Validating detached signature with jsr105

Hi all.
I need to sign a SOAP message and I need to use JSR105. I've created a message with the following code and it is signed without problems. However, I can't validate the signature. As you can see, the elements that contain the nodes are OMElement objects (specific to the Axis2 SOAP server), which are instances of the Node and Element classes.
The error I get is:
Exception in thread "main" javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID 1
     at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:366)
     at org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:318)
     at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:230)
     at SignedSoap.main(SignedSoap.java:272)
Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID 1
     at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:84)
     at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:358)
     ... 3 more
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID 1
     at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolve(Unknown Source)
     at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(Unknown Source)
     at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:77)
     ... 4 more
javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID 1
     at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:84)
     at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:358)
     at org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:318)
     at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:230)
     at SignedSoap.main(SignedSoap.java:272)
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID 1
     at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolve(Unknown Source)
     at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(Unknown Source)
     at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:77)
     ... 4 more
My code is as follows
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Calendar;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dom.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.soap.*;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.*;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.*;
import org.apache.axiom.om.OMAttribute;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.dom.factory.OMDOMFactory;
import org.apache.xmlbeans.impl.piccolo.xml.XMLStreamReader;
import org.w3c.dom.*;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
//import org.xmlsoap.schemas.soap.encoding.DateTime;

/**
 * Construct a SOAP message, sign it and then validate the signature.
 * This implementation follows the
 * <a ref="http://www.w3.org/TR/SOAP-dsig/">
 * W3C Note on digital signatures in SOAP messages
 * </a>.
 * The validating key is included in the signature.
 * DOM Level 2 is used throughout.
 * <p>
 * The following SOAP message is signed:
 * <pre><code>
 * <?xml version="1.0" encoding="UTF-8"?>
 * <soap-env:Envelope
 * xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
 * <soap-env:Header>
 * <SOAP-SEC:Signature
 * mustUnderstand="1"
 * xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12"/>
 * </soap-env:Header>
 * <soap-env:Body id="Body">
 * <m:GetLastTradePrice xmlns:m="http://wombats.ztrade.com">
 * <symbol>SUNW</symbol>
 * </m:GetLastTradePrice>
 * </soap-env:Body>
 * </soap-env:Envelope>
 * </code></pre>
 */
public class SignedSoap {

    private static boolean debug = false;

    public static void main(String[] args) throws Exception {
        int argc = args.length;
        if (argc == 1) {
            if (args[0].equalsIgnoreCase("-help")) {
                System.out.println("Usage: SignedSoap [-debug]");
                System.out.println(" -debug\tactivates debug messages");
                return;
            }
            debug = args[0].equalsIgnoreCase("-debug");
        }
        // Create the SOAP message
        OMDOMFactory omfact=new OMDOMFactory();
        //Node nodo1=fd.newDomNode(options);
        OMNamespace namespace=omfact.createOMNamespace("http://schemas.xmlsoap.org/soap/security/2000-12", "soapenv");
        OMNamespace namespace2=omfact.createOMNamespace("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "wsu");
        OMAttribute attr=omfact.createOMAttribute("mustUnderstand",namespace,"1");
        OMAttribute id=omfact.createOMAttribute("id",namespace,"1");
        OMAttribute id2=omfact.createOMAttribute("id",namespace,"2");
        OMElement sec=omfact.createOMElement("Security", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd","wsse");
        OMElement timestamp=omfact.createOMElement("Timestamp",namespace2);
        OMElement created=omfact.createOMElement("Created",namespace2);
        OMElement expires=omfact.createOMElement("Expires",namespace2);
        created.setText("12122007");
        expires.setText("12122008");
        timestamp.addAttribute(id);
        timestamp.addChild(created);
        timestamp.addChild(expires);
        sec.addChild(timestamp);
        System.out.println("Generating the DOM tree...");
        // Get input source
        org.w3c.dom.Node security = (Node)sec;
        //if (debug) {
        // dumpDOMDocument(root);
        //}
        // Generate a DSA key pair
        System.out.println("Generating the DSA keypair...");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024, new SecureRandom("not so random".getBytes()));
        KeyPair keypair = kpg.generateKeyPair();
        // Assemble the signature parts
        System.out.println("Preparing the signature...");
        String providerName = System.getProperty
            ("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
        XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM",
            (Provider) Class.forName(providerName).newInstance());
        Reference ref = sigFactory.newReference("#1",
            sigFactory.newDigestMethod(DigestMethod.SHA1, null));
        SignedInfo signedInfo = sigFactory.newSignedInfo(
            sigFactory.newCanonicalizationMethod(
                CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
                (C14NMethodParameterSpec) null),
            sigFactory.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = sigFactory.getKeyInfoFactory();
        KeyValue kv = kif.newKeyValue(keypair.getPublic());
        KeyInfo keyInfo = kif.newKeyInfo(Collections.singletonList(kv));
        XMLSignature sig = sigFactory.newXMLSignature(signedInfo, keyInfo);
        // Insert XML signature into DOM tree and sign
        System.out.println("Signing the SOAP message...");
        // Find where to insert signature
        Element ts = getFirstChildElement(envelope);
        DOMSignContext sigContext =
            new DOMSignContext(keypair.getPrivate(), sec);
        // Need to distinguish the Signature element in DSIG (from that in SOAP)
        sigContext.putNamespacePrefix(XMLSignature.XMLNS, "ds");
        // register Body ID attribute getNextSiblingElement(
        sigContext.setIdAttributeNS
            (ts,
            "http://schemas.xmlsoap.org/soap/security/2000-12","id");
        sig.sign(sigContext);
        if (debug) {
            dumpDOMDocument(envelope);
        }
        // Validate the XML signature
        // Locate the signature element
        Element sigElement = getNextSiblingElement(ts);
        // Validate the signature using the public key generated above
        DOMValidateContext valContext =
            new DOMValidateContext(keypair.getPublic(), sigElement);
        // register Body ID attribute getNextSiblingElement(
        valContext.setIdAttributeNS
            (ts,
            "http://schemas.xmlsoap.org/soap/security/2000-12","id");
        boolean isValid = sig.validate(valContext);
        System.out.println("Validating the signature... " +
            (isValid ? "valid" : "invalid"));
    }

    /**
     * Outputs DOM representation to the standard output stream.
     *
     * @param root The DOM representation to be outputted
     */
    private static void dumpDOMDocument(org.w3c.dom.Node root)
            throws TransformerException, TransformerConfigurationException {
        System.out.println("\n");
        // Create a new transformer object
        Transformer transformer =
            TransformerFactory.newInstance().newTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        // Dump the DOM representation to standard output
        transformer.transform(new DOMSource(root), new StreamResult(System.out));
        System.out.println("\n");
    }

    /**
     * Returns the first child element of the specified node, or null if there
     * is no such element.
     *
     * @param node the node
     * @return the first child element of the specified node, or null if there
     *     is no such element
     * @throws NullPointerException if <code>node == null</code>
     */
    private static Element getFirstChildElement(org.w3c.dom.Node node) {
        org.w3c.dom.Node child = node.getFirstChild();
        while (child != null &&
                child.getNodeType() != org.w3c.dom.Node.ELEMENT_NODE) {
            child = child.getNextSibling();
        }
        return (Element) child;
    }

    /**
     * Returns the next sibling element of the specified node, or null if there
     * is no such element.
     *
     * @param node the node
     * @return the next sibling element of the specified node, or null if there
     *     is no such element
     * @throws NullPointerException if <code>node == null</code>
     */
    public static Element getNextSiblingElement(org.w3c.dom.Node node) {
        org.w3c.dom.Node sibling = node.getNextSibling();
        while (sibling != null &&
                sibling.getNodeType() != org.w3c.dom.Node.ELEMENT_NODE) {
            sibling = sibling.getNextSibling();
        }
        return (Element) sibling;
    }
}

Thanks in advance

I've made further advances. It seems that the element to feed the sign validator MUST be a document AND that the ID attribute has to be registered in it even if it has been already located in inner elements of the message. Now my code looks as follows but I'm not validating the reference. The sign itself can validate though.
The problem is the reference validation. Any ideas? Could it be the prefixes or namespaces? I've been making tests changing both but no luck so far.
Thanks in advance.
package _2006_08.sa.liberty;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Calendar;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.URIReference;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dom.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.soap.*;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.*;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.*;
import org.apache.axiom.om.OMAttribute;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.dom.factory.OMDOMFactory;
import org.apache.xmlbeans.impl.piccolo.xml.XMLStreamReader;
import org.oasis_open.docs.wss._2004._01.oasis_200401_wss_wssecurity_secext_1_0_xsd.SecurityDocument;
import org.w3c.dom.*;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
//import org.xmlsoap.schemas.soap.encoding.DateTime;

/**
 * Construct a SOAP message, sign it and then validate the signature.
 * This implementation follows the
 * <a ref="http://www.w3.org/TR/SOAP-dsig/">
 * W3C Note on digital signatures in SOAP messages
 * </a>.
 * The validating key is included in the signature.
 * DOM Level 2 is used throughout.
 * <p>
 * The following SOAP message is signed:
 * <pre><code>
 * <?xml version="1.0" encoding="UTF-8"?>
 * <soap-env:Envelope
 * xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
 * <soap-env:Header>
 * <SOAP-SEC:Signature
 * mustUnderstand="1"
 * xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12"/>
 * </soap-env:Header>
 * <soap-env:Body id="Body">
 * <m:GetLastTradePrice xmlns:m="http://wombats.ztrade.com">
 * <symbol>SUNW</symbol>
 * </m:GetLastTradePrice>
 * </soap-env:Body>
 * </soap-env:Envelope>
 * </code></pre>
 */
public class SignedSoap {

    private static boolean debug = false;

    public static void main(String[] args) throws Exception {
        int argc = args.length;
        if (argc == 1) {
            if (args[0].equalsIgnoreCase("-help")) {
                System.out.println("Usage: SignedSoap [-debug]");
                System.out.println(" -debug\tactivates debug messages");
                return;
            }
            debug = args[0].equalsIgnoreCase("-debug");
        }
        // Create the SOAP message
        System.out.println("Creating the SOAP message...");
        SOAPMessage soapMessage = MessageFactory.newInstance().createMessage();
        SOAPPart soapPart = soapMessage.getSOAPPart();
        SOAPEnvelope soapEnvelope = soapPart.getEnvelope();
        if(soapEnvelope instanceof Source){
            System.out.println("0");
        }
        if(soapEnvelope instanceof Node){
            System.out.println("1");
        }
        if(soapEnvelope instanceof Element){
            System.out.println("2");
        }
        if(soapEnvelope instanceof Document){
            System.out.println("3");
        }
        SOAPHeader soapHeader = soapEnvelope.getHeader();
        SOAPHeaderElement headerElement = soapHeader.addHeaderElement(
            soapEnvelope.createName("Signature", "SOAP-SEC",
                "http://schemas.xmlsoap.org/soap/security/2000-12"));
        SOAPBody soapBody = soapEnvelope.getBody();
        soapBody.addAttribute(soapEnvelope.createName("id", "SOAP-SEC",
            "http://schemas.xmlsoap.org/soap/security/2000-12"), "1");
        Name bodyName =soapEnvelope.createName("GetLastTradePrice", "m",
            "http://wombats.ztrade.com");
        SOAPBodyElement gltp = soapBody.addBodyElement(bodyName);
        Name name = soapEnvelope.createName("symbol");
        SOAPElement symbol = gltp.addChildElement(name);
        symbol.addTextNode("SUNW");
        // Generate a DOM representation of the SOAP message
        OMDOMFactory omfact=new OMDOMFactory();
        //Node nodo1=fd.newDomNode(options);
        OMNamespace namespace=omfact.createOMNamespace("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "wsu");
        OMNamespace namespace2=omfact.createOMNamespace("http://www.w3.org/2002/12/soap-envelope", "S");
        OMAttribute attr=omfact.createOMAttribute("mustUnderstand",namespace,"1");
        OMAttribute id=omfact.createOMAttribute("Id",namespace2,"1");
        OMAttribute id2=omfact.createOMAttribute("Id",namespace2,"2");
        OMElement sec=omfact.createOMElement("Security", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd","wsse");
        OMElement timestamp=omfact.createOMElement("Timestamp",namespace);
        OMElement created=omfact.createOMElement("Created",namespace);
        OMElement expires=omfact.createOMElement("Expires",namespace);
        OMElement frame=omfact.createOMElement("Framework",namespace2);
        OMElement signa=omfact.createOMElement("Signature",namespace2);
        timestamp.declareDefaultNamespace(namespace.getNamespaceURI());
        timestamp.setNamespace(namespace);
        Calendar now=Calendar.getInstance();
        Calendar exp=Calendar.getInstance();
        exp.add(now.MINUTE, 5);
        System.out.println("test");
        created.setText("created");
        expires.setText("expires");
        System.out.println("test");
        timestamp.addAttribute(id);
        System.out.println("test");
        timestamp.addChild(created);
        timestamp.addChild(expires);
        //sec.addChild(signa);
        sec.addAttribute(id2);
        sec.addChild(timestamp);
        //sec.addChild(frame);
        //System.out.println(sec.getParent().toString());
        System.out.println("Generating the DOM tree...");
        // Get input source
        Source source = soapPart.getContent();
        if(soapPart instanceof Source){
            System.out.println("10");
        }
        if(soapPart instanceof Node){
            System.out.println("11");
        }
        if(soapPart instanceof Element){
            System.out.println("12");
        }
        if(soapPart instanceof Document){
            System.out.println("13");
        }
        //Source source2 = soapPart.getFirstChild();
        //System.out.println(source.toString());
        //javax.xml.stream.XMLStreamReader inSource = sec.getXMLStreamReader();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = null;
        System.out.println("13");
        //synchronized (dbf) {
        db = dbf.newDocumentBuilder();
        //}
        System.out.println("13");
        Document doc = db.newDocument();
        doc.appendChild((Node)sec);
        org.w3c.dom.Node root = (org.w3c.dom.Node) doc.getDocumentElement();
        System.out.println("13");
        System.out.println("13: "+root.getFirstChild().getLocalName());
        org.w3c.dom.Node envelope = (Node)sec;//soapPart.getFirstChild();
        /* Node) sec;
        if (source instanceof DOMSource) {
            root = ((DOMSource)source).getNode();
        } else if (source instanceof SAXSource) {
            InputSource inSource = ((SAXSource)source).getInputSource();
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            DocumentBuilder db = null;
            synchronized (dbf) {
                db = dbf.newDocumentBuilder();
            }
            Document doc = db.parse(inSource);
            root = (org.w3c.dom.Node) doc.getDocumentElement();
        } else {
            System.err.println("error: cannot convert SOAP message (" +
                source.getClass().getName() + ") into a W3C DOM tree");
            System.exit(-1);
        }
        */
        //if (debug) {
        // dumpDOMDocument(root);
        //}
        // Generate a DSA key pair
        System.out.println("Generating the DSA keypair...");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024, new SecureRandom("not so random".getBytes()));
        KeyPair keypair = kpg.generateKeyPair();
        // Assemble the signature parts
        System.out.println("Preparing the signature...");
        String providerName = System.getProperty
            ("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
        XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM",
            (Provider) Class.forName(providerName).newInstance());
        Reference ref = sigFactory.newReference("#1",
            sigFactory.newDigestMethod(DigestMethod.SHA1, null));
        SignedInfo signedInfo = sigFactory.newSignedInfo(
            sigFactory.newCanonicalizationMethod(
                CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
                (C14NMethodParameterSpec) null),
            sigFactory.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = sigFactory.getKeyInfoFactory();
        KeyValue kv = kif.newKeyValue(keypair.getPublic());
        KeyInfo keyInfo = kif.newKeyInfo(Collections.singletonList(kv));
        XMLSignature sig = sigFactory.newXMLSignature(signedInfo, keyInfo);
        // Insert XML signature into DOM tree and sign
        System.out.println("Signing the SOAP message...");
        // Find where to insert signature
        //Element envelope = getFirstChildElement(root);
        Element header = getFirstChildElement(envelope);
        System.out.println("Signing the SOAP message...");
        //System.out.println(header.getLocalName());
        DOMSignContext sigContext =
            new DOMSignContext(keypair.getPrivate(), envelope);
        // Need to distinguish the Signature element in DSIG (from that in SOAP)
        System.out.println("Signing the SOAP message...");
        sigContext.putNamespacePrefix(XMLSignature.XMLNS, "ds");
        // register Body ID attribute getNextSiblingElement(
        sigContext.setIdAttributeNS
            (header,
            "http://www.w3.org/2002/12/soap-envelope","Id");
        System.out.println("Signing the SOAP message...");
        sig.sign(sigContext);
        if (debug) {
            dumpDOMDocument(envelope);
        }
        // Validate the XML signature
        String providerName2 = System.getProperty
            ("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
        XMLSignatureFactory sigFactory2 = XMLSignatureFactory.getInstance("DOM",
            (Provider) Class.forName(providerName2).newInstance());
        SecurityDocument secdoc=SecurityDocument.Factory.parse(envelope);
        System.out.println(secdoc.xmlText());
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(secdoc.newInputStream());
        // Locate the signature element
        //Element sigElement = //getFirstChildElement(header);
        //getNextSiblingElement(header);
        // Validate the signature using the public key generated above
        System.out.println(doc.getFirstChild().getLastChild().getLocalName());
        DOMValidateContext valContext = new DOMValidateContext
            (keypair.getPublic(), doc.getElementsByTagName("ds:Signature").item(0));
        valContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        System.out.println(doc.getElementsByTagName("ds:Signature").item(0).getLocalName());
        // DOMValidateContext valContext =
        // new DOMValidateContext(keypair.getPublic(), sigElement);
        // register Body ID attribute getNextSiblingElement(
        // System.out.println(header.getNamespaceURI());
        //valContext.setIdAttributeNS((Element) doc.
        //     getElementsByTagNameNS("wsu", "Timestamp").item
        //(0), null, "Id");
        ((Element)doc.getElementsByTagName("wsu:Timestamp").item(0)).setAttributeNS("S", "Id", "1");
        ((Element)doc.getElementsByTagName("wsu:Timestamp").item(0)).setPrefix("wsu");
        valContext.setIdAttributeNS((Element)doc.getElementsByTagName("wsu:Timestamp").item(0),
            "http://www.w3.org/2002/12/soap-envelope","Id");
        //System.out.println(valContext.getElementById("1").getLocalName());
        //valContext.setBaseURI("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
        System.out.println("1");
        XMLSignature signature = sigFactory2.unmarshalXMLSignature(valContext);
        System.out.println("2: "+valContext.getDefaultNamespacePrefix());
        System.out.println(valContext.getElementById("1").getLocalName());
        //System.out.println(header.getLocalName());
        //System.out.println(getNextSiblingElement(header).getLocalName());
        //System.out.println(header.getAttribute("id"));
        //System.out.println(header.getBaseURI());
        if(signature.getSignatureValue().validate(valContext))
            System.out.println("Firma OK");
        Iterator it = signature.getSignedInfo().getReferences().iterator();
        if (((Reference) it.next()).validate(valContext))
            System.out.println("ref OK");
        boolean isValid = signature.validate(valContext);
        System.out.println("Validating the signature... " +
            (isValid ? "valid" : "invalid"));
    }

    /**
     * Outputs DOM representation to the standard output stream.
     *
     * @param root The DOM representation to be outputted
     */
    private static void dumpDOMDocument(org.w3c.dom.Node root)
            throws TransformerException, TransformerConfigurationException {
        System.out.println("\n");
        // Create a new transformer object
        Transformer transformer =
            TransformerFactory.newInstance().newTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        // Dump the DOM representation to standard output
        transformer.transform(new DOMSource(root), new StreamResult(System.out));
        System.out.println("\n");
    }

    /**
     * Returns the first child element of the specified node, or null if there
     * is no such element.
     *
     * @param node the node
     * @return the first child element of the specified node, or null if there
     *     is no such element
     * @throws NullPointerException if <code>node == null</code>
     */
    private static Element getFirstChildElement(org.w3c.dom.Node node) {
        org.w3c.dom.Node child = node.getFirstChild();
        while (child != null &&
                child.getNodeType() != org.w3c.dom.Node.ELEMENT_NODE) {
            child = child.getNextSibling();
        }
        return (Element) child;
    }

    /**
     * Returns the next sibling element of the specified node, or null if there
     * is no such element.
     *
     * @param node the node
     * @return the next sibling element of the specified node, or null if there
     *     is no such element
     * @throws NullPointerException if <code>node == null</code>
     */
    public static Element getNextSiblingElement(org.w3c.dom.Node node) {
        org.w3c.dom.Node sibling = node.getNextSibling();
        while (sibling != null &&
                sibling.getNodeType() != org.w3c.dom.Node.ELEMENT_NODE) {
            sibling = sibling.getNextSibling();
        }
        return (Element) sibling;
    }
}
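
Both posts above turn on how JSR 105 resolves and digests a same-document reference such as #1. The following is an added example, not the poster's code and not taken from the JSR 105 reference implementation: it signs a wsu:Timestamp, re-parses the serialized message as a receiver would, and reports the outcome with the ID attribute unregistered, registered, and with the referenced element changed after signing. Assumptions: the class name IdReferenceDemo, the ID value TS-1, the sample timestamps, and RSA with SHA-256 in place of the DSA/SHA-1 used in the posts.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class IdReferenceDemo {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    // Namespace-aware parse with DOCTYPE disabled; no schema, so no attribute is ID-typed.
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    static Element first(Document doc, String ns, String local) {
        return (Element) doc.getElementsByTagNameNS(ns, local).item(0);
    }

    // Sender: sign wsu:Timestamp through the same-document reference "#TS-1".
    static byte[] sign(KeyPair kp) throws Exception {
        // Constructed sample message (not from the posts).
        String xml = "<wsse:Security xmlns:wsse='" + WSSE + "' xmlns:wsu='" + WSU + "'>"
            + "<wsu:Timestamp wsu:Id='TS-1'><wsu:Created>2007-12-12T00:00:00Z</wsu:Created>"
            + "<wsu:Expires>2007-12-12T00:05:00Z</wsu:Expires></wsu:Timestamp></wsse:Security>";
        Document doc = parse(xml.getBytes(StandardCharsets.UTF_8));
        Reference ref = FAC.newReference("#TS-1", FAC.newDigestMethod(DigestMethod.SHA256, null));
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        DOMSignContext sc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        sc.putNamespacePrefix(XMLSignature.XMLNS, "ds");
        sc.setIdAttributeNS(first(doc, WSU, "Timestamp"), WSU, "Id"); // namespace URI, not the prefix
        FAC.newXMLSignature(si, null).sign(sc); // no KeyInfo: the verifier supplies the key it trusts
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    // Receiver: returns the per-part validation results, or the dereferencing error.
    static String validate(byte[] wire, PublicKey trusted, boolean registerId, boolean tamper) throws Exception {
        Document doc = parse(wire); // a fresh DOM: ID registrations made while signing are gone
        Element ts = first(doc, WSU, "Timestamp");
        if (tamper) {
            first(doc, WSU, "Created").setTextContent("2099-01-01T00:00:00Z"); // any post-signing change
        }
        DOMValidateContext vc = new DOMValidateContext(trusted, first(doc, XMLSignature.XMLNS, "Signature"));
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        if (registerId) {
            vc.setIdAttributeNS(ts, WSU, "Id"); // register on the element of THIS document
        }
        XMLSignature sig = FAC.unmarshalXMLSignature(vc);
        try {
            boolean core = sig.validate(vc);
            Reference ref = (Reference) sig.getSignedInfo().getReferences().get(0);
            // Confirm the signature covers the element we will consume, not some other ID.
            boolean covers = ("#" + ts.getAttributeNS(WSU, "Id")).equals(ref.getURI());
            return "accepted=" + (core && covers)
                + " signatureValue=" + sig.getSignatureValue().validate(vc)
                + " reference=" + ref.validate(vc);
        } catch (XMLSignatureException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] wire = sign(kp);
        System.out.println("ID not registered: " + validate(wire, kp.getPublic(), false, false));
        System.out.println("ID registered:     " + validate(wire, kp.getPublic(), true, false));
        System.out.println("element modified:  " + validate(wire, kp.getPublic(), true, true));
    }
}
```

The third case corresponds to the second post: its validation code calls setAttributeNS("S", "Id", "1") on the parsed Timestamp, passing the prefix S where a namespace URI is expected, so the referenced element gains an attribute that was not there when the digest was computed. The SignedInfo is untouched by that change, which is why the signature value still validates while the reference does not.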

Similar Messages

  • S/MIME with Detached Signature

    Can anyone provide an example of how to create a PKCS#7 S/MIME message with detached signature (content-type: application/pkcs7-signature)
    Thanks

    Indeed Barney-15E. On receiving a signed (not encrypted) email I knew I had the correct certificate but still could not reply using encryption. Then I discovered that Mail would select the correct (latest) certificate to sign email but the address book picked a different (earlier, although not expired) certificate to match the email address of the recipient.
    After removing the 2 incorrect certificates from the keychain the address book picked the correct certificate to show and Mail would be able to send encrypted messages once again. I reproduced this behavior on two different Macs (using same keys though).
    My advice would be to look for discrepancies in the certificate shown by the address book.

  • Verifying detached signature

    Hi,
    I'm trying to verify the PKCS7 detached signature. Verification is working fine. But if I try to alter or delete certain characters in my signature file, it's still saying verification success. Can anybody have a look at this code and help me to sort out this issue? Is there any other way with which I can verify the signature?
    Here is the code:
    import java.security.Security;
    import java.io.*;
    import org.bouncycastle.jce.PKCS7SignedData;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import java.util.Arrays;
    import java.util.*;
    import java.text.SimpleDateFormat;
    import java.util.Iterator;
    import java.util.List;
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.CertificateParsingException;
    import java.io.FileInputStream;
    import javax.security.auth.x500.X500Principal;
    import java.lang.*;
    import java.io.PrintWriter;
    import java.security.cert.*;
    import java.util.Vector;
    import java.lang.*;
    import java.io.IOException;
    import java.util.Collection;
    import javax.security.auth.x500.X500Principal;
    import org.bouncycastle.cms.CMSSignedData;
    import org.bouncycastle.cms.SignerInformation;
    import org.bouncycastle.cms.SignerInformationStore;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    class VerifyP7s {
        public static void main(String args[]) {
            if (args.length < 2)
                usage();
            //Plug the Provider into the JCA/JCE
            Security.addProvider(new BouncyCastleProvider());
            FileInputStream freader = null;
            //------ Get the content data from file -------------
            File f = new File(args[1]) ;
            int sizecontent = ((int) f.length());
            byte[] bytes = new byte[sizecontent];
            try {
                freader = new FileInputStream(f);
                System.out.print("\nContent Bytes: " + freader.read(bytes, 0, sizecontent));
                freader.close();
            }
            catch(IOException ioe) {
                System.out.println(ioe.toString());
                return;
            }
            //------ Get the pkcs #7 data from file -------
            File p7s = new File(args[0]) ;
            int size = ((int) p7s.length());
            byte[] bytessig = new byte[size];
            try {
                freader = new FileInputStream(p7s);
                System.out.println(" PKCS#7 bytes: " + freader.read(bytessig, 0, size));
                freader.close();
            }
            catch(IOException ioe) {
                System.out.println(ioe.toString());
                return;
            }
            // --- Use Bouncy Castle provider to attempt verification of p7s ---
            if(isBase64Encoded(bytessig)){
                System.out.println("Signature file is BASE64 encoded") ;
                try{
                    sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder() ;
                    byte[] bdecoded = dec.decodeBuffer(new String(bytessig));
                    if (isVerified(bdecoded, bytes))
                        System.out.println("Verified pkcs#7 data: \"" + args[0] + "\" as BASE64-encoded DER file\n" +
                            "against content file \"" + args[1] + "\"") ;
                    else
                        System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
                }
                catch(Exception exc) {
                    System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
                    return;
                }
            }
            else { //if NOT base64 encoded
                if (isVerified(bytessig, bytes))
                    System.out.println("Verified pkcs#7 data: \"" + args[0] + "\" as binary DER file\n" +
                        "against content file \"" + args[1] + "\"") ;
                else
                    System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
            }
        }

        private static byte[] toUnicode(byte[] bytes) {
            byte[] ucbytes = new byte[2*bytes.length];
            for (int j = 0; j< bytes.length; j++) {
                ucbytes[2*j] = bytes[j];
                ucbytes[2*j+1] = 0x00; //null byte for UNICODE encoding
            }
            return ucbytes;
        }

        private static final boolean isVerified(byte[] sig, byte[] content) {
            try{
                PKCS7SignedData pkcs7 = new PKCS7SignedData(sig);
                pkcs7.update(content, 0, content.length); // Update checksum
                boolean verified = pkcs7.verify(); // Does it add up?
                if(!verified) { //see if original data was UNICODE byte encoding
                    //System.out.println("Original byte content not verified.\nTrying UNICODE encoding ...");
                    pkcs7 = new PKCS7SignedData(sig);
                    pkcs7.update(toUnicode(content), 0, 2*content.length);
                    verified = pkcs7.verify();
                    if(verified){
                        System.out.println("\nUNICODE-encoding of signed content was verified.");
                        return true;
                    }
                    else
                        //System.out.println("\nCould NOT verify signed detached content");
                        return false;
                }
                else {
                    System.out.println("ANSI-encoding of signed content was verified.");
                    return true ;
                }
            }
            catch(java.security.cert.CRLException crle) {
                //System.out.println("crl " + crle.toString());
                return false;
            }
            catch(java.security.SignatureException sigex) {
                //System.out.println("sigexcept " + sigex.toString());
                return false;
            }
            catch(Exception secex) {
                //System.out.println("other exception " + secex.toString());
                return false;
            }
        }

        private static final boolean isBase64Encoded(byte[] data) {
            Arrays.sort(Base64Map);
            for (int i=0; i<data.length; i++){
                //System.out.println("data[" + i + "] " + (char)data[i]) ;
                if( Arrays.binarySearch(Base64Map, (char)data[i])<0
                        && !Character.isWhitespace((char)data[i]) )
                    return false;
            }
            return true;
        }

        public String printX509Cert(X509Certificate cert){
            try{
                String discrt = cert.getPublicKey().toString();
                return discrt;
            }
            catch(Exception exception)
            {
                System.err.println("Exception is: "+exception.getMessage());
                String ex = exception.getMessage();
                return ex;
            }
        }

        private static char[] Base64Map =
            { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
              'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
              'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
              'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
              'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
              'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
              'w', 'x', 'y', 'z', '0', '1', '2', '3',
              '4', '5', '6', '7', '8', '9', '+', '/', '='
            };

        private static void usage() {
            System.out.println("Usage:\n java VerifyP7s <pkcs #7 signature file> <contentfile> ") ;
            System.exit(1);
        }
    }
    Here is my signature file:
    My Content file is:
    <table width=100%><TR align=center><TH COLSPAN=3>Transfer Funds Request</TH></TR><TR><TD ALIGN=RIGHT><FONT COLOR="#0000FF" SIZE=-1 FACE="Courier">TRANSFER FROM</FONT></TD><TD>..........</TD><TD><FONT SIZE=-1 FACE="Courier"><B>Money Market</B></FONT></TD></TR><TR><TD ALIGN=RIGHT><FONT COLOR="#0000FF" SIZE=-1 FACE="Courier">TRANSFER TO</FONT></TD><TD>..........</TD><TD><FONT SIZE=-1 FACE="Courier"><B>Cash</B></FONT></TD></TR><TR><TD ALIGN=RIGHT><FONT COLOR="#0000FF" SIZE=-1 FACE="Courier">AMOUNT</FONT></TD><TD>..........</TD><TD><FONT SIZE=-1 FACE="Courier"><B>/ \ & \n</B></FONT></TD></TR></table><BR>I am authorizing the transfer of the above funds <B>by digitally signing </B> this request.
    Thanx in advance.

    The verifying code only checks the public key against the data.
    If you change some byte of the PKCS#7 data that can "blow up" the ASN.1 structures, you cannot get the public key, so the data would not be verified OK.
    But if you change some other byte in the PKCS#7 signature data, it could change some things that are not important to ASN.1 parsing, like changing 'Human Resource Department' to 'Departamentos de Recursos', which is a string with the same length. Since you didn't change the public key bytes, it's all OK.
    If you are concerned about PKCS#7 signature file modification, you can try verifying the signer certificates inside - an additional step, but not difficult to do.
    Your PKCS#7 signature file is dumped by DUMPASN1 as follows:
       0 30 1184: SEQUENCE {
       4 06    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
      15 A0 1169:   [0] {
      19 30 1165:     SEQUENCE {
      23 02    1:       INTEGER 1
      26 31   14:       SET {
      28 30   12:         SEQUENCE {
      30 06    8:           OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
      40 05    0:           NULL
      42 30   11:       SEQUENCE {
      44 06    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
      55 A0  889:       [0] {
      59 30  885:         SEQUENCE {
      63 30  605:           SEQUENCE {
      67 A0    3:             [0] {
      69 02    1:               INTEGER 2
      72 02   16:             INTEGER
                :               63 7D F2 4D 6D 4B C0 C7 85 56 57 8A A4 74 D2 C6
      90 30   13:             SEQUENCE {
      92 06    9:               OBJECT IDENTIFIER
                :                 md5withRSAEncryption (1 2 840 113549 1 1 4)
    103 05    0:               NULL
    105 30   49:             SEQUENCE {
    107 31   17:               SET {
    109 30   15:                 SEQUENCE {
    111 06    3:                   OBJECT IDENTIFIER organizationName (2 5 4 10)
    116 13    8:                   PrintableString 'SIFY Ltd'
    126 31   28:               SET {
    128 30   26:                 SEQUENCE {
    130 06    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
    135 13   19:                   PrintableString 'SIFY Ltd Private CA'
    156 30   30:             SEQUENCE {
    158 17   13:               UTCTime 26/07/2004 00:00:00 GMT
    173 17   13:               UTCTime 26/07/2005 23:59:59 GMT
    188 30  156:             SEQUENCE {
    191 31   17:               SET {
    193 30   15:                 SEQUENCE {
    195 06    3:                   OBJECT IDENTIFIER organizationName (2 5 4 10)
    200 14    8:                   TeletexString 'SIFY Ltd'
    210 31   34:               SET {
    212 30   32:                 SEQUENCE {
    214 06    3:                   OBJECT IDENTIFIER
                :                     organizationalUnitName (2 5 4 11)
    219 14   25:                   TeletexString 'Human Resource Department'
    246 31   27:               SET {
    248 30   25:                 SEQUENCE {
    250 06    3:                   OBJECT IDENTIFIER
                :                     organizationalUnitName (2 5 4 11)
    255 14   18:                   TeletexString 'EmployeeID - SF067'
    275 31   27:               SET {
    277 30   25:                 SEQUENCE {
    279 06    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
    284 13   18:                   PrintableString 'Sudeep Kumar P. K.'
    304 31   41:               SET {
    306 30   39:                 SEQUENCE {
    308 06    9:                   OBJECT IDENTIFIER
                :                     emailAddress (1 2 840 113549 1 9 1)
    319 16   26:                   IA5String '[email protected]'
    347 30  159:             SEQUENCE {
    350 30   13:               SEQUENCE {
    352 06    9:                 OBJECT IDENTIFIER
                :                   rsaEncryption (1 2 840 113549 1 1 1)
    363 05    0:                 NULL
    365 03  141:               BIT STRING, encapsulates {
    369 30  137:                   SEQUENCE {
    372 02  129:                     INTEGER
                :                   00 D1 8E A5 22 21 64 40 D0 E5 9E 9C C4 B3 29 66
                :                   CB 22 E5 65 9D 0F 48 7B 90 55 A4 6D 73 D0 93 CE
                :                   36 1E A0 81 14 F7 02 95 45 16 59 E4 FF 2C 9D 74
                :                   54 20 BD 15 FD 0A AC 8E 65 BE 21 A5 F6 E9 A7 55
                :                   6F 8B 78 26 22 23 F9 2C 9D E6 BF A7 BB 4A 7C E8
                :                   0D 34 EF 94 06 82 78 3C 4E 57 9D 41 2A D3 70 85
                :                   59 D1 E1 18 D7 EE 90 DA 96 66 23 02 F9 B5 17 F1
                :                   EE BE 6E 51 54 FF A8 A9 52 D1 E6 22 42 2B 94 D6
                :                           [ Another 1 bytes skipped ]
    504 02    3:                     INTEGER 65537
    509 A3  160:             [3] {
    512 30  157:               SEQUENCE {
    515 30    9:                 SEQUENCE {
    517 06    3:                   OBJECT IDENTIFIER basicConstraints (2 5 29 19)
    522 04    2:                   OCTET STRING, encapsulates {
    524 30    0:                       SEQUENCE {}
    526 30   11:                 SEQUENCE {
    528 06    3:                   OBJECT IDENTIFIER keyUsage (2 5 29 15)
    533 04    4:                   OCTET STRING, encapsulates {
    535 03    2:                       BIT STRING 5 unused bits
                :                         '101'B
    539 30   17:                 SEQUENCE {
    541 06    9:                   OBJECT IDENTIFIER
                :                     netscape-cert-type (2 16 840 1 113730 1 1)
    552 04    4:                   OCTET STRING, encapsulates {
    554 03    2:                       BIT STRING 7 unused bits
                :                         '1'B (bit 0)
    558 30   93:                 SEQUENCE {
    560 06    3:                   OBJECT IDENTIFIER
                :                     cRLDistributionPoints (2 5 29 31)
    565 04   86:                   OCTET STRING, encapsulates {
    567 30   84:                       SEQUENCE {
    569 30   82:                         SEQUENCE {
    571 A0   80:                           [0] {
    573 A0   78:                             [0] {
    575 86   76:                               [6]
                :                   'http://onsitecrl.safescrypt.com/SIFYLtdHumanReso'
                :                   'urceDepartment/LatestCRL.crl'
    653 30   17:                 SEQUENCE {
    655 06   10:                   OBJECT IDENTIFIER '2 16 840 1 113733 1 6 9'
    667 04    3:                   OCTET STRING, encapsulates {
    669 01    1:                       BOOLEAN TRUE
    672 30   13:           SEQUENCE {
    674 06    9:             OBJECT IDENTIFIER
                :               md5withRSAEncryption (1 2 840 113549 1 1 4)
    685 05    0:             NULL
    687 03  257:           BIT STRING
                :             69 14 41 A6 4C 73 92 7C 0F D2 91 E0 BF 6E F6 44
                :             DE C6 29 05 4D 3E 44 6F 22 4A 6F 83 4D B3 F9 B6
                :             20 B2 59 3F 8B D0 08 9D 4D 60 E4 D1 9B 97 CF BC
                :             80 78 5F 4D 47 43 99 CB 1A 77 FE FF 8E 41 89 F7
                :             43 46 B5 6B 07 BE 24 A9 C3 08 3F B3 6B 27 A1 70
                :             F6 EF 0F EA BB F5 66 07 3B 92 1B 9B 95 00 D9 59
                :             C6 A0 16 D5 DC 20 E1 8F 5A 82 94 2C AA 96 51 0A
                :             55 69 35 D6 20 7A C2 ED B8 3F 30 77 D6 E0 11 C6
                :                     [ Another 128 bytes skipped ]
    948 31  237:       SET {
    951 30  234:         SEQUENCE {
    954 02    1:           INTEGER 1
    957 30   69:           SEQUENCE {
    959 30   49:             SEQUENCE {
    961 31   17:               SET {
    963 30   15:                 SEQUENCE {
    965 06    3:                   OBJECT IDENTIFIER organizationName (2 5 4 10)
    970 13    8:                   PrintableString 'SIFY Ltd'
    980 31   28:               SET {
    982 30   26:                 SEQUENCE {
    984 06    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
    989 13   19:                   PrintableString 'SIFY Ltd Private CA'
    1010 02   16:             INTEGER
                :               63 7D F2 4D 6D 4B C0 C7 85 56 57 8A A4 74 D2 C6
    1028 30   12:           SEQUENCE {
    1030 06    8:             OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
    1040 05    0:             NULL
    1042 30   13:           SEQUENCE {
    1044 06    9:             OBJECT IDENTIFIER
                :               rsaEncryption (1 2 840 113549 1 1 1)
    1055 05    0:             NULL
    1057 04  128:           OCTET STRING
                :             35 29 91 5E 59 A6 2E FC D6 F4 E6 B7 27 40 74 E5
                :             49 ED C7 9C 9D 0F 6F F1 F7 53 67 03 20 CF 9E 90
                :             DD 92 34 A6 3E BE EB 47 BC 94 86 9F 3B 79 A8 E7
                :             DE 9E 08 5D A6 06 C6 66 DB 01 0E D4 F8 67 5C F2
                :             80 40 55 D6 22 C7 83 A7 41 95 76 6C 13 A7 5B 47
                :             33 67 BD 7C 2D 9B 3A 9A 4D 84 12 A4 A5 90 2B DB
                :             A3 C4 EB F0 48 0E 2B 6D 13 5A CC F2 72 4E 6B EF
                :             65 CC 97 03 08 10 69 24 CD CC 76 51 E3 63 EF 2F
                :   }
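The additional step suggested in the reply above, as an added example that is not code from the thread: the signer certificate is validated up to a CA certificate you already trust, so a byte changed inside the embedded certificate (such as the subject string) breaks the CA's signature over it and is rejected. The class and method names and the two command-line arguments are hypothetical; it assumes the trusted CA certificate was obtained out of band, and it takes the single non-CA certificate in the file as the signer, where a PKCS#7 library would identify it from the SignerInfo.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Added example: class, method and argument names are hypothetical.
public class VerifySignerChain {

    // Returns the certificates carried in a PKCS#7 SignedData file (raw DER or
    // bare base64, as posted). The JDK's X.509 CertificateFactory reads only the
    // certificates field; the signature and content are ignored here.
    static List<X509Certificate> certsFromP7s(String path) throws Exception {
        byte[] raw = Files.readAllBytes(Paths.get(path));
        if (raw.length > 0 && raw[0] != 0x30) {   // not a DER SEQUENCE: treat as base64
            raw = Base64.getMimeDecoder().decode(raw);
        }
        List<X509Certificate> certs = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(raw))) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }

    // Builds and validates a PKIX path from the signer to the trusted CA, using
    // the other certificates in the file as candidate intermediates.
    // Returns the trust anchor the path ends at; throws if no valid path exists.
    static X509Certificate validateSigner(X509Certificate signer,
                                          List<X509Certificate> bag,
                                          X509Certificate trustedCa,
                                          Date when,
                                          boolean checkRevocation) throws Exception {
        // keyUsage bit 0 = digitalSignature, bit 1 = nonRepudiation
        boolean[] ku = signer.getKeyUsage();
        if (ku != null && !ku[0] && !ku[1]) {
            throw new CertificateException("signer certificate is not allowed to sign data");
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(trustedCa, null)), target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(bag)));
        params.setDate(when);                         // validity period is checked at this time
        params.setRevocationEnabled(checkRevocation); // true needs reachable CRL/OCSP data
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        return result.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("Usage: java VerifySignerChain <pkcs #7 signature file> <trusted CA certificate file>");
            System.exit(1);
        }
        List<X509Certificate> bag = certsFromP7s(args[0]);
        X509Certificate signer = null;
        for (X509Certificate c : bag) {
            if (c.getBasicConstraints() < 0) {        // -1 means "not a CA"
                signer = c;
            }
        }
        if (signer == null) {
            System.err.println("No end-entity certificate found in " + args[0]);
            System.exit(2);
        }
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        try {
            // Revocation is not checked in this run; pass true once CRLs are available.
            X509Certificate anchor = validateSigner(signer, bag, ca, new Date(), false);
            System.out.println("Signer " + signer.getSubjectX500Principal()
                    + " chains to " + anchor.getSubjectX500Principal());
        } catch (CertPathBuilderException | CertificateException e) {
            System.out.println("Signer certificate rejected: " + e.getMessage());
            System.exit(3);
        }
    }
}
```

The certificate in the dump above is signed with md5withRSAEncryption and its validity ended on 26/07/2005, so with today's date and the default `jdk.certpath.disabledAlgorithms` setting of current JDKs, which lists MD5, this check is expected to reject it.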

  • Digital Signatures with SmartCards.

    Hi guys,
    Has anyone implemented in R/3 digital signatures with smartcards?
    Currently I'm at customer side trying to implement digital signatures within workflow processes using ABAP SSF functions. The smartcard devices are already installed, but I can't read the data inside the smartcard, moreover, I can't link the smartcard device with R/3 and I don't know how to do it…
    I read in some Weblogs and documents that a SAP-certified external security product is necessary. I believe this external security product is the software that comes on the smartcard drivers CD. It is something like a little application in which we can sign in data and put our fingerprint.
    I guess it is not supposed to develop an interface application between smartcard and R/3! When I started these developments I thought that I only needed to configure some environment variables to connect these devices with R/3 and then develop the ABAP flow logic with SSF Functions - Am I right?
    Can anyone provide me some guidelines for this issue?
    Thanks in advance,
    Ricardo.

    The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.
    Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).
    The signed data is then transported back to the server where it is stored (to ensure auditability); usually you'll have to keep the (archived) data for years; the public key needs to be archived as well.
    Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.
    Regards, Wolfgang

  • I can't affix my valid digital signature to adobe reader pdf document?

    I can't affix my valid digital signature to adobe reader pdf document. When the signature field is clicked, it is not showing my digital ID so that I can sign with it. Why is it not displaying my valid digital ID?

    What is your operating system?  What is your Reader version?  What means "can not"?
    Can you post a screenshot of such a message "to buy Adobe XI"?

  • Valid Digital signature - error downloading

    Itunesetup.exe was blocked because it does not have a valid digital signature that verifies its publisher. How do I get around this?

    My neighbor had this problem with her Dell laptop using the operating system Vista. I just installed the service pack 1 and it was able to successfully get Itunes to install.

  • Verify custom plugin signature with Adobe Default Security

    Hi,
    I have a few questions using Adobe Default Security when verifying a signature.
    I've created my own signing plugin which works well. When I verify my signature it states that it is a valid signature, that the document has not been altered and that the certificate is valid. When I remove my plugin and verify the signature with the Adobe Default Security it states that the signature is invalid and that the document has been altered or corrupted. When I use the DocSign sample plugin to verify my signature it states that the signature is unknown and that the integrity has not yet been verified.
    My questions are:
    Why is Adobe Default Security telling me the signature is invalid instead of unknown, like the DocSign example?
    What can I do so that signature becomes unknown and not invalid when verified with Adobe Default Security?
    Why is Adobe Default Security telling me the document has been altered or corrupted, when it has not been changed?
    Regards,
    Magda

    As this can't be debugged without a copy of your plugin, files, etc. - you will need to open up a formal support ticket for this with our Developer Support.

  • Can't open PDF.  Program does not have valid digital signature. No valid Acrobat S/N found.

    I recently bought new HP computer with Windows 7.  I loaded my Adobe Creative Suite 2 Premium.  Illustrator tries to open then just disappears.  I can not open PDF's.  Get the following message:  This program doesn't have valid digital signature that verifies it's signature.  No valid Acrobat S/N found. Acrobat will now quit.  Then: There is a problem with Adobe Acrobat/Reader. Please exit and try again.  When I exit - computer locks up.

    These can be frustrating.
    Try restarting your PC.
    Using a different browser.
    There have been reports that this can be due to router problems.
    A simple way round it is to get a friend to download the installer for you and put it on a USB stick.

  • Pulling my hairs for a valid pdf signature

    Using Acrobat Pro 9 with a new server certificate from a different CA I've been trying to put a valid signature in a pdf file. For some reason acrobat is giving me the "Signature is invalid" message with a red cross. When I open the Certificate-details dialog I see a "!" at the bottom with the message "The selected certificate path has errors: Invalid policy constraint". I'm not really sure what this means? which constraints are invalid? Then I read acrobat can make a log file during the validation process so I wondered if this could help, I got something like this (I edited some parts to protect my client):
    20110913195706Z:
    20110913195706Z: Validating cert graph with 1 chains
    20110913195706Z: Validating chain: CertChain_[edit] Length = 5
       20110913195706Z: ----ChainBuilder----
          20110913195706Z: Processing Certificate: DN: cn=[edit] CA - G2, o=[edit], c=NL Serial: [edit]
          20110913195706Z: verification time = 20110913131236+0200
          20110913195706Z: Processing Certificate: DN: cn=[edit] - G2, o=[edit], c=NL Serial: [edit]
          20110913195706Z: verification time = 20110913131236+0200
          20110913195706Z: Processing Certificate: DN: cn=[edit] - G2, o=[edit], c=NL Serial: [edit]
          20110913195706Z: verification time = 20110913131236+0200
          20110913195706Z: Processing Certificate: DN: cn=[edit] - G2, o=[edit], c=NL Serial: [edit]
          20110913195706Z: verification time = 20110913131236+0200
          20110913195706Z: Processing Certificate: DN: cn=[edit], ou=[edit], o=[edit], l=[edit], st=[edit], c=NL Serial: [edit]
          20110913195706Z: verification time = 20110913131236+0200
          20110913195706Z: Chain builder added trouble flags 0x200
       20110913195706Z: Finished Chain Validation.  TroubleFlags: 200
    20110913195706Z:
    I'm particularly interested if anyone knows what this line "Chain builder added trouble flags 0x200" means???
    Any help is greatly appreciated!

    Hi lullolullo,
    You've come to the right place. Signature validation starts with trust. If you don't trust the signer, or one of the certificates in the signing chain, then nothing happens. A signature chain looks something like this:
    Big Time CA Root Cert
        Intermediate Certificate Authority
            End-Entity (the signer, or in this case, you)
    You have to assign trust to at least one of the certificates in the signature chain. You can either add trust via the Manage Trusted Identities dialog, or, via a preference where you can inherit trust from the Windows Certificate Store (Windows only, no Mac). To see the chain in the signature you are looking at do the following:
    Right Mouse Click on the signature
    Select Show Signature Properties from the pop-up menu
    Click the Show Certificate button on the Signature Properties dialog
    The chain is displayed in the tree view on the left side of the dialog
    If you select the Trust tab and then select the different certificates in the chain view you will be able to see which one is the trust anchor.
    Enough about trust, on to Policy Restrictions. When a Certificate Authority (CA) issues certificates they will often add the Certificate Policy extension. You can find this by selecting the Details tab and scrolling the list box for Certificate Policies. The policy is a long dotted number that acts as a marker for a specific set of rules. The rules themselves tend to be published online in a "Certificate Practice Statement" document, but that's getting a little beyond the scope of your problem. The rule might mean something like all certificates issued under this policy constraint are issued to employees of Company XYZ and have to be on a hardware token. That's an example of something you might see, but I'm not saying it's the exact scenario you are facing.
    The Root CA usually doesn't have a Certificate Policy extension, but all of the certs under it do meaning that this particular chain obeys a specific set of rules.
    On to enforcing the rules. Let's say you have Big Time CA that issues certificates for IBM, Microsoft, Apple, and Adobe. Each one of those chains would contain a different Certificate Policy. Now let's say that I've trusted Big Time CA, which means every signature created that chains up to Big Time CA would be trusted and valid. Now let's say I only want to trust the signatures that come from my fellow Adobe employees. What I would do is add a Policy Restriction to the trust setting, thus making trust more granular.
    Next up, where to find the Policy Restriction. Select the Policies tab on the Certificate Viewer. When you are viewing the same certificate that is designated as the trust anchor, do you see something in the Policy Restrictions group box? By something I mean data in the Certificate Policies edit field that will appear to be grayed out. If so, then the signer's certificate and all of the other certificates in the chain have to have the Certificate Policy Extension with that number in it.
    If the restriction is there, you can remove it by going to the Manage Trusted Identities dialog, which you get to from the Advanced menu. From there you need to select Certificates from the Display drop-down list. Find the certificate that corresponds to the trust anchor, selected from the list box, and then click the Edit Trust button. Finally, select the Policy Restrictions tab on the Edit Certificate Trust dialog. However, I'm not advising you to break any company policy if they want the restriction in place.
    Steve

  • Validation of signature offline

    How to parameterize Acrobat Pro X to accept signatures offline?
    Checking a signature results in;
    "The validity of documentrecognition is UNKNOWN. Author cannot be verified"
    "The signature is valid, but the revocation of the identity of the one who signs, cannot be confirmed"
    (Apologize for the translation of messages being somewhat off the original, but had to retranslate from Norwegian language, do not know the original English text)
    Online this works, but when validating behind firewall with no access to internet, it fails.
    Can Acrobat Pro X be parameterized to perform offline validation (and give a valid result if signatures and certificate is up to date)?
    Regards
    Odd Henning Mossige

    I need to correct my issue;
    I receive a pdf, that I need to verify signature on.
    If I do this on an internet computer, it works fine,
    but how to verify the signature on a document that is offloaded the internet?
    Internet is not available from the system where signature-identification is needed.
    From your answer, it seems like this can be obtained if the one signing the document adds info to his signature?
    Regards
    Odd Henning

  • How do I add an email signature with graphic (logo)?

    On my iPhone 5 I'm trying to add an email signature with logo to my email account.

    Firefox doesn't do email, it's a web browser.
    If you are using Firefox to access web mail, you need to seek support from your service provider or a forum for that service.
    If your problem is with Thunderbird, see this forum for support.
    [http://www.mozillamessaging.com/en-US/support/]
    or this one
    [http://forums.mozillazine.org/viewforum.php?f=39]

  • Can't get Struts validator to work with ADF 10.1.3.36.73 in Jdev 10.1.3.0.4

    I am attempting to use the "How to Use the Struts Validator Plug-in with JDeveloper 10g" written by Duncan in a JDeveloper 10.1.3.0.4 application with standard model/ViewController projects. I am using JSP/Struts/ADF technologies.
    I have performed the below:
    Struts Config:
    <form-bean name="surveyDataForm" type="oracle.adf.controller.v2.struts.forms.BindingContainerValidationForm" className="oracle.adf.controller.struts.forms.BindingContainerValidationFormConfig"/>
    <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
    <set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
    </plug-in>
    In the validation.xml:
    <!DOCTYPE form-validation
    PUBLIC "-//Apache Software Foundation//
    DTD Commons Validator Rules
    Configuration 1.0//EN"
    "http://jakarta.apache.org/
    commons/dtds/validator_1_0.dtd">
    <form-validations>
    <formset>
    <form name="surveyDataForm">
    <field property="EmpName" depends="required">
    <arg0 key="survey.name"/>
    </field>
    <field property="DateOfService" depends="required">
    <arg0 key="survey.service.date"/>
    </field>
    <field property="ReloContractor" depends="required">
    <arg0 key="survey.relo.contract"/>
    </field>
    </form>
    </formset>
    </form-validations>
    And in my JSP, I have:
    <script type="text/javascript">
    <html:javascript formName="surveyDataForm"/>
    </script>
    <html:form action="/survey.do" onsubmit="return validateSurveyDataForm(this)">
    (The validation-rules.xml was copied from the JDev install jakarta-struts folder).
    I can now see the Javascript showing up in my JSP page, but I don't have a method generated for validateSurveyDataForm or any form like this. I didn't think I had to create this. Also, even without the Javascript, the validator is not called because the JBO errors for required are still showing up. The only thing I have not done is included the modelReference in the Form Bean definition in the struts-config.xml. I'm not sure this will work, or even what to populate this with, as the UIModel.xml is replaced by PageDef.xml and DataBindings.cpx changes.
    Anyone have any ideas?
    Shay

    Only have one network; wireless. On its own, the MacBook can use wifi to surf the net and Apple TV can watch movie previews from Apple via wifi.
    It did work about two months ago. I haven't used it since then for home sharing but have used the Apple TV on its own.
    I read the Troubleshooting page on Apple Support. It involves turning various things on and off, which I did

  • Install blocked does not have a valid digital signature verifying publisher.

    Windows XP blocked the install. Error message was:
    Unknown Publisher. Does not have a valid digital signature that verifies its publisher.

    That suggests that the installer is getting damaged during the download.
    I'd first try downloading an installer from the Apple website using a different web browser:
    http://www.apple.com/itunes/download/
    If you use Firefox instead of IE for the download (or vice versa), do you get a working installer?

  • HTML Signature with logo does not display when read by clients

    I have had this problem for a while now. I am using 10.5.6 and Apple Mail to send all of my emails. I have only one signature for my business email account which is a GoogleMail pro account. I have set up a signature to display my business logo which is sent with every email sent using Apple Mail through the business account with Google.
    It seems that all of the emails read by clients only show the text in the signature and not the logo??? This is infuriating as the message should display fine. Is Apple Mail incapable of sending signatures with logos? I previously sent message from Google in Safari but Google do not yet allow you to create signatures with logos, which is why I thought Apple Mail would be able to simply do this.
    Can anyone suggest a fix or recommend a decent Email Application that will do this. Is Thunderbird any good?

    Well, note that there is no e-mail client that can ensure that your logo will show up in a message, because the recipient controls how e-mail displays. Some people will have HTML display turned off, which means only a plain-text version of your message will be seen. Other people's clients may not show attached images inline. And if the logo is not attached, but is located on your web site and linked to from the e-mail, most e-mail clients have an option to ensure that such images are not loaded. (The reason: this is a common tactic used by spammers to verify addresses... if your e-mail client tries to load the image that is linked in their system to your e-mail address, then they've hit a good address and will start hammering it hard.) Thus, you need to make sure your signature is acceptable in plain text, since no matter what you do, that's all some people will see.
    That said, go to Edit -> Attachments and make sure the Always Send Windows-Friendly Attachments option is checked. This should ensure that any images in your e-mails will be readable to Windows clients.

  • Legally valid electronic signatures

    My boss has asked me to research legally valid electronic signatures. I was wondering if Adobe provided these so they can be used to sign certain documents for business and banking?

    You should checkout Adobe EchoSign:
    https://www.echosign.adobe.com
