Markus, I'm not a JDOM expert, well I have never used it. But it seems
to me that JDOM is not creating a namespace-aware DOM tree. To see
what it means, instead of
     DOMOutputter outputter = new DOMOutputter();
     return outputter.output(jdomDoc);

just write to a ByteArray or a String, and parse it again with
DocumentBuilder.parse with the DocumentBuilder namespace aware.

Regards,

Raul
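The round trip Raul suggests, written out as an added example (not code from anyone in this thread): serialize the JDOM document to a string and re-parse it with a namespace-aware DocumentBuilder, so that the xmlns declarations on ancestor elements exist as real namespace bindings in the DOM and exclusive c14n can render them on the referenced element, as the server does. The class name, the sanity check and the JDOM 1.x XMLOutputter call are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.jdom.Document;
import org.jdom.output.XMLOutputter;
import org.xml.sax.InputSource;

// Added example: JDOM -> String -> namespace-aware org.w3c.dom.Document,
// intended as a drop-in for the DOMOutputter-based convertToDOM in the thread.
public final class NamespaceAwareConverter {

    public static org.w3c.dom.Document convertToDOM(Document jdomDoc)
            throws Exception {
        // 1. Serialize the JDOM tree. The serializer writes every xmlns
        //    declaration the tree carries (assumption: JDOM 1.x API).
        String xml = new XMLOutputter().outputString(jdomDoc);

        // 2. Re-parse with namespace awareness on, so prefixes are bound to
        //    URIs and the xmlns attributes become nodes that exclusive c14n
        //    can emit on the apex element of the signed reference.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The input is our own serialization, but keep the parser hardened
        // anyway: no entity expansion tricks, no DOCTYPE (Xerces feature).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        org.w3c.dom.Document domDoc =
            db.parse(new InputSource(new StringReader(xml)));

        // 3. Fail early rather than produce a signature the peer cannot verify.
        if (!isNamespaceAware(domDoc)) {
            throw new IllegalStateException(
                "DOM is not namespace-aware; digest input will differ from the server");
        }
        return domDoc;
    }

    // Nodes created with DOM Level 1 methods (no namespace support) report a
    // null local name; namespace-aware parsing always sets it.
    static boolean isNamespaceAware(org.w3c.dom.Document doc) {
        return doc.getDocumentElement().getLocalName() != null;
    }
}
```

After the conversion, `Reference.getReferencedBytes()` on the client should show the `xmlns:xmks` declaration on `<xmks:PrototypeKeyBinding>` exactly as in the server's digest input quoted below.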
On 9/4/06, Markus Werner <[EMAIL PROTECTED]> wrote:
Hi Raul,

the client side uses Apache XML Security for Java 1.3.0 [1].

The XML-Document is created using JDOM first and then it is translated
into a org.w3c.Document using the following function:

    public org.w3c.dom.Document convertToDOM(Document jdomDoc)
    throws JDOMException
    {
        DOMOutputter outputter = new DOMOutputter();
        return outputter.output(jdomDoc);
    }

The resulting DOM-Document will then be signed, which leads to the
output shown below. It is not possible to create the DOM-document
directly in my implementation, i.e. the workaround using JDOM first is
necessary.

I extended the conversion function as follows:

    public static Document convertToJDOM(org.w3c.dom.Document domDoc)
    throws JDOMException, ParserConfigurationException
    {
        javax.xml.parsers.DocumentBuilderFactory dbf =
            javax.xml.parsers.DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);

        javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
        org.w3c.dom.Document doc = db.newDocument();

        // input missing link here

        DOMBuilder builder = new DOMBuilder();
        return builder.build(domDoc);
    }

But I wasn't able to fill the missing link between the DocumentBuilder
and the final org.w3c.Document. Would anyone please be so kind as to
help me with that?

Thank you in advance,
Markus.

--
[1] http://xml.apache.org/security/dist/java-library/


Raul Benito schrieb:
> Hi Markus,
>
> The output from the server side is correct. In the client, what
> version of xmlsec are you using? Are you creating the
> org.w3c.Document namespace aware?
>
> Regards,
>
> Raul
>
> On 9/2/06, Markus Werner <[EMAIL PROTECTED]> wrote:
>> Hi Sean,
>>
>> The server processes exactly the same message, since it is sent by the
>> client to the server. Here is the abbreviated message I send to the
>> server:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>> <soap:Body>
>> <xmks:RegisterRequest xmlns:xmks="http://www.w3.org/2002/03/xkms#"
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#" [snip]>
>> [snip]
>> <xmks:PrototypeKeyBinding Id="_foobar">
>> [snip]
>> </xmks:PrototypeKeyBinding>
>> <xmks:Authentication>
>> <xmks:KeyBindingAuthentication>
>> <ds:Signature>
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
>> <ds:Reference URI="#_foobar">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>> <ds:DigestValue>FQcqlzTyFLwFBdJb5tgN1Vd3H+g=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>VchVOu8J+qwBuRTVjxECrV5xH+I=</ds:SignatureValue>
>> <ds:KeyInfo>
>> <ds:KeyName>XKMSInteropClient</ds:KeyName>
>> </ds:KeyInfo>
>> </ds:Signature>
>> </xmks:KeyBindingAuthentication>
>> </xmks:Authentication>
>> </xmks:RegisterRequest>
>> </soap:Body>
>> </soap:Envelope>
>>
>> The server calculates the following digest input:
>>
>> <xmks:PrototypeKeyBinding xmlns:xmks="http://www.w3.org/2002/03/xkms#"
>> Id="_foobar">[snip]</xmks:PrototypeKeyBinding>
>>
>> while the client calculates the following digest input:
>>
>> <xmks:PrototypeKeyBinding Id="_foobar">[snip]</xmks:PrototypeKeyBinding>
>>
>> The server-side uses another implementation of XML Signature that I
>> don't know. The only thing I know is, that it is not Apache XML Security.
>>
>> TIA,
>> Markus.
>>
>>
>> Sean Mullan wrote:
>> > I don't have enough information, but it sounds like when canonicalizing
>> > on the client, it doesn't find the namespace definition for foo. Is it
>> > defined by an ancestor of the bar element on the server but not on the
>> > client?
>> >
>> > --Sean
>> >
>> > Markus Werner wrote:
>> >> Hi Sean,
>> >>
>> >> thank you for your reply. The following lines of code provide the
>> >> expected result:
>> >>
>> >> SignedInfo signedInfo = sig.getSignedInfo();
>> >> for (int i = 0; i < signedInfo.getLength(); i++) {
>> >>    Reference reference = signedInfo.item(i);
>> >>    // System.out.println(reference.getContentsAfterTransformation());
>> >>    System.out.println(new String(reference.getReferencedBytes()));
>> >> }
>> >>
>> >> The client-side output is something like the following:
>> >>
>> >> <foo:bar Id="ref0815">rest is the same</foo:bar>
>> >>
>> >> while the server-side output is as follows:
>> >>
>> >> <foo:bar xmlns:foo="http://www.asdf.org/foo#" Id="ref0815">
>> >>     rest is the same</foo:bar>
>> >>
>> >> Both outputs seem to be correctly canonicalized, but the digest input on
>> >> the server-side includes some additional namespace-declaration in the
>> >> opening tag of <foo:bar>.
>> >>
>> >> What can cause this?
>> >>
>> >> Thank you in advance,
>> >> Markus.
>> >>
>> >>
>> >> Sean Mullan schrieb:
>> >>> I would try calling Reference.getContentsAfterTransformation (returns an
>> >>> XMLSignatureInput) or Reference.getReferencedBytes (returns a byte[]),
>> >>> each of which returns the dereferenced and transformed contents before it
>> >>> is digested. I haven't really used those methods so I'm hoping someone
>> >>> on the list that is more familiar with them will send you some sample
>> >>> code.
>> >>>
>> >>> --Sean
>> >>>
>> >>> Markus Werner wrote:
>> >>>> Hi,
>> >>>>
>> >>>> first of all, I'm relatively new to Apache XML Security, so please be
>> >>>> patient   :-)
>> >>>>
>> >>>> My job is to sign an element inside a DOM-Document with the help of a
>> >>>> secretKey. Let the element that should be signed be called <Foo> and its
>> >>>> Id be "id" in the code snippet beneath. The signature should be a detached
>> >>>> signature.
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>> private static Document sign(
>> >>>>     Document doc, String id, SecretKey secretKey)
>> >>>> throws Exception
>> >>>> {
>> >>>>   XMLSignature sig = new XMLSignature(doc, baseURI,
>> >>>>           XMLSignature.ALGO_ID_MAC_HMAC_SHA1,
>> >>>>           Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>> >>>>
>> >>>>   Node root = doc.getFirstChild();
>> >>>>   root.appendChild(sig.getElement());
>> >>>>
>> >>>>   Transforms transforms = new Transforms(doc);
>> >>>>   transforms.addTransform(
>> >>>>       Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
>> >>>>
>> >>>>   sig.addDocument("#" + id, transforms,
>> >>>>       Constants.ALGO_ID_DIGEST_SHA1);
>> >>>>   sig.sign(secretKey);
>> >>>>
>> >>>>   return doc;
>> >>>> }
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>>
>> >>>> I'm working here on the client-side and the server responds that there
>> >>>> is something wrong with the digest value of the signed reference while
>> >>>> the SignedInfo is correctly digested.
>> >>>>
>> >>>> To be sure what went wrong we have to compare the digest inputs (value
>> >>>> after canonicalization) on both sides. I already got the canonicalized
>> >>>> Element as String from the server-side and I should do the same with my
>> >>>> implementation.
>> >>>>
>> >>>> When I use the following lines of code to save the document immediately
>> >>>> before signing it I get the whole document in a canonicalized form.
>> >>>>
>> >>>>   FileOutputStream f = new FileOutputStream("test.xml");
>> >>>>   XMLUtils.outputDOMc14nWithComments(doc, f);
>> >>>>
>> >>>> But I only need the canonicalized form of the referenced element <Foo>.
>> >>>> Is there some way to dump the canonical form of a Reference to a log or
>> >>>> stdout?
>> >>>>
>> >>>> Best regards,
>> >>>> Markus.
>>
>
>

--
http://r-bg.com