Extending XML Signature Schemes

Hello,
currently I am doing some research in the area of signatures.
However, I want to do an performance evaluation using the JCA with some not yet implemented algorithms.
My question is if there is a tutorial or how-to which explains how the JCA framework can be extended to support new Hash-Functions & Signatureschemes or even better some sample code?
Greetings,
Kai

XML Signature defines an XML syntax for digital signatures.
Depending upon your OWSM policy your XML signature may change.

Similar Messages

  • Problem verifying xml signature

    We have a problem with verifying XML Signatures which are part of a SOAP message. Thanks a lot for helping! Hope my problem is understandable - otherwise ask.
    We use the following enviroment:
    Java6
    Axis 2 V1.2 with XML Beans
    Step 1:
    The Java 6 XML Signature is an enveloped signature over an element called payload with exclusive XML canonicalization. We sign the payload and send the payload including signature to the server. At first I discovered the following namespace problem.
    DigesterOutputstream Create Signature:
    FEINER: <Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp><Created>UNDO</Created></Timestamp></Payload>
    DigesterOutput Verify Signature:
    FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
    31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
    FEIN: Expected digest: 71PfJ/xxn38TtQrpZOpRdqTZsBw=
    31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
    FEIN: Actual digest: B1Qdei/0yW1mqR2T50LXKFfxhl0=
    Soap request with payload:
    <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>71PfJ/xxn38TtQrpZOpRdqTZsBw=</DigestValue></Reference></SignedInfo><SignatureValue>FuhOdrz9kHR0MeAUq9Rxkg6w++7foR77s9AYQUQxb8qPJ44Ba6By8R/H+CCn5JP5cPFz8/mGOgOD NGKLgZp66xbVSWe1UeehmZLH1a2kvHsx/VvYo3Lr5foHsl6YikUBMXCBdhI4ukKJTuwBOK/7m3lu 7Zl07SFo0zWL73gUTxc=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>     
    The problem is the namespaces under the elements payload and timestamp. For verification the namespaces are inherited from parent element. I wonder why this happens - I thought this should not happen when using exclusive canonicalization, or?
    Step 2:
    Then I added the namespaces before creating the signature , e.g.
    payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
    for all attributes that are not part of the create signature log. Then the xml signature was verify successfully when I tested this against my own server. See log files:
    DigesterOutputstream for create signature:
    31.10.2007 11:16:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
    FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
    DigesterOutputstream verify signature:
    31.10.2007 11:19:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
    FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
    The whole soap request:
    <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-3596382">MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIGA1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGluZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBLbmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayvHO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2qxJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vaiZst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6fMqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupivlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-8331318"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#id-28000914"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>Q2LregRFO//cXlkcThu9Bx0jal4=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#id-10464309"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>BX651XEWk4u4pGgshQhocYxPkSo=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#Timestamp-7651652"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>ezisLn/pGWNqMHbT6UlHyM4Ez64=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> Xl4SSEwrtyUnsqf8xOmfzojLLU18tOrikOhK+HRyqHqv0lPF+AqANLU6yygNdhbfI5qyef9BLr6I CmSPIX4QQR+Hq45l/Ewa+M2K1OOjqvBUGYyQqrKCqUFtsISr9xPudB8ZmaVfaUu5chjIvy/sPYYx TuYv2Ma6uEwek1YZpbE= </ds:SignatureValue> <ds:KeyInfo Id="KeyId-1823783"> <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-17125267"><wsse:Reference URI="#CertId-3596382" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /></wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-7651652"><wsu:Created>2007-10-31T10:16:00.474Z</wsu:Created><wsu:Expires>2007-10-31T10:21:00.474Z</wsu:Expires></wsu:Timestamp></wsse:Security><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-10464309"><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-28000914"><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>XHIiHK4NYczByvAJSZH8u3hSvuQ=</DigestValue></Reference></SignedInfo><SignatureValue>JQnTQJ1TidrMuWmSmpHE3ZR5M728A3tlvKjrM3GxFPuy5YOmmybxR0T7xe72WSdWsqvFT9QGE+iP GL5POuc3s8lLc1QGZRKhZvjHAKFldDNyxAMWRL7ZXmhpjsRXT3HethKWew3669SKjJFkZ1IYEnZz QrJOmgt1MMjWx99CgaQ=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>
    As you can see in the soap request on top of the xml signature there is a Webservice Security signature (WSSE) over three elements. This should be no problem altough WSSE adds the wsu:id attribute to the body element. WSSE was omitted in step 1 for simplicity.
    I wonder that the attributes which have been set to the payloadElement are not part of the actual message. But it works!
    Step 3:
    The same request was sent to an external webservice server and the server reports a xml signature verification problem. I don't have any logs or further information. But I have to get this to work against this server.
    Java Files for Create + Verify Signature. For Create I get a DOM Node from a XML Bean. For step 1 the attribute setting should be in comments. I use VerifySignature for step 1 + 2.
    SignPayload.java:
    package de.tk.signature;
    import java.io.ByteArrayOutputStream;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.List;
    import javax.xml.crypto.dsig.CanonicalizationMethod;
    import javax.xml.crypto.dsig.DigestMethod;
    import javax.xml.crypto.dsig.Reference;
    import javax.xml.crypto.dsig.SignatureMethod;
    import javax.xml.crypto.dsig.SignedInfo;
    import javax.xml.crypto.dsig.Transform;
    import javax.xml.crypto.dsig.XMLSignature;
    import javax.xml.crypto.dsig.XMLSignatureFactory;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.keyinfo.KeyInfo;
    import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
    import javax.xml.crypto.dsig.keyinfo.X509Data;
    import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
    import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
    import javax.xml.crypto.dsig.spec.TransformParameterSpec;
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.transform.OutputKeys;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.NamedNodeMap;
    import org.w3c.dom.Node;
    import org.apache.xmlbeans.XmlObject;
    import de.tk.schemaTools.TkSchemaHandler;
    import de.tk.util.ClientProperties;
    public class SignPayload {
         public static void signDocument(XmlObject telematikExecuteXmlObject, String payloadId) {
              try {
                   // get Document
                   org.w3c.dom.Node node = telematikExecuteXmlObject.getDomNode();
                   Document documentTo = node.getOwnerDocument();
                   XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
                   Reference ref = fac.newReference("#"+payloadId, fac.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList(fac
                             .newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
                   // Create the SignedInfo.
                   SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null), fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
                             Collections.singletonList(ref));
                   KeyStore keyStore = KeyStore.getInstance("JKS");
                   String keyStoreFilename = ClientProperties.getKeystorefile();
                   FileInputStream keyStoreFile = new FileInputStream(keyStoreFilename);
                   keyStore.load(keyStoreFile, "storePwd".toCharArray());
                   keyStoreFile.close();
                   KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry("harris", new KeyStore.PasswordProtection("keyPwd".toCharArray()));
                   X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
                   // Create the KeyInfo containing the X509Data.
                   KeyInfoFactory kif = fac.getKeyInfoFactory();
                   List x509Content = new ArrayList();
                   x509Content.add(cert.getSubjectX500Principal().getName());
                   x509Content.add(cert);
                   X509Data xd = kif.newX509Data(x509Content);
                   KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
                   Node payloadNode = new TkSchemaHandler().getNode(documentTo, "Payload");
                   String prefix = payloadNode.getPrefix();
                   NamedNodeMap nameNodeMap = payloadNode.getAttributes();
                   // String baseUri = payloadNode.getBaseURI(); not implemented
                   boolean attributes = payloadNode.hasAttributes();
                   Element payloadElement = (Element) payloadNode;
                   //xmlns is the prefix and first parameter the namespaceURI
                   // xmlns existiert ohne WSSE, beim Create XMLOutputter ausgegeben
                   payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
                   // existiert ohne WSSE
                   // bei Create nicht; aber bei Verify im DigestOutputter mit drin
                   payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:soapenv", "http://schemas.xmlsoap.org/soap/envelope/");
                   // existiert nur bei WSSE
                   payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                   Node timestampNode = new TkSchemaHandler().getNode(documentTo, "Timestamp");
                   Element timestampElement = (Element) timestampNode;
                   // existiert ohne WSSE
                   // beim Create Outputter angegeben sowie beim Verify
                   timestampElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                   // existiert nur bei WSSE, war wohl nur notwendig da bei WSSE Signature auf falschen Timestamp zugegriffen worden ist.
                   // Create a DOMSignContext and specify the RSA PrivateKey and
                   // location of the resulting XMLSignature's parent element.
                   DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),payloadNode);
                   // Create the XMLSignature, but don't sign it yet.
                   XMLSignature signature = fac.newXMLSignature(si, ki);
                   // DomInfo.visualize(document);
                   SAXBuilderDemo2.print(documentTo);
                   // Marshal, generate, and sign the enveloped signature.
                   signature.sign(dsc);
              } catch (Exception exc) {
                   throw new RuntimeException(exc.getMessage());
    VerifySignature.java:
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.OutputStream;
    import java.security.Key;
    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.Enumeration;
    import java.util.Iterator;
    import java.util.List;
    import javax.xml.crypto.dsig.CanonicalizationMethod;
    import javax.xml.crypto.dsig.DigestMethod;
    import javax.xml.crypto.dsig.Reference;
    import javax.xml.crypto.dsig.SignatureMethod;
    import javax.xml.crypto.dsig.SignedInfo;
    import javax.xml.crypto.dsig.Transform;
    import javax.xml.crypto.dsig.XMLSignature;
    import javax.xml.crypto.dsig.XMLSignatureFactory;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.dom.DOMValidateContext;
    import javax.xml.crypto.dsig.keyinfo.KeyInfo;
    import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
    import javax.xml.crypto.dsig.keyinfo.X509Data;
    import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
    import javax.xml.crypto.dsig.spec.TransformParameterSpec;
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;
    import org.w3c.dom.Document;
    import org.w3c.dom.Node;
    import org.w3c.dom.NodeList;
    public class VerifySignature {
         * @param args
         public static void main(String[] args) {
              // TODO Auto-generated method stub
              try {
                   String filename = args[0];
                   System.out.println("Verify Document: " + filename);
                   XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
                   DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                   dbf.setNamespaceAware(true);
                   Document doc = dbf
                   .newDocumentBuilder()
                   .parse(
                             new FileInputStream(filename));
    //               Find Signature element.
    //               NodeList nl =
    //               doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
                   Node node = TkSchemaHandler.getNode(doc,"/*[local-name()='Envelope' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']/*[local-name()='Body' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'][1]/*[local-name()='TelematikExecute' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Payload' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Signature' and namespace-uri()='http://www.w3.org/2000/09/xmldsig#'][1]");
                   if (nl.getLength() == 0) {
                   throw new Exception("Cannot find Signature element");
                   Node node = nl.item(0); */
    //               Create a DOMValidateContext and specify a KeySelector
    //               and document context.
                   DOMValidateContext valContext = new DOMValidateContext
                   (new X509KeySelector(), node);
    //               Unmarshal the XMLSignature.
                   XMLSignature signature = fac.unmarshalXMLSignature(valContext);
    //               Validate the XMLSignature.
                   boolean coreValidity = signature.validate(valContext);
                   // sample 6
    //               Check core validation status.
                   if (coreValidity == false) {
                   System.err.println("Signature failed core validation");
                   boolean sv = signature.getSignatureValue().validate(valContext);
                   System.out.println("signature validation status: " + sv);
                   if (sv == false) {
                   // Check the validation status of each Reference.
                   Iterator i = signature.getSignedInfo().getReferences().iterator();
                   for (int j=0; i.hasNext(); j++) {
                   boolean refValid = ((Reference) i.next()).validate(valContext);
                   System.out.println("ref["+j+"] validity status: " + refValid);
                   } else {
                   System.out.println("OK! Signature passed core validation!");
              } catch (Exception exc) {
                   exc.printStackTrace();
    Questions:
    1. Do I really have to set all the namespace attributes? I thought with exclusive xml this should not be necessary. Is there any other solution?
    2. Do you think I got all the settings right in SignPayload.java?
    Thanks a lot in advance.
    Cheers !
    Nils

    It seems to be a bug with the JDK you are using. What is the JDK version you are using?

  • Error in validating XML against schema

    Hi am getting some critical errors while Validating XML against schema
    error is:
    cvc-elt.1: Cannot find the declaration of element 'position' , here <position> is my root element.
    my code is as follows:
    package com.glemser.xmLabeling.library.component.spl;
    import com.documentum.com.DfClientX;
    import com.documentum.com.IDfClientX;
    import com.documentum.fc.client.IDfClient;
    import com.documentum.fc.client.IDfSession;
    import com.documentum.fc.client.IDfSessionManager;
    import com.glemser.common.helper.OperationHelper;
    import org.xml.sax.*;
    import org.xml.sax.helpers.DefaultHandler;
    import javax.xml.parsers.ParserConfigurationException;
    import javax.xml.parsers.SAXParserFactory;
    import java.io.CharArrayWriter;
    import java.io.IOException;
    import java.io.InputStream;
    public class Test {
    static IDfSession m_session;
    public static void main(String[] args) {
    try {
         new Test().validate();
    } catch (Exception e) {
    e.printStackTrace();
    private XMLReader xmlReader;
    private DefaultHandler handler; // Defines the handler for this parser
    private boolean valid = true;
    public void validate() {
    try {
    SetXML setXML = new SetXML();
    OperationHelper operation = new OperationHelper();
    String splObjPath = "C://Documents and Settings/dparikh/My Documents/xmLabelingStage/Test.xml";//operation.executeExportOperation(m_session, new DfId(m_objectId), true);
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setNamespaceAware(false);
    spf.setValidating(true);
    spf.setFeature("http://xml.org/sax/features/validation", true);
    spf.setFeature("http://apache.org/xml/features/validation/schema", true);
    spf.setFeature("http://apache.org/xml/features/validation/schema-full-checking", true);
    if (spf.isValidating()) {
    System.out.println("The parser is validating");
    javax.xml.parsers.SAXParser sp = spf.newSAXParser();
    sp.setProperty("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema");
    sp.setProperty("http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation", "file://C:/Documents and Settings/dparikh/My Documents/xmLabelingStage/Test.xsd");
    System.out.println("The parser is validating1");
    //Create XMLReader
    xmlReader = sp.getXMLReader();
    xmlReader.setFeature("http://apache.org/xml/features/validation/schema", true);
    xmlReader.setEntityResolver(new SchemaLoader());
    ContentHandler cHandler = new MyDefaultHandler();
    ErrorHandler eHandler = new MyDefaultHandler();
    xmlReader.setContentHandler(cHandler);
    xmlReader.setErrorHandler(eHandler);
    System.out.println("The parser is validating2");
    parseDocument(splObjPath);
    } catch (SAXException se) {
    se.printStackTrace();
    } catch (ParserConfigurationException e) {
    e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
    public void parseDocument(String xmlFile) {
    try {
    xmlReader.parse(xmlFile);
    if (valid) {
    System.out.println("Document is valid!");
    } catch (SAXException e) {
    e.printStackTrace();
    } catch (IOException e) {
    e.printStackTrace();
    } catch (Exception e) {
    e.printStackTrace();
    class MyDefaultHandler extends DefaultHandler {
    private CharArrayWriter buff = new CharArrayWriter();
    private String errMessage = "";
    /* With a handler class, just override the methods you need to use
    // Start Error Handler code here
    public void warning(SAXParseException e) {
    System.out.println("Warning Line " + e.getLineNumber() + ": " + e.getMessage() + "\n");
    public void error(SAXParseException e) {
    errMessage = new String("Error Line " + e.getLineNumber() + ": " + e.getMessage() + "\n");
    System.out.println(errMessage);
    valid = false;
    public void fatalError(SAXParseException e) {
    errMessage = new String("Error Line " + e.getLineNumber() + ": " + e.getMessage() + "\n");
    System.out.println(errMessage);
    valid = false;
    public class SchemaLoader implements EntityResolver {
    public static final String FILE_SCHEME = "file://";
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
    if (systemId.startsWith(FILE_SCHEME)) {
    String filename = systemId.substring(FILE_SCHEME.length());
    InputStream stream = SchemaLoader.class.getClassLoader().getResourceAsStream(filename);
    return new InputSource(stream);
    } else {
    return null;
    My XML and XSD are as below:
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <xsd:element name="position" minOccurs="0" maxOccurs="unbounded">
    <xsd:complexType>
    <xsd:sequence>
    <xsd:element name="position_number" type="xsd:string"/>
    <xsd:element name="position_title" type="xsd:string"/>
    <xsd:element name="report_to_position" type="xsd:string"/>
    <xsd:element name="incumbent" type="xsd:string"/>
    <xsd:element name="operation" type="xsd:string"/>
    </xsd:sequence>
    </xsd:complexType>
    </xsd:element>
    </xsd:schema>
    <position xsi:schemaLocation="Test.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <position_number>12345</position_number>
    <position_title>Sr. Engr</position_title>
    <report_to_position>23456</report_to_position>
    <incumbent>23456</incumbent>
    <operation>INSERT</operation>
    </position
    Please help me out

    --> Could not find cached enumeration value Custom.CI.Enum.PeripheralDevice.Printer for property Type, class BMC.Custom.CI.PeripheralDevice in enumeration cache.
    You must specify either the Name or Guid of an enumeration of type Custom.CI.Enum.PeripheralDevice.Type.
    Be sure that you are specifying the Name property of the enumeration value you want to set, and not the DisplayName; the Internal Name is something like "IncidentCategoryEnum.Category" for out of the box enumerations, or ENUM.210ADA2282FDABC3210ADA2282FDABC
    for enumerations created in the console.
    you can check this by finding the enumeration in the XML or by using the the
    SMLets commandlet
    Get-SCSMEnumeration | ?{$_.DisplayName –eq “Printer”}
    and then checking your value with
    Get-SCSMEnumeration -Name "ENUM.210ADA2282FDABC3210ADA2282FDABC"
    and see if you get the right displayname back

  • XML Signatures - How To ?

    I need of help how to organize a XML structure for hierarchical (nested) signature scheme. For example:
    Signed Object 1: O1
    Signatures Level 1:
    - S1.1 signs O1;
    - S1.2 signs O1;
    Signature Level 2:
    - S2.1 signs O1, S1.1 and S1.2
    - S2.2 signs O1, S1.1 and S1.2
    Signature Level 3:
    - S3.1 signs O1, S2.1 and S2.2.
    Maybe it is good to combine the signature of different levels in Manifest, but I don't know how to do that.
    Any help?

    Hi,
    There are 3 variant:
    1. Using only references;
    2. Using XPath;
    3. Using Manifest.
    The clear for me which is simple and easy for realization is the 1st variant.
    I can't find any examples for using of Manifest, so I don't know how to implement it.
    XPath is very complicated for me.
    So, the References are my way.

  • JAXB Messing up my XML Signatures

    I have a requirement to sign an XML message.
    Currently our schemas (being ISO20022) have to have the XML signature located in a particular part of the message even though the signature is based on an XPath elsewhere in the message:
    (Ignore the fact that my elements are not iso20022 for now)
    <Message>
         <MessageHeader>
             <Sgntr>
                <!-- XML Signature goes here -->
             </Sgntr>
         </MessageHeader>
         <MessageBody>
              <Document>
              </Document>
         </MessageBody>
    </Message>The XPath signature is based upon is:
    /Message/MessageBody
    The Sgntr element is of type xs:any
    To create the signature I perform the following:
    1) Unmarshall the /Message and parse it into a org.w3c.dom.Document using a javax.xml.parsers.DocumentBuilder
    2) Sign the org.w3c.dom.Document of the message using the code below
    3) I then attached the signature to the pre-marshalled object at the /Message/MessageHeader/Sgntr element and re-marshall the object
    Once marshalled, the Signature now has a bunch of empty xmlns declarations:
    <Signature:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:Signature="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                   <ns7:CanonicalizationMethod xmlns="" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                   <ns7:SignatureMethod xmlns="" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>This is causing me issues when trying to parse the XML with other technologies! It seems the empty xmlns declaration is taken as the default namespace and subsequent namespaces are stripped out.
    When extracting the initial signature it seems fine:
    <?xml version="1.0" encoding="UTF-8"?>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
              <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
              <Reference URI="">
                   <Transforms>
                        <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                             <XPath>/BPAYResponse/ResponsePayload</XPath>
                        </Transform>
                   </Transforms>
                   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                   <DigestValue>KPMR+irQuoCGp4fm91XworlhjIc=</DigestValue>
              </Reference>
         </SignedInfo>
         <SignatureValue>NQZwvGrg7p25Q+zoU/xn4nm0PO59KIj8AgxLf4JfsaSbtSXq/5vjgg==</SignatureValue>
         <KeyInfo>
              <KeyValue>
                   <DSAKeyValue>
                        <P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9xD7nN1kuFw==</P>
                        <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q>
                        <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA==</G>
                        <Y>ZjsWue3LCHpbuN9fF6jPKW6zgkjGR84t3X/h18aICc4+RGfob1k7yzuSVqN/uFLt++Vib7r9d8O23dv0GZ+3+g==</Y>
                   </DSAKeyValue>
              </KeyValue>
         </KeyInfo>
    </Signature>Rather than having to extract and relocate the signature, can I just have the signature generated at the point we need it?
    Otherwise how can I prevent the namespaces being re-written by JAXB? What other alternatives are there?
         private Element createSignature(org.w3c.dom.Document xmlDoc) {
              XMLSignatureFactory xmlFactory = XMLSignatureFactory.getInstance("DOM");
              try {
                   KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
                   kpg.initialize(512);
                   KeyPair kp = kpg.generateKeyPair();
                   TransformParameterSpec parms = new XPathFilterParameterSpec("/Message/MessageBody");
                   DOMSignContext context = new DOMSignContext(kp.getPrivate(), xmlDoc.getDocumentElement());
                   javax.xml.crypto.dsig.Reference ref = xmlFactory.newReference("", xmlFactory.newDigestMethod(DigestMethod.SHA1, null),
                             Collections.singletonList(
                                       xmlFactory.newTransform(Transform.XPATH, parms))
                                       , null, null);
                   SignedInfo si = xmlFactory.newSignedInfo
                        (xmlFactory.newCanonicalizationMethod
                                  (CanonicalizationMethod.INCLUSIVE,
                                            (C14NMethodParameterSpec) null),
                                            xmlFactory.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
                                            Collections.singletonList(ref));
                   KeyInfoFactory kif = xmlFactory.getKeyInfoFactory();
                   KeyValue kv = kif.newKeyValue(kp.getPublic());
                   KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
                   XMLSignature signature = xmlFactory.newXMLSignature(si, ki);
                   signature.sign(context);
                   return xmlDoc.getDocumentElement();
              } catch(KeyException e) {
                   // TODO Auto-generated catch block
                   e.printStackTrace();
              } catch (NoSuchAlgorithmException e) {
                   // TODO Auto-generated catch block
                   e.printStackTrace();
              } catch (InvalidAlgorithmParameterException e) {
                   // TODO Auto-generated catch block
                   e.printStackTrace();
              } catch (MarshalException e) {
                   // TODO Auto-generated catch block
                   e.printStackTrace();
              } catch (XMLSignatureException e) {
                   // TODO Auto-generated catch block
                   e.printStackTrace();
              return null;
         }

    Okay, I've been able to adjust the location of the Signature when being signed:
         DOMSignContext context = new DOMSignContext(kp.getPrivate(), xmlDoc.getDocumentElement());
         context.setParent(xmlDoc.getElementsByTagName("MessageHeader").item(0));However, since my Sgntr element is of type "any" I cannot target it as it needs something to exist.

  • Web Service Security with SAML - Invalid XML signature

    Hello together,
    we want to build a scenario where we want to use Web Service Security  with SAML.
    The scenario will be
    WS Client (Java Application) -> WS Adapter -> Integration Engine ->  WS Adapter-> CRM (Web AS ABAP 7.01 SP 3)
    SAP PI release is 7.11 (SP Level 4)
    We want to use the SAML Authentification from WS Client to PI and from PI to Web AS ABAP.
    The SAML authentifications between the WS Client and PI works when there is no SAML auth between PI and CRM.
    But we get following error at calling the CRM system when we want to communicate with SAML:
      <E_TEXT>CX_WS_SECURITY_FAULT:Invalid XML signature</E_TEXT>
    Has somebody an idea of the possible reason for the error.
    Thanks in advance
    Stefan

    Error Messages in the Trace/Log Viewer:
    CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
    A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48  with internal error id 1001  and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1  ).
    Invalid XML signature

  • Problem in XML Signature

    Hi,
    i get an Exception in Registering mechanism for XML Signature factory
    it says.
    javax.xml.crypto.NoSuchMechanismException : Cannot find DOM Mechanism type
    I use J2sdk1.4.2_05 with JWSDP 1.4
    Following is the code do let me know where i go wrong.
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.parsers.DocumentBuilder;
    import org.w3c.dom.Document;
    import javax.xml.crypto.dsig.XMLSignatureFactory;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.XMLSignatureFactory;
    import javax.xml.crypto.dsig.Reference;
    import javax.xml.crypto.dsig.SignedInfo;
    import javax.xml.crypto.dsig.XMLSignature;
    import javax.xml.crypto.dsig.CanonicalizationMethod;
    import javax.xml.crypto.dsig.Transform;
    import javax.xml.crypto.dsig.DigestMethod;
    import javax.xml.crypto.dsig.SignatureMethod;
    import javax.xml.crypto.*;
    import javax.xml.crypto.dsig.*;
    import javax.xml.crypto.dom.*;
    import java.security.Provider;
    import javax.xml.crypto.dsig.keyinfo.KeyInfo;
    import javax.xml.crypto.dsig.keyinfo.KeyValue;
    import java.security.KeyPairGenerator;
    import java.security.KeyPair;
    import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
    import java.io.FileInputStream;
    import java.util.Collections;
    //author Palani V. Rajan
    // SafeScrypt Ltd
    class XMLSign
    XMLSign(){}
    /*XMLSign(String inputFile)
    public void signTheMarkup(String inputFilePath)
    Document domDoc;
    try{
    System.out.println("Creating DOM");
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    DocumentBuilder db = dbf.newDocumentBuilder();
    domDoc = db.parse(new FileInputStream(inputFilePath));
    System.out.println("Generating Key's.....");
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
    kpg.initialize(1024);
    KeyPair kp = kpg.generateKeyPair();
    DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), domDoc.getDocumentElement());
    String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
    System.out.println("Creating xml sign.....");
    System.out.println("Provider Name "+providerName);
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",(Provider) Class.forName(providerName).newInstance());
    System.out.println("T 1");
    Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),Collections.singletonList(fac.newTransform(Transform.ENVELOPED, null)),null, null);
    System.out.println("T 2");
    SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, null),fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),Collections.singletonList(ref));
    System.out.println("T 4");
    KeyInfoFactory kif = fac.getKeyInfoFactory();
    KeyValue kv = kif.newKeyValue(kp.getPublic());
    KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
    System.out.println("T 5");
    XMLSignature signature = fac.newXMLSignature(si, ki);
    signature.sign(dsc);
    }catch(Exception e){e.printStackTrace();}
    public static void main(String[] q)
    System.out.println("Creating XML Signatures.....");
    XMLSign xs = new XMLSign();
    xs.signTheMarkup(q[0]);
    Thnx in Advance
    Vinodh

    I have encountered the same problem. I am using Jbuilder 5 with JDK 1.3.0. I copied all the JAR files of jwsdp-1.5 by creating a custom library.
    Even then It didnt work. Can some one who has resolved this please help.
    I have tried running the same code in JDeveloper 10g (10.1.2) and got a same error.
    Regards,
    Srinivas.

  • Problem with XML signature

    Can anybody tell me how to generate an xml signature
    with the base 64 transform(Transform.BASE64)?
    I just can't find any documentation on the web.
    It would be great to provide a small code exemple.
    Thanks
    Antoine

    Thanks for the reply.
    I'm applying appropriate namespaces to the generated xml string. Could it be the probelem?
    this is how the generated xml looks in final stage, I mean after I'm doing some rework on the generated xml.
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#PAYMENTS"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>IXgHx5ioixsJ13jyg767D8UCU9s=</DigestValue></Reference></SignedInfo><SignatureValue>DO+Fngf3h0Q5iDoMq2mZFL+bxL3vY1i1fyqzBbKRPhHlzqWrW2wP3SFHjVzPLXdj92W8hMx9I8Jq
    QBV/D+pUKa32aZB7kPwOGZqR63X+d6Hca58jnTK7+zq8Fzi2DPlE+omQhgT3xeXp/lQpKI8vAgVT
    eX+eylRYTAZDSfDw7qk=</SignatureValue><Object Id="PAYMENTS"><PAYMENTS xmlns=""><Payment><PaymentIdA></PaymentIdA><PaymentIdB>aa</PaymentIdB><SrcBank>bb</SrcBank><SrcAccount>cc</SrcAccount><PayerId>dd</PayerId><PayerName>Dato</PayerName><TaxPayerId>00022023</TaxPayerId><TaxPayerName></TaxPayerName><ReceiverName>mof</ReceiverName><AdditinalInfo>racxa</AdditinalInfo><Amount>521</Amount><TreasuryCode>hello</TreasuryCode><PaymentTime>hi</PaymentTime><PaymentChannel>ib</PaymentChannel></Payment></PAYMENTS></Object></Signature>

  • XSLT Transform in XML Signature: Exception

    Hello,
    I have following problem with an XSLT tranform in my XML signature. Here is the code I use to add XSLT to signature:
    main() {
    DOMStructure stylesheet = new DOMStructure( getStylesheet() );
    XSLTTransformParameterSpec spec = new XSLTTransformParameterSpec( stylesheet );
    transforms.add( fac.newTransform( Transform.XSLT, spec ) );
    private Element getStylesheet() throws Exception {
         String stylesheet = //"<?xml version=\"1.0\"?>" +
                        "<xslt:stylesheet version=\"1.0\" xmlns:xslt=\"http://www.w3.org/1999/XSL/Transform\">\n" +
                        " <xsl:include href=\"http://extern XSLT\" />\n" +
                        " <xslt:template match=\"/\">" +
                        " <xsl:apply-imports />" +
                        " </xslt:template>" +
                        "</xslt:stylesheet>\n";
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
         //dbf.setValidating( true );
         return dbf.newDocumentBuilder().parse( new ByteArrayInputStream( stylesheet.getBytes() ) ).getDocumentElement();
    I get following exception:
    javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: com.sun.org.apache.xml.internal.security.transforms.TransformationException: Cannot find xslt:stylesheet in Transform
    Original Exception was com.sun.org.apache.xml.internal.security.transforms.TransformationException: Cannot find xslt:stylesheet in Transform
         at org.jcp.xml.dsig.internal.dom.DOMReference.transform(Unknown Source)
         at org.jcp.xml.dsig.internal.dom.DOMReference.digest(Unknown Source)
         at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(Unknown Source)
         at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(Unknown Source)
    In google I cannot find any details what can be wrong.
    Any suggestions?
    Thanks in advance,
    errno

    Thanks for your response. Sorry - I tried both versions with xslt and xsl - doesn't worked -> the error in my post is actually caused through the multiple changes of this part of code. Here once again:
    private Element getStylesheet() throws Exception {
              String stylesheet = //"<?xml version=\"1.0\"?>" +
                                       "<xslt:stylesheet version=\"1.0\" xmlns:xslt=\"http://www.w3.org/1999/XSL/Transform\">\n" +
                                       " <xslt:include href=\"external XSLTl\" />\n" +
                                       " <xslt:template match=\"/\">" +
                                       " <xslt:apply-imports />" +
                                       " </xslt:template>" +
                                       "</xslt:stylesheet>\n";
              DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
              //dbf.setValidating( true );
              return dbf.newDocumentBuilder().parse( new ByteArrayInputStream( stylesheet.getBytes() ) ).getDocumentElement();
    Thanks,
    errno

  • Sap PI - XML signature

    Hi Experts
    We have to digitally Sign and Encrypt and Decrypt an XML file in PI7.11 system using soap adapter
    To have an expert advise
    can I use WSSE or Apache WSS4J or SAML or Apache axis soap adapter
    My requirement is:
    XML Documents shall be signed using XML signature and Use enveloped signatures
    Support RSA signing in conformance with the algorithm indentified by sha1
    Use exclusive canonicalization (with comment or without comments)
    Will WSSE or Wss4j can support the above requirements...Please advise
    Thanking you
    Pooja

    Hi ,
    Thank you for your response...
    I mean when you say java experts can do easily...yes we do have java experts who can develop a source code encrypt and sign the code and give it to us as an ear file
    However I tried deploying EAR file on PI system my converting it into sda file ...no luck ..the file getting converted to ear file and i renamed and tried to deploy using jspm....no luck
    As we cannot import the ear file directly to NWDS to deploy it on PI system ....what we are trying is to get the source code from Java developer and we are developing and EJB and Ear projects by replacing the source code
    and later once deploy using adapter modules we can test it
    My question is:
    Can we configure WSSE on PI as per this link(/people/rajendra.badi/blog/2011/08/24/configuring-wsse-digital-signing-and-encryption-using-sap-pi-711-aae-soap-adapter) and try
    Signing and Enc/Dec
                                                     or
    How to configure and use Apache wss4j and Apache axis soap adapter...can you please forward me some documents on it
    Thanking you
    Pooja

  • XML signature

    Hi All,
                   In one of our interfaces, we are implementing digital signature. We are creating a signature based on the four of all input fields. We are able to sign and sent the message successfully to the target system (Third party system). We are communicating with the target system via webservice and are using SOAP adapter at the receiver side. It's a party communication.
                 But the Third party is unable to verify the signature. I need help from you guys in confirming, whether the digital signatures generated using SAP standards conform to open standards and can be verified by any 3rd party system?
    Note:  We are using SHA algorithm for creating the digital signatures.
    Regards,
    Vishnu.

    Hi Vishnu,
    With XML signatures, the entire XML document becomes case-sensitive.
    Also, extra spaces, between node names might pose to be a problem as well.
    Ensure that the xml message you are sending out, and the message expected by the third party system match in case, and format.
    Would you be able to post the error here?
    Regards,
    Smitha.

  • Web service security: XML signatures and encryption

    Hi users -
    I am trying to figure out how to implement XML signatures and encryption for my web service.  We are only on AS ABAP 7.0, SP 11 - we do not have SOAMANAGER yet.  Yet all documentation I can find on configuring encryption and signatures, references SOAMANAGER.
    Does anyone know of a guide anywhere on implementing XML signatures and encryption for web services pre-SOAMANAGER?  It's listed as supported - but I can't find a thing! Your help is much appreciated!
    Thanks so much!
    Abby

    Hi Users -
    I found the answer to this (although it wasn't one I liked.) It doesn't appear that encryption with XML signatures is supported prior to SP 14.
    I found this information at
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/6d19c8ee-0c01-0010-619d-92af980436d7
    page 36
    Hope that saves somebody else some time...
    Thanks!
    Abby

  • Extended xml handling in asynchronous inbound (server) proxy

    Hello,
    I want to activate extended xml handling on an asynchronous inbound server proxy.
    looking at online help:
    http://help.sap.com/saphelp_nwpi71/helpdata/en/73/3f5c3c3906b006e10000000a11402f/frameset.htm
    this should be the code:
      lo_server_context   = cl_proxy_access=>get_server_context( ).
      lo_payload_protocol ?= lo_server_context->get_protocol( if_wsprotocol=>payload ).
      CALL METHOD lo_payload_protocol->set_extended_xml_handling( abap_true ).
    However the controller tables remain empty when executing a scenario to the application system.
    Also adding a static attribute extended_xml_handling does not have the correct result.
    any suggestions???
    Regards,
    Emile

    Hello Emile,
    do you have a solution regarding your problem? If not, here is a good one.
    I think you have inserted the code inside the generated proxy method. Within this method it is a little bit tricky to get the controller structures filled. This could be done by parsing the input data once more... Here is an code example for this:
    ls_input_data-name = 'INPUT'.
    GET REFERENCE OF input INTO ls_input_data-value.
    APPEND ls_input_data TO lt_input_data.
    lo_server_context = cl_proxy_access=>get_server_context( ).
    lo_payload_protocol ?= lo_server_context->get_protocol( if_wsprotocol=>payload ).
    lo_payload_protocol->set_extended_xml_handling( extended_xml_handling = 'X' ).
    lo_payload_handler = lo_payload_protocol->get_payload_handler( '<Name of structure data element>' ).
    lo_payload_input = lo_payload_protocol->get_sent_request_payload( ).
    lo_payload_handler->get_request_data_from_payload(
      EXPORTING
        payload = lo_payload_input
      CHANGING
        request_data = ls_input_data ).
    But a much easier and better way is to insert the following coding within a constructor of the generated Proxy class.
    lo_server_context = cl_proxy_access=>get_server_context( ).
    lo_payload_protocol ?= lo_server_context->get_protocol( if_wsprotocol=>payload ).
    lo_payload_protocol->set_extended_xml_handling( extended_xml_handling = 'X' ).
    As in each standard ABAP class, you can insert your own constructor within proxy classes. If you do so and insert the code in it the controller table will be filled with the needed information.
    Best Regards,
    Lars

  • Extend xml for orders by BBP_SAPXML1_OUT_BADI

    Hi,
    We need to extend xml order export with specifical xml flag. We have some samples for extend catalogs (extend by structure TYPE BBPX1_CATALOG_TRANSMISSION), but we dont have such a structure in the order badi (the structure TYPE BBPX1_PURCHASE_ORDER_MESSAGE do not have any table type bbpx1_item_str to fill specifical flags).
    Could you help us ?
    Thanks in advance,
    Vincent Tanguy

    10.06.2010 - 10:08:01 CET - Reply by SAP
    Dear customer
    please remark note 806127 which describes how to swap user-defined
    fields using SAP-PI/XI. This notes was created based on SRM4.0/5.0 but
    its contect is as well valid for SRM6.0/7.0.
    The exchange of data with the SRM-application is realized by customer
    fields described in note 672960. This is the SRM70 solution instead of
    old customer fields described in note 458591.
    According to note 806127 there are the following steps required
    1.) Use customer enhancements in the Integration Repository to enhance
    the interfaces correspondingly
    for details please see
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/14/80243b4a66ae0ce10000000a11402f/frameset.htm
    and follow this path
    Design and Configuration Time
    Design
    Designing Interfaces and Proxy Generation
    Developing Message Interfaces
    Data Types
    Data Type Enhancements
    2.) Generate proxies in the SRM system
    3.) Implement the BAdIs in the SRM system (only when the interface
    enhancements do not have the same name as the customer fields)
    In case the new field for your flag has same name in interface
    enhancement and as customer field then the data transport is done
    automatically (move-corresponding like). And you do not have to
    implement the BBP_SAPXML1_OUT_BADI
    kind regards
    Andreas Schaeff
    IMS SRM development support Germany

  • Web Services: XML signatures and encryption 7.0 SP14

    Hi users -
    I am trying to figure out how to implement XML signatures and encryption for my web service.  We are only on AS ABAP 7.0, SP 11 - we do not have SOAMANAGER yet.  Yet all documentation I can find on configuring encryption and signatures, references SOAMANAGER.
    Does anyone know of a guide anywhere on implementing XML signatures and encryption for web services pre-SOAMANAGER?  Your help is much appreciated!
    Thanks so much!
    Abby

    Hi Users -
    I found the answer to this (although it wasn't one I liked.)  It doesn't appear that encryption with XML signatures is supported prior to SP 14.
    I found this information at
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/6d19c8ee-0c01-0010-619d-92af980436d7
    page 36
    Hope that saves somebody else some time...
    Thanks!
    Abby

Maybe you are looking for

  • "New Augmented User Recoreds" in WGM not working

    So I was excited with the release of 10.5.3 that importing users to add an iCal server was added to Workgroup Manager, since I have a 10.5 server (that was supposed to be) for iCal among other things, and a 10.4 server hosting files and running as a

  • Crosstab query using  PL/SQL [HELP]

    hi all, i got this output after execute my query: week no | department | item | budget 1 | 0901 | salary | 25000 1 | 0901 | stationery | 5000 1 | 5501 | salary | 45000 2 | 0901 | salary | 25000 2 | 5501 | salary | 25000 2 | 5501 | stationery | 100 i

  • Change FB02 display. Documents with Special GL Posting

    Hello. I've been trying to modify FB02 layout in order to display BSEG-ZFBDT under the additional data section (below the line item information) The problem is that if I do an FB02 with a regular customer document that posted to the reconciliation ac

  • Excel 2011 how do I turn off fixed decimal?

    Excel 2011 how do I turn off fixed decimal?

  • Help me to migrate from asp

    hi, i have experience only with asp until now. i want to start developing in jsp. i have win2k server os and i want to start developing jsp files. i've been told that there are some utility called jRun that enables running jsp files on IIS server. is