X509Data vs CertificateValues

Hello,
I am currently studying how to implement XAdES XL for detached signatures over XML documents.
I've been doing some research: I read the XMLDSIG specification and the XAdES specification, and I've
been wondering something:
- In the XMLDSIG specification, it is clearly stated that the X509Data element can contain a full
certification chain, in the form of a series of X509Certificate elements. There's even an example:
<X509Data> <!-- certificate chain -->
       <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
       <X509Certificate>MIICXTCCA..</X509Certificate>
       <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
            issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
       <X509Certificate>MIICPzCCA...</X509Certificate>
       <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
       <X509Certificate>MIICSTCCA...</X509Certificate>
</X509Data>
- In the XAdES specification, it is said that any certificate whose data is already contained
within the KeyInfo element does NOT need to be present in the CertificateValues element:
"In principle, the CertificateValues element contains the full set of certificates that have been used to validate the electronic signature, including the signer's certificate. However, it is not necessary to include one of those certificates into this property, if the certificate is already present in the ds:KeyInfo element of the signature."
So it follows logically that when the X509Data contains the full certification chain,
the CertificateValues element becomes either empty or redundant, and thus worthless.
Isn't this some sort of clash between the specifications?
I find it a bit confusing to have the CertificateValues element only for the case where some
information is lacking inside the X509Data, because it means that when validating you first have
to check whether everything you need is in the X509Data:
- if not: you must determine what is missing and put it in the CertificateValues element;
- if so: you don't need the CertificateValues element at all.
I think it would have been simpler to impose one of these two behaviors:
- put the full certification chain in the X509Data,
or
- put only the signing certificate in the X509Data.
That way, when validating, you would know exactly what to expect and what to do.
Now this is only my feeling and I'm still quite new to digital signatures, so maybe
I've missed some points.
Is there something I didn't understand in the specifications? Are my interpretations
correct?
What should I do in my implementation? (I have to do both signing and validating.)
Regards,
Fab

I'm using the Java API developed by Sean Mullan and co. to implement XadES, so I thought that some people here might have done it before, and then be able to answer my question, or tell me how they interpreted the specifications in their cases.
Anyone who has used the API to put XadES into practice should be able to tell.
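As an added example (not code from the original post, and not the Java XML-DSig API it mentions), the following Python shows the two-sided logic the question describes: on signing, compute which chain certificates are not already in ds:KeyInfo and so belong in CertificateValues; on validation, merge both locations into one de-duplicated pool. Certificate identity is the SHA-256 of the DER bytes, so base64 line-wrapping differences do not matter; the DER blobs and the ds:Signature skeleton are constructed stand-ins, and the XAdES 1.3.2 namespace and element path are assumed.

```python
"""Added example: where chain certificates go, ds:KeyInfo vs xades:CertificateValues."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
NS = {"ds": DS, "xades": XADES}
# Location of CertificateValues inside the signature (XAdES 1.3.2 layout, assumed).
CV_PATH = ("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/"
           "xades:UnsignedSignatureProperties/xades:CertificateValues/"
           "xades:EncapsulatedX509Certificate")

# Constructed stand-ins for DER-encoded certificates; NOT real X.509 data.
SIGNER_DER = b"\x30\x82\x00\x10constructed-signer-cert"
INTERMEDIATE_DER = b"\x30\x82\x00\x10constructed-intermediate-cert"
ROOT_DER = b"\x30\x82\x00\x10constructed-root-cert"
# The chain the validator used, signer first, as the quoted XAdES text describes.
VALIDATION_CHAIN = [SIGNER_DER, INTERMEDIATE_DER, ROOT_DER]


def cert_id(der):
    """Identity of a certificate: hex SHA-256 of its DER bytes, so the same
    certificate is recognised however its base64 was line-wrapped in the XML."""
    return hashlib.sha256(der).hexdigest()


def decode_cert_text(text):
    """Decode one X509Certificate / EncapsulatedX509Certificate text node."""
    return base64.b64decode("".join((text or "").split()))


def b64(der):
    return base64.b64encode(der).decode("ascii")


def parse_signature(xml_text):
    """Parse a stand-alone ds:Signature document and return its root element."""
    return ET.fromstring(xml_text)


def keyinfo_certs(signature):
    """Certificates already carried in ds:KeyInfo/ds:X509Data, in document order."""
    return [decode_cert_text(el.text)
            for el in signature.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]


def certificate_values_certs(signature):
    """Certificates carried in the unsigned XAdES CertificateValues property."""
    return [decode_cert_text(el.text) for el in signature.findall(CV_PATH, NS)]


def missing_from_keyinfo(signature, chain):
    """Signing side: the chain certificates absent from KeyInfo, i.e. exactly the
    set CertificateValues must carry. An empty result means the property can be
    omitted (the 'redundant' case the question describes)."""
    present = {cert_id(c) for c in keyinfo_certs(signature)}
    return [c for c in chain if cert_id(c) not in present]


def collected_chain(signature):
    """Validating side: one de-duplicated pool from both locations, in document
    order, from which the validator builds its certification path."""
    seen, pool = set(), []
    for c in keyinfo_certs(signature) + certificate_values_certs(signature):
        if cert_id(c) not in seen:
            seen.add(cert_id(c))
            pool.append(c)
    return pool


def build_signature_xml(keyinfo, cert_values):
    """Constructed minimal ds:Signature skeleton (no SignedInfo/SignatureValue)
    placing certificates as requested; CertificateValues is omitted when empty."""
    ki = "".join(f"<ds:X509Certificate>{b64(c)}</ds:X509Certificate>" for c in keyinfo)
    cv = ""
    if cert_values:
        cv = ("<xades:CertificateValues>"
              + "".join(f"<xades:EncapsulatedX509Certificate>{b64(c)}"
                        "</xades:EncapsulatedX509Certificate>" for c in cert_values)
              + "</xades:CertificateValues>")
    return (f'<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}">'
            f"<ds:KeyInfo><ds:X509Data>{ki}</ds:X509Data></ds:KeyInfo>"
            "<ds:Object><xades:QualifyingProperties><xades:UnsignedProperties>"
            f"<xades:UnsignedSignatureProperties>{cv}</xades:UnsignedSignatureProperties>"
            "</xades:UnsignedProperties></xades:QualifyingProperties></ds:Object>"
            "</ds:Signature>")


if __name__ == "__main__":
    # KeyInfo holds only the signer cert: two certs still belong in CertificateValues.
    leaf_only = parse_signature(build_signature_xml([SIGNER_DER], []))
    gap = missing_from_keyinfo(leaf_only, VALIDATION_CHAIN)
    print("CertificateValues must carry", len(gap), "certificate(s)")
    # KeyInfo holds the full chain: nothing is left for CertificateValues.
    full = parse_signature(build_signature_xml(VALIDATION_CHAIN, []))
    print("with full chain in KeyInfo, missing =", missing_from_keyinfo(full, VALIDATION_CHAIN))
    # The validator merges both locations back into a single pool either way.
    split = parse_signature(build_signature_xml([SIGNER_DER], gap))
    print("validator pool size:", len(collected_chain(split)))
```

Whichever placement a signer chooses, the validating side only needs the union, which is why a validator written against `collected_chain` works for both conventions the question contrasts.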

Similar Messages

  • CC-e: Step is not in order

    Hi everyone,
    We are implementing the CC-e; we have done all the configuration in ECC, and we are on SP20 of GRC.
    In ECC the CC-e is created normally and sent to GRC, but it stays in the GRC monitor and is not sent to SEFAZ...
    When we check the "status summary" tab of the CC-e event monitor, it shows TWO lines, as below:
    Status     Activity     Proc. cat.     Status description     Info text
    Sign event          Creation          Step is not in order     Blank
    Create CC-e          Creation          Step in order
    When we check the "History" tab, it shows THREE lines, as below:
    Activity     Proc. cat.     Status description     Info text                                                            Execution date     User     Status
    Sign event     Creation          Step is not in order     SAP NetWeaver PI reports an error when signing the event.                                   13.12.2011 16:44     PISUPER     Step is not in order
    Sign event     Creation          Step in order          Blank                                                            13.12.2011 16:44     PISUPER     Step in order
    Create CC-e     Creation          Step in order          Event of type 110110 for 31111220146676000367550010000658121905067763 is created with sequence number 01     13.12.2011 16:44     PISUPER     Step in order
    In the grid with general information about the CC-e, the columns that are filled in are as follows:
    Column Global status: incorrect
    Column Access key (Zugriffsschlüssel): 31111220146676000367550010000658121905067763
    Column Event type: 110110
    Column Event sequence number: 1 (it is 1 for all CC-es)
    Column Issue time: 13.12.2011 15:16
    Column Registration time: 13.12.2011 15:16
    Column Event sequence number: 1
    Column Issuer region (Region des Ausstellers): 31
    Column Issue type (Ausstellungsart): 1
    Column SEFAZ system environment (Systemumgebung SEFAZ): 2
    Column Tax ID no. (CNPJ): 20146676000367
    Column Issue time: 2011-12-13T15:16:39-02:00
    Column Status: 02
    Column Boolean: X
    Column Timestamp: 13.12.2011 17:16:52,2310000
    Column Events: proc. cat.: ISSUING
    Column Events: proc. step: EVENTSIN
    Column Status: 02
    Column GUID: 00000000000000000000000000000000
    Column Timestamp: 13.12.2011 17:16:39,8000000
    Column Timestamp: *00.00.0000 00:00:00,000000
    Column Event type (text): CC-e
    In SXI_MONITOR (SOAP-Header / Error), it shows the error below:
      <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
      <!-- Empfängergruppierung -->
      <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">
      <SAP:Category>XIAdapter</SAP:Category>
      <SAP:Code area="BPE_ADAPTER">MESSAGE_NOT_USED</SAP:Code>
      <SAP:P1 />
      <SAP:P2 />
      <SAP:P3 />
      <SAP:P4 />
      <SAP:AdditionalText />
      <SAP:ApplicationFaultMessage namespace="" />
      <SAP:Stack>Message interface is not used by this process</SAP:Stack>
      <SAP:Retry>M</SAP:Retry>
      </SAP:Error>
    In SXI_MONITOR (Payloads / MainDocument ( application/xml )), it shows the error below:
      <?xml version="1.0" encoding="utf-8" ?>
      <n0:SignEvent xmlns:n0="http://sap.com/xi/NFE/006" xmlns:prx="urn:sap.com:proxy:PID:/1SAI/TAS80E97F9FB00E4B4CED3E:701:2011/06/16" xmlns:n1="http://www.portalfiscal.inf.br/nfe" xmlns:n2="http://www.w3.org/2000/09/xmldsig#">
      <n0:KeyStoreView>CERTIFICADO</n0:KeyStoreView>
      <n0:KeyStoreEntry>CERTIFICADO</n0:KeyStoreEntry>
      <n0:EventID>E125BA771517E9F19D6100155D001537</n0:EventID>
      <n1:evento versao="1.00">
      <n1:infEvento Id="ID1101103111122014667600036755001000065812190506776301">
      <n1:cOrgao>31</n1:cOrgao>
      <n1:tpAmb>2</n1:tpAmb>
      <n1:CNPJ>20146676000367</n1:CNPJ>
      <n1:chNFe>31111220146676000367550010000658121905067763</n1:chNFe>
      <n1:dhEvento>2011-12-13T16:44:17-02:00</n1:dhEvento>
      <n1:tpEvento>110110</n1:tpEvento>
      <n1:nSeqEvento>1</n1:nSeqEvento>
      <n1:verEvento>1.00</n1:verEvento>
      <n1:detEvento versao="1.00">
      <n1:descEvento>Carta de Correcao</n1:descEvento>
      <n1:xCorrecao>teste de criacao da carta de correcao eletronica</n1:xCorrecao>
      <n1:xCondUso>A Carta de Correcao e disciplinada pelo paragrafo 1o-A do art. 7o do Convenio S/N, de 15 de dezembro de 1970 e pode ser utilizada para regularizacao de erro ocorrido na emissao de documento fiscal, desde que o erro nao esteja relacionado com: I - as variaveis que determinam o valor do imposto tais como: base de calculo, aliquota, diferenca de preco, quantidade, valor da operacao ou da prestacao; II - a correcao de dados cadastrais que implique mudanca do remetente ou do destinatario; III - a data de emissao ou de saida.</n1:xCondUso>
      </n1:detEvento>
      </n1:infEvento>
      <n2:Signature>
      <n2:SignedInfo>
      <n2:CanonicalizationMethod Algorithm="" />
      <n2:SignatureMethod Algorithm="" />
      <n2:Reference URI="">
      <n2:Transforms />
      <n2:DigestMethod Algorithm="" />
      <n2:DigestValue />
      </n2:Reference>
      </n2:SignedInfo>
      <n2:SignatureValue />
      <n2:KeyInfo>
      <n2:X509Data>
      <n2:X509Certificate />
      </n2:X509Data>
      </n2:KeyInfo>
      </n2:Signature>
      </n1:evento>
      </n0:SignEvent>
    Could anyone help us?
    Thanks and regards.
    Mateus.

    Folks, I decided to edit and re-post the first message because its formatting got broken... here it is below:
    We are implementing the CC-e; we have done all the configuration in ECC, and we are on SP20 of GRC.
    In ECC the CC-e is created normally and sent to GRC, but it stays in the GRC monitor and is not sent to SEFAZ...
    When we check the "status summary" tab of the CC-e event monitor, it shows TWO lines, as below:
    >>>>>>> LINE 1:
    Status: Sign event
    Activity: Creation
    Proc. cat.: Step is not in order
    >>>>>>> LINE 2:
    Status: Create CC-e
    Activity: Creation
    Proc. cat.: Step in order
    When we check the "History" tab, it shows THREE lines, as below:
    >>>>>>> LINE 1:
    Activity: Sign event
    Proc. cat.: Creation
    Status description: Step is not in order
    Info text: SAP NetWeaver PI reports an error when signing the event.
    Status: Step is not in order
    >>>>>>> LINE 2:
    Activity: Sign event
    Proc. cat.: Creation
    Status description: Step in order
    Info text: Blank
    Status: Step in order
    >>>>>>> LINE 3:
    Activity: Create CC-e
    Proc. cat.: Creation
    Status description: Step in order
    Info text: Event of type 110110 for 31111220146676000367550010000658121905067763 is created with sequence number 01
    Status: Step in order
    In the grid with general information about the CC-e, the columns that are filled in are as follows:
    Column Global status: incorrect
    Column Access key (Zugriffsschlüssel): 31111220146676000367550010000658121905067763
    Column Event type: 110110
    Column Event sequence number: 1 (it is 1 for all CC-es)
    Column Issue time: 13.12.2011 15:16
    Column Registration time: 13.12.2011 15:16
    Column Event sequence number: 1
    Column Issuer region (Region des Ausstellers): 31
    Column Issue type (Ausstellungsart): 1
    Column SEFAZ system environment (Systemumgebung SEFAZ): 2
    Column Tax ID no. (CNPJ): 20146676000367
    Column Issue time: 2011-12-13T15:16:39-02:00
    Column Status: 02
    Column Boolean: X
    Column Timestamp: 13.12.2011 17:16:52,2310000
    Column Events: proc. cat.: ISSUING
    Column Events: proc. step: EVENTSIN
    Column Status: 02
    Column GUID: 00000000000000000000000000000000
    Column Timestamp: 13.12.2011 17:16:39,8000000
    Column Timestamp: *00.00.0000 00:00:00,000000
    Column Event type (text): CC-e
    In SXI_MONITOR (SOAP-Header / Error), see some of the details:
    <SAP:Code area="BPE_ADAPTER">MESSAGE_NOT_USED</SAP:Code>
    <SAP:ApplicationFaultMessage namespace="" />
    <SAP:Stack>Message interface is not used by this process</SAP:Stack>
    Could anyone help us?
    Many thanks and regards.
    Mateus.

  • Error when logging on for external ID "": Error during SAML 2.0 logon

    Hi,
    I'm getting the below error when trying to use SAML SSO for an ABAP Web Dynpro page on a NW 7.4 system. When I access the page, it redirects to the identity provider, comes back to the page, and then shows the logon page. I'm looking for any ideas of things I could look at.
    N  SAML20 SP (client 400): Incoming Response
    N  SAML20 Binding:          POST
    N  SAML20 IdP Name:         http://xxxxxx/adfs/services/trust
    N  SAML20 Status Code:      urn:oasis:names:tc:SAML:2.0:status:Responder
    N  SAML20 SP (client 400): Default ACS endpoint: https://xxxxxx/sap/saml2/sp/acs/400 , old default ACS endpoint
    N  SAML-Trace: CALL 'SAML login': SY-SUBRC = 222 , PWDCHG = 0
    N  *** ERROR => SAML-Trace: Path = /sap/bc/webdynpro/sap/oauth2_authority [sign.c       16519]
    N  {root-id=005056AD26DF1ED4B69880FF4BE51F68}_{conn-id=005056AD26DF1ED4B69880FF4BE53F68}_1
    N  *** ERROR => SAML-Trace: Returncode = 222 [sign.c       16519]
    N  *** ERROR => SAML-Trace: Message class = SAML number = 011 [sign.c       16519]
    N  *** ERROR => SAML-Trace: Message = Error when logging on for external ID "": Error during SAML 2.0 logon [sign.c       16519]
    I have updated the service to use alternate logon procedure and added the handler CL_HTTP_EXT_SAML20
    I have added the identity provider through transaction SAML2, but it does not seem to be working.
    Here is a decrypted SAML assertion:
    <samlp:Response ID="_9c844d84-8117-4851-8270-aeb12e935daf"
      Version="2.0"
      IssueInstant="2015-04-02T00:21:06.477Z"
      Destination="https://xxxxxxxxx/sap/saml2/sp/acs/400"
      Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
      InResponseTo="S005056ad-26df-1ed4-b699-c4c630853f68"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      >
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxxxxx.com/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_9c844d84-8117-4851-8270-aeb12e935daf">
      <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <ds:DigestValue>08HK08VLpJC23JoQs+p+oHbDBvjRF+9NwBeowmlFTrY=</ds:DigestValue>
      </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>xxxxxxx</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
      <ds:X509Certificate><!-- Omitted --></ds:X509Certificate>
      </ds:X509Data>
      </KeyInfo>
      </ds:Signature>
      <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive" />
      </samlp:StatusCode>
      </samlp:Status>
    </samlp:Response>

    Hi Brian,
    I am not sure, but you could check the thread below and a couple of SAP notes.
    Single Sign On - Sharepoint 2010 to SAP using ADFS
    1799402 - Automatic account creation for SAML 2.0 SP
    1257108 - Collective Note: Analyzing issues with Single Sign On (SSO)
    It may help you to resolve / identify the cause of the issue.
    BR
    AKJ

  • WCF client consumes JAVA web service - should I use WCF or just create a custom parser/message factory?

    We've a business partner who requires us to create a service request message with a SAML 2.0 assertion. The partner's supplied two certificates and a test harness for their JAVA webservice.
    I've created a WCF client with a `CustomBinding` to try and recreate the request and consume the service, but I'm getting so frustrated with the nuances of WCF (and the lack of intrinsic support for SAML 2.0) that I'm wondering whether I'm better off using something like a `WebClient` or `HttpWebRequest` and encrypting/building & signing the XML web request and doing the same for the response. I know there's a lot of work involved in this, but at least I'd be in full control.
    Your advice would be very much appreciated, what I'm working with is displayed below
    **Note: I was supplied with a SoapUI Test harness for the Java service**
    **The vendor supplied me with this request (ran though SOAPUI and extracted via Fiddler)**
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <SOAP-ENV:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <xenc:EncryptedKey Id="EncKeyId-29B98C291D1FDFB39113352984774895">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
    <ds:X509Data>
    <ds:X509IssuerSerial>
    <ds:X509IssuerName>CN=test_server</ds:X509IssuerName>
    <ds:X509SerialNumber>12356789</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    </ds:X509Data>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue>
    <!--Omitted -->
    </xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
    <xenc:DataReference URI="#EncDataId-3"/>
    </xenc:ReferenceList>
    </xenc:EncryptedKey>
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-29B98C291D1FDFB39113352984773591" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Omitted --> </wsse:BinarySecurityToken>
    <ds:Signature Id="Signature-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#id-2">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>
    <!--Omitted -->
    </ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    <!--Omitted -->
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-29B98C291D1FDFB39113352984773792">
    <wsse:SecurityTokenReference wsu:Id="STRId-29B98C291D1FDFB39113352984773893" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Reference URI="#CertId-29B98C291D1FDFB39113352984773591" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    </wsse:Security>
    <saml:Assertion ID="_54d0c8395de26c3e44730df2c9e8d3e9" IssueInstant="2012-02-17T10:40:36.806Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>CN=test_client</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#_54d0c8395de26c3e44730df2c9e8d3e9">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>
    <!--Omitted -->
    </DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>
    <!--Omitted -->
    </SignatureValue>
    <KeyInfo>
    <X509Data>
    <X509Certificate>
    <!--Omitted -->
    </X509Certificate>
    </X509Data>
    </KeyInfo>
    </Signature>
    <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-02-17T10:40:21.806Z" NotOnOrAfter="2012-02-17T10:41:06.806Z"/>
    </saml:Assertion>
    <wsa:Action SOAP-ENV:mustUnderstand="1">http://www.xxxxxxx.xxx/ws/schemas/xxxxxx1/xxxx/xxxxxxxxxxxxxx</wsa:Action>
    <wsa:MessageID SOAP-ENV:mustUnderstand="1">uuid:bffc27ba-68d9-44e6-b1f0-e2f852df7715</wsa:MessageID>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body wsu:Id="id-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="EncDataId-3" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Reference URI="#EncKeyId-29B98C291D1FDFB39113352984774895"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue>
    <!--Omitted -->
    </xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    **This is as close as I've gotten with my WCF client. An issue I can immediately see is that the `<o:SecurityTokenReference>` element should contain the Issuer and Serial; instead it contains a `KeyIdentifier` element.**
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_3"/>
    <a:MessageID u:Id="_4">urn:uuid:fc8ef84b-dbf5-4150-a0c3-d4cc986333d1</a:MessageID>
    <ActivityId CorrelationId="a9e1fec4-32bc-4633-909e-3d601c809b3c" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">d1909115-8922-46f3-a96c-db15bf91c599</ActivityId>
    <a:ReplyTo u:Id="_5">
    <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo27oY4/3mnBOry0YL4StqvcAAAAA0UM+eVt4fU2AOe9/B3lPDZNf/2HmAuNEvzAoW0eKVSUACQAA</VsDebuggerCausalityData>
    <a:To s:mustUnderstand="1" u:Id="_6">https://localhost:8089/ws</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <u:Timestamp u:Id="uuid-e5592f06-32af-40fb-996e-a0a469c7ed5e-2">
    <u:Created>2012-04-24T20:41:50.447Z</u:Created>
    <u:Expires>2012-04-24T20:46:50.447Z</u:Expires>
    </u:Timestamp>
    <e:EncryptedKey Id="uuid-e5592f06-32af-40fb-996e-a0a469c7ed5e-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <o:SecurityTokenReference>
    <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">lU10DQn4lSpE4fRpE9gslm5QDt0=</o:KeyIdentifier>
    </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData>
    <e:CipherValue>
    <!--Omitted-->
    </e:CipherValue>
    </e:CipherData>
    <e:ReferenceList>
    <e:DataReference URI="#_2"/>
    <e:DataReference URI="#_7"/>
    <e:DataReference URI="#_8"/>
    </e:ReferenceList>
    </e:EncryptedKey>
    <o:BinarySecurityToken u:Id="uuid-fad0c01f-ab4b-4a5f-bec6-93aa8c2d5a52-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!--Omitted--></o:BinarySecurityToken>
    <e:EncryptedData Id="_7" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <e:CipherData>
    <e:CipherValue>
    <!--Omitted-->
    </e:CipherValue>
    </e:CipherData>
    </e:EncryptedData>
    <e:EncryptedData Id="_8" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <e:CipherData>
    <e:CipherValue><!--Omitted--></e:CipherValue>
    </e:CipherData>
    </e:EncryptedData>
    </o:Security>
    </s:Header>
    <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <e:CipherData>
    <e:CipherValue><!--Omitted--></e:CipherValue>
    </e:CipherData>
    </e:EncryptedData>
    </s:Body>
    </s:Envelope>
    Using this configuration for the WCF CustomBinding
    <system.serviceModel>
    <bindings>
    <customBinding>
    <binding name="WSHttpBinding_IEnquiryRequest" >
    <transactionFlow />
    <security defaultAlgorithmSuite="TripleDesRsa15"
    authenticationMode="MutualCertificate"
    messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
    requireDerivedKeys="false"
    >
    <secureConversationBootstrap authenticationMode="CertificateOverTransport"
    messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
    requireDerivedKeys="false" />
    </security>
    <textMessageEncoding messageVersion="Soap11WSAddressing10" />
    <!--<mtomMessageEncoding messageVersion="Soap11WSAddressing10" />-->
    <httpsTransport requireClientCertificate="true" />
    </binding>
    </customBinding>
    </bindings>
    <behaviors>
    <endpointBehaviors>
    <behavior name="certBehaviour">
    <clientCredentials>
    <!-- clientCertificate not defaultCertificate -->
    <clientCertificate x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="My" findValue="test_client" />
    <serviceCertificate>
    <defaultCertificate x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="My" findValue="test_server"/>
    <authentication revocationMode="NoCheck" certificateValidationMode="None" />
    </serviceCertificate>
    </clientCredentials>
    </behavior>
    </endpointBehaviors>
    </behaviors>
    <client>
    <endpoint
    address="https://localhost:8089/pvs/ws"
    binding="customBinding"
    bindingConfiguration="WSHttpBinding_IEnquiryRequest"
    contract="XXXService.enquiryRequest"
    name="WSHttpBinding_IEnquiryRequest"
    behaviorConfiguration="certBehaviour"
    >
    <identity>
    <dns value="test_server"/>
    </identity>
    </endpoint>
    </client>
    </system.serviceModel>
    I've no idea how to insert the SAML 2.0 assertion in there before it's signed. That and the Key Issuer/serial issue above is where my main problems lie with the request.
    Any and all help appreciated

    Yaron,
    Thanks a million for your response, think you hit the nail on the head there. Actually figured out the first part myself this morning, I've retrieved the SymmetricSecurityBindingElement object from the binding configured in the app.config and set it explicitly,
    just as you've defined. Couldn't figure out how to do this yesterday for some reason! Here's the code for anyone that's interested:
    //Get custom binding reference from app.config
    CustomBinding binding = new CustomBinding("bindingNameInConfig");
    // Reference the symmetric security element
    SymmetricSecurityBindingElement securityBindingElement = binding.Elements.Find<SymmetricSecurityBindingElement>();
    // Get the x509ProtectionParams from the security element
    X509SecurityTokenParameters tokenParameters = new X509SecurityTokenParameters();
    tokenParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
    tokenParameters.RequireDerivedKeys = false;
    tokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
    // Set the X509SecurityTokenParameters to point to the ones just configured. This is for symmetric encryption; for asymmetric, this line needs to change
    securityBindingElement.ProtectionTokenParameters = tokenParameters;
    Are you sure that SAML assertion is not signed? That makes things a lot easier! Do you think the following approach will work when inserting in the SAML 2.0 assertion? :
    Create a class that inherits from IClientMessageInspector and insert the SAML as shown below
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Description;
    using System.ServiceModel.Dispatcher;
    using System.Text;
    using System.Xml;
    using Microsoft.IdentityModel.Protocols.XmlSignature;
    namespace TestClient.Application
    {
        class Saml20Extension : IClientMessageInspector, IEndpointBehavior
        {
            #region Implementation of IClientMessageInspector
            public object BeforeSendRequest(ref Message request, IClientChannel channel)
            {
                MessageBuffer buffer = request.CreateBufferedCopy(int.MaxValue);
                // ** Add the SAML Assertion XML here **
                request = buffer.CreateMessage();
                return null;
            }
            public void AfterReceiveReply(ref Message reply, object correlationState)
            {
                MessageBuffer buffer = reply.CreateBufferedCopy(Int32.MaxValue);
                // ** REMOVE THE SAML ASSERTION HERE **
                reply = buffer.CreateMessage();
            }
            #endregion
            #region Implementation of IEndpointBehavior
            public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)
            {
                // Nothing to add to the binding parameters.
            }
            public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
            {
                // Add this implementation to the inspectors.
                clientRuntime.MessageInspectors.Add(this);
            }
            public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
            {
                // Client-side only; no dispatch behavior.
            }
            public void Validate(ServiceEndpoint endpoint)
            {
                // No endpoint validation required.
            }
            #endregion
        }
    }
    Also, there's a second signature being inserted into my WCF request that I need to replace with the SAML insertion. How do I get rid of the second signature? (See the updated request below.)
    POST https://localhost:8089/pvs/ws HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: ""
    Host: localhost:8089
    Content-Length: 6720
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_3"/>
    <a:MessageID u:Id="_4">urn:uuid:84dc0bb8-13fd-4e90-84c4-ed1e6e831801</a:MessageID>
    <ActivityId CorrelationId="07e0df62-d40a-4e24-aacc-12e626f80e8b" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">40077c44-d415-4567-99a1-1ea610c41d94</ActivityId>
    <a:ReplyTo u:Id="_5">
    <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo1f0ZJ98FOxIvULl0pmGv/wAAAAAEGu5/G7VNkia/XbStJDa+ldqi+8xxdtAiBL+Y8vCqa0ACQAA</VsDebuggerCausalityData>
    <a:To s:mustUnderstand="1" u:Id="_6">https://localhost:8089/pvs/ws</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <e:EncryptedKey Id="uuid-5b1de37e-ea76-4f75-b268-ebb63b554c11-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <o:SecurityTokenReference>
    <X509Data>
    <X509IssuerSerial>
    <X509IssuerName>CN=test_server</X509IssuerName>
    <X509SerialNumber>123456789</X509SerialNumber>
    </X509IssuerSerial>
    </X509Data>
    </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData>
    <e:CipherValue><!--Omitted--></e:CipherValue>
    </e:CipherData>
    <e:ReferenceList>
    <e:DataReference URI="#_2"/>
    </e:ReferenceList>
    </e:EncryptedKey>
    <o:BinarySecurityToken u:Id="uuid-d62ff21f-7e9b-460d-a0ee-d5fad221427d-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIBpzCCARCgAwIBAgIETzKMfzANBgkqhkiG9w0BAQUFADAYMRYwFAYDVQQDDA10ZXN0X2ZhY2lsaXR5MB4XDTEyMDIwODE0NTM1MVoXDTE3MDIwODE0NTM1MVowGDEWMBQGA1UEAwwNdGVzdF9mYWNpbGl0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvzdwlxcpwRKGzLvpqYoS4NEbhbx/jV6Z6kyXgJ0IWLZAW20oWmxPwumsqkKr6bWX2NWbGrka6w1e9+iZFBKiBq5zzxJKusCJQtPjuYwjaTGjVTFnixHp9sKnjIEprKyarceG00WzCVdtuI1NpNp8dgemzA6FFt1ESwwELq+rKvECAwEAATANBgkqhkiG9w0BAQUFAAOBgQAokX6HZhhEj7Bfo0Z8ZeoZeYFB8pHrN5A6927cJx17EXWVv0Mwn/+fDgTAhtsN9DB68CFNejox8mM0+KewjsgT4z80YxMHGlpM13z4c8+iMiQcJ7cISScTBaTONOtDqK1WNtci8biNjnLn7+4Z4fw17jlttN0dPHC3fvGywh6TkQ==</o:BinarySecurityToken>
    <Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <Reference URI="#_1">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>
    <!--Omitted-->
    </DigestValue>
    </Reference>
    <Reference URI="#_3">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>
    <!--Omitted-->
    </DigestValue>
    </Reference>
    <Reference URI="#_4">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>
    <!--Omitted-->
    </DigestValue>
    </Reference>
    <Reference URI="#_5">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>
    <!--Omitted-->
    </DigestValue>
    </Reference>
    <Reference URI="#_6">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>
    <!--Omitted-->
    </DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>
    <!--Omitted-->
    </SignatureValue>
    <KeyInfo>
    <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
    <o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-5b1de37e-ea76-4f75-b268-ebb63b554c11-1"/>
    </o:SecurityTokenReference>
    </KeyInfo>
    </Signature><!-- Why is this second signature here? How do I get rid of it and replace it with SAML? --> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#_0">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>
    <!--Omitted-->
    </DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>
    <!--Omitted-->
    </SignatureValue>
    <KeyInfo>
    <o:SecurityTokenReference>
    <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-d62ff21f-7e9b-460d-a0ee-d5fad221427d-1"/>
    </o:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    </o:Security>
    </s:Header>
    <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <e:CipherData>
    <e:CipherValue>
    <!--Omitted-->
    </e:CipherValue>
    </e:CipherData>
    </e:EncryptedData>
    </s:Body>
    </s:Envelope>
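Before deciding what to do with the second Signature it helps to read the header mechanically. The first Signature (hmac-sha1, Id="_0") is keyed by the symmetric key transported in the EncryptedKey and covers the body and the addressing headers; the second (rsa-sha1) is keyed by the X.509 BinarySecurityToken and has a single Reference to "#_0", i.e. it signs the first signature. In WS-SecurityPolicy terms that is an endorsing signature, which typically comes from the security binding's token requirements rather than from a message inspector, so the binding configuration is the place to look. The inspector below is an added example written for this thread, not the poster's code and not part of WCF; it assumes only the namespaces visible in the request and runs on a constructed, abbreviated copy of it (digests and cipher text replaced by placeholders, ids shortened).

```python
import xml.etree.ElementTree as ET

# Namespaces used in the WCF request quoted above.
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, abbreviated copy of the request above (same header layout, placeholder values).
SAMPLE_ENVELOPE = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <o:Security s:mustUnderstand="1"
   xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <e:EncryptedKey Id="uuid-ek-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
   </e:EncryptedKey>
   <o:BinarySecurityToken u:Id="uuid-bst-1">MIIB...</o:BinarySecurityToken>
   <Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
     <Reference URI="#_1"><DigestValue>AAAA</DigestValue></Reference>
     <Reference URI="#_3"><DigestValue>AAAA</DigestValue></Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo><o:SecurityTokenReference>
     <o:Reference URI="#uuid-ek-1"/>
    </o:SecurityTokenReference></KeyInfo>
   </Signature>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <Reference URI="#_0"><DigestValue>AAAA</DigestValue></Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo><o:SecurityTokenReference>
     <o:Reference URI="#uuid-bst-1"/>
    </o:SecurityTokenReference></KeyInfo>
   </Signature>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1"><Ping/></s:Body>
</s:Envelope>"""


def _id_of(elem):
    """wsu:Id or a plain Id attribute, whichever the element carries."""
    return elem.get("{%s}Id" % NS["wsu"]) or elem.get("Id")


def inspect_security_header(xml_bytes):
    """Describe every ds:Signature in wsse:Security: algorithm, what it covers,
    which token keys it, and which other signatures it endorses."""
    root = ET.fromstring(xml_bytes)
    sec = root.find("s:Header/wsse:Security", NS)
    if sec is None:
        return []
    # Map every Id inside the Security header to the local name of its element,
    # so a KeyInfo reference such as "#uuid-ek-1" resolves to "EncryptedKey".
    ids = {}
    for el in sec.iter():
        i = _id_of(el)
        if i:
            ids[i] = el.tag.split("}")[-1]
    sigs = []
    for sig in sec.findall("ds:Signature", NS):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        refs = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        key_uri = key_ref.get("URI") if key_ref is not None else None
        sigs.append({
            "id": _id_of(sig),
            "algorithm": method.rsplit("#", 1)[-1],
            "references": refs,
            "key_token": ids.get(key_uri.lstrip("#"), "unresolved") if key_uri else None,
        })
    # A signature whose references point at another Signature element is, in
    # WS-SecurityPolicy terms, an endorsing signature over that signature.
    sig_ids = {s["id"] for s in sigs if s["id"]}
    for s in sigs:
        s["endorses"] = sorted({u.lstrip("#") for u in s["references"]} & sig_ids)
    return sigs


if __name__ == "__main__":
    for s in inspect_security_header(SAMPLE_ENVELOPE):
        print(s)
```

Run against the full request above, the output is the same shape: the hmac-sha1 signature keyed by the EncryptedKey and covering "#_1", "#_3", "#_4", "#_5", "#_6", and the rsa-sha1 signature keyed by the BinarySecurityToken and endorsing "_0". Whether the endorsing signature can be dropped depends on what the service side's policy requires; removing it from the message alone would only produce a policy fault at the receiver.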

  • ORA-07445 in the alert log when inserting into table with XMLType column

    I'm trying to insert an XML document into a table with a schema-based XMLType column. When I try to insert a row (using PL/SQL Developer), Oracle is busy for a few seconds and then the connection to Oracle is lost.
    Below you'll find the following to recreate the problem:
    a) contents from the alert log
    b) create script for the table
    c) the before-insert trigger
    d) the xml-schema
    e) code for registering the schema
    f) the test program
    g) platform information
    Alert Log:
    Fri Aug 17 00:44:11 2007
    Errors in file /oracle/app/oracle/product/10.2.0/db_1/admin/dntspilot2/udump/dntspilot2_ora_13807.trc:
    ORA-07445: exception encountered: core dump [SIGSEGV] [Address not mapped to object] [475177] [] [] []
    Create script for the table:
    CREATE TABLE "DNTSB"."SIGNATURETABLE"
    (     "XML_DOCUMENT" "SYS"."XMLTYPE" ,
    "TS" TIMESTAMP (6) WITH TIME ZONE NOT NULL ENABLE
    ) XMLTYPE COLUMN "XML_DOCUMENT" XMLSCHEMA "http://www.sporfori.fo/schemas/www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd" ELEMENT "Object"
    ROWDEPENDENCIES ;
    Before-insert trigger:
    create or replace trigger BIS_SIGNATURETABLE
    before insert on signaturetable
    for each row
    declare
      -- local variables here
      l_sigtab_rec signaturetable%rowtype;
    begin
      -- validate the incoming document against the registered XML schema
      if (:new.xml_document is not null) then
        :new.xml_document.schemavalidate();
      end if;
      l_sigtab_rec.xml_document := :new.xml_document;
    end BIS_SIGNATURETABLE;
    XML-Schema (xmldsig-core-schema.xsd):
    =====================================================================================
    <?xml version="1.0" encoding="utf-8"?>
    <!-- Schema for XML Signatures
    http://www.w3.org/2000/09/xmldsig#
    $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $
    Copyright 2001 The Internet Society and W3C (Massachusetts Institute
    of Technology, Institut National de Recherche en Informatique et en
    Automatique, Keio University). All Rights Reserved.
    http://www.w3.org/Consortium/Legal/
    This document is governed by the W3C Software License [1] as described
    in the FAQ [2].
    [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
    [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
    -->
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xdb="http://xmlns.oracle.com/xdb"
    targetNamespace="http://www.w3.org/2000/09/xmldsig#" version="0.1" elementFormDefault="qualified">
    <!-- Basic Types Defined for Signatures -->
    <xs:simpleType name="CryptoBinary">
    <xs:restriction base="xs:base64Binary">
    </xs:restriction>
    </xs:simpleType>
    <!-- Start Signature -->
    <xs:element name="Signature" type="ds:SignatureType"/>
    <xs:complexType name="SignatureType">
    <xs:sequence>
    <xs:element ref="ds:SignedInfo"/>
    <xs:element ref="ds:SignatureValue"/>
    <xs:element ref="ds:KeyInfo" minOccurs="0"/>
    <xs:element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    </xs:complexType>
    <xs:element name="SignatureValue" type="ds:SignatureValueType"/>
    <xs:complexType name="SignatureValueType">
    <xs:simpleContent>
    <xs:extension base="xs:base64Binary">
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    </xs:extension>
    </xs:simpleContent>
    </xs:complexType>
    <!-- Start SignedInfo -->
    <xs:element name="SignedInfo" type="ds:SignedInfoType"/>
    <xs:complexType name="SignedInfoType">
    <xs:sequence>
    <xs:element ref="ds:CanonicalizationMethod"/>
    <xs:element ref="ds:SignatureMethod"/>
    <xs:element ref="ds:Reference" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    </xs:complexType>
    <xs:element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
    <xs:complexType name="CanonicalizationMethodType" mixed="true">
    <xs:sequence>
    <xs:any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
    <!-- (0,unbounded) elements from (1,1) namespace -->
    </xs:sequence>
    <xs:attribute name="Algorithm" type="xs:anyURI" use="required"/>
    </xs:complexType>
    <xs:element name="SignatureMethod" type="ds:SignatureMethodType"/>
    <xs:complexType name="SignatureMethodType" mixed="true">
    <xs:sequence>
    <xs:element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
    <xs:any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
    <!-- (0,unbounded) elements from (1,1) external namespace -->
    </xs:sequence>
    <xs:attribute name="Algorithm" type="xs:anyURI" use="required"/>
    </xs:complexType>
    <!-- Start Reference -->
    <xs:element name="Reference" type="ds:ReferenceType"/>
    <xs:complexType name="ReferenceType">
    <xs:sequence>
    <xs:element ref="ds:Transforms" minOccurs="0"/>
    <xs:element ref="ds:DigestMethod"/>
    <xs:element ref="ds:DigestValue"/>
    </xs:sequence>
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    <xs:attribute name="URI" type="xs:anyURI" use="optional"/>
    <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
    </xs:complexType>
    <xs:element name="Transforms" type="ds:TransformsType"/>
    <xs:complexType name="TransformsType">
    <xs:sequence>
    <xs:element ref="ds:Transform" maxOccurs="unbounded"/>
    </xs:sequence>
    </xs:complexType>
    <xs:element name="Transform" type="ds:TransformType"/>
    <xs:complexType name="TransformType" mixed="true">
    <xs:choice minOccurs="0" maxOccurs="unbounded">
    <xs:any namespace="##other" processContents="lax"/>
    <!-- (1,1) elements from (0,unbounded) namespaces -->
    <xs:element name="XPath" type="xs:string"/>
    </xs:choice>
    <xs:attribute name="Algorithm" type="xs:anyURI" use="required"/>
    </xs:complexType>
    <!-- End Reference -->
    <xs:element name="DigestMethod" type="ds:DigestMethodType"/>
    <xs:complexType name="DigestMethodType" mixed="true">
    <xs:sequence>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Algorithm" type="xs:anyURI" use="required"/>
    </xs:complexType>
    <xs:element name="DigestValue" type="ds:DigestValueType"/>
    <xs:simpleType name="DigestValueType">
    <xs:restriction base="xs:base64Binary"/>
    </xs:simpleType>
    <!-- End SignedInfo -->
    <!-- Start KeyInfo -->
    <xs:element name="KeyInfo" type="ds:KeyInfoType"/>
    <xs:complexType name="KeyInfoType" mixed="true">
    <xs:choice maxOccurs="unbounded">
    <xs:element ref="ds:KeyName"/>
    <xs:element ref="ds:KeyValue"/>
    <xs:element ref="ds:RetrievalMethod"/>
    <xs:element ref="ds:X509Data"/>
    <xs:element ref="ds:PGPData"/>
    <xs:element ref="ds:SPKIData"/>
    <xs:element ref="ds:MgmtData"/>
    <xs:any processContents="lax" namespace="##other"/>
    <!-- (1,1) elements from (0,unbounded) namespaces -->
    </xs:choice>
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    </xs:complexType>
    <xs:element name="KeyName" type="xs:string"/>
    <xs:element name="MgmtData" type="xs:string"/>
    <xs:element name="KeyValue" type="ds:KeyValueType"/>
    <xs:complexType name="KeyValueType" mixed="true">
    <xs:choice>
    <xs:element ref="ds:DSAKeyValue"/>
    <xs:element ref="ds:RSAKeyValue"/>
    <xs:any namespace="##other" processContents="lax"/>
    </xs:choice>
    </xs:complexType>
    <xs:element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
    <xs:complexType name="RetrievalMethodType">
    <xs:sequence>
    <xs:element ref="ds:Transforms" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="URI" type="xs:anyURI"/>
    <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
    </xs:complexType>
    <!-- Start X509Data -->
    <xs:element name="X509Data" type="ds:X509DataType"/>
    <xs:complexType name="X509DataType">
    <xs:sequence maxOccurs="unbounded">
    <xs:choice>
    <xs:element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
    <xs:element name="X509SKI" type="xs:base64Binary"/>
    <xs:element name="X509SubjectName" type="xs:string"/>
    <xs:element name="X509Certificate" type="xs:base64Binary"/>
    <xs:element name="X509CRL" type="xs:base64Binary"/>
    <xs:any namespace="##other" processContents="lax"/>
    </xs:choice>
    </xs:sequence>
    </xs:complexType>
    <xs:complexType name="X509IssuerSerialType">
    <xs:sequence>
    <xs:element name="X509IssuerName" type="xs:string"/>
    <xs:element name="X509SerialNumber" type="xs:integer"/>
    </xs:sequence>
    </xs:complexType>
    <!-- End X509Data -->
    <!-- Begin PGPData -->
    <xs:element name="PGPData" type="ds:PGPDataType"/>
    <xs:complexType name="PGPDataType">
    <xs:choice>
    <xs:sequence>
    <xs:element name="PGPKeyID" type="xs:base64Binary"/>
    <xs:element name="PGPKeyPacket" type="xs:base64Binary" minOccurs="0"/>
    <xs:any namespace="##other" processContents="lax" minOccurs="0"
    maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:sequence>
    <xs:element name="PGPKeyPacket" type="xs:base64Binary"/>
    <xs:any namespace="##other" processContents="lax" minOccurs="0"
    maxOccurs="unbounded"/>
    </xs:sequence>
    </xs:choice>
    </xs:complexType>
    <!-- End PGPData -->
    <!-- Begin SPKIData -->
    <xs:element name="SPKIData" type="ds:SPKIDataType"/>
    <xs:complexType name="SPKIDataType">
    <xs:sequence maxOccurs="unbounded">
    <xs:element name="SPKISexp" type="xs:base64Binary"/>
    <xs:any namespace="##other" processContents="lax" minOccurs="0"/>
    </xs:sequence>
    </xs:complexType>
    <!-- End SPKIData -->
    <!-- End KeyInfo -->
    <!-- Start Object (Manifest, SignatureProperty) -->
    <xs:element name="Object" type="ds:ObjectType"/>
    <xs:complexType name="ObjectType" mixed="true">
    <xs:sequence minOccurs="0" maxOccurs="unbounded">
    <xs:any namespace="##any" processContents="lax"/>
    </xs:sequence>
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    <xs:attribute name="MimeType" type="xs:string" use="optional"/> <!-- add a grep facet -->
    <xs:attribute name="Encoding" type="xs:anyURI" use="optional"/>
    </xs:complexType>
    <xs:element name="Manifest" type="ds:ManifestType"/>
    <xs:complexType name="ManifestType">
    <xs:sequence>
    <xs:element ref="ds:Reference" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    </xs:complexType>
    <xs:element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
    <xs:complexType name="SignaturePropertiesType">
    <xs:sequence>
    <xs:element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    </xs:complexType>
    <xs:element name="SignatureProperty" type="ds:SignaturePropertyType"/>
    <xs:complexType name="SignaturePropertyType" mixed="true">
    <xs:choice maxOccurs="unbounded">
    <xs:any namespace="##other" processContents="lax"/>
    <!-- (1,1) elements from (1,unbounded) namespaces -->
    </xs:choice>
    <xs:attribute name="Target" type="xs:anyURI" use="required"/>
    <xs:attribute name="Id" type="xs:ID" use="optional"/>
    </xs:complexType>
    <!-- End Object (Manifest, SignatureProperty) -->
    <!-- Start Algorithm Parameters -->
    <xs:simpleType name="HMACOutputLengthType">
    <xs:restriction base="xs:integer"/>
    </xs:simpleType>
    <!-- Start KeyValue Element-types -->
    <xs:element name="DSAKeyValue" type="ds:DSAKeyValueType"/>
    <xs:complexType name="DSAKeyValueType">
    <xs:sequence>
    <xs:sequence minOccurs="0">
    <xs:element name="P" type="ds:CryptoBinary"/>
    <xs:element name="Q" type="ds:CryptoBinary"/>
    </xs:sequence>
    <xs:element name="G" type="ds:CryptoBinary" minOccurs="0"/>
    <xs:element name="Y" type="ds:CryptoBinary"/>
    <xs:element name="J" type="ds:CryptoBinary" minOccurs="0"/>
    <xs:sequence minOccurs="0">
    <xs:element name="Seed" type="ds:CryptoBinary"/>
    <xs:element name="PgenCounter" type="ds:CryptoBinary"/>
    </xs:sequence>
    </xs:sequence>
    </xs:complexType>
    <xs:element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
    <xs:complexType name="RSAKeyValueType">
    <xs:sequence>
    <xs:element name="Modulus" type="ds:CryptoBinary"/>
    <xs:element name="Exponent" type="ds:CryptoBinary"/>
    </xs:sequence>
    </xs:complexType>
    <!-- End KeyValue Element-types -->
    <!-- End Signature -->
    </xs:schema>
    ===============================================================================
    Code for registering the xml-schema
    begin
    dbms_xmlschema.deleteSchema('http://xmlns.oracle.com/xdb/schemas/DNTSB/www.sporfori.fo/schemas/www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd',
    dbms_xmlschema.DELETE_CASCADE_FORCE);
    end;
    begin
    DBMS_XMLSCHEMA.REGISTERURI(
    schemaurl => 'http://www.sporfori.fo/schemas/www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd',
    schemadocuri => 'http://www.sporfori.fo/schemas/www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd',
    local => TRUE,
    gentypes => TRUE,
    genbean => FALSE,
    gentables => TRUE,
    force => FALSE,
    owner => 'DNTSB',
    options => 0);
    end;
    Test program
    -- Created on 17-07-2006 by EEJ
    declare
    XML_TEXT3 CLOB := '<Object xmlns="http://www.w3.org/2000/09/xmldsig#">
                                  <SignatureProperties>
                                       <SignatureProperty Target="">
                                            <Timestamp xmlns="http://www.sporfori.fo/schemas/dnts/general/2006/11/14">2007-05-10T12:00:00-05:00</Timestamp>
                                       </SignatureProperty>
                                  </SignatureProperties>
                             </Object>';
    xmldoc xmltype;
    begin
    xmldoc := xmltype(xml_text3);
    insert into signaturetable
    (xml_document, ts)
    values
    (xmldoc, current_timestamp);
    end;
    Platform information
    Operating system:
    -bash-3.00$ uname -a
    SunOS dntsdb 5.10 Generic_125101-09 i86pc i386 i86pc
    SQLPlus:
    SQL*Plus: Release 10.2.0.3.0 - Production on Fri Aug 17 00:15:13 2007
    Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
    Enter password:
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
    With the Partitioning and Data Mining options
    Kind Regards,
    Eyðun

    You should report this in a service request on http://metalink.oracle.com.
    It is a shame that you put all the effort here to describe your problem, but on the other hand you can now also copy & paste the question to Oracle Support.
    Because you are using 10.2.0.3, I am guessing that you have a valid service contract...
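What a service request on this needs is the trace file named in the alert log entry and whether the crash repeats with the same arguments; an ORA-07445 with SIGSEGV is a memory fault inside the server process on the XML validation path, so a repeat at the same address on a production instance is an availability incident to escalate, not something to retry. As an added example for this thread (not the poster's code and not from Oracle), the parser below pulls ORA-07445 and ORA-00600 events out of an alert-log excerpt and groups repeats. The excerpt is constructed: the first entry is the one quoted above, the log-switch line and the second occurrence are made up to show grouping.

```python
import re
from collections import Counter

# Constructed alert-log excerpt: first event as quoted in the post above,
# the rest invented to exercise the parser.
SAMPLE_ALERT_LOG = """Fri Aug 17 00:44:11 2007
Errors in file /oracle/app/oracle/product/10.2.0/db_1/admin/dntspilot2/udump/dntspilot2_ora_13807.trc:
ORA-07445: exception encountered: core dump [SIGSEGV] [Address not mapped to object] [475177] [] [] []
Fri Aug 17 00:47:30 2007
Thread 1 advanced to log sequence 42
Fri Aug 17 00:51:02 2007
Errors in file /oracle/app/oracle/product/10.2.0/db_1/admin/dntspilot2/udump/dntspilot2_ora_13901.trc:
ORA-07445: exception encountered: core dump [SIGSEGV] [Address not mapped to object] [475177] [] [] []
"""

# 10g alert-log layout: a bare timestamp line, then "Errors in file <trace>:", then ORA-nnnnn.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4}$")
TRACE_FILE = re.compile(r"^Errors in file (\S+):$")
ORA_ERROR = re.compile(r"^(ORA-\d{5}): (.*)$")
BRACKETS = re.compile(r"\[([^\]]*)\]")


def parse_alert_log(text):
    """Return one dict per ORA-nnnnn line, carrying the timestamp and trace file
    that precede it in the log."""
    events = []
    current_time = None
    trace_file = None
    for line in text.splitlines():
        line = line.rstrip()
        if TIMESTAMP.match(line):
            current_time = line
            trace_file = None          # a new timestamp starts a new entry
            continue
        m = TRACE_FILE.match(line)
        if m:
            trace_file = m.group(1)
            continue
        m = ORA_ERROR.match(line)
        if m:
            code, detail = m.groups()
            args = BRACKETS.findall(detail)   # the [..] [..] argument list
            events.append({
                "time": current_time,
                "trace_file": trace_file,
                "code": code,
                "signal": args[0] if code == "ORA-07445" and args else None,
                "args": args,
            })
    return events


def repeated_crashes(events):
    """Count internal errors by (code, signal, third argument).
    For ORA-07445 the third argument is the faulting address, so a count above
    one at the same address means the fault is reproducible."""
    def key(e):
        return (e["code"], e["signal"], e["args"][2] if len(e["args"]) > 2 else None)
    return Counter(key(e) for e in events if e["code"] in ("ORA-07445", "ORA-00600"))


if __name__ == "__main__":
    evs = parse_alert_log(SAMPLE_ALERT_LOG)
    for e in evs:
        print(e["time"], e["code"], e["signal"], e["trace_file"])
    print(repeated_crashes(evs))
```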

  • Error when calling the business services with Encryption - MustUnderstand h

    I was getting this error when I invoked my business service through the Oracle Service Bus Console:
    <faultstring>
    MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood
    </faultstring>
    <faultcode>SOAP-ENV:MustUnderstand</faultcode>
    <soapenv:Envelope      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <soap:Header      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
         </soap:Header>
         <soapenv:Body>
         <ger:gerarHashSenha      xmlns:ger="http://www.abc.com.br/SomeService">
         <!--Optional:-->
         <arg0>string</arg0>
         </ger:gerarHashSenha>
         </soapenv:Body>
         </soapenv:Envelope>
         <soapenv:Envelope      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <soap:Header      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
         <wsse:Security      soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <ns1:EncryptedKey      Id="FLTGqSbFbsmt2Q2l" xmlns:ns1="http://www.w3.org/2001/04/xmlenc#">
         <ns1:EncryptionMethod      Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
         <ns2:KeyInfo      xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
         <wsse:SecurityTokenReference      wsu:Id="str_a6QZHoS8oRqxbtgS" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <ns2:X509Data>
         <ns2:X509IssuerSerial>
         <ns2:X509IssuerName>
         CN=SerasaACGlobal,OU=Serasa Autoridade Certificadora Global,O=Serasa,C=BR
         </ns2:X509IssuerName>
         <ns2:X509SerialNumber>5023300869337873804</ns2:X509SerialNumber>
         </ns2:X509IssuerSerial>
         </ns2:X509Data>
         </wsse:SecurityTokenReference>
         </ns2:KeyInfo>
         <ns1:CipherData>
         <ns1:CipherValue>
         l3um2rVftq5ddA24DPNpZpofHEcmCha9ZBraglFKKzTpL+PhKmRmAyaJC2V5xWqBssxQGRDWhN9z+eHP8ENLMDP/mlHRw89WWQ7VkATSAd+k8ny/lesTLO7RUuLAiPlueOYUN8vpD4BJcI/lL/8jL0utMrQ7k+fhELDnBMB0lIY=
         </ns1:CipherValue>
         </ns1:CipherData>
         <ns1:ReferenceList>
         <ns1:DataReference      URI="#Ak1K01RK8B6RKDn3"/>
         </ns1:ReferenceList>
         </ns1:EncryptedKey>
         </wsse:Security>
         </soap:Header>
         <soapenv:Body>
         <ns1:EncryptedData      Id="Ak1K01RK8B6RKDn3" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml" Encoding="UTF-8" xmlns:ns1="http://www.w3.org/2001/04/xmlenc#">
         <ns1:EncryptionMethod      Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
         <ns1:CipherData>
         <ns1:CipherValue>
         RMu5vmRk3KczXzx57Wc8sIcdBDySyGOL4P0VrN+rwOjOcqc3ALCGbxu9VlRB4nJJTDb/1wxuh+lJlnBEgwS+7q1JVDuA81HDSqq4oPtqhQ2wYVMyxOY0YVm2Tj8ntUdTYh0OQrPg0TwmSsi3UUnuKDPR9tQqmZvHc+DF+j8yI71nSN4WPp1MVBr8E7Z7B9sPBDlI7Bp9n68=
         </ns1:CipherValue>
         </ns1:CipherData>
         </ns1:EncryptedData>
         </soapenv:Body>
         </soapenv:Envelope>
         Response Document      
    The invocation resulted in an error: Internal Server Error.
         <S:Envelope      xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
         <S:Body>
         <SOAP-ENV:Fault      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
         <faultstring>
         MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood
         </faultstring>
         <faultcode>SOAP-ENV:MustUnderstand</faultcode>
         </SOAP-ENV:Fault>
         </S:Body>
         </S:Envelope>
         Response Metadata      
         <con:metadata      xmlns:con="http://www.bea.com/wli/sb/test/config">
         <tran:headers      xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <tran:user-header      name="Set-Cookie" value="JSESSIONID=YypvL1RGdHs3fRGs3RSwvGrdQpzhTyY6FJ0z6VK1tRtLhR5L9V7S!-778340443; path=/"/>
         <tran:user-header      name="X-Powered-By" value="Servlet/2.5 JSP/2.1"/>
         <http:Cache-Control>no-cache="Set-Cookie"</http:Cache-Control>
         <http:Content-Type>text/xml;charset="utf-8"</http:Content-Type>
         <http:Date>Fri, 28 May 2010 00:41:40 GMT</http:Date>
         <http:Transfer-Encoding>chunked</http:Transfer-Encoding>
         </tran:headers>
         <tran:response-code      xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
         <tran:response-message      xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
         <tran:encoding      xmlns:tran="http://www.bea.com/wli/sb/transports">utf-8</tran:encoding>
         <http:http-response-code      xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
         </con:metadata>
    Edited by: victorjabur on May 27, 2010 5:48 PM
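The fault itself is the SOAP 1.1 rule at work: the request flags the wsse:Security header with soap:mustUnderstand="1", and a receiver that has no WS-Security processing for that endpoint must not silently skip it, so it answers with a MustUnderstand fault naming the header. The fix is therefore on the receiving side (a security policy or handler at the business service that actually processes the header); stripping the mustUnderstand flag instead would make the receiver ignore the EncryptedKey and never decrypt or check anything. The checker below is an added example for this thread, not the poster's code and not part of Oracle Service Bus; it models the receiver's decision and builds the fault in the shape shown in the response above, using a constructed, abbreviated copy of the encrypted request with placeholder cipher text.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed, abbreviated copy of the encrypted request above.
SAMPLE_REQUEST = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security soap:mustUnderstand="1"
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <ns1:EncryptedKey Id="FLTGqSbFbsmt2Q2l" xmlns:ns1="http://www.w3.org/2001/04/xmlenc#">
    <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <ns1:CipherData><ns1:CipherValue>omitted</ns1:CipherValue></ns1:CipherData>
    <ns1:ReferenceList><ns1:DataReference URI="#Ak1K01RK8B6RKDn3"/></ns1:ReferenceList>
   </ns1:EncryptedKey>
  </wsse:Security>
 </soap:Header>
 <soapenv:Body>
  <ns1:EncryptedData Id="Ak1K01RK8B6RKDn3" xmlns:ns1="http://www.w3.org/2001/04/xmlenc#">
   <ns1:CipherData><ns1:CipherValue>omitted</ns1:CipherValue></ns1:CipherData>
  </ns1:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>"""


def must_understand_headers(xml_bytes):
    """Qualified names ("{ns}local") of every header block flagged mustUnderstand.
    Only direct children of Header are header blocks; their content is not inspected."""
    root = ET.fromstring(xml_bytes)
    header = root.find("{%s}Header" % SOAP_ENV)
    if header is None:
        return []
    flagged = []
    for block in header:
        mu = block.get("{%s}mustUnderstand" % SOAP_ENV, "0")
        if mu in ("1", "true"):      # "1" per SOAP 1.1; "true" also accepted by SOAP 1.2
            flagged.append(block.tag)
    return flagged


def unprocessed_must_understand(xml_bytes, understood):
    """Header blocks the receiver is obliged to process but does not know how to.
    `understood` is the set of qualified names the endpoint's handlers cover."""
    return [tag for tag in must_understand_headers(xml_bytes) if tag not in understood]


def must_understand_fault(unprocessed):
    """SOAP 1.1 MustUnderstand fault naming the offending headers, matching the
    faultstring format in the OSB response above."""
    names = ",".join(unprocessed)
    return (
        '<S:Envelope xmlns:S="%s"><S:Body><S:Fault>' % SOAP_ENV
        + "<faultcode>S:MustUnderstand</faultcode>"
        + "<faultstring>MustUnderstand headers:[%s] are not understood</faultstring>" % names
        + "</S:Fault></S:Body></S:Envelope>"
    )


if __name__ == "__main__":
    # An endpoint without WS-Security support: the Security header is unprocessed.
    missing = unprocessed_must_understand(SAMPLE_REQUEST, understood=set())
    print(must_understand_fault(missing) if missing else "all mustUnderstand headers processed")
    # The same endpoint with a WS-Security handler registered for wsse:Security.
    print(unprocessed_must_understand(SAMPLE_REQUEST, {"{%s}Security" % WSSE}))
```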

    I have the same issue... Did someone come across this? OTN moderators, please answer this.

  • Validating a digital signature in an xml

    Hi,
    I'm working on validating a digital signature from an XML file. I'm using the code below to get the value of the Signature node from the XML file.
    NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    I'm getting it as a NodeList object. When I try to get the length of the Signature element it says 0, and hence it throws an exception.
    I have to pass this NodeList object to validate the XML file. I'm attaching the XML file as well as the program to validate the XML file. Can somebody help me on this?
    Validate.java
    import javax.xml.crypto.*;
    import javax.xml.crypto.dsig.*;
    import javax.xml.crypto.dom.*;
    import javax.xml.crypto.dsig.dom.DOMValidateContext;
    import javax.xml.crypto.dsig.keyinfo.*;
    import java.io.File;
    import java.io.FileInputStream;
    import java.security.*;
    import java.util.Collections;
    import java.util.Iterator;
    import java.util.List;
    import javax.xml.parsers.DocumentBuilder;
    import javax.xml.parsers.DocumentBuilderFactory;
    import org.w3c.dom.Document;
    import org.w3c.dom.NodeList;

    /**
     * This is a simple example of validating an XML
     * Signature using the JSR 105 API. It assumes the key needed to
     * validate the signature is contained in a KeyValue KeyInfo.
     */
    public class Validate {

        public static void main(String[] args) throws Exception {
            try {
                File file = new File("c:\\test.xml");

                // Instantiate the document to be validated
                DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                // Namespace awareness must be set on the factory BEFORE the builder is
                // created: a builder obtained from a non-namespace-aware factory produces
                // a DOM in which getElementsByTagNameNS never matches, so the Signature
                // lookup below returns an empty NodeList.
                dbf.setNamespaceAware(true);
                DocumentBuilder db = dbf.newDocumentBuilder();
                //Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("C://signature.xml"));
                Document doc = db.parse(file);

                // Find Signature element (in the XML Signature namespace; the
                // attribute name xmlns is case-sensitive in the signed file)
                NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
                System.out.println("the nodelist value is" + nl);
                if (nl.getLength() == 0) {
                    throw new Exception("Cannot find Signature element");
                }

                // Create a DOM XMLSignatureFactory that will be used to unmarshal the
                // document containing the XMLSignature
                XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

                // Create a DOMValidateContext and specify a KeyValue KeySelector
                // and document context
                //DOMValidateContext valContext = new DOMValidateContext
                //     (new KeyValueKeySelector(), nl.item(0));
                DOMValidateContext valContext = new DOMValidateContext
                    (new KeyValueKeySelector(), nl.item(0));

                // unmarshal the XMLSignature
                XMLSignature signature = fac.unmarshalXMLSignature(valContext);

                // Validate the XMLSignature (generated above)
                boolean coreValidity = signature.validate(valContext);

                // Check core validation status
                if (coreValidity == false) {
                    System.err.println("Signature failed core validation");
                    boolean sv = signature.getSignatureValue().validate(valContext);
                    System.out.println("signature validation status: " + sv);
                    // check the validation status of each Reference
                    Iterator i = signature.getSignedInfo().getReferences().iterator();
                    for (int j = 0; i.hasNext(); j++) {
                        boolean refValid =
                            ((Reference) i.next()).validate(valContext);
                        System.out.println("ref[" + j + "] validity status: " + refValid);
                    }
                } else {
                    System.out.println("Signature passed core validation");
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        /**
         * KeySelector which retrieves the public key out of the
         * KeyValue element and returns it.
         * NOTE: If the key algorithm doesn't match signature algorithm,
         * then the public key will be ignored.
         */
        private static class KeyValueKeySelector extends KeySelector {
            public KeySelectorResult select(KeyInfo keyInfo,
                                            KeySelector.Purpose purpose,
                                            AlgorithmMethod method,
                                            XMLCryptoContext context)
                throws KeySelectorException {
                if (keyInfo == null) {
                    throw new KeySelectorException("Null KeyInfo object!");
                }
                SignatureMethod sm = (SignatureMethod) method;
                List list = keyInfo.getContent();

                for (int i = 0; i < list.size(); i++) {
                    XMLStructure xmlStructure = (XMLStructure) list.get(i);
                    if (xmlStructure instanceof KeyValue) {
                        PublicKey pk = null;
                        try {
                            pk = ((KeyValue) xmlStructure).getPublicKey();
                        } catch (KeyException ke) {
                            throw new KeySelectorException(ke);
                        }
                        // make sure algorithm is compatible with method
                        if (algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
                            return new SimpleKeySelectorResult(pk);
                        }
                    }
                }
                throw new KeySelectorException("No KeyValue element found!");
            }

            //@@@FIXME: this should also work for key types other than DSA/RSA
            static boolean algEquals(String algURI, String algName) {
                if (algName.equalsIgnoreCase("DSA") &&
                    algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) {
                    return true;
                } else if (algName.equalsIgnoreCase("RSA") &&
                           algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1)) {
                    return true;
                } else {
                    return false;
                }
            }
        }

        private static class SimpleKeySelectorResult implements KeySelectorResult {
            private PublicKey pk;
            SimpleKeySelectorResult(PublicKey pk) {
                this.pk = pk;
            }
            public Key getKey() { return pk; }
        }
    }
    test.xml
    <?xml version="1.0" encoding="UTF-8"?><Signature XMLNS="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#CWRT"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>VWmTb6knCBXhNjDLp6w5aX79AW4=</DigestValue></Reference><Reference URI="js/weatherData.js"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>aRyqMcnVA7UsxHaq3VPjIzKnR30=</DigestValue></Reference><Reference URI="js/accuweather.js"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>NKBau43TGuOTSwOiFLtC7xgeUxk=</DigestValue></Reference><Reference URI="js/location.js"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>SNowBnKItayjP8hVg2a+qlrNnl4=</DigestValue></Reference><Reference URI="index.html"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>ImhqtDT/KgYLUMwhzBjxo7kX16c=</DigestValue></Reference><Reference URI="images/bg_fade_current.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>6YBFwLJdH7wLSLwgheOzTgLxe0g=</DigestValue></Reference><Reference URI="images/setdefault.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>VD9Ay9DjNvHoCt4QpWI6H5gHo84=</DigestValue></Reference><Reference URI="images/bg_portrait.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>eMNhpeowX/LaxFhZ0choyWoGdnU=</DigestValue></Reference><Reference URI="images/form_bg.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>xRsfhpWI8R21vXcPd73EJ0SPg4c=</DigestValue></Reference><Reference URI="images/nav_hourly_off.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>7tBjRZQ6PC5uVRg8J5bAFTmBS4s=</DigestValue></Reference><Reference URI="images/bg_landscape.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>nTZ9DoZPW1UgjEvE3WfSBt3DdYA=</DigestValue></Reference><Reference URI="images/nav_maps_off.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>ywLUlQ+DCMuybGr2YLYDQx85jJw=</DigestValue></Reference><Reference URI="images/nav_graph_off.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>853j9KcFEpuI5c8e5+0TEpmU33U=</DigestValue></Reference><Reference URI="images/label_forecast.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>2feKnZklWElbyqItqq5Q1bZRtn4=</DigestValue></Reference><Reference URI="images/bg_fade_content_wide.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>GDFP4Tcu96NBOCo9qRw7K25l8as=</DigestValue></Reference><Reference URI="images/btn_getlocation.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>sJajd6TTV4VyB2ibMRl8hM4cV+8=</DigestValue></Reference><Reference URI="images/bg_fade_home.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>joxnBor/RV5uvqc+SiNU613+W6U=</DigestValue></Reference><Reference URI="images/label_hourly.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>uinbV5pKm/XFwNsBjI21m0tYkhs=</DigestValue></Reference><Reference URI="images/wxicons/33.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>X8HvsFhHLUr3624myAcox9QyagQ=</DigestValue></Reference><Reference URI="images/wxicons/37.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>ldJztK5xrBf3UOyRkSN9zFAootc=</DigestValue></Reference><Reference URI="images/wxicons/13.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>bAah/tMqPUVrXis2iiOZLYo4jRw=</DigestValue></Reference><Reference URI="images/wxicons/16.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>UZ2CKfWZN/FCLnILVz8bIXWlRAA=</DigestValue></Reference><Reference URI="images/wxicons/19.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>jRL/Ea5Dcj7DpvKOHnqGvUmpw4Q=</DigestValue></Reference><Reference URI="images/wxicons/18.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>76si6qIfm8bAPKBRIQCQScg0Mow=</DigestValue></Reference><Reference URI="images/wxicons/44.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>HkCAXti0I181Pjqkw2QNTjXN6/8=</DigestValue></Reference><Reference URI="images/wxicons/08.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>OAvQ6xMeMXCFznUUMZyL1frgJQk=</DigestValue></Reference><Reference URI="images/wxicons/20.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>BavTiifJ1XKhQx/AO4Y2PywHi+w=</DigestValue></Reference><Reference URI="images/wxicons/12.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>NNVCA+3eTGXWUXGjO1G4qoPPDaU=</DigestValue></Reference><Reference URI="images/wxicons/36.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>5Wy7pMJKjwc+fdL0+ez3OrhZ/WY=</DigestValue></Reference><Reference URI="images/wxicons/32.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>GrhBWg3ODd19NHkdaEyuzUDYGaQ=</DigestValue></Reference><Reference URI="images/wxicons/25.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>kVSt7ZBsrGBlnRp2mnNd4jzbjdc=</DigestValue></Reference><Reference URI="images/wxicons/29.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>CHkrsHgL9qFAKCgxQfGOaBgCg+A=</DigestValue></Reference><Reference URI="images/wxicons/17.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>SxQBu2aYDFDTD1N6XXcL/Z9r2G0=</DigestValue></Reference><Reference URI="images/wxicons/05.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>UR0ntm9xdDzhcq9m+EqdcDRhk5I=</DigestValue></Reference><Reference URI="images/wxicons/06.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>XUKHRCVRhhgG7M44QlhzFKulVf0=</DigestValue></Reference><Reference URI="images/wxicons/40.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>0vBrc/yiUz4pE8epTER19nblmCA=</DigestValue></Reference><Reference URI="images/wxicons/41.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>y5a8jOOsS/qPhcEMQV3Aufb/aNE=</DigestValue></Reference><Reference URI="images/wxicons/Thumbs.db"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>pch5wjLWZAPSgNO09d1x7SMayY=</DigestValue></Reference><Reference URI="images/wxicons/14.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>QoLGKWD8MVS0XxCvkvweDmYg1U=</DigestValue></Reference><Reference URI="images/wxicons/42.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>D9K0JzNNrtpryfckrNQNS87y1BQ=</DigestValue></Reference><Reference URI="images/wxicons/43.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>qlRMGFaqLYTej/k3k1wAGL+GWxM=</DigestValue></Reference><Reference URI="images/wxicons/04.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>a2ftn992/Hl3y1wp9IzsLSSqDdk=</DigestValue></Reference><Reference URI="images/wxicons/30.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>6Ad7HYjHxySf33JzQdS/oDTgcno=</DigestValue></Reference><Reference URI="images/wxicons/23.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>LsAfryFOtLhgviUgiOXM3z4lBAA=</DigestValue></Reference><Reference URI="images/wxicons/07.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>bV4gju3kZ780HDNOVP2lHE1TDW4=</DigestValue></Reference><Reference URI="images/wxicons/22.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>AeFmuHupwwVszEvbV94o0rngpCQ=</DigestValue></Reference><Reference URI="images/wxicons/01.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>6DsWdqkV1/ub3FaeUeXvxsQxckA=</DigestValue></Reference><Reference URI="images/wxicons/21.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Z4W51hSrbkM5N91/F9xwDJwABb0=</DigestValue></Reference><Reference URI="images/wxicons/38.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Jfl9KECyaQ68D0Fq2iyAHubQYJE=</DigestValue></Reference><Reference URI="images/wxicons/35.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>c1SmObYV0bMJwveQBuyOk/aHjoY=</DigestValue></Reference><Reference URI="images/wxicons/39.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>apdCy1y7Bhx4c8j8xZKpw9sLiHQ=</DigestValue></Reference><Reference URI="images/wxicons/34.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>RlUoSL1kyNF/LNHglKJojfidqDo=</DigestValue></Reference><Reference URI="images/wxicons/24.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>rp274RE36TIQ/cJqykbC1pfma64=</DigestValue></Reference><Reference URI="images/wxicons/31.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>4T9iGJPK46NYQtmGWyvMhFXqefg=</DigestValue></Reference><Reference URI="images/wxicons/15.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>V/kRSkl8RuSLp5XHkK+Ev2qkA/Q=</DigestValue></Reference><Reference URI="images/wxicons/02.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>LnzYacHZQ8dWbBsfY/xIBFf+FhY=</DigestValue></Reference><Reference URI="images/wxicons/26.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>L/fdXr1GduUly+gZoqoHtjSEeug=</DigestValue></Reference><Reference URI="images/wxicons/11.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>5tlEUU8jkLu69GjxyKrj/dlCBnE=</DigestValue></Reference><Reference URI="images/wxicons/03.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>eVam0Q5Ns+f0ivmOFlayoQjFJuQ=</DigestValue></Reference><Reference URI="images/btn_severe_on.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>xkpq8N5rnVv2QUOOPEC3t2UZ3io=</DigestValue></Reference><Reference URI="images/bg_fade_prefs.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>mGtHZB8HWR4Kr46E9ibtgPqkSjg=</DigestValue></Reference><Reference URI="images/btn_previous.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>tYsSyliuIQHfoqX8Ljjd514gjiY=</DigestValue></Reference><Reference URI="images/btn_search.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Xs3TiHv5GVKqvqKcH4QQTLGeL5M=</DigestValue></Reference><Reference URI="images/nav_calendar_on.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>km6Jeefk1pbxhKPuKdX0tAikn20=</DigestValue></Reference><Reference URI="images/bg_fade_location.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>dsoQD4U3FStFnFCn9IU8XZOnbZ8=</DigestValue></Reference><Reference URI="images/logo_leaf.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>AI6UYnx1653B/rX71hqlXRYayK0=</DigestValue></Reference><Reference URI="images/radar.jpg"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>IEaZz7VDYcwgBHJhTFttbNpSr8=</DigestValue></Reference><Reference URI="images/btn_done.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>VZYygwwnJmzSykTWnC3UMjx7UVU=</DigestValue></Reference><Reference URI="images/Thumbs.db"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>aXryLm/7bU2iLfP6mwM96Q7iFfk=</DigestValue></Reference><Reference URI="images/btn_plus.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>apIaI0Q/XpYkQIZgrE8y4KDpe34=</DigestValue></Reference><Reference URI="images/label_calendar.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Ek3gLnM9lZCvsJrn49FinTEFoc=</DigestValue></Reference><Reference URI="images/btn_severe_off.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>rMRQheIr8WGukddQsbW79yPUa68=</DigestValue></Reference><Reference URI="images/bg_fade_about_wide.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>exAFOiVOEx5VKUopSxkbRc3RTLc=</DigestValue></Reference><Reference URI="images/btn_removelocation.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>BAAQeIMdUoZumMexhxIJFLOXy8M=</DigestValue></Reference><Reference URI="images/label_weathermap.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>QLd8kSOk/dq9/PtPl3hycoufBGw=</DigestValue></Reference><Reference URI="images/space.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>lPyPvOmX8EoCzEM8iIruq8hfHIE=</DigestValue></Reference><Reference URI="images/btn_magnify.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>3lSDkwWlIMufqacsbJ8dShiDvPc=</DigestValue></Reference><Reference URI="images/btn_next.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>5l3/6rRyibJQXlQdSfopJ4Q9e3o=</DigestValue></Reference><Reference URI="images/bg_fade_current_wide.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>klPlC3aqn33AAxtAzDCksik4CXo=</DigestValue></Reference><Reference URI="images/nav_hourly_on.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>oW7HwXpGfcEz6q1UEixc48IuEf0=</DigestValue></Reference><Reference URI="images/btn_shrink.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>/6ORP54At9CAqkQno9aCvbXCF2E=</DigestValue></Reference><Reference URI="images/bg_cal_date.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>g10327Jhy+CE2XXE62b6Ea6cUZg=</DigestValue></Reference><Reference URI="images/key.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>anFOcEcBGzbkeEsfKJ7+y3S2Y0E=</DigestValue></Reference><Reference URI="images/degree_f.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>QtJd4lj3Gaqm59G0J6TT87N9jLk=</DigestValue></Reference><Reference URI="images/bg_fade_about.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>rYYhIG+rT3f8jPqSuzC65g2BRuE=</DigestValue></Reference><Reference URI="images/degree_c.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>0AwnOwXF+1iAySDhG6u+WKGzmEE=</DigestValue></Reference><Reference URI="images/nav_maps_on.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>B7IsyllFvqC+hrxow9QlM+IdDkQ=</DigestValue></Reference><Reference URI="images/label_graph.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>8dKb7eEM6PKj2NqpJmTIA6d4OZw=</DigestValue></Reference><Reference URI="images/bg_fade_nav.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>0gR7yxY7kUde+5gnApaniAR70c4=</DigestValue></Reference><Reference URI="images/nav_forecast_off.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>T6cSnzVZ6+NYmcJkSxagrBG34VA=</DigestValue></Reference><Reference URI="images/bg_fade_content.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>eAAeix95CFcyTRFP0L37wCTiCT4=</DigestValue></Reference><Reference URI="images/nav_calendar_off.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>+7NYqrzg6E42x4bcSmI7oR+06Ok=</DigestValue></Reference><Reference URI="images/nav_graph_on.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>IuDRMdZ5SGeHtOUrIO6N8Kz2ug0=</DigestValue></Reference><Reference URI="images/logo_accu.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>/uv3wU6UomVHWqNw6FnQYutp19g=</DigestValue></Reference><Reference URI="images/nav_forecast_on.png"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>x+QqY/MePBUZryW4TH5q+IF1G+g=</DigestValue></Reference><Reference URI="config.xml"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>xo9qqZXg+0DwkCx8Kks9jgMLaLA=</DigestValue></Reference><Reference URI="css/accuweather.css"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>wIZ0bV7p0RmG7GEQzl9GoN+MMEs=</DigestValue></Reference><Reference URI="icon.png"><DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>vReEx8PURNyRoFZDvLHfXSAW5U=</DigestValue></Reference></SignedInfo><SignatureValue>H6RxXxj0OfpZuhbNHUkm048kZ1uzlGUwQV4TadOvFJ0VKHIyjTcJgzx7ApSUmCTjg/5JaRufBjAzihXmd7UTkq+aVm8smRgHpr3puz0w2wKGhPizO0dz4qfw3U7lqV6eLgSDakRj1jnFgqcMVHI+0k5vvYeVxgUVi6bz2b+IbM=</SignatureValue><Object Id="CWRT"><SignatureProperties xmlns:dsp="http://www.w3.org/2009/xmldsig-properties" ><SignatureProperty Id="profile"><dsp:Profile URI="http://www.w3.org/ns/widgets-digsig#profile" /></SignatureProperty><SignatureProperty Id="role"><dsp:Role URI="http://www.w3.org/ns/widgets-digsig#role-distributor" /></SignatureProperty><SignatureProperty Id="identifier"><dsp:Identifier>{247220a7-f378-4151-83d3-6be32024c0ae}</dsp:Identifier></SignatureProperty></SignatureProperties></Object><KeyInfo><X509Data><X509Certificate>MIICzDCCAjWgAwIBAgIBADANBgkqhkiG9w0BAQUFADArMRAwDgYDVQQKEwdSRCBD
    ZXJ0MRcwFQYDVQQDEw5SRCBDZXJ0aWZpY2F0ZTAeFw0wNDExMTUxMjQyMDZaFw0z
    NzA5MjMxMjQyMDZaMCsxEDAOBgNVBAoTB1JEIENlcnQxFzAVBgNVBAMTDlJEIENl
    cnRpZmljYXRlMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDLRF+r1FGGkCwT
    rb420kbnAps7gi1yYUcXYUdWeFTuBeQe5eW46Y+LWaA8HMlDdoHRB0FgASisYcFa
    gwno9+oFf4AJka4H1gWEs5XTGwAA1s0d8XGh7W7Dt9F5FZij8F7/9Pi6+FhhxZFI
    f1DD+yry9D7+Sp+BgdNALe4XOpf25QIBA6OCAQAwgf0wDAYDVR0TBAUwAwEB/zAL
    BgNVHQ8EBAMCAoQwHQYDVR0OBBYEFFi/kuGzxhVpjGxe9ZwlxC3fH9jFMFMGA1Ud
    IwRMMEqAFFi/kuGzxhVpjGxe9ZwlxC3fH9jFoS+kLTArMRAwDgYDVQQKEwdSRCBD
    ZXJ0MRcwFQYDVQQDEw5SRCBDZXJ0aWZpY2F0ZYIBADBsBgNVHSAEZTBjMGEGBFUd
    IAAwWTATBggrBgEFBQcCARYHaHR0cDovLzBCBggrBgEFBQcCAjA2GjRGb3IgUiZE
    IHVzYWdlIG9ubHkuIFRoaXMgY2VydGlmaWNhdGUgaXMgbm90IHRydXN0ZWQuMA0G
    CSqGSIb3DQEBBQUAA4GBAHGB4RQMAgBdeT2hxfOr6f2nA/dZm+M5yX5daUtZnET9
    Ed0A9sazLawfN2G1KFQT9kxEParAyoAkpbMAsRrnRz/9cM3OHgFm/NiKRnf50DpT
    7oCx0I/65mVD2kt+xXE62/Ii5KPnTufIkPi2uLvURCia1tTS8JmJ8dtxDGyQt8BR</X509Certificate></X509Data></KeyInfo></Signature>

    // Instantiate the document to be validated
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    dbf.setNamespaceAware(true);
    Document doc = db.parse(file);

    Your problem is that you've instantiated the DocumentBuilder before you've made the factory namespace aware. As a result, it does not know against which namespace it is parsing the XML file.
    Change the lines of code to have the factory be namespace-aware before you instantiate the DocumentBuilder and then parse the class. You'll get past your "node not found" error to receive a number of other errors which you need to correct.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    Document doc = dbf.newDocumentBuilder().parse(file);As a practice when generating an XML document, you should try to validate it inside an IDE like Netbeans/Eclipse before trying to do anything with the document to ensure you've not only got a well-formed XML document, but also one that is "schema-conformant. Your XML signature is not (the Object element cannot come before the KeyInfo element, and the SignatureProperty element is missing the required Target attribute); as a result your Signature element will fail to pass validation even if your code is correct. A cursory review of the XML Signature specs and its XSD is always helpful: [http://www.w3.org/TR/xmldsig-core/].
    Finally, please use the {code} tag for source-code to make it readable. Thanks.
    Arshad Noor
    StrongAuth, Inc.
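
    As an added example (not the poster's or Arshad's code), the ordering fix above carried through to a complete validator: namespace-aware parse, lookup of the Signature element by namespace, then core validation with a key selector that takes the verification key from the X509Certificate in KeyInfo. The input path is read from the command line and the base URI is assumed to be the document's directory so that the detached references (js/location.js, index.html, ...) resolve relative to it.

```java
import java.io.File;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class ValidateDetachedSignature {

    public static void main(String[] args) throws Exception {
        File file = new File(args[0]); // e.g. test.xml (path is an assumption)

        // 1. The builder copies the namespace setting when it is created, so the
        //    factory must be made namespace-aware BEFORE newDocumentBuilder().
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(file);

        // 2. Find the Signature element by namespace URI, never by prefix or
        //    bare element name; a non-namespace-aware parse yields nothing here.
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            throw new IllegalStateException("No Signature element in the XMLDSIG namespace");
        }

        // 3. Unmarshal and validate. Detached References such as "js/location.js"
        //    are resolved against the base URI, assumed here to be the file's directory.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(new X509KeySelector(), nl.item(0));
        ctx.setBaseURI(file.getAbsoluteFile().getParentFile().toURI().toString());
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);

        boolean coreValidity = signature.validate(ctx);
        System.out.println("Core validity: " + coreValidity);
        if (!coreValidity) {
            // Separate a bad SignatureValue (wrong key / tampered SignedInfo) from a
            // failed Reference (a listed file changed or could not be resolved).
            System.out.println("SignatureValue valid: "
                    + signature.getSignatureValue().validate(ctx));
            for (Object r : signature.getSignedInfo().getReferences()) {
                Reference ref = (Reference) r; // raw List on Java 6, List<Reference> on 9+
                System.out.println("Reference " + ref.getURI() + " valid: " + ref.validate(ctx));
            }
        }
    }

    /**
     * Returns the public key of the first X509Certificate found in KeyInfo.
     * This proves only that the holder of that certificate produced the signature;
     * chaining the certificate to a trust anchor is a separate step not shown here.
     */
    static class X509KeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo == null) {
                throw new KeySelectorException("KeyInfo is missing");
            }
            for (Object s : keyInfo.getContent()) {
                if (!(s instanceof X509Data)) {
                    continue;
                }
                for (Object o : ((X509Data) s).getContent()) {
                    if (o instanceof X509Certificate) {
                        final PublicKey key = ((X509Certificate) o).getPublicKey();
                        return new KeySelectorResult() {
                            public Key getKey() {
                                return key;
                            }
                        };
                    }
                }
            }
            throw new KeySelectorException("No X509Certificate in KeyInfo");
        }
    }
}
```

    Note that attribute names are case sensitive in XML: the posted test.xml writes XMLNS rather than xmlns on its Signature element, so that attribute is not a namespace declaration and the lookup in step 2 will not find the element until it is corrected.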

  • Problem verifying xml signature

    We have a problem with verifying XML Signatures which are part of a SOAP message. Thanks a lot for helping! Hope my problem is understandable - otherwise ask.
    We use the following environment:
    Java6
    Axis 2 V1.2 with XML Beans
    Step 1:
    The Java 6 XML Signature is an enveloped signature over an element called payload with exclusive XML canonicalization. We sign the payload and send the payload including signature to the server. At first I discovered the following namespace problem.
    DigesterOutputstream Create Signature:
    FEINER: <Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp><Created>UNDO</Created></Timestamp></Payload>
    DigesterOutput Verify Signature:
    FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
    31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
    FEIN: Expected digest: 71PfJ/xxn38TtQrpZOpRdqTZsBw=
    31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
    FEIN: Actual digest: B1Qdei/0yW1mqR2T50LXKFfxhl0=
    Soap request with payload:
    <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
/><DigestValue>71PfJ/xxn38TtQrpZOpRdqTZsBw=</DigestValue></Reference></SignedInfo><SignatureValue>FuhOdrz9kHR0MeAUq9Rxkg6w++7foR77s9AYQUQxb8qPJ44Ba6By8R/H+CCn5JP5cPFz8/mGOgOD NGKLgZp66xbVSWe1UeehmZLH1a2kvHsx/VvYo3Lr5foHsl6YikUBMXCBdhI4ukKJTuwBOK/7m3lu 7Zl07SFo0zWL73gUTxc=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>     
    The problem is the namespaces under the elements payload and timestamp. For verification the namespaces are inherited from the parent element. I wonder why this happens - I thought this should not happen when using exclusive canonicalization, or does it?
    Step 2:
    Then I added the namespaces before creating the signature, e.g.
    payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
    for all attributes that are not part of the create signature log. Then the xml signature was verified successfully when I tested this against my own server. See log files:
    DigesterOutputstream for create signature:
    31.10.2007 11:16:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
    FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
    DigesterOutputstream verify signature:
    31.10.2007 11:19:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
    FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
    The whole soap request:
    <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-3596382">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</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-8331318"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#id-28000914"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>Q2LregRFO//cXlkcThu9Bx0jal4=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#id-10464309"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>BX651XEWk4u4pGgshQhocYxPkSo=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#Timestamp-7651652"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>ezisLn/pGWNqMHbT6UlHyM4Ez64=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> Xl4SSEwrtyUnsqf8xOmfzojLLU18tOrikOhK+HRyqHqv0lPF+AqANLU6yygNdhbfI5qyef9BLr6I 
CmSPIX4QQR+Hq45l/Ewa+M2K1OOjqvBUGYyQqrKCqUFtsISr9xPudB8ZmaVfaUu5chjIvy/sPYYx TuYv2Ma6uEwek1YZpbE= </ds:SignatureValue> <ds:KeyInfo Id="KeyId-1823783"> <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-17125267"><wsse:Reference URI="#CertId-3596382" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /></wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-7651652"><wsu:Created>2007-10-31T10:16:00.474Z</wsu:Created><wsu:Expires>2007-10-31T10:21:00.474Z</wsu:Expires></wsu:Timestamp></wsse:Security><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-10464309"><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-28000914"><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter 
Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>XHIiHK4NYczByvAJSZH8u3hSvuQ=</DigestValue></Reference></SignedInfo><SignatureValue>JQnTQJ1TidrMuWmSmpHE3ZR5M728A3tlvKjrM3GxFPuy5YOmmybxR0T7xe72WSdWsqvFT9QGE+iP GL5POuc3s8lLc1QGZRKhZvjHAKFldDNyxAMWRL7ZXmhpjsRXT3HethKWew3669SKjJFkZ1IYEnZz QrJOmgt1MMjWx99CgaQ=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q 
xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>
    As you can see in the SOAP request, on top of the XML signature there is a Web Services Security signature (WSSE) over three elements. This should be no problem, although WSSE adds the wsu:Id attribute to the Body element. WSSE was omitted in step 1 for simplicity.
    I am surprised that the attributes which have been set on the payloadElement are not part of the actual message. But it works!
    Step 3:
    The same request was sent to an external web service server, and the server reports an XML signature verification problem. I don't have any logs or further information, but I have to get this to work against this server.
    Java files for Create + Verify Signature. For Create I get a DOM Node from an XML Bean. For step 1 the attribute setting should be commented out. I use VerifySignature for steps 1 + 2.
    SignPayload.java:
    package de.tk.signature;
    import java.io.ByteArrayOutputStream;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.List;
    import javax.xml.crypto.dsig.CanonicalizationMethod;
    import javax.xml.crypto.dsig.DigestMethod;
    import javax.xml.crypto.dsig.Reference;
    import javax.xml.crypto.dsig.SignatureMethod;
    import javax.xml.crypto.dsig.SignedInfo;
    import javax.xml.crypto.dsig.Transform;
    import javax.xml.crypto.dsig.XMLSignature;
    import javax.xml.crypto.dsig.XMLSignatureFactory;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.keyinfo.KeyInfo;
    import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
    import javax.xml.crypto.dsig.keyinfo.X509Data;
    import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
    import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
    import javax.xml.crypto.dsig.spec.TransformParameterSpec;
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.transform.OutputKeys;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.NamedNodeMap;
    import org.w3c.dom.Node;
    import org.apache.xmlbeans.XmlObject;
    import de.tk.schemaTools.TkSchemaHandler;
    import de.tk.util.ClientProperties;
    public class SignPayload {
         public static void signDocument(XmlObject telematikExecuteXmlObject, String payloadId) {
              try {
                   // get the Document that owns the XMLBeans node
                   org.w3c.dom.Node node = telematikExecuteXmlObject.getDomNode();
                   Document documentTo = node.getOwnerDocument();
                   XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
                   // Reference to the Payload element by Id, with an enveloped-signature transform
                   Reference ref = fac.newReference("#" + payloadId, fac.newDigestMethod(DigestMethod.SHA1, null),
                             Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
                   // Create the SignedInfo (exclusive C14N applies to SignedInfo only).
                   SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                             fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(ref));
                   // Load the signing key and certificate from the JKS keystore.
                   KeyStore keyStore = KeyStore.getInstance("JKS");
                   String keyStoreFilename = ClientProperties.getKeystorefile();
                   FileInputStream keyStoreFile = new FileInputStream(keyStoreFilename);
                   keyStore.load(keyStoreFile, "storePwd".toCharArray());
                   keyStoreFile.close();
                   KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry("harris", new KeyStore.PasswordProtection("keyPwd".toCharArray()));
                   X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
                   // Create the KeyInfo containing the X509Data (subject name and certificate).
                   KeyInfoFactory kif = fac.getKeyInfoFactory();
                   List<Object> x509Content = new ArrayList<Object>();
                   x509Content.add(cert.getSubjectX500Principal().getName());
                   x509Content.add(cert);
                   X509Data xd = kif.newX509Data(x509Content);
                   KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
                   Node payloadNode = new TkSchemaHandler().getNode(documentTo, "Payload");
                   Element payloadElement = (Element) payloadNode;
                   // xmlns is the prefix and the first parameter is the namespace URI
                   // xmlns exists without WSSE; printed by the XMLOutputter on Create
                   payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
                   // exists without WSSE
                   // not on Create, but included by the DigestOutputter on Verify
                   payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:soapenv", "http://schemas.xmlsoap.org/soap/envelope/");
                   // exists only with WSSE
                   payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                   Node timestampNode = new TkSchemaHandler().getNode(documentTo, "Timestamp");
                   Element timestampElement = (Element) timestampNode;
                   // exists without WSSE
                   // specified in the Outputter on Create as well as on Verify
                   timestampElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                   // exists only with WSSE; was probably only necessary because the WSSE signature accessed the wrong Timestamp.
                   // Create a DOMSignContext and specify the RSA PrivateKey and
                   // location of the resulting XMLSignature's parent element.
                   DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), payloadNode);
                   // Create the XMLSignature, but don't sign it yet.
                   XMLSignature signature = fac.newXMLSignature(si, ki);
                   // DomInfo.visualize(document);
                   SAXBuilderDemo2.print(documentTo); // debug dump of the document; helper class not shown in the post
                   // Marshal, generate, and sign the enveloped signature.
                   signature.sign(dsc);
              } catch (Exception exc) {
                   // keep the cause so the original stack trace is not lost
                   throw new RuntimeException(exc.getMessage(), exc);
              }
         }
    }
    VerifySignature.java:
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.OutputStream;
    import java.security.Key;
    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.Enumeration;
    import java.util.Iterator;
    import java.util.List;
    import javax.xml.crypto.dsig.CanonicalizationMethod;
    import javax.xml.crypto.dsig.DigestMethod;
    import javax.xml.crypto.dsig.Reference;
    import javax.xml.crypto.dsig.SignatureMethod;
    import javax.xml.crypto.dsig.SignedInfo;
    import javax.xml.crypto.dsig.Transform;
    import javax.xml.crypto.dsig.XMLSignature;
    import javax.xml.crypto.dsig.XMLSignatureFactory;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.dom.DOMValidateContext;
    import javax.xml.crypto.dsig.keyinfo.KeyInfo;
    import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
    import javax.xml.crypto.dsig.keyinfo.X509Data;
    import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
    import javax.xml.crypto.dsig.spec.TransformParameterSpec;
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;
    import org.w3c.dom.Document;
    import org.w3c.dom.Node;
    import org.w3c.dom.NodeList;
    import de.tk.schemaTools.TkSchemaHandler;
    public class VerifySignature {
         /**
          * @param args args[0] is the path of the signed SOAP message to verify
          */
         public static void main(String[] args) {
              try {
                   String filename = args[0];
                   System.out.println("Verify Document: " + filename);
                   XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
                   DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                   dbf.setNamespaceAware(true);
                   Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(filename));
                   // Find the Signature element. The generic lookup from the JSR 105 sample is left
                   // commented out; the XPath below selects the signature inside Payload instead.
                   // NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
                   // if (nl.getLength() == 0) {
                   //      throw new Exception("Cannot find Signature element");
                   // }
                   // Node node = nl.item(0);
                   Node node = TkSchemaHandler.getNode(doc,"/*[local-name()='Envelope' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']/*[local-name()='Body' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'][1]/*[local-name()='TelematikExecute' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Payload' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Signature' and namespace-uri()='http://www.w3.org/2000/09/xmldsig#'][1]");
                   if (node == null) {
                        throw new Exception("Cannot find Signature element");
                   }
                   // Create a DOMValidateContext and specify a KeySelector (X509KeySelector is the
                   // class from the JSR 105 samples) and the document context.
                   DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(), node);
                   // Unmarshal the XMLSignature.
                   XMLSignature signature = fac.unmarshalXMLSignature(valContext);
                   // Validate the XMLSignature.
                   boolean coreValidity = signature.validate(valContext);
                   // Check core validation status.
                   if (coreValidity == false) {
                        System.err.println("Signature failed core validation");
                        boolean sv = signature.getSignatureValue().validate(valContext);
                        System.out.println("signature validation status: " + sv);
                        // Check the validation status of each Reference. A digest mismatch shows up
                        // here even when the SignatureValue itself verifies, so always check.
                        Iterator<?> i = signature.getSignedInfo().getReferences().iterator();
                        for (int j = 0; i.hasNext(); j++) {
                             boolean refValid = ((Reference) i.next()).validate(valContext);
                             System.out.println("ref[" + j + "] validity status: " + refValid);
                        }
                   } else {
                        System.out.println("OK! Signature passed core validation!");
                   }
              } catch (Exception exc) {
                   exc.printStackTrace();
              }
         }
    }
    Questions:
    1. Do I really have to set all the namespace attributes? I thought with exclusive XML this should not be necessary. Is there any other solution?
    2. Do you think I got all the settings right in SignPayload.java?
    Thanks a lot in advance.
    Cheers !
    Nils

    It seems to be a bug with the JDK you are using. What is the JDK version you are using?
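    The namespace question in the thread above comes down to which canonicalization is applied to the Payload digest. The ds:CanonicalizationMethod in SignedInfo covers SignedInfo only. A Reference whose Transforms end with the enveloped-signature transform is digested with the default inclusive C14N, which copies every in-scope namespace declaration from the ancestors (xmlns:soapenv, xmlns:wsu, and so on) onto the Payload element; the digest therefore changes when the same Payload sits under a different envelope, which is why setting the xmlns attributes by hand appeared to fix it. Appending an exclusive C14N transform after the enveloped transform removes the dependency on ancestor declarations. The following is an added example (not code from the post or from the gematik/TK project) that signs a standalone Payload both ways with a freshly generated RSA key, imports the signed element into a SOAP envelope that declares extra namespaces, and verifies it in both places. The element names, the Id value and the use of RSA-SHA256/SHA-256 (Java 8 or later) are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class ReferenceC14nDemo {
    // Namespace URIs as used in the thread; the Payload content and Id="p1" are example assumptions.
    static final String TP = "http://ws.gematik.de/Schema/Telematik/Transport/V1";
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Signs a standalone Payload element with an enveloped signature and returns the signed element. */
    static Element signPayload(KeyPair kp, boolean excC14nInReference) throws Exception {
        Document doc = parse("<Payload xmlns=\"" + TP + "\" Id=\"p1\"><Parameter><Name>VSD</Name></Parameter></Payload>");
        Element payload = doc.getDocumentElement();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        List<Transform> transforms = new ArrayList<Transform>();
        transforms.add(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
        if (excC14nInReference) {
            // Without this, the node set left by the enveloped transform is digested with inclusive C14N.
            transforms.add(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        }
        Reference ref = fac.newReference("#p1", fac.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), payload);
        dsc.setIdAttributeNS(payload, null, "Id");   // lets "#p1" resolve without a DTD or schema
        fac.newXMLSignature(si, kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())))).sign(dsc);
        return payload;
    }

    /** Imports the signed Payload into a SOAP Body whose ancestors declare extra namespaces. */
    static Element moveIntoEnvelope(Element signedPayload) throws Exception {
        Document env = parse("<soapenv:Envelope xmlns:soapenv=\"" + SOAP + "\" xmlns:wsu=\"" + WSU + "\">"
                + "<soapenv:Body wsu:Id=\"id-1\"><TelematikExecute xmlns=\"" + TP + "\"/></soapenv:Body></soapenv:Envelope>");
        Element exec = (Element) env.getElementsByTagNameNS(TP, "TelematikExecute").item(0);
        return (Element) exec.appendChild(env.importNode(signedPayload, true));
    }

    /** Core validation of the signature found inside the given Payload element. */
    static boolean verify(Element payload, PublicKey pub) throws Exception {
        Element sig = (Element) payload.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(pub, sig);
        vc.setIdAttributeNS(payload, null, "Id");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        return fac.unmarshalXMLSignature(vc).validate(vc);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        for (boolean exc : new boolean[] { false, true }) {
            Element signed = signPayload(kp, exc);
            boolean standalone = verify(signed, kp.getPublic());
            boolean relocated = verify(moveIntoEnvelope(signed), kp.getPublic());
            System.out.println((exc ? "enveloped + exc-c14n" : "enveloped only")
                    + ": standalone=" + standalone + " relocated=" + relocated);
        }
    }
}
```

    With the enveloped transform alone the signature verifies where it was created but fails once the Payload is placed under an envelope that declares xmlns:soapenv and xmlns:wsu; with the exclusive C14N transform appended it verifies in both places, so no namespace attributes need to be set on the element by hand. The receiving side must of course also canonicalize the same way, which it does automatically because the transform is recorded in ds:Transforms.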

  • Making a PDF Form secure for emailing

    I have created an enrollment form with LiveCycle.  The employer will send the application to a new employee for them to fill out and they would like it emailed back to them.  I tried the submit button but that doesn't work because while the information they input is received in a .xml file the electronic signature does not transfer which is required.  Can I set it up encrypted so that only the information that is input is encrypted?  I am VERY new to creating forms and using LiveCycle.  Thank you!

    The way I think you are trying it in Reader won't give you what you need. If you want to hide the data in the XML email submission (from the email submit button), you need the newer capabilities in Designer 10.x to encrypt the submission. The XML contents will look like this after it is encrypted:
    <?xml version="1.0" encoding="UTF-8"?>
    <xfa:data xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"
    ><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="encrypteddata_2" Type="http://www.w3.org/2001/04/xmlenc#Element"
    ><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
    /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
    ><EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"
    ><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
    /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
    ><X509Data
    ><X509Certificate
    >MIICRTCCAa6gAwIBAgIKNvzDsAiaeyPYFDANBgkqhkiG9w0BAQUFADBTMREwDwYDVQQDEwhKb2hu
    IERvZTEJMAcGA1UEChMAMQkwBwYDVQQLEwAxGzAZBgkqhkiG9w0BCQEWDGpkb2VAYWJjLmNvbTEL
    MAkGA1UEBhMCVVMwHhcNMTExMTAzMjA1MjAwWhcNMTYxMTAzMjA1MjAwWjBTMREwDwYDVQQDEwhK
    b2huIERvZTEJMAcGA1UEChMAMQkwBwYDVQQLEwAxGzAZBgkqhkiG9w0BCQEWDGpkb2VAYWJjLmNv
    bTELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL12YAntp+1ZzsNpew5H
    +s5fwLjK3TdiFfMrJuV1jEG2xlvJPOvKujSeR+4iHlBTQbYxkZ5nvhkwQi9KDgeriuMjg/TclkJP
    CD0h//4fnP4tQqTUAZ92r6nMRqFxviEhysETMQl01SGDUlmSjhvWJctPU+krq+wwuwVbPJgU8Iu5
    AgMBAAGjIDAeMA8GCSqGSIb3LwEBCgQCBQAwCwYDVR0PBAQDAgSQMA0GCSqGSIb3DQEBBQUAA4GB
    AK+TIhyZZtYtxrVz5lq/zl8mczRnUCsJcapXJhY/oJnN2izALPAYnA4eBr7LBbl1Hf12op+LJuoU
    j5FHhB+eQzKlhqkC/alFwmGdxCBYUfpZKWGBUuuW+00mTCStsmTIaSi/XS6K+Y5+0fqAJ48y56lb
    o/kjbxSjzHWszfeOzafF</X509Certificate
    ></X509Data
    ></KeyInfo
    ><CipherData
    ><CipherValue
    >ADk2Kxut+M84Pi4B1ZC9znKFCz2rAfHYZNZ76fWK/eRE5QMC0NhCnQ5gFfrOLU9Wl/5FOTZMwQab
    F1PjdKaVys0TjOR51HH1A6D/ZUf7baBQ1XnKRW5kQR8xePwwDaRoyBopF8+XeWA6d8yRXvyZdLJa
    Hju2/gUR/M2HArKCtso=</CipherValue
    ></CipherData
    ></EncryptedKey
    ></KeyInfo
    ><CipherData
    ><CipherValue
    >uiKSewcq2Of8cIk7hRnjFmOpTo+XxN6AZM5PyT+k2d1mUuBlbJWxCk37EFiwVHRH5n4oOQkuFFhv
    +jopOPQLbthkdhiDzWHmAJhstaPcbvA=</CipherValue
    ></CipherData
    ><EncryptionProperties
    ><EncryptionProperty xfa:processingRule="replacementContent"
    ><form1
    /></EncryptionProperty
    ></EncryptionProperties
    ></EncryptedData
    ><signatures
    ><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="datasignature_2"
    ><SignedInfo
    ><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
    /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    /><Reference URI="#idbfea09cc-7f34-11e1-9c29-002710682eb5" Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties"
    ><Transforms
    ><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
    /></Transforms
    ><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
    /><DigestValue
    >O9E5XR6E+tkicSPa6HTZgkE9qhE=</DigestValue
    ></Reference
    ><Reference URI=""
    ><Transforms
    ><Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"
    ><XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Filter="intersect"
    >here()/ancestor::dsig:Signature[1]/../..//. |
    here()/ancestor::dsig:Signature[1]/../..//@* |
    here()/ancestor::dsig:Signature[1]/../..//namespace::*</XPath
    ></Transform
    ><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
    /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
    /></Transforms
    ><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
    /><DigestValue
    >v9suUKmCN2M3JeTTr2y5/L6ZY64=</DigestValue
    ></Reference
    ></SignedInfo
    ><SignatureValue
    >DYCW4mlxVOr+EmleCo56aohSGw93gtk2Wc5Rb7zlB8ukTSC9lozQM1rGLv4GykpQ+Ln+XhKCzVqv
    Z7jcISv2l+1rWWpBSyhve+szoWSoY90SEtPUwnJMwxeOy6fOyGx5MWCqVj6D308Pcu2dw7r3UMqc
    i6rSWUezvsPjfCBrcW8=</SignatureValue
    ><KeyInfo
    ><X509Data
    ><X509Certificate
    >MIICRTCCAa6gAwIBAgIKNvzDsAiaeyPYFDANBgkqhkiG9w0BAQUFADBTMREwDwYDVQQDEwhKb2hu
    IERvZTEJMAcGA1UEChMAMQkwBwYDVQQLEwAxGzAZBgkqhkiG9w0BCQEWDGpkb2VAYWJjLmNvbTEL
    MAkGA1UEBhMCVVMwHhcNMTExMTAzMjA1MjAwWhcNMTYxMTAzMjA1MjAwWjBTMREwDwYDVQQDEwhK
    b2huIERvZTEJMAcGA1UEChMAMQkwBwYDVQQLEwAxGzAZBgkqhkiG9w0BCQEWDGpkb2VAYWJjLmNv
    bTELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL12YAntp+1ZzsNpew5H
    +s5fwLjK3TdiFfMrJuV1jEG2xlvJPOvKujSeR+4iHlBTQbYxkZ5nvhkwQi9KDgeriuMjg/TclkJP
    CD0h//4fnP4tQqTUAZ92r6nMRqFxviEhysETMQl01SGDUlmSjhvWJctPU+krq+wwuwVbPJgU8Iu5
    AgMBAAGjIDAeMA8GCSqGSIb3LwEBCgQCBQAwCwYDVR0PBAQDAgSQMA0GCSqGSIb3DQEBBQUAA4GB
    AK+TIhyZZtYtxrVz5lq/zl8mczRnUCsJcapXJhY/oJnN2izALPAYnA4eBr7LBbl1Hf12op+LJuoU
    j5FHhB+eQzKlhqkC/alFwmGdxCBYUfpZKWGBUuuW+00mTCStsmTIaSi/XS6K+Y5+0fqAJ48y56lb
    o/kjbxSjzHWszfeOzafF</X509Certificate
    ></X509Data
    ></KeyInfo
    ><Object
    ><SignatureProperties Id="idbfea09cc-7f34-11e1-9c29-002710682eb5"
    ><SignatureProperty Target="datasignature_2"
    ><PROP_Sig xmlns="http://ns.adobe.com/pdf/2006" type="cabinet"
    ><M type="text"
    >D:20120405113353-04'00'</M
    ><Name type="text"
    >John</Name
    ></PROP_Sig
    ></SignatureProperty
    ></SignatureProperties
    ></Object
    ></Signature
    ></signatures
    ></xfa:data
    >
    In the Designer version you have (8.2), you only have the capability to sign the data or the entire form, which will not hide its values in the XML file that gets sent.
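    The submission above is plain XML Encryption: an EncryptedData carrying the form content under a content-encryption key, with that key wrapped for the recipient's certificate in an EncryptedKey inside KeyInfo. Whoever receives such files should check the algorithm identifiers before handing the file to a decryptor, because the two URIs shown in the sample, rsa-1_5 for key transport and aes256-cbc for content, are the ones XML Encryption 1.1 discourages: PKCS#1 v1.5 key transport is subject to Bleichenbacher-style adaptive chosen-ciphertext attacks and CBC without integrity protection to padding-oracle attacks. The following is an added example, not Adobe's or the poster's code; the XML inside it is a constructed, shortened copy of the element layout above with placeholder cipher values, and the policy it applies (require an AEAD content cipher, reject rsa-1_5) is the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class XmlEncAudit {
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";

    /** Constructed sample with the same element layout as the submission above; values are placeholders. */
    static final String SAMPLE =
        "<xfa:data xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">"
      + "<EncryptedData xmlns=\"" + XENC + "\" Id=\"encrypteddata_2\" Type=\"" + XENC + "Element\">"
      + "<EncryptionMethod Algorithm=\"" + XENC + "aes256-cbc\"/>"
      + "<KeyInfo xmlns=\"" + DSIG + "\"><EncryptedKey xmlns=\"" + XENC + "\">"
      + "<EncryptionMethod Algorithm=\"" + XENC + "rsa-1_5\"/>"
      + "<CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedKey></KeyInfo>"
      + "<CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedData></xfa:data>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The file comes from an untrusted sender: no DTDs, no entity expansion.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Algorithm URI of the EncryptionMethod that is a direct child of the given element, or null. */
    static String algorithmOf(Element parent) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i) instanceof Element) {
                Element e = (Element) kids.item(i);
                if (XENC.equals(e.getNamespaceURI()) && "EncryptionMethod".equals(e.getLocalName())) {
                    return e.getAttribute("Algorithm");
                }
            }
        }
        return null;
    }

    /** Findings for an encrypted submission; an empty list means the algorithm choice passes the policy. */
    static List<String> audit(Document doc) {
        List<String> findings = new ArrayList<String>();
        Element encData = (Element) doc.getElementsByTagNameNS(XENC, "EncryptedData").item(0);
        Element encKey = (Element) doc.getElementsByTagNameNS(XENC, "EncryptedKey").item(0);
        if (encData == null) {
            findings.add("no EncryptedData element: the submission is not encrypted");
            return findings;
        }
        String content = algorithmOf(encData);
        String wrap = encKey == null ? null : algorithmOf(encKey);
        // AES-GCM identifiers live in the xmlenc11 namespace and end in "-gcm".
        if (content == null || !content.endsWith("-gcm")) {
            findings.add("content cipher " + content + ": CBC without integrity protection is open to padding-oracle attacks; prefer AES-GCM");
        }
        if ((XENC + "rsa-1_5").equals(wrap)) {
            findings.add("key transport rsa-1_5: PKCS#1 v1.5 padding is open to Bleichenbacher-style attacks; prefer RSA-OAEP");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String f : audit(parse(SAMPLE))) {
            System.out.println("FINDING: " + f);
        }
    }
}
```

    Run against the constructed sample the audit reports both findings. Whether the Designer version in question can emit other algorithm identifiers is not something the thread says, so treat the policy as a receiving-side check rather than a statement about the product.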

  • Not validating signature with jsr 105

    Hi all.
    I'm using the jsr105 libraries xmldsig.jar and SunXmlSec-1.0.jar for signing a SAML token. I can sign the document apparently without problems, but when I try to validate it on the same server that signed it, I simply can't.
    This is my code for creating the signature:
    String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());
    // Reference to the whole document (URI "") with an enveloped-signature transform
    Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),
         Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
         null, null);
    // SignedInfo with inclusive C14N and RSA-SHA1
    SignedInfo si = fac.newSignedInfo(
         fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
         fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
         Collections.singletonList(ref));
    KeyStore ks2 = KeyStore.getInstance(KeyStore.getDefaultType());
    ks2.load(new FileInputStream("C:\\KM\\keystore"), "".toCharArray());
    // The lookup of pkEntry is not shown in the post; the alias and key password below are placeholders.
    KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks2.getEntry("<alias>",
         new KeyStore.PasswordProtection("<key password>".toCharArray()));
    X509Certificate cert = (X509Certificate) pkEntry.getCertificate();
    // KeyInfo with X509Data: subject name plus the signing certificate
    KeyInfoFactory kif = fac.getKeyInfoFactory();
    List<Object> x509Content = new ArrayList<Object>();
    x509Content.add(cert.getSubjectX500Principal().getName());
    x509Content.add(cert);
    X509Data xd = kif.newX509Data(x509Content);
    KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
    // Parse the assertion (ad is the XMLBeans AssertionDocument) into a namespace-aware DOM
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    Document doc = dbf.newDocumentBuilder().parse(ad.newInputStream());
    doc.normalizeDocument();
    // Sign as a child of the document element, using the "ds" prefix for the dsig namespace
    DOMSignContext dsc = new DOMSignContext(pkEntry.getPrivateKey(), doc.getDocumentElement());
    XMLSignature signature = fac.newXMLSignature(si, ki);
    dsc.setDefaultNamespacePrefix("ds");
    signature.sign(dsc);
    As you can see, I have added the prefix "ds" to it. Also, the namespace won't appear in the enveloping document (saml2:Assertion in my case) but in the envelope of my message.
    And this is my code for validating:
    OMElementImpl ghj=(OMElementImpl)XMLUtils.toOM((doc.getDocumentElement()));
    assertdoc=AssertionDocument.Factory.parse(ghj.getXMLStreamReader());
    assertdoc2=AssertionDocument.Factory.parse(node,options);
    assertdoc3=(OMElementImpl)XMLUtils.toOM((XMLUtils.newDocument(assertdoc2.newInputStream(options)).getDocumentElement()));
    asdo=AssertionDocument.Factory.parse(ghj.getXMLStreamReader());
    SignatureDocument sido=SignatureDocument.Factory.newInstance();
    sido.setSignature(asdo.getAssertion().getSignature());
    // The code above will take the signature document from the assertion document. It's made using xmlbeans with axis2
    DOMValidateContext valContext = new DOMValidateContext      (cert.getPublicKey(), sido.newDomNode());
    XMLSignature signature2 = fac.unmarshalXMLSignature(valContext);
    boolean coreValidity = signature2.validate(valContext);
    boolean coreValidity2 = signature2.getSignatureValue().validate(valContext);
    The result is that coreValidity2 is true but coreValidity is false. I don't know where the problem could be.
    Could someone help me? This is very important for me. Thanks in advance.
    EDIT: I have added the next code to see if references were ok as well:
    Iterator i = signature.getSignedInfo().getReferences().iterator();
         for (int j=0; i.hasNext(); j++) {
         boolean refValid = ((Reference) i.next()).validate(valContext);
         throw new Exception("ref["+j+"] validity status: " + refValid);
    and the validity status is true (there was only one reference, so forget about the for loop). So if the references and the signature are OK, how can I get a false from boolean coreValidity = signature2.validate(valContext); ?
    Thank you very much for your cooperation.
    Message was edited by:
    the_killer_tomato

    Hi SindhuCT,
    I can't speak for PDF-XChange Viewer as to whether or not they are correctly processing the signature. The only thing I can point out is you are hashing the bytes from the beginning of the file (byte 0) to byte 569. Then you are leaving a hole for the signature from byte 570 through byte 6416. You are then hashing from byte 6417 and marching off another 400 bytes, which gets you to byte 6817. Finally you are telling Acrobat/Reader to leave a hole from byte 6817 to the end of the file at byte 7830. The problem is you've got byte 6817 on both sides of the fence, as part of the signed data and as part of the second unsigned portion of the file. That's probably where your problem lies.
    Yes, the PDF specification does say you can include other ranges, but it also says that it's not recommended because you are not going to be checking for all changes to the document. The specification says you should sign the entire file, less the hole for the signature contents.
    Steve
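    The arithmetic in the reply above is the check a verifier should perform on a PDF /ByteRange before trusting what the signature covers: the array [a b c d] means bytes [a, a+b) and [c, c+d) are hashed, the gap [a+b, c) is the hole reserved for /Contents, and a signature over the whole document must start at byte 0, leave exactly one hole, and end at end of file. The following is an added example, not code from the thread or from any PDF product; it takes the offsets and the 7830-byte file length as they are described above as its sample input, and the definition of "full coverage" it enforces is the example's own reading of the byte-range rule.

```java
import java.util.ArrayList;
import java.util.List;

public class ByteRangeCheck {
    /**
     * Checks a PDF /ByteRange against the file length. Returns an empty list when the two ranges
     * cover the whole file except a single hole, otherwise one message per problem found.
     */
    static List<String> check(long[] byteRange, long fileLength) {
        List<String> problems = new ArrayList<String>();
        if (byteRange.length != 4) {
            problems.add("ByteRange must hold exactly two offset/length pairs, got " + byteRange.length + " numbers");
            return problems;
        }
        for (long v : byteRange) {
            if (v < 0) {
                problems.add("negative value in ByteRange");
                return problems;
            }
        }
        long start1 = byteRange[0], end1 = start1 + byteRange[1];   // exclusive end of first range
        long start2 = byteRange[2], end2 = start2 + byteRange[3];   // exclusive end of second range
        if (start1 != 0) {
            problems.add("signed data does not start at byte 0 (starts at " + start1 + ")");
        }
        if (end1 > start2) {
            problems.add("ranges overlap: first ends at " + end1 + ", second starts at " + start2);
        } else if (end1 == start2) {
            problems.add("no hole for /Contents between the two ranges");
        }
        if (end2 > fileLength) {
            problems.add("second range runs past end of file (" + end2 + " > " + fileLength + ")");
        } else if (end2 < fileLength) {
            problems.add("unsigned tail: bytes " + end2 + ".." + (fileLength - 1) + " are not covered by the signature");
        }
        return problems;
    }

    /** The hole [start, end) that must contain exactly the /Contents hex string, delimiters included. */
    static long[] hole(long[] byteRange) {
        return new long[] { byteRange[0] + byteRange[1], byteRange[2] };
    }

    public static void main(String[] args) {
        // Offsets as described in the reply above, for a file of 7830 bytes.
        long[] partial = { 0, 570, 6417, 400 };
        long[] h = hole(partial);
        System.out.println("hole for /Contents: bytes " + h[0] + ".." + (h[1] - 1));
        System.out.println("partial range: " + check(partial, 7830));
        // The shape a full-document signature has for the same file and the same hole.
        long[] full = { 0, 570, 6417, 7830 - 6417 };
        System.out.println("full range:    " + check(full, 7830));
    }
}
```

    For the offsets in the thread the checker reports the unsigned tail from byte 6817 to the end of the file; the second array shows the range a reader expects, where the second pair runs to end of file and only the /Contents hole is excluded. A real verifier would additionally read the /Contents string and confirm it fills the hole exactly.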

  • Pls advice me how to add X509IssuerSerial to SOAP

    Hi Java expert guys...
    I'm trying to make a signed SOAP message.
    So I made my programming code like the below.
    FileInputStream fis = new FileInputStream("d:\\signCert.der");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
    sig.addKeyInfo(cert.getPublicKey());
    sig.addKeyInfo(cert);
    But I just get the below, without X509IssuerSerial.
    <ds:KeyInfo>
    <ds:KeyValue>
    <ds:RSAKeyValue> <ds:Modulus>0kAPK6BMhiMTVia+XwXYDLhdD1+ZDcb86r17js68IzbbZYgUwMeu2yEe8zx+/pZsBD3jM89XaGWEeHTBo/QOQa0ZgBm135P4ce+7fhksL8UyanVXR/evzLyghTFaHK22jOkZWlcs2R85UnVH561qO+WMxK59aRvYF06IXlRaDW8=
    </ds:Modulus>
    <ds:Exponent>AQAB</ds:Exponent>
    </ds:RSAKeyValue>
    </ds:KeyValue>
    <ds:X509Data>
    <ds:X509Certificate>MIIFXjCCBEagAw.....
    </ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    I cannot find out the way to add X509IssuerSerial to the above <ds:X509Data>, like the below.
    <ds:X509Data>
    <ds:X509IssuerSerial>
    <ds:X509IssuerName>ou=ttt,ou=LicensedCA,o=ttt,c=KR</ds:X509IssuerName>
    <ds:X509SerialNumber>123456</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509SubjectName>cnxxx,ou=xxx,ou=LicensedCA,o=xxx,c=KR</ds:X509SubjectName>
    <ds:X509Certificate>MIIFXjCCBEagAw.....
    </ds:X509Certificate>
    </ds:X509Data>
    If there is someone who knows this, please advise me.
    Thanks...
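    The poster uses the Apache XML Security API (sig.addKeyInfo). In the JDK's JSR 105 API, which the other Java posts on this page use, an X509IssuerSerial is created with KeyInfoFactory.newX509IssuerSerial and goes into the same X509Data content list as the subject name string and the certificate, in that order. The following is an added example, not the poster's code: it builds the X509Data layout shown above from a DER certificate whose path is given on the command line (an assumption; the poster's d:\signCert.der would do), prints the resulting ds:KeyInfo, and also shows the verification side that makes X509IssuerSerial worth emitting: a KeySelector that uses issuer name and serial number only as a lookup key into certificates trusted out of band and never takes the key from the embedded ds:X509Certificate, since everything inside KeyInfo is sender-controlled until it has been matched against something already trusted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.Key;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.keyinfo.X509IssuerSerial;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;

public class IssuerSerialKeyInfo {

    /** ds:KeyInfo/ds:X509Data with X509IssuerSerial, X509SubjectName and X509Certificate, in that order. */
    static KeyInfo buildKeyInfo(KeyInfoFactory kif, X509Certificate cert) {
        List<Object> x509Content = new ArrayList<Object>();
        // getName() gives the RFC 2253 form that XMLDSIG expects in X509IssuerName
        x509Content.add(kif.newX509IssuerSerial(cert.getIssuerX500Principal().getName(), cert.getSerialNumber()));
        x509Content.add(cert.getSubjectX500Principal().getName());
        x509Content.add(cert);
        X509Data xd = kif.newX509Data(x509Content);
        return kif.newKeyInfo(Collections.singletonList(xd));
    }

    /** Marshals the KeyInfo into a fresh DOM and serialises it, to show the elements it produces. */
    static String toXml(KeyInfo ki) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        ki.marshal(new DOMStructure(doc), null);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** Resolves X509IssuerSerial against a trusted set; the embedded certificate is never used as the key. */
    static final class IssuerSerialKeySelector extends KeySelector {
        private final Map<String, X509Certificate> trusted = new HashMap<String, X509Certificate>();

        IssuerSerialKeySelector(List<X509Certificate> trustedCerts) {
            for (X509Certificate c : trustedCerts) {
                trusted.put(key(c.getIssuerX500Principal().getName(), c.getSerialNumber()), c);
            }
        }

        // Both sides are produced by X500Principal.getName(), so the string forms are comparable here;
        // when the issuer name comes from a foreign signer, compare X500Principal objects instead.
        private static String key(String issuer, BigInteger serial) {
            return issuer + "|" + serial;
        }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                XMLCryptoContext context) throws KeySelectorException {
            for (Object o : keyInfo.getContent()) {
                if (!(o instanceof X509Data)) continue;
                for (Object item : ((X509Data) o).getContent()) {
                    if (!(item instanceof X509IssuerSerial)) continue;
                    X509IssuerSerial is = (X509IssuerSerial) item;
                    final X509Certificate c = trusted.get(key(is.getIssuerName(), is.getSerialNumber()));
                    if (c != null) {
                        return new KeySelectorResult() {
                            public Key getKey() { return c.getPublicKey(); }
                        };
                    }
                }
            }
            throw new KeySelectorException("no trusted certificate matches the X509IssuerSerial in KeyInfo");
        }
    }

    public static void main(String[] args) throws Exception {
        InputStream in = new FileInputStream(args[0]);   // path of a DER certificate (assumption)
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        in.close();
        KeyInfoFactory kif = XMLSignatureFactory.getInstance("DOM").getKeyInfoFactory();
        KeyInfo ki = buildKeyInfo(kif, cert);
        System.out.println(toXml(ki));
        // Found when the certificate is in the trusted set, rejected when the set is empty.
        KeySelector trusting = new IssuerSerialKeySelector(Collections.singletonList(cert));
        System.out.println("trusted lookup -> " + trusting.select(ki, KeySelector.Purpose.VERIFY, null, null).getKey().getAlgorithm());
        try {
            new IssuerSerialKeySelector(Collections.<X509Certificate>emptyList()).select(ki, KeySelector.Purpose.VERIFY, null, null);
        } catch (KeySelectorException e) {
            System.out.println("untrusted lookup -> " + e.getMessage());
        }
    }
}
```

    Passing an instance of IssuerSerialKeySelector to DOMValidateContext in place of a raw public key makes XMLSignature.validate resolve the key the same way, and it fails closed when the issuer/serial is not one you provisioned.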

    Hi SG,
    But when I enter the name of the web report BRD_MM_01 after opening the report, I was clicking on Publish ---> as BEx Broadcaster, and a new screen comes up with logon details.
    After entering the logon details it is showing me the settings for new users, like Create Settings.
    I was not able to add the new users in that, because after entering the username and mail IDs it's giving me the message that these users are not valid BW users.
    But for automatic broadcast of this report there is no need for a BW user, i.e. I can broadcast this report to any user (right or not?).
    And also it is asking me for the role of the user.
    Please advise me.
    Thanks in advance,
    Regards,
    Kumar.

  • Urgent -please- how can I insert my context into proxy request ?

    here is part of my request after I have transformed it to the BS request.
    Routed Service
              Route to: "SkatEtilAndelsbogAnmeldelseSvarService"
         $outbound:
         <con:endpoint      name="BusinessService$dk.skat.etil$bz$SkatEtilAndelsbogAnmeldelseSvarService" xmlns:con="http://www.bea.com/wli/sb/context">
         <con:service>
         <con:operation>getAnmeldelseKvitteringModtag</con:operation>
         </con:service>
         <con:transport>
         <con:mode>request-response</con:mode>
         <con:qualityOfService>best-effort</con:qualityOfService>
         <con:request      xsi:type="http:HttpRequestMetaData" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <tran:headers      xsi:type="http:HttpRequestHeaders" xmlns:tran="http://www.bea.com/wli/sb/transports">
         <http:Content-Type>text/xml</http:Content-Type>
         <http:SOAPAction>
         "http://skat.dk/etil/2011/02/11/getAnmeldelseKvitteringModtag"
         </http:SOAPAction>
         </tran:headers>
         </con:request>
         </con:transport>
         <con:security>
         <con:doOutboundWss>true</con:doOutboundWss>
         </con:security>
         </con:endpoint>
         $body (request):
         <soapenv:Body      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <ns:Kontekst      xmlns:ns20="http://skat.dk/etil/2011/02/11/" xmlns:ns="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/">
         <TransaktionsID>34c768d8-4f6d-4194-93b7-e77ffa8c76e6</TransaktionsID>
         <TransaktionsTid>2011-06-30T14:40:15.105+02:00</TransaktionsTid>
         </ns:Kontekst>
         <ns:AnmeldelseKvitteringModtag_I      xmlns:ns="http://skat.dk/etil/2011/02/11/">
         <ns1:AnmeldelseKvitteringModtag      xmlns:ns1="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/">
    my problem is how can I insert the
    <ns:Kontekst      xmlns:ns20="http://skat.dk/etil/2011/02/11/" xmlns:ns="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/">
         <TransaktionsID>34c768d8-4f6d-4194-93b7-e77ffa8c76e6</TransaktionsID>
         <TransaktionsTid>2011-06-30T14:40:15.105+02:00</TransaktionsTid>
         </ns:Kontekst>
    inside
    <ns:AnmeldelseKvitteringModtag_I      xmlns:ns="http://skat.dk/etil/2011/02/11/">
    The context is generated using this:
    <ns:Kontekst xmlns:ns20="http://skat.dk/etil/2011/02/11/">
    <TransaktionsID>{fn-bea:uuid()}</TransaktionsID>
    <TransaktionsTid>{fn:current-dateTime()}</TransaktionsTid>
    </ns:Kontekst>

    request before context:
    <ns2:AnmeldelseKvitteringModtag xmlns:ns="http://rep.oio.dk/tinglysning.dk/schema/model/1/" xmlns:ns1="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/" xmlns:xd="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/">
    <ns:AnmeldelseIdentifikator>string</ns:AnmeldelseIdentifikator>
    <ns:AktoerReference>
    <ns:AktoerID>string</ns:AktoerID>
    <ns:KorrelationID>string</ns:KorrelationID>
    </ns:AktoerReference>
    <!--Optional:-->
    <ns:SagsReference>string</ns:SagsReference>
    <ns1:KoeIndikator>false</ns1:KoeIndikator>
    <ns1:ProeveTinglysningIndikator>true</ns1:ProeveTinglysningIndikator>
    <xd:Signature Id="string">
    <xd:SignedInfo Id="string">
    <xd:CanonicalizationMethod Algorithm="http://www.your.org/aeoliam/quae">
    ventos
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    verrantque
    </xd:CanonicalizationMethod>
    <xd:SignatureMethod Algorithm="http://www.sample.org/turbine/circum">
    regemque
    <!--Optional:-->
    <xd:HMACOutputLength>100</xd:HMACOutputLength>
    nimborum
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    fremunt
    </xd:SignatureMethod>
    <!--1 or more repetitions:-->
    <xd:Reference Id="string" URI="http://www.my.com/profundum/sceptra" Type="http://www.test.com/iovis/flammato">
    <!--Optional:-->
    <xd:Transforms>
    <!--1 or more repetitions:-->
    <xd:Transform Algorithm="http://www.sample.com/bella/nubibus">
    flammas
    <!--You have a CHOICE of the next 2 items at this level-->
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    <xd:XPath>string</xd:XPath>
    ac
    </xd:Transform>
    </xd:Transforms>
    <xd:DigestMethod Algorithm="http://www.my.com/ac/caelumque">
    speluncis
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    circum
    </xd:DigestMethod>
    <xd:DigestValue>YXJpcw==</xd:DigestValue>
    </xd:Reference>
    </xd:SignedInfo>
    <xd:SignatureValue Id="string">Y29uaXVueA==</xd:SignatureValue>
    <!--Optional:-->
    <xd:KeyInfo Id="string">
    praeterea
    <!--You have a CHOICE of the next 8 items at this level-->
    <xd:KeyName>string</xd:KeyName>
    <xd:KeyValue>
    arce
    <!--You have a CHOICE of the next 3 items at this level-->
    <xd:DSAKeyValue>
    <xd:P>Y2xhdXN0cmE=</xd:P>
    <xd:Q>Y2lyY3Vt</xd:Q>
    <!--Optional:-->
    <xd:G>aW1wZXJpbw==</xd:G>
    <xd:Y>Y2VydG8=</xd:Y>
    <!--Optional:-->
    <xd:J>cXVpc3F1YW0=</xd:J>
    <xd:Seed>ZXQ=</xd:Seed>
    <xd:PgenCounter>YWM=</xd:PgenCounter>
    </xd:DSAKeyValue>
    <xd:RSAKeyValue>
    <xd:Modulus>ZmV0YQ==</xd:Modulus>
    <xd:Exponent>YWM=</xd:Exponent>
    </xd:RSAKeyValue>
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    sed
    </xd:KeyValue>
    <xd:RetrievalMethod URI="http://www.test.org/pectore/austris" Type="http://www.your.gov/certo/dare">
    <!--Optional:-->
    <xd:Transforms>
    <!--1 or more repetitions:-->
    <xd:Transform Algorithm="http://www.any.com/volutans/dedit">
    faciat
    <!--You have a CHOICE of the next 2 items at this level-->
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    <xd:XPath>string</xd:XPath>
    magno
    </xd:Transform>
    </xd:Transforms>
    </xd:RetrievalMethod>
    <xd:X509Data>
    <!--You have a CHOICE of the next 6 items at this level-->
    <xd:X509IssuerSerial>
    <xd:X509IssuerName>string</xd:X509IssuerName>
    <xd:X509SerialNumber>100</xd:X509SerialNumber>
    </xd:X509IssuerSerial>
    <xd:X509SKI>ZXQ=</xd:X509SKI>
    <xd:X509SubjectName>string</xd:X509SubjectName>
    <xd:X509Certificate>YWM=</xd:X509Certificate>
    <xd:X509CRL>ZXQ=</xd:X509CRL>
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    </xd:X509Data>
    <xd:PGPData>
    <!--You have a CHOICE of the next 2 items at this level-->
    <xd:PGPKeyID>cmVnZW1xdWU=</xd:PGPKeyID>
    <!--Optional:-->
    <xd:PGPKeyPacket>YW5ub3M=</xd:PGPKeyPacket>
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    <xd:PGPKeyPacket>aW5maXhpdA==</xd:PGPKeyPacket>
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    </xd:PGPData>
    <xd:SPKIData>
    <xd:SPKISexp>dmVudG9z</xd:SPKISexp>
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    </xd:SPKIData>
    <xd:MgmtData>string</xd:MgmtData>
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    tenens
    </xd:KeyInfo>
    <!--Zero or more repetitions:-->
    <xd:Object Id="string" MimeType="string" Encoding="http://www.my.org/rapidum/habenas">
    insuper
    <!--You may enter ANY elements at this point-->
    <AnyElement/>
    mollitque
    </xd:Object>
    </xd:Signature>
    </ns2:AnmeldelseKvitteringModtag>
    This is after the transformation.
    Routed Service
              Route to: "SkatEtilAndelsbogAnmeldelseSvarService"
         $outbound:
         <con:endpoint      name="BusinessService$dk.skat.etil$bz$SkatEtilAndelsbogAnmeldelseSvarService" xmlns:con="http://www.bea.com/wli/sb/context">
         <con:service>
         <con:operation>getAnmeldelseKvitteringModtag</con:operation>
         </con:service>
         <con:transport>
         <con:mode>request-response</con:mode>
         <con:qualityOfService>best-effort</con:qualityOfService>
         <con:request      xsi:type="http:HttpRequestMetaData" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <tran:headers      xsi:type="http:HttpRequestHeaders" xmlns:tran="http://www.bea.com/wli/sb/transports">
         <http:Content-Type>text/xml</http:Content-Type>
         <http:SOAPAction>
         "http://skat.dk/etil/2011/02/11/getAnmeldelseKvitteringModtag"
         </http:SOAPAction>
         </tran:headers>
         </con:request>
         </con:transport>
         <con:security>
         <con:doOutboundWss>true</con:doOutboundWss>
         </con:security>
         </con:endpoint>
         $body (request):
         <soapenv:Body      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <ns:Kontekst      xmlns:ns20="http://skat.dk/etil/2011/02/11/" xmlns:ns="http://rep.oio.dk/cpr.dk/xml/schemas/core/2005/03/18/">
         <TransaktionsID>93235d7a-131d-45a7-a36b-34fd9c83343f</TransaktionsID>
         <TransaktionsTid>2011-06-30T15:35:55.567+02:00</TransaktionsTid>
         </ns:Kontekst>
         <ns:AnmeldelseKvitteringModtag_I      xmlns:ns="http://skat.dk/etil/2011/02/11/">
         <ns1:AnmeldelseKvitteringModtag      xmlns:ns1="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/">
         <ns2:AnmeldelseIdentifikator      xmlns:ns2="http://rep.oio.dk/tinglysning.dk/schema/model/1/">string</ns2:AnmeldelseIdentifikator>
         <ns2:AktoerReference      xmlns:ns2="http://rep.oio.dk/tinglysning.dk/schema/model/1/">
         <ns3:AktoerID      xmlns:ns1="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/" xmlns:ns="http://rep.oio.dk/tinglysning.dk/schema/model/1/" xmlns:ns2="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/" xmlns:xd="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://rep.oio.dk/tinglysning.dk/schema/model/1/">string</ns3:AktoerID>
         <ns3:KorrelationID      xmlns:ns1="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/" xmlns:ns="http://rep.oio.dk/tinglysning.dk/schema/model/1/" xmlns:ns2="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/" xmlns:xd="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://rep.oio.dk/tinglysning.dk/schema/model/1/">string</ns3:KorrelationID>
         </ns2:AktoerReference>
         <ns2:SagsReference      xmlns:ns2="http://rep.oio.dk/tinglysning.dk/schema/model/1/">string</ns2:SagsReference>
         <ns2:KoeIndikator      xmlns:ns2="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/">false</ns2:KoeIndikator>
         <ns2:ProeveTinglysningIndikator      xmlns:ns2="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/">true</ns2:ProeveTinglysningIndikator>
         <xd:Signature      Id="string" xmlns:xd="http://www.w3.org/2000/09/xmldsig#">
         <xd:SignedInfo      Id="string" xmlns:ns1="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/" xmlns:ns="http://rep.oio.dk/tinglysning.dk/schema/model/1/" xmlns:ns2="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/">
         <xd:CanonicalizationMethod      Algorithm="http://www.your.org/aeoliam/quae">
         ventos
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         verrantque
         </xd:CanonicalizationMethod>
         <xd:SignatureMethod      Algorithm="http://www.sample.org/turbine/circum">
         regemque
         <!--Optional:-->
         <xd:HMACOutputLength>100</xd:HMACOutputLength>
         nimborum
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         fremunt
         </xd:SignatureMethod>
         <!--1 or more repetitions:-->
         <xd:Reference      Id="string" URI="http://www.my.com/profundum/sceptra" Type="http://www.test.com/iovis/flammato">
         <!--Optional:-->
         <xd:Transforms>
         <!--1 or more repetitions:-->
         <xd:Transform      Algorithm="http://www.sample.com/bella/nubibus">
         flammas
         <!--You have a CHOICE of the next 2 items at this level-->
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         <xd:XPath>string</xd:XPath>
         ac
         </xd:Transform>
         </xd:Transforms>
         <xd:DigestMethod      Algorithm="http://www.my.com/ac/caelumque">
         speluncis
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         circum
         </xd:DigestMethod>
         <xd:DigestValue>YXJpcw==</xd:DigestValue>
         </xd:Reference>
         </xd:SignedInfo>
         <xd:SignatureValue      Id="string" xmlns:ns1="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/" xmlns:ns="http://rep.oio.dk/tinglysning.dk/schema/model/1/" xmlns:ns2="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/">Y29uaXVueA==</xd:SignatureValue>
         <!--Optional:-->
         <xd:KeyInfo      Id="string" xmlns:ns1="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/" xmlns:ns="http://rep.oio.dk/tinglysning.dk/schema/model/1/" xmlns:ns2="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/">
         praeterea
         <!--You have a CHOICE of the next 8 items at this level-->
         <xd:KeyName>string</xd:KeyName>
         <xd:KeyValue>
         arce
         <!--You have a CHOICE of the next 3 items at this level-->
         <xd:DSAKeyValue>
         <xd:P>Y2xhdXN0cmE=</xd:P>
         <xd:Q>Y2lyY3Vt</xd:Q>
         <!--Optional:-->
         <xd:G>aW1wZXJpbw==</xd:G>
         <xd:Y>Y2VydG8=</xd:Y>
         <!--Optional:-->
         <xd:J>cXVpc3F1YW0=</xd:J>
         <xd:Seed>ZXQ=</xd:Seed>
         <xd:PgenCounter>YWM=</xd:PgenCounter>
         </xd:DSAKeyValue>
         <xd:RSAKeyValue>
         <xd:Modulus>ZmV0YQ==</xd:Modulus>
         <xd:Exponent>YWM=</xd:Exponent>
         </xd:RSAKeyValue>
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         sed
         </xd:KeyValue>
         <xd:RetrievalMethod      URI="http://www.test.org/pectore/austris" Type="http://www.your.gov/certo/dare">
         <!--Optional:-->
         <xd:Transforms>
         <!--1 or more repetitions:-->
         <xd:Transform      Algorithm="http://www.any.com/volutans/dedit">
         faciat
         <!--You have a CHOICE of the next 2 items at this level-->
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         <xd:XPath>string</xd:XPath>
         magno
         </xd:Transform>
         </xd:Transforms>
         </xd:RetrievalMethod>
         <xd:X509Data>
         <!--You have a CHOICE of the next 6 items at this level-->
         <xd:X509IssuerSerial>
         <xd:X509IssuerName>string</xd:X509IssuerName>
         <xd:X509SerialNumber>100</xd:X509SerialNumber>
         </xd:X509IssuerSerial>
         <xd:X509SKI>ZXQ=</xd:X509SKI>
         <xd:X509SubjectName>string</xd:X509SubjectName>
         <xd:X509Certificate>YWM=</xd:X509Certificate>
         <xd:X509CRL>ZXQ=</xd:X509CRL>
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         </xd:X509Data>
         <xd:PGPData>
         <!--You have a CHOICE of the next 2 items at this level-->
         <xd:PGPKeyID>cmVnZW1xdWU=</xd:PGPKeyID>
         <!--Optional:-->
         <xd:PGPKeyPacket>YW5ub3M=</xd:PGPKeyPacket>
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         <xd:PGPKeyPacket>aW5maXhpdA==</xd:PGPKeyPacket>
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         </xd:PGPData>
         <xd:SPKIData>
         <xd:SPKISexp>dmVudG9z</xd:SPKISexp>
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         </xd:SPKIData>
         <xd:MgmtData>string</xd:MgmtData>
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         tenens
         </xd:KeyInfo>
         <!--Zero or more repetitions:-->
         <xd:Object      Id="string" MimeType="string" Encoding="http://www.my.org/rapidum/habenas" xmlns:ns1="http://rep.oio.dk/tinglysning.dk/schema/anmeldelse/1/" xmlns:ns="http://rep.oio.dk/tinglysning.dk/schema/model/1/" xmlns:ns2="http://rep.oio.dk/tinglysning.dk/svarservice/message/anmeldelse/1/">
         insuper
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         mollitque
         </xd:Object>
         </xd:Signature>
         </ns1:AnmeldelseKvitteringModtag>
         </ns:AnmeldelseKvitteringModtag_I>
         </soapenv:Body>

  • XMLSig: validating an XML document incl. all certificates

    Hello,
    I have created an XML document signed with a certificate. I have added the whole certification chain (first entry the user's certificate, last the CA) to the document:
    X509Data x509d = kif.newX509Data(Arrays.asList(myChain));
    ki = kif.newKeyInfo(Collections.singletonList(x509d));
    ...The document validates perfectly with the XMLSignature.validate method, but I am not sure if this method validates the certificates. I suppose not.
    Are there any standard processes to validate the X509 certification chain from an XML-signed document? Or do I have to retrieve and verify all certificates myself? If so, how? I have my very own KeySelector but I have no idea how to use it to retrieve my certificates:
        import java.security.Key;
        import java.security.PublicKey;
        import java.security.cert.X509Certificate;
        import java.util.List;
        import javax.xml.crypto.AlgorithmMethod;
        import javax.xml.crypto.KeySelector;
        import javax.xml.crypto.KeySelectorException;
        import javax.xml.crypto.KeySelectorResult;
        import javax.xml.crypto.XMLCryptoContext;
        import javax.xml.crypto.XMLStructure;
        import javax.xml.crypto.dsig.keyinfo.KeyInfo;
        import javax.xml.crypto.dsig.keyinfo.X509Data;

        // Enclosing class added so that the two nested classes compile; its name is a placeholder.
        public class SignatureValidation {

            private static class X509CertKeySelector extends KeySelector {
                @SuppressWarnings({"LoopStatementThatDoesntLoop"})
                public KeySelectorResult select(KeyInfo keyInfo,
                                                KeySelector.Purpose purpose,
                                                AlgorithmMethod method,
                                                XMLCryptoContext context)
                        throws KeySelectorException {
                    if (keyInfo == null) {
                        throw new KeySelectorException("Null KeyInfo object!");
                    }
                    List list = keyInfo.getContent();
                    for (Object aList : list) {
                        XMLStructure xmlStructure = (XMLStructure) aList;
                        if (xmlStructure instanceof X509Data) {
                            try {
                                X509Data xd = (X509Data) xmlStructure;
                                // X509Data may also carry X509IssuerSerial/X509SKI/X509CRL entries;
                                // toArray then fails with ArrayStoreException, not ClassCastException
                                X509Certificate[] certs = (X509Certificate[]) xd.getContent().toArray(new X509Certificate[0]);
                                return new X509CertChainSelectorResult(certs);
                            } catch (ArrayStoreException | ClassCastException e) {
                                throw new KeySelectorException("X509Data must contain X509 certificate list", e);
                            }
                        } else {
                            throw new KeySelectorException("KeyInfo doesn`t contain X509Data");
                        }
                    }
                    throw new KeySelectorException("No KeyValue element found!");
                }
            }

            private static class X509CertChainSelectorResult implements KeySelectorResult {
                private X509Certificate[] certificates;

                X509CertChainSelectorResult(X509Certificate[] certs) {
                    this.certificates = certs;
                    for (X509Certificate c : certificates) {
                        System.out.println(c);
                    }
                }

                public X509Certificate[] getCertificates() {
                    return certificates;
                }

                public Key getKey() {
                    if (certificates != null && certificates.length > 0) {
                        PublicKey publicKey = certificates[0].getPublicKey();
                        return publicKey;
                    } else {
                        return null;
                    }
                }
            }
        }
    PS - the certificates are stored in BASE64 encoding; I would prefer something "nicer". XMLSig allows storing certificates in the XML way... what's the trick to store the certification chain in the XML human-readable format?

    Verifying the chain (with the root certificate in a secure store) is only part of the whole verifying process. You also need to verify that the signature is over the correct data, and that the correct transformations have taken place. This is missing from the documentation. You might also need a CRL or other way to revoke certificates, depending on the usage of the library.

    Thank you, but what do you mean by correct data and transformation? XMLDigSig will do it for me, won't it? You are absolutely right with CRLs, in my TODO list... :-D
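    Putting the reply's points into code, as an added example (not the poster's code and not part of the JDK API): a KeySelector that runs PKIX path validation over the X509Data chain against a trust store before handing out the signer's key, followed by the Reference and Transform checks that XMLSignature.validate leaves to the caller. The class name, the expected Reference URI ("" for an enveloped signature over the whole document) and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Hypothetical helper (not the poster's code): hands out the signer's key only after the X509Data chain validates. */
public class ChainValidatingKeySelector extends KeySelector {
    private final PKIXParameters pkix;

    public ChainValidatingKeySelector(KeyStore trustStore, boolean checkRevocation) throws Exception {
        pkix = new PKIXParameters(trustStore);      // trusted-certificate entries become the trust anchors
        pkix.setRevocationEnabled(checkRevocation); // true = CRL/OCSP checks (needs network or a CertStore)
    }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod method,
                                    XMLCryptoContext context) throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("Null KeyInfo");
        List<X509Certificate> chain = new ArrayList<>();   // document order: signer first, CA last
        for (Object item : keyInfo.getContent()) {
            if (!(item instanceof X509Data)) continue;
            for (Object c : ((X509Data) item).getContent()) {
                if (c instanceof X509Certificate) chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) throw new KeySelectorException("KeyInfo carries no X509Certificate");
        // PKIX expects the path to end AT the anchor, not to include it: drop a trailing self-signed root.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
            chain.remove(chain.size() - 1);
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            CertPathValidator.getInstance("PKIX").validate(path, pkix); // throws: untrusted/expired/revoked
        } catch (Exception e) {
            throw new KeySelectorException("Chain in KeyInfo is not trusted: " + e.getMessage(), e);
        }
        final Key signerKey = chain.get(0).getPublicKey();
        return new KeySelectorResult() { public Key getKey() { return signerKey; } };
    }

    /** Core validation plus the checks it leaves to the caller: WHAT was signed and HOW. */
    public static boolean verify(Document doc, KeyStore trustStore, boolean checkRevocation,
                                 String expectedReferenceUri) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;   // exactly one signature; refuse injected extras
        DOMValidateContext ctx = new DOMValidateContext(
                new ChainValidatingKeySelector(trustStore, checkRevocation), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // JDK hardening switch
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;      // SignatureValue over SignedInfo + every Reference digest
        for (Object r : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) r;
            if (!expectedReferenceUri.equals(ref.getURI())) return false;   // pin what must be covered
            for (Object t : ref.getTransforms()) {
                String alg = ((Transform) t).getAlgorithm();
                if (!Transform.ENVELOPED.equals(alg) && !CanonicalizationMethod.INCLUSIVE.equals(alg)
                        && !CanonicalizationMethod.EXCLUSIVE.equals(alg)) return false; // no XPath/XSLT
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception { // args: signed.xml truststore password
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                          // XMLDSig needs namespaces
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / XXE
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(new FileInputStream(args[1]), args[2].toCharArray());
        System.out.println(verify(doc, ts, false, "") ? "VALID" : "INVALID"); // "" = enveloped whole doc
    }
}
```

    The trust store must hold the root as a trusted-certificate entry; with checkRevocation set to true the JDK consults CRL distribution points and OCSP, which covers the CRL point raised in the reply.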

  • SOAP 1.2 web service fails when SOAP header has digital signatures

    Hi,
    When we upgraded our JAX-RPC web services from SOAP 1.1 to SOAP 1.2, they started failing with the following response.
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Header>
    <env:Upgrade>
    <env:SupportedEnvelope xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"
    qname="soap12:Envelope"/>
    </env:Upgrade>
    </env:Header>
    <env:Body>
    <env:Fault xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <faultcode>env:VersionMismatch</faultcode>
    <faultstring>Version Mismatch</faultstring>
    <faultactor>http://schemas.xmlsoap.org/soap/actor/next</faultactor>
    </env:Fault>
    </env:Body>
    </env:Envelope>
    The following two errors were in log.xml:
    An error occurred for port: {http://xxx.xxx.xxx/xxx/1.0/ws/TestService}TestServicePort: oracle.j2ee.ws.common.soap.fault.SOAP11VersionMismatchException: Version Mismatch.
    Unable to determine operation id from SOAP Message.
    We use web service handlers to add and verify digital signatures. The request message seems to be making it to the web service but is failing before reaching the web service handler which verifies the digital signature.
    Everything works fine when we don't add the digital signatures. The SOAP message without the digital signature doesn't have the SOAP header. I've listed the SOAP message with the digital signature below.
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
         xmlns:ns0="http://xxx.xxx.xxx/1.4/"
         xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <env:Header>
              <wsse:Security
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
                             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                             <ds:Reference URI="#Body">
                                  <ds:Transforms>
                                       <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
                                  </ds:Transforms>
                                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                                  <ds:DigestValue>...</ds:DigestValue>
                             </ds:Reference>
                        </ds:SignedInfo>
                        <ds:SignatureValue>
                        </ds:SignatureValue>
                        <ds:KeyInfo>
                             <ds:X509Data>
                                  <ds:X509Certificate>
                                  </ds:X509Certificate>
                             </ds:X509Data>
                             <ds:KeyValue>
                                  <ds:RSAKeyValue>
                                       <ds:Modulus>
                                       </ds:Modulus>
                                       <ds:Exponent>AQAB</ds:Exponent>
                                  </ds:RSAKeyValue>
                             </ds:KeyValue>
                        </ds:KeyInfo>
                   </ds:Signature>
              </wsse:Security>
         </env:Header>
         <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body">
              <ns0:SearchRequestMessage
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:gml="http://www.opengis.net/gml"
                   xmlns:xxx="http://xxx.xxx.xxxl/1.4/"
                   xmlns:ns5="http://www.w3.org/1999/xlink"
                   >
                   <xxx:SearchCriteria itemsPerPage="10" maxTimeOut="180000" startIndex="1" startPage="1" totalResults="25">
                   </xxx:SearchCriteria>
              </ns0:SearchRequestMessage>
         </env:Body>
    </env:Envelope>
    We are using Oracle AS 10.1.3.3.0, WSDL 1.1, and SOAP 1.2. Everything works fine with WSDL 1.1 and SOAP 1.1.

    Take a look 'How to Use a Custom Serializer with Oracle Application Server Web Services' [1].
    In your case, you should be looking at BeanMultiRefSerializer (org.apache.soap.encoding.soapenc), which will serialize your data using href and providing a way to deal with cycles.
    All the best,
    Eric
    [1] http://www.oracle.com/technology/tech/webservices/htdocs/samples/serialize/index.html

  • Verify signature on SAML assertion

    I've already asked this question on StackOverflow (http://stackoverflow.com/questions/25394137/verify-signature-on-saml-assertion), but I'm hoping to get a better response here. I'm trying to validate some SAML that looks like this:
    <samlp2:Response Destination="http://www.testhabaGoba.com" ID="ResponseId_934151edfe060ceec3067670c2f0f1ea" IssueInstant="2013-09-24T14:33:29.507Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    <saml2:Assertion ID="SamlAssertion-05fd8af7f2c9972e69cdbca612d3f3b8" IssueInstant="2013-09-24T14:33:29.496Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    </saml2:Assertion>
    </samlp2:Response>
    The signature on the response always passes, but the signature on the assertion always fails. Even when I use a SAML that doesn't sign the response the assertion signature fails. Here's a condensed version of the code I'm using:
    using System.Diagnostics;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Cryptography.Xml;
    using System.Xml;

    foreach (XmlElement node in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
    {
        // Verify this Signature block
        SignedXml signedXml = new SignedXml(node.ParentNode as XmlElement);
        signedXml.LoadXml(node);
        KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();
        // Verify certificate
        X509Certificate2 cert = x509Data.Certificates[0] as X509Certificate2;
        log.Info(string.Format("Cert s/n: {0}", cert.SerialNumber));
        VerifyX509Chain(cert); // Custom method
        // Check for approval
        X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection collection = store.Certificates.Find(X509FindType.FindBySerialNumber, cert.SerialNumber, true);
        Debug.Assert(collection.Count == 1); // Standing in for brevity
        // Verify signature
        signedXml.CheckSignature(cert, true);
    }
    Everything works except the CheckSignature method. It's the only thing that fails and it always fails the SAML assertion. What am I doing wrong?

    Hello Matthew T. Ricks,
    Personally after reading your post I don't think this issue is related to this forum "Discuss and ask questions about the C# programming language, IDE, libraries, samples, and tools."
    The problem is due to a SAML assertion failure, and I read something like this
    http://docs.oracle.com/cd/E21455_01/common/tutorials/authn_saml_xml_sig.html to know what SAML is and how it works. I will recommend you consult a SAML-related forum to ask this question.
    Regards,
    Barry
