Address>
some-issuer
</wsa:Address>
</wst:Issuer>
<wst:Base>
<wss:UsernameToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wss:Username>
foobar
</wss:Username>
<wss:Password>
******
</wss:Password>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2005-07-19T19:49:17Z
</wsu:Created>
</wss:UsernameToken>
</wst:Base>
<wst:RequestType>
http://schemas.xmlsoap.org/ws/2005/02/security/trust/Validate
</wst:RequestType>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Signature>
</wst:RequestSecurityToken>
</soapenv:Body>
</soapenv:Envelope>
| "Seetharama Rao Durbha \(sdurbha\)"
<[EMAIL PROTECTED]>
07/19/2005 11:52 AM
|
To: <security-dev@xml.apache.org> cc: Subject: RE: Enveloped signature on a non-root document element |
I presume that wst:RequestSecurityToken is not your root, though in the sample you pasted, it is the root element.
Can you share the piece of code you have for this and the input xml?
From: Nicholas G Harlow [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 19, 2005 11:38 AM
To: security-dev@xml.apache.org
Subject: Enveloped signature on a non-root document element
Hello,
I am trying to add an enveloped signature to a particular element of a document. The element is not the root element of the document. The problem is that the signature element generated has no digest value. I have tried using element id attributes to make this work, but clearly I am missing some key step. Can anyone tell what actual classes/calls I need to use/make in order for me to succeed in what I am trying to do. I will be grateful for any insights. Thanks.
Nick
I have pasted the xml below with the result I am getting:
<wst:RequestSecurityToken wsu:Id="RST-uuid30512502-0105-f0b5-0b04-86339ffce1f5" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference>
<wsa:Address>
some-appliesto
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Issuer xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsa:Address>
some-issuer
</wsa:Address>
</wst:Issuer>
<wst:Base>
<wss:UsernameToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wss:Username>
foobar
</wss:Username>
<wss:Password>
********
</wss:Password>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
2005-07-19T18:18:06Z
</wsu:Created>
</wss:UsernameToken>
</wst:Base>
<wst:RequestType>
http://schemas.xmlsoap.org/ws/2005/02/security/trust/Validate
</wst:RequestType>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#RST-uuid30512502-0105-f0b5-0b04-86339ffce1f5" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIIC9jCCArQCBDruqiowCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAkRFMR0wGwYDVQQKExRVbml2
ZXJzaXR5IG9mIFNpZWdlbjEQMA4GA1UECxMHRkIxMk5VRTEhMB8GA1UEAxMYQ2hyaXN0aWFuIEdl
dWVyLVBvbGxtYW5uMB4XDTAxMDUwMTEyMjA1OFoXDTA2MTAyMjEyMjA1OFowYTELMAkGA1UEBhMC
REUxHTAbBgNVBAoTFFVuaXZlcnNpdHkgb2YgU2llZ2VuMRAwDgYDVQQLEwdGQjEyTlVFMSEwHwYD
VQQDExhDaHJpc3RpYW4gR2V1ZXItUG9sbG1hbm4wggG3MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9T
gR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv
8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HX
Ku/yIgMZndFIAccCFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSv
u/o66oL5V0wLPQeCZ1FZV4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64e
K7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBhAAC
gYASWfn+G1k/nWntj9jX7Nk5JKaiLZ9BLR16eJJxqff33THLfdGs98Xmh2oRWZVh9PMV8oTP3hpR
cRipjZUZVEIqsBlOGTVLCg4H5TJ81JWOiprh+mkhClNqUr8l5Hu7FBSvQB6inryeva7j0aKNiIvK
8vfHTiUZpnyNRhkveBlM0jALBgcqhkjOOAQDBQADLwAwLAIUPDd/UmB9GeHqvGjny30Bvjt0AkUC
FA9ab72kKuB5geYGeckbBrcgPnZk
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:DSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:P xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuA
HTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu
K2HXKu/yIgMZndFIAcc=
</ds:P>
<ds:Q xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
l2BQjxUjC8yykrmCouuEC/BYHPU=
</ds:Q>
<ds:G xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3
zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL
Zl6Ae1UlZAFMO/7PSSo=
</ds:G>
<ds:Y xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Eln5/htZP51p7Y/Y1+zZOSSmoi2fQS0deniScan3990xy33RrPfF5odqEVmVYfTzFfKEz94aUXEY
qY2VGVRCKrAZThk1SwoOB+UyfNSVjoqa4fppIQpTalK/JeR7uxQUr0Aeop68nr2u49GijYiLyvL3
x04lGaZ8jUYZL3gZTNI=
</ds:Y>
</ds:DSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</wst:RequestSecurityToken>
