I don't have enough information, but it sounds like when canonicalizing
on the client, it doesn't find the namespace definition for foo. Is it
defined by an ancestor of the bar element on the server but not on the
client?
--Sean
Markus Werner wrote:
Hi Sean,
thank you for your reply. The following lines of code provide the
expected result:
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;

// Dump the digest input (dereferenced, transformed, canonicalized bytes)
// of every Reference in the signature; canonical XML is UTF-8 encoded.
SignedInfo signedInfo = sig.getSignedInfo();
for (int i = 0; i < signedInfo.getLength(); i++) {
    Reference reference = signedInfo.item(i);
    // System.out.println(reference.getContentsAfterTransformation());
    System.out.println(new String(reference.getReferencedBytes(), "UTF-8"));
}
The client-side output is something like the following:
<foo:bar Id="ref0815">rest is the same</foo:bar>
while the server-side output is as follows:
<foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
rest is the same</foo:bar>
Both outputs seem to be correctly canonicalized, but the digest input on
the server side includes an additional namespace declaration in the
opening tag of <foo:bar>.
What can cause this?
Thank you in advance,
Markus.
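The difference between the two outputs quoted in this message, as an added example that is not part of the thread and not code from Apache XML Security: a small Python model of the exclusive-C14N namespace rule over an xml.dom.minidom tree. SAMPLE_DOC is a constructed document in which xmlns:foo is declared on the parent of <foo:bar>, the situation Sean asks about; canonical_reference_level1 is an assumed failure case in which the same element is built with the non-namespace-aware DOM level 1 createElement, so "foo" is only text in the tag name and there is no binding for the canonicalizer to emit. All function and sample names are mine, not the library's.

```python
import xml.dom.minidom as minidom

# Constructed sample: the foo prefix is declared on an ancestor of the
# referenced element, not on the element itself.
SAMPLE_DOC = (
    '<root xmlns:foo="http://www.asdf.org/foo#">'
    '<foo:bar Id="ref0815">rest is the same</foo:bar>'
    '</root>'
)


def _escape(value, attr=False):
    """C14N character escaping for text nodes and (attr=True) attribute values."""
    value = value.replace("&", "&amp;").replace("<", "&lt;")
    if attr:
        return (value.replace('"', "&quot;").replace("\t", "&#x9;")
                .replace("\n", "&#xA;").replace("\r", "&#xD;"))
    return value.replace(">", "&gt;").replace("\r", "&#xD;")


def in_scope_namespaces(element):
    """Prefix -> URI bindings visible on `element`, collected from the input
    document's ancestor chain (outermost first, so inner declarations win)."""
    chain, node = [], element
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for node in reversed(chain):
        for attr in node.attributes.values():
            if attr.name == "xmlns":
                scope[""] = attr.value
            elif attr.name.startswith("xmlns:"):
                scope[attr.name[len("xmlns:"):]] = attr.value
    return scope


def exclusive_c14n(element, rendered=None):
    """Serialize an element subtree following the exclusive-C14N namespace rule:
    a prefix that is visibly utilized (on the element name or on an attribute)
    is declared on the element where it is used, unless an ancestor in the
    *output* already rendered the same prefix/URI pair. Declarations present in
    the input are never copied verbatim."""
    rendered = dict(rendered or {})          # copy: siblings must not interfere
    scope = in_scope_namespaces(element)
    used = {element.prefix or ""}            # level-1 nodes have prefix None
    attrs = []
    for attr in element.attributes.values():
        if attr.name == "xmlns" or attr.name.startswith("xmlns:"):
            continue
        attrs.append(attr)
        if attr.prefix:
            used.add(attr.prefix)
    declarations = []
    for prefix in sorted(used):
        uri = scope.get(prefix, "" if prefix == "" else None)
        if uri is None:
            raise ValueError("prefix %r on <%s> has no in-scope binding"
                             % (prefix, element.tagName))
        if rendered.get(prefix, "") != uri:
            declarations.append((prefix, uri))
            rendered[prefix] = uri
    parts = ["<" + element.tagName]
    for prefix, uri in declarations:         # namespace nodes first, by prefix
        name = "xmlns:" + prefix if prefix else "xmlns"
        parts.append(' %s="%s"' % (name, _escape(uri, True)))
    for attr in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        parts.append(' %s="%s"' % (attr.name, _escape(attr.value, True)))
    parts.append(">")
    for child in element.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            parts.append(exclusive_c14n(child, rendered))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(_escape(child.data))
    parts.append("</%s>" % element.tagName)
    return "".join(parts)


def canonical_reference(xml_text, ref_id):
    """Digest input of the element whose Id attribute equals ref_id, parsed
    with a namespace-aware parser (the server-side situation)."""
    doc = minidom.parseString(xml_text)
    for element in doc.getElementsByTagName("*"):
        if element.getAttribute("Id") == ref_id:
            return exclusive_c14n(element)
    raise KeyError(ref_id)


def canonical_reference_level1():
    """Assumed failure case: the element is created with DOM level 1
    createElement, so 'foo' is part of the tag name but bound to nothing."""
    doc = minidom.Document()
    root = doc.appendChild(doc.createElement("root"))
    root.setAttribute("xmlns:foo", "http://www.asdf.org/foo#")
    bar = root.appendChild(doc.createElement("foo:bar"))
    bar.setAttribute("Id", "ref0815")
    bar.appendChild(doc.createTextNode("rest is the same"))
    return exclusive_c14n(bar)


if __name__ == "__main__":
    print("namespace-aware:", canonical_reference(SAMPLE_DOC, "ref0815"))
    print("DOM level 1:    ", canonical_reference_level1())
```

Under exclusive C14N a declaration belongs on the element where its prefix is visibly utilized, not where it was declared in the input, so a correctly bound <foo:bar> always carries xmlns:foo in its digest input even when the declaration lives on an ancestor. An output without it means the client's DOM has no binding for the prefix at all (the level-1 case above produces exactly the client-side line quoted in the message), and that is the thing to check before comparing digests further.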
Sean Mullan wrote:
I would try calling Reference.getContentsAfterTransformation (returns an
XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
each of which returns the dereferenced and transformed contents before it
is digested. I haven't really used those methods so I'm hoping someone
on the list that is more familiar with them will send you some sample code.
--Sean
Markus Werner wrote:
Hi,
first of all, I'm relatively new to Apache XML Security, so please be
patient :-)
My job is to sign an element inside a DOM document with the help of a
SecretKey. In the code snippet below, let the element that should be
signed be called <Foo> and its Id be "id". The signature should be a
detached signature.
---------------------------------------------------------------------
import javax.crypto.SecretKey;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

// Detached HMAC-SHA1 signature over the element whose Id attribute is `id`.
// org.apache.xml.security.Init.init() must have been called once beforehand.
private static Document sign(
    Document doc, String id, SecretKey secretKey)
throws Exception
{
    // Same-document reference ("#id"), so no base URI is needed.
    String baseURI = "";
    XMLSignature sig = new XMLSignature(doc, baseURI,
        XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
        Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    // Place the <ds:Signature> element under the document element
    // (getFirstChild() could return a comment or DOCTYPE node instead).
    Node root = doc.getDocumentElement();
    root.appendChild(sig.getElement());
    // Exclusive C14N without comments as the only Reference transform.
    Transforms transforms = new Transforms(doc);
    transforms.addTransform(
        Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
    sig.addDocument("#" + id, transforms,
        Constants.ALGO_ID_DIGEST_SHA1);
    sig.sign(secretKey);
    return doc;
}
---------------------------------------------------------------------
I'm working here on the client side and the server responds that there
is something wrong with the digest value of the signed reference, while
the SignedInfo is correctly digested.
To be sure what went wrong, we have to compare the digest inputs (the
value after canonicalization) on both sides. I already got the
canonicalized element as a String from the server side and I should do
the same with my implementation.
When I use the following lines of code to save the document immediately
before signing it, I get the whole document in canonicalized form.
import java.io.FileOutputStream;
import org.apache.xml.security.utils.XMLUtils;
FileOutputStream f = new FileOutputStream("test.xml");
XMLUtils.outputDOMc14nWithComments(doc, f);
But I only need the canonicalized form of the referenced element <Foo>.
Is there some way to dump the canonical form of a Reference to a log or
stdout?
Best regards,
Markus.