XML digital signature validation problem - ArrayIndexOutOfBoundsException

Similar Messages

• Please help me with the digital signature validation problem?

  Please help me with the digital signature validation problem?

  Hi
  Execute the program in the Debuggin mode.
  In the Debugger Window
  Select Breakpoint -> Break point at -> Breakpoint at source code Menu Item and enter the details of the program/include/line no..
  Activate the System Debugger On from the Settings Menu.
  Hope this would help you.
  Murthy
  Edited by: Kalyanam Seetha Rama Murthy on Jul 18, 2008 7:20 AM

• XML digital signature universal validator

  Hello,
  I am looking into the xml digital signaturing and i have a few questions about this:
  1.I wondered if anybody had any idea's for making a universal validator.
  I made this validator that validates an example xml file. But i would like to hava a validator that works on all signed xml files.
  2.Also in the jwsdp examples they create an enveloping signed file from scratch with a sample program. I think with some modifications it should be possible to have a program that does this for random xml files.
  Just use an xml file as input, en get a signed xml file as output file.
  I am looking for ppl with the same problems or solutions.
  Idea's are welcome.

  Nevermind, the xml security suite of IBM takes care of that problem already :)

• Implementing XAdES in Java XML Digital Signature API

  Hi,
  I've got some problems with implementing XAdES standard with Java XML Digital Signature API. Below is a code (SignatureTest1), that produces a digital signature with some XAdES tags placed in <ds:Object> tag. The signature is later validated with a Validator class. Everything works fine, until I set a XAdES namespace (SignatureTest1.xadesNS="http://uri.etsi.org/01903/v1.3.2#"). In this case validation of XAdES elements fails.
  The reason of validation failture is a difference between arguments passed to a digest method when document is being signed and validated. When the document is being signed a log looks like this:
  FINER: Pre-digested input:
  2007-08-21 15:38:44 org.jcp.xml.dsig.internal.DigesterOutputStream write
  FINER: <SignedProperties xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SignP"></SignedProperties>
  2007-08-21 15:38:44 org.jcp.xml.dsig.internal.dom.DOMReference digest
  FINE: Reference object uri = #SignP
  2007-08-21 15:38:44 org.jcp.xml.dsig.internal.dom.DOMReference digest
  FINE: Reference digesting completed,but while validating:
  FINER: Pre-digested input:
  2007-08-21 15:38:44 org.jcp.xml.dsig.internal.DigesterOutputStream write
  FINER: <SignedProperties xmlns="http://uri.etsi.org/01903/v1.3.2#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SignP"></SignedProperties>
  2007-08-21 15:38:44 org.jcp.xml.dsig.internal.dom.DOMReference validate
  FINE: Expected digest: MAQ/vctdkyVHVzoQWnOnQdeBw8g=
  2007-08-21 15:38:44 org.jcp.xml.dsig.internal.dom.DOMReference validate
  FINE: Actual digest: D7WajkF0U5t1GnVJqj9g1IntLQg=
  2007-08-21 15:38:44 org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
  FINE: Reference[#SignP] is valid: falseHow can I fix this?
  Signer class:
  import java.io.FileInputStream;
  import java.io.FileOutputStream;
  import java.io.OutputStream;
  import java.security.KeyPair;
  import java.security.KeyPairGenerator;
  import java.util.ArrayList;
  import java.util.Collections;
  import java.util.Iterator;
  import java.util.List;
  import javax.xml.crypto.dom.DOMStructure;
  import javax.xml.crypto.dsig.CanonicalizationMethod;
  import javax.xml.crypto.dsig.DigestMethod;
  import javax.xml.crypto.dsig.Reference;
  import javax.xml.crypto.dsig.SignatureMethod;
  import javax.xml.crypto.dsig.SignedInfo;
  import javax.xml.crypto.dsig.Transform;
  import javax.xml.crypto.dsig.XMLObject;
  import javax.xml.crypto.dsig.XMLSignature;
  import javax.xml.crypto.dsig.XMLSignatureFactory;
  import javax.xml.crypto.dsig.dom.DOMSignContext;
  import javax.xml.crypto.dsig.dom.DOMValidateContext;
  import javax.xml.crypto.dsig.keyinfo.KeyInfo;
  import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
  import javax.xml.crypto.dsig.keyinfo.KeyValue;
  import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
  import javax.xml.crypto.dsig.spec.TransformParameterSpec;
  import javax.xml.parsers.DocumentBuilderFactory;
  import javax.xml.transform.Transformer;
  import javax.xml.transform.TransformerFactory;
  import javax.xml.transform.dom.DOMSource;
  import javax.xml.transform.stream.StreamResult;
  import org.w3c.dom.Document;
  import org.w3c.dom.Element;
  import org.w3c.dom.NodeList;
  import com.sun.org.apache.xml.internal.security.utils.IdResolver;
  public class SignatureTest1 {
       public static String xadesNS=null;//"http://uri.etsi.org/01903/v1.3.2#";
       public static String signatureID="Sig1";
       public static String signedPropID="SignP";
       public static void main(String[] arg) {
          try{
            XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
            List<Reference> refs = new ArrayList<Reference>();
            Reference ref1 = fac.newReference
                ("", fac.newDigestMethod(DigestMethod.SHA1, null),
                    Collections.singletonList
                  (fac.newTransform
                 (Transform.ENVELOPED, (TransformParameterSpec) null)),
                 null, null);
            refs.add(ref1);
            Reference ref2 = fac.newReference("#"+signedPropID,fac.newDigestMethod(DigestMethod.SHA1,null),null,"http://uri.etsi.org/01903/v1.3.2#SignedProperties",null);
            refs.add(ref2);
            SignedInfo si = fac.newSignedInfo
                (fac.newCanonicalizationMethod
                 (CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
                  (C14NMethodParameterSpec) null),
                 fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
                 refs);
           KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
            kpg.initialize(512);
            KeyPair kp = kpg.generateKeyPair();
            KeyInfoFactory kif = fac.getKeyInfoFactory();
            KeyValue kv = kif.newKeyValue(kp.getPublic());
           KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            Document doc =
                dbf.newDocumentBuilder().parse("purchaseOrder.xml");
            DOMSignContext dsc = new DOMSignContext
                (kp.getPrivate(), doc.getDocumentElement());
            dsc.putNamespacePrefix(XMLSignature.XMLNS, "ds");
            Element QPElement = createElement(doc, "QualifyingProperties",null,xadesNS);
          QPElement.setAttributeNS(null, "Target", signatureID);
          Element SPElement = createElement(doc, "SignedProperties", null,xadesNS);
          SPElement.setAttributeNS(null, "Id", signedPropID);
          IdResolver.registerElementById(SPElement, signedPropID);
          QPElement.appendChild(SPElement);
          Element UPElement = createElement(doc, "UnsignedProperties", null,xadesNS);
          QPElement.appendChild(UPElement);
          DOMStructure qualifPropStruct = new DOMStructure(QPElement);
          List<DOMStructure> xmlObj = new ArrayList<DOMStructure>();
          xmlObj.add(qualifPropStruct);
          XMLObject object = fac.newXMLObject(xmlObj,"QualifyingInfos",null,null);
          List objects = Collections.singletonList(object);
          XMLSignature signature = fac.newXMLSignature(si, ki,objects,signatureID,null);
            signature.sign(dsc);
            OutputStream os = new FileOutputStream("signedPurchaseOrder.xml");
            TransformerFactory tf = TransformerFactory.newInstance();
            Transformer trans = tf.newTransformer();
            trans.transform(new DOMSource(doc), new StreamResult(os));
          }catch(Exception e){
               e.printStackTrace();
          try{
          Validator.main(null);
          }catch(Exception e){
               System.out.println("Validator exception");
               e.printStackTrace();
       public static Element createElement(Document doc, String tag,String prefix, String nsURI) {
            String qName = prefix == null ? tag : prefix + ":" + tag;
           return doc.createElementNS(nsURI, qName);
  }Validator class:
  import javax.xml.crypto.*;
  import javax.xml.crypto.dsig.*;
  import javax.xml.crypto.dom.*;
  import javax.xml.crypto.dsig.dom.DOMValidateContext;
  import javax.xml.crypto.dsig.keyinfo.*;
  import java.io.FileInputStream;
  import java.security.*;
  import java.util.Collections;
  import java.util.Iterator;
  import java.util.List;
  import javax.xml.parsers.DocumentBuilderFactory;
  import org.w3c.dom.Document;
  import org.w3c.dom.NodeList;
  * This is a simple example of validating an XML
  * Signature using the JSR 105 API. It assumes the key needed to
  * validate the signature is contained in a KeyValue KeyInfo.
  public class Validator {
      // Synopsis: java Validate [document]
      //       where "document" is the name of a file containing the XML document
      //       to be validated.
      public static void main(String[] args) throws Exception {
       // Instantiate the document to be validated
       DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
       dbf.setNamespaceAware(true);
       Document doc =
              dbf.newDocumentBuilder().parse(new FileInputStream("signedPurchaseOrder.xml"));
       // Find Signature element
       NodeList nl =
           doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
       if (nl.getLength() == 0) {
           throw new Exception("Cannot find Signature element");
       // Create a DOM XMLSignatureFactory that will be used to unmarshal the
       // document containing the XMLSignature
       XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
       // Create a DOMValidateContext and specify a KeyValue KeySelector
          // and document context
       DOMValidateContext valContext = new DOMValidateContext
           (new KeyValueKeySelector(), nl.item(0));
       // unmarshal the XMLSignature
       XMLSignature signature = fac.unmarshalXMLSignature(valContext);
       // Validate the XMLSignature (generated above)
       boolean coreValidity = signature.validate(valContext);
       // Check core validation status
       if (coreValidity == false) {
               System.err.println("Signature failed core validation");
           boolean sv = signature.getSignatureValue().validate(valContext);
           System.out.println("signature validation status: " + sv);
           // check the validation status of each Reference
           Iterator i = signature.getSignedInfo().getReferences().iterator();
           for (int j=0; i.hasNext(); j++) {
            boolean refValid =
                ((Reference) i.next()).validate(valContext);
            System.out.println("ref["+j+"] validity status: " + refValid);
       } else {
               System.out.println("Signature passed core validation");
       * KeySelector which retrieves the public key out of the
       * KeyValue element and returns it.
       * NOTE: If the key algorithm doesn't match signature algorithm,
       * then the public key will be ignored.
      private static class KeyValueKeySelector extends KeySelector {
       public KeySelectorResult select(KeyInfo keyInfo,
                                          KeySelector.Purpose purpose,
                                          AlgorithmMethod method,
                                          XMLCryptoContext context)
              throws KeySelectorException {
              if (keyInfo == null) {
            throw new KeySelectorException("Null KeyInfo object!");
              SignatureMethod sm = (SignatureMethod) method;
              List list = keyInfo.getContent();
              for (int i = 0; i < list.size(); i++) {
            XMLStructure xmlStructure = (XMLStructure) list.get(i);
                   if (xmlStructure instanceof KeyValue) {
                      PublicKey pk = null;
                      try {
                          pk = ((KeyValue)xmlStructure).getPublicKey();
                      } catch (KeyException ke) {
                          throw new KeySelectorException(ke);
                      // make sure algorithm is compatible with method
                      if (algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
                          return new SimpleKeySelectorResult(pk);
              throw new KeySelectorException("No KeyValue element found!");
          //@@@FIXME: this should also work for key types other than DSA/RSA
       static boolean algEquals(String algURI, String algName) {
              if (algName.equalsIgnoreCase("DSA") &&
            algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) {
            return true;
              } else if (algName.equalsIgnoreCase("RSA") &&
                         algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1)) {
            return true;
              } else {
            return false;
      private static class SimpleKeySelectorResult implements KeySelectorResult {
       private PublicKey pk;
       SimpleKeySelectorResult(PublicKey pk) {
           this.pk = pk;
       public Key getKey() { return pk; }
  }PurchaseOrder.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <PurchaseOrder>
  <Item number="130046593231">
    <Description>Video Game</Description>
    <Price>10.29</Price>
  </Item>
  <Buyer id="8492340">
    <Name>My Name</Name>
    <Address>
     <Street>One Network Drive</Street>
     <Town>Burlington</Town>
     <State>MA</State>
     <Country>United States</Country>
     <PostalCode>01803</PostalCode>
    </Address>
  </Buyer>
  </PurchaseOrder>signedPurchaseOrder.xml with XAdES namespace:
  <?xml version="1.0" encoding="UTF-8" standalone="no"?><PurchaseOrder>
  <Item number="130046593231">
    <Description>Video Game</Description>
    <Price>10.29</Price>
  </Item>
  <Buyer id="8492340">
    <Name>My Name</Name>
    <Address>
     <Street>One Network Drive</Street>
     <Town>Burlington</Town>
     <State>MA</State>
     <Country>United States</Country>
     <PostalCode>01803</PostalCode>
    </Address>
  </Buyer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Sig1"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>tVicGh6V+8cHbVYFIU91o5+L3OQ=</ds:DigestValue></ds:Reference><ds:Reference Type="http://uri.etsi.org/01903/v1.3.2#SignedProperties" URI="#SignP"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>MAQ/vctdkyVHVzoQWnOnQdeBw8g=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>lSgzfZCRIlgrgr6YpNOdB3XWdF9P9TEiXfkNoqUpAru/I7IiyiFWJg==</ds:SignatureValue><ds:KeyInfo><ds:KeyValue><ds:DSAKeyValue><ds:P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9
  xD7nN1kuFw==</ds:P><ds:Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</ds:Q><ds:G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0Nogps
  QW5QvnlMpA==</ds:G><ds:Y>p48gU203NGPcs9UxEQQQzQ19KBtDRGfEs3BDt0cbCRJHMh3EoySpeqOnuTeKLXuFr96nzAPq4BEU
  dNAc7XpDvQ==</ds:Y></ds:DSAKeyValue></ds:KeyValue></ds:KeyInfo><ds:Object Id="QualifyingInfos"><QualifyingProperties Target="Sig1" xmlns="http://uri.etsi.org/01903/v1.3.2#"><SignedProperties Id="SignP"/><UnsignedProperties/></QualifyingProperties></ds:Object></ds:Signature></PurchaseOrder>

  I believe the problem is that you are not explicitly adding the xades namespace
  attribute to the SignedProperties element before generating the signature. Thus,
  the namespace attribute is not visible when canonicalizing, but when you serialize the
  DOM tree to an output stream, (for reasons I'm not entirely sure why), the namespace
  attribute is visible and is added to the SignedProperties element, which breaks the
  signature.
  You must always explicitly add namespace attributes using the Element.setAttributeNS
  method. Try changing the following code from:
  Element SPElement = createElement(doc, "SignedProperties", null,xadesNS);
  to:
  Element SPElement = createElement(doc, "SignedProperties", null,xadesNS);
  SPElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", xadesNS);

• Digital Signature validation issue in Adapter Module

  Hi guys,
  we have developed an adapter module for digital signature validation, unfortunately, it simetimes work, sometimes doesnt. Strange is, that the same adapter module works for one customer, while for another one doesn't.
  We have sent through some "invalid" messages, which should have been valid at the client, where the module works and theu were flagged as valid. It seems the problem is caused by "special" spanish characters, because validation works for the messages where are only standard chars.
  Any idea, what to check? Java version, system encoding?
  Any help appreciated,
  Olian

  Hi,
  Not really sure about what causes such issues, but if your module coding uses String and byte[] manipulation, are you using explicite encoding when declaring such types ? I remember facing strange issues with XML field values, and "forcing" encoding to "UTF-8" when appropriate, it solved all my errors (string typed object, when converted internally by the JVM, were not always represented by the same bytes object)
  Hope this helps
  Chris

• XML Digital Signature and sun PKCS#11

  Hi,
  I am trying to use xmldsig/xmlsec from Java Web Services Developer's Pack to do signing of XML documents. My goal is to use the keys from the card via sunpkcs11 to perform this signature.
  At this stage, i'm able to get the correct key from the card via sun pkcs 11 (J2SE 5) and able to sign some data with it.
  However, when i try to sign a xml document via xmldsig, i get the error which i believe to occur while trying to read the private key from the card as a string, which results in a "not a byte[]" exception.
  At this stage, are there any ways to configure the xmldsig/xmlsec to use the pkcs11 provider?
  I understand that the current implementation of XML Digital signature is using apache XML libraries. Is the source code for the wsdp downloadable from SUN?
  If not, will it be possible to make use of the open-source apache XML jars, set it up for pkcs11 and use it instead?
  Finally, has anyone done what I'm trying to do? Will be glad to know
  Thank u in advance,
  Louis

  Hello
  Did you resolve yout problem, because i have the same when i try to sign message
  String testData = "Hello World";
  p11KeyStore = KeyStore.getInstance("PKCS11");
  p11KeyStore.load(null, new char[] {'1', '2', '3', '4'});
  sig = Signature.getInstance("SHA1withRSA");
  sig.initSign( (PrivateKey) p11KeyStore.getKey(myAlias, null));
  sig.update(testData.getBytes());
  signatureBytes = sig.sign()
  This code fails and i get java.lang.RuntimeException: Not a byte[]
       at sun.security.pkcs11.wrapper.CK_ATTRIBUTE.getBigInteger(CK_ATTRIBUTE.java:168)
       at sun.security.pkcs11.P11Key$P11RSAPrivateKey.fetchValues(P11Key.java:419)

• Java XML Digital Signature API, how to sign different files

  Hello,
  I need to sign several files: binary and/or xml (in some cases just part of xml), and to implement digitla signatures in xAdes standard. So I'm looking to use Java XML Digital signature API, but can't find any examples, that would cover issues I encountered:
  How to sign binary file?
  Just to sign some simple "aaa.png" file and have it's signature in XML. How in right way to create referece?
  (should it be something like: Reference ref = fac.newReference("aaa.png", fac.newDigestMethod(DigestMethod.SHA1, null), null, null, null); )
  And how to pass file for signing? what to add/change to this code:
  Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("aaa.png"));
  DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), doc.getDocumentElement());
  (I have only found some information about needing to "dereference" or so - but no examples, how to make things work.)
  How to sing several different files?
  As I wrote before, several files needs to be signed, but in all examples, it's only one Document object (and only one file), how/where to add more files and if API will be capable to deal with such thing?
  In one of examples what I have to achive was such code:
  <Reference URI="aaa.png" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>8rl/xzjAnE4yQQ2LTBvFTU2JH+c=</DigestValue>
  </Reference>
  If I do write code like: "fac.newReference("aaa.png", <...> );
  I'll get an error during signing: signature.sign(dsc);
  *"java.net.MalformedURLException: no protocol: aaa.png"*
  How to avoid this?
  Also, from exmaple (what to reach) above:
  <Reference URI="aaa.png" xmlns="http://www.w3.org/2000/09/xmldsig#">
  There is additional attribute "xmlns=<...>" - the question is if it is possible to add it by XMLSignatureFactory.newReference ?
  Java API adds a lot of prefixes "ds:" , like:
  <...>
  <ds:Reference URI="file:/D:/try5/SignableMetadata0.xml">
  <ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  </ds:Transforms>
  <...>
  Is it possible to avoid them?
  Any help on any of these questions would be very appreciated

  Hi,
  I would like to sign a specific part of a xml message [Only the contents under the <Buyer> tag]. I have also pasted the code which i used to do this. I am getting an output xml after the xml is signed, but when I validate the xml , the xml is valid even after I change the xml contents. Could you pls tell me what I am doing wrong here. I want to know whether the xpath implementation which I have done is correct.
  <?xml version="1.0" encoding="UTF-8"?>
  <PurchaseOrder>
  <Item number="130046593231">
  <Description>Video Game</Description>
  <Price>10.29</Price>
  </Item>
  *<Buyer id="8492340">*
  *<Name>My Name</Name>*
  *<Address>*
  *<Street>One Network Drive</Street>*
  *<Town>Burlington</Town>*
  *<State>MA</State>*
  *<Country>United States</Country>*
  *<PostalCode>01803</PostalCode>*
  *</Address>*
  *</Buyer>*</PurchaseOrder>
  // The code which i have used to perform the xpath transformation.
            XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
       XPathFilterParameterSpec xpathFilter = new XPathFilterParameterSpec("PurchaseOrder/Buyer");
            javax.xml.crypto.dsig.Reference ref = fac.newReference
            ("", fac.newDigestMethod(DigestMethod.SHA1, null),
            Collections.singletonList
            (fac.newTransform
            (Transform.XPATH, xpathFilter)),
            null, null);
            SignedInfo si = fac.newSignedInfo
            (fac.newCanonicalizationMethod
            (CanonicalizationMethod.INCLUSIVE,
            (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
  Collections.singletonList(ref));
  // Load the KeyStore and get the signing key and certificate.
       KeyStore ks = KeyStore.getInstance("JKS");
       char[] password = "changeme".toCharArray();
       ks.load(new FileInputStream("c:\\KeyStore"), password);
       KeyStore.PrivateKeyEntry keyEntry =
       (KeyStore.PrivateKeyEntry) ks.getEntry
       ("EISKeys", new KeyStore.PasswordProtection(password));
       X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
       // System.out.println("X509Certificate:"+cert);
       // Create the KeyInfo containing the X509Data.
       KeyInfoFactory kif = fac.getKeyInfoFactory();
       List x509Content = new ArrayList();
       x509Content.add(cert.getSubjectX500Principal().getName());
       x509Content.add(cert);
       X509Data xd = kif.newX509Data(x509Content);
       KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
       // Instantiate the document to be signed.
       DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
       dbf.setNamespaceAware(true);
       Document doc = dbf.newDocumentBuilder().parse
       (new FileInputStream("C:\\Life2012\\DigSign\\ACORD_Request.xml"));
       NodeList rootChildList = doc.getDocumentElement().getChildNodes();
       Node bodyNode = null;
       for(int i=0;i<rootChildList.getLength();i++){
            if("Buyer".equalsIgnoreCase(rootChildList.item(i).getLocalName())){
                 bodyNode = rootChildList.item(i);
                 System.out.println("Body Node is obtained"+bodyNode);
                 break;
       // Create a DOMSignContext and specify the RSA PrivateKey and
       // location of the resulting XMLSignature's parent element.
       //DOMSignContext dsc = new DOMSignContext
       // (keyEntry.getPrivateKey(), doc.getDocumentElement());
            // Sign only the body node
       DOMSignContext dsc = new DOMSignContext
       (keyEntry.getPrivateKey(), bodyNode);
       // Create the XMLSignature, but don't sign it yet.
       XMLSignature signature = fac.newXMLSignature(si, ki);
       // Marshal, generate, and sign the enveloped signature.
       signature.sign(dsc);

• How to validate XML Digital Signature with XML DB (o PL/SQL) in Oracle 11g

  Hi,
  Do you know if there is possibility to validate XML Digital Signature using XML DB (or PL/SQL) in Oracle 11g?
  Let say I have CLOB/XMLType containing Digitally Signed XML, and I want to validate, that thsi is proper signature. I also have public key of signer (I could store it in CLOB or file or Oracle wallet).
  Is it possible to do?
  If there is need to install additional component - then which one?
  Regards,
  Paweł

  Hi,
  this is what i got from someone...
  but the links he gave are not opening up...
  u have to place a picture there and have to load the digital signatures as Jpegs on to the server to OA top
  and have to refer them in the XML for dynamically get the signature on the reports
  when u select the properties of the picture placed in the XML template,
  there will be one tab with "URL"... in that u have to give the path for that jpegs
  Pls refer the following documents for enabling digital signature on pdf documents.
  http://iasdocs.us.oracle.com/iasdl/bi_ee/doc/bi.1013/e12187/T421739T481159.htm#5013638    (refer section 'Adding or Designating a Field for Digital Signature'
  http://iasdocs.us.oracle.com/iasdl/bi_ee/doc/bi.1013/e12188/T421739T475591.htm#5013688
  (Implementing a Digital Signature
  Is the BI Publisher installed on your instance of version 10.1.3.4 or higher?
  Pls procure a digital signature as soon as possible. The process can take time. OR we could use any certificate that you already might have OR generate a certificate using Oracle Certificate Authority for demo.

• Xml digital signature api

  hello
  Has anyone tried to use the xml digital signature api on an application deployed on appserver 8.2 bundled with stucio?
  I am trying to,,but it seems i cannot work it out,.Here is what i do,,i ve built a sample application where when i clik a button the following code runs.I have imported the xmldsig.jar file i found on jwsdp-1.5 that includes the needed classes and i am using jdk 1.4.2.07.
  I should mention that when i deploy the application on tomcat 4.1.31 everything works fine and the xml file is properly signed.But it never works on when i run it on appserver.for ANY help i would be grateful!!!!!!!!
  the following code is on the click button action
  ypografi ob2 =new ypografi();
  boolean ok ;
  ok = ob2.ypegrapse("C:/attach.xml");
  the following code is the ypografi.java file
  package dokimi;
  import javax.xml.crypto.*;
  import javax.xml.crypto.dsig.*;
  import javax.xml.crypto.dom.*;
  import javax.xml.crypto.dsig.dom.DOMSignContext;
  import javax.xml.crypto.dsig.keyinfo.*;
  import java.io.FileInputStream;
  import java.io.FileOutputStream;
  import java.io.OutputStream;
  import java.security.*;
  import java.util.Collections;
  import java.util.Iterator;
  import javax.xml.parsers.DocumentBuilderFactory;
  import javax.xml.transform.*;
  import javax.xml.transform.dom.DOMSource;
  import javax.xml.transform.stream.StreamResult;
  import org.w3c.dom.Document;
  public class ypografi {
  /** Creates a new instance of ypografi */
  public ypografi() {
  public boolean ypegrapse(String nameoffile){
  // Create a DOM XMLSignatureFactory that will be used to generate the
            // enveloped signature
       try {     
  String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
            XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",(Provider) Class.forName(providerName).newInstance());
  // Create a Reference to the enveloped document (in this case we are
            // signing the whole document, so a URI of "" signifies that) and
            // also specify the SHA1 digest algorithm and the ENVELOPED Transform.
            Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),Collections.singletonList(fac.newTransform(Transform.ENVELOPED, null)),null, null);
            // Create the SignedInfo
            SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, null),fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),Collections.singletonList(ref));
  // Create a DSA KeyPair
  KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
            kpg.initialize(512);
  KeyPair kp = kpg.generateKeyPair();
  // Create a KeyValue containing the DSA PublicKey that was generated
            KeyInfoFactory kif = fac.getKeyInfoFactory();
  KeyValue kv = kif.newKeyValue(kp.getPublic());
            // Create a KeyInfo and add the KeyValue to it
  KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
            // Instantiate the document to be signed
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(nameoffile));
  // Create a DOMSignContext and specify the DSA PrivateKey and
  // location of the resulting XMLSignature's parent element
            DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
            // Create the XMLSignature (but don't sign it yet)
            XMLSignature signature = fac.newXMLSignature(si, ki);
  // Marshal, generate (and sign) the enveloped signature
  signature.sign(dsc);
            // output the resulting document
            OutputStream os;
       os = new FileOutputStream(nameoffile);
            TransformerFactory tf = TransformerFactory.newInstance();
            Transformer trans = tf.newTransformer();
            trans.transform(new DOMSource(doc), new StreamResult(os));
  }catch(Exception e){
  System.out.println(e);
  return false;
  return true;
  }

  Something like this should work:
          Text text = doc.createTextNode("testContent");
          SignatureProperty sp = fac.newSignatureProperty
              (Collections.singletonList(new DOMStructure(text)),
              "#testTarget", "testID");
          SignatureProperties sps = fac.newSignatureProperties
              (Collections.singletonList(sp), null);
          objs.add(fac.newXMLObject(Collections.singletonList(sps), null,
              null, null));

• XML digital signature XAdES support

  Are there any plans for supporting XaDES Advanced electronic signature as specified by ETSI TS 101-93?
  It's a quite common format, and well acknowledged (for instance by italian and other EU countries regulations).
  Should i file or vote an RFE?

  Charles_F wrote:
  Hi.
  I would appreciate any help regarding the topic.
  I need to create xml digital signature of files that are located in the same directory,
  let's say working directory (current directory) of application.
  I only get in the Reference tag with URI
  <Reference URI="file:/D:/projects/netbeans/CryptoHelpers/form.xml>
  althought I'd like to achieve
  <Reference URI="form.xml">To do that, just specify "form.xml" when creating the Reference and not the complete path. Change:
  Reference refList = xmlSignatureFactory.newReference(
  srcFile.toURI().toString(),
  digestMethod);
  referenceList.add(refList);to:
  Reference refList = xmlSignatureFactory.newReference(
  filePath, digestMethod);
  referenceList.add(refList);Also, make sure your baseURI is set to the directory that the file is located in and ends with a trailing slash. Change:
  signContext.setBaseURI("file:/");to
  signContext.setBaseURI("file:/D:/projects/netbeans/CryptoHelpers/");

• XML Digital Signature Canonicalisation Error.

  Hi,
  I am writing JAVA code to perform XML Digital Signature and Verification. I am using jwsdp-2.0 jar files xmldsig.jar and xmlsec.jar.
  I am successfully able to sing the xml but still have few issues.
  1. Canoniclisation on SignedInfo is not happening. API is signing the SignedInfo Element without performing Canonicalisation. I turned on debugging and it shows FINE: Canonicalized SignedInfo:error. Because its not able to perform Canonicalisation verification fails on other end.
  fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,(C14NMethodParameterSpec)null) is the canonicalisation param I am passing to SI.
  2. Not able to specify XPointer in URI string when creating Reference object. It works fine with, just id of element as reference, but not with xpointer.
  Any help on these issue is greatly appreciated.
  Thanks for your help.
  Ajit Rathod
  CODE :
  ============================================================
  import javax.crypto.SecretKey;
  import javax.crypto.spec.SecretKeySpec;
  import javax.xml.crypto.dsig.*;
  import javax.xml.crypto.dsig.dom.DOMSignContext;
  import javax.xml.crypto.dsig.spec.*;
  import java.io.ByteArrayOutputStream;
  import java.io.FileInputStream;
  import java.io.FileOutputStream;
  import java.io.OutputStream;
  import java.net.URLEncoder;
  import java.security.*;
  import java.util.Collections;
  import javax.xml.parsers.DocumentBuilderFactory;
  import javax.xml.transform.*;
  import javax.xml.transform.dom.DOMSource;
  import javax.xml.transform.stream.StreamResult;
  import org.w3c.dom.Document;
  import org.w3c.dom.NodeList;
  public class GenEnveloped {
       public static void main(String[] args) throws Exception {
  String providerName = System.getProperty
  ("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
       XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",(Provider) Class.forName(providerName).newInstance());
       String strRefURI = "";
       strRefURI = "#testID";     
       Transform trf = fac.newTransform(CanonicalizationMethod.EXCLUSIVE,(TransformParameterSpec)null);
  Reference ref = fac.newReference (strRefURI, fac.newDigestMethod(DigestMethod.SHA1,null), Collections.singletonList(trf),null,null);
       SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,(C14NMethodParameterSpec)null),fac.newSignatureMethod(SignatureMethod.HMAC_SHA1, null),Collections.singletonList(ref));     
       DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
       dbf.setNamespaceAware(true);
       Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("testSamlData.xml"));     
       NodeList nlWSSESecurity = doc.getElementsByTagName("wsse:Security");
       String strKey = "asefasfsadfasdfsfasfdfsdasdfasdf";
       ByteArrayOutputStream baos = new ByteArrayOutputStream();     
       byte keyBytes[] = strKey.getBytes();     
       SecretKey sk = new SecretKeySpec(keyBytes,SignatureMethod.HMAC_SHA1);
       XMLSignature signature = fac.newXMLSignature(si,null);
       DOMSignContext dsc = new DOMSignContext     (sk,nlWSSESecurity.item(0));     
       //DOMSignContext dsc = new DOMSignContext     (sk,doc.getDocumentElement());
       dsc.setDefaultNamespacePrefix("ds");          
  signature.sign(dsc);
       OutputStream os;
       boolean blFile = true;
       if (blFile)
            os = new FileOutputStream("testSamlDataSigned.xml");
            System.out.println("Result is written out to File system");
       else
       os = System.out;
       TransformerFactory tf = TransformerFactory.newInstance();
       Transformer trans = tf.newTransformer();
       trans.transform(new DOMSource(doc), new StreamResult(os));
  }

  Charles_F wrote:
  Hi.
  I would appreciate any help regarding the topic.
  I need to create xml digital signature of files that are located in the same directory,
  let's say working directory (current directory) of application.
  I only get in the Reference tag with URI
  <Reference URI="file:/D:/projects/netbeans/CryptoHelpers/form.xml>
  althought I'd like to achieve
  <Reference URI="form.xml">To do that, just specify "form.xml" when creating the Reference and not the complete path. Change:
  Reference refList = xmlSignatureFactory.newReference(
  srcFile.toURI().toString(),
  digestMethod);
  referenceList.add(refList);to:
  Reference refList = xmlSignatureFactory.newReference(
  filePath, digestMethod);
  referenceList.add(refList);Also, make sure your baseURI is set to the directory that the file is located in and ends with a trailing slash. Change:
  signContext.setBaseURI("file:/");to
  signContext.setBaseURI("file:/D:/projects/netbeans/CryptoHelpers/");

• Digital Signature Validation Issue

  Hi All,
  I have a problem with my digital signature fields. Whenever the user digitally signs the form, there is a message that says that the form is "Signed and all signatures are valid, but with unsigned changes after the last signature". When I open the signature panel (in Adobe Reader or in the Preview PDF tab of Livecycle) the form indicates that a bunch of fields located on the Master Page were deleted and then added (see below). Does anyone know what is causing this or how to fix it?

  I'm having the same issue as well. In addition to the additions/deletions to the master pages, the signature panel indicates that a field on the title page of my form was filled in after validation. I ran a temporary script on the signature field's postSign event, using Acrobat's signatureGetModifications() method, to narrow down where the updates are occurring, and it seems that they're taking place either at the same time the signature is validated or just after. The form is set to automatically preserve scripting changes when it is saved; switching to "manual" doesn't help. Turning field locking on/off doesn't work, either. Once the form has been saved and reopened, though, the problem disappears and the signature validates correctly.
  UPDATE 30 DEC 14: The master pages that are being "modified" have separate content areas for navigation buttons; it's these CAs, and their associated subforms and buttons, that Acrobat reports as being modified. I tried commenting out the scripts on the buttons' click events without success.
  UPDATE 15 APR 15: I've compared the preSign version of the XML for the field that's being modified with the postSign version and found that the XML is somehow being modified by the act of signing the document. To clarify: I need to fill in a date field on my form to indicate when the form is closed out. I have the signature field's preSign set up to add the current date to the date field. The preSign XML includes <value> and <date> tags, which are missing from the postSign version. Why would applying a signature modify the form's XML?

• Digital Signature validation

  I have been using digital certificates to sign pdf documents for approximately a year.  The signatures can be checked against  a CRL which is provided on the internet.  So far Adobe Acrobat Reader has worked fine, retreiving CRLS and validating certificates.
  Today I found out that since renewing expired certificates ( the default lifetime was set to 1 year) the  signatures on old signed documents are unverified .  The local time of the computer was stored in the signature not a timestamp. 
  I found that reader defaults to using the local time of the computer to validate an old signature when a timestamp is not used, this has been rectified in 9.1 so that it uses to date that the signature was generated (why on earth would it use anything else!).  I now have the signatures validated by changing this setting providing the date range of the CRL in the reader encompases the end date of the certificate.
  However, when the reader updates the CRL in the cache and the new CRL date range does not include that of the original signature the reader throws up an error stating that the CRL is invalid or expired.
  How can I get it to agree pass the validation without turning off revocation checking?  I have the CRLs that were in force at the time of the signing but there is no way I can provide them to the reader.  How can I make the reader apply the current and valid CRL to the old documents.  The expiry date of the old certificates are still in there?
  I always thought that not having to keep a CRL history for expired certificates was a dumb idea when I read the documents, but I didn't imagine that old signatures would become invalid when the certificate expired (mine have become invalid less thant 5 days after the documents were signed.  What were the developers thinking.
  This is pushing toward creating certificates with lifetimes of 100's or thousands of years so that they can always be validated.
  Anybody have a working solution.

  I have found a solution.to this
  Using a virtual machine I set the date on the system back to a point in time when the certificates were all valid.  I then create a new crl with a lifetime which makes it valid for one month from the real date (today).  I then set the date back and copy the crl to the distrubution point.
  Hey presto, acrobat reader loads the crl and is quite happy to accept it even though it has events recorded in it that happened after the date on which it was created!.
  Problem solved, but for how long?

• Digital signature valid or invalid depending on the signing Windows user

  I have a very strange problem and was not able to determine how to resolve it because I quite don't undestand the mechanisms of signing, it seems.
  I have a digital signature issued by a member of the "Adobe Approved Trust List". If I sign a document with Adobe Reader XI or Adobe Acrobat XI Standard logged in with one Windows user account the signature appears valid on any other Windows user account. If I use another Windows user account and sign the document with the same digital signature the signature is invalid in this Windows user account and any other.
  I didn't change any settings in any of the Adobe products. I use the standard configuration as present just after a fresh install.
  One thing I already checked, which nevertheless doesn't explain this strange behavior, is to enable Windows-Integration in the signature configuration of the Adobe products. If this is enabled both documents (the one signed with the "good" Windows user account and the other signed in a "bad" one) show the signature as valid on any Windows account.
  So I am wondering if, besides the signature itself, anything else is integrated into a document while being signed that could explain that behavior and, if this is the case, where the setting, trigger, whatsoever, is, to set up Adobe correctly.
  Please help.

  What do you mean by "signature is invalid"? Is it a a red X or is it Unknown? A problem with trust results in the "Unknown" status, not "Invalid".
  In any case, inspect the signature, first in the Signature panel. It will tell you some info about what's wrong with this signature. Then right-click on the signature and select "Show Signature Properties". You'll get a dialog with more info. In this dialog select "Show Signer's Certificate". Check the chain (in the left pane) and "Revocation" tab for each certificate in the chain.
  Compare this info for signatures created on a "good" account and "bad". My guess is that the "bad" account is lacking some certificate-related component.and the "good account has it. The fact that if you turn on Windows integration signature becomes valid tells me that it is something related to account.
  Another thing to try is this. Go to C:\Users\<username>\AppData\Roaming\Adobe\Acrobat\11.0\Security folder and see if it has CRLCache folder. If it has, delete it and try to sign again.
  Also compare the preferences. Check the Edit->Preferences->Signatures->Verification->More->Verification Time preference. Is it the same on both accounts? Is it "Time when the signature was created"? Is the "Include signature's revocation status" check box in  Edit->Preferences->Signatures->Verification->More->Creation and Appearances->More checked in both accounts?

• XML SAX dtd Validation Problem

  Hi,
            I’m having problems getting an xml document to validate within Weblogic 8.1. I am trying to parse a document that references both a dtd and xsd. Both the schema and dtd reference need to be substituted so they use local paths. I specify the schema the parser should use and have created an entityResolver to change the dtd reference.
            When this runs as a standalone app from eclipse the file parses and validates without a problem. When deployed to the app server the process seems to be unable read the contents of the dtd. Its not that it cannot find the file (no FileNotFoundException is thrown but this can be created if I delete the dtd) rather it seems to find no declared elements.
            Initial thought was that the code didn’t have access to read the dtd from its location on disk, to check I moved the dtd to within the deployed war and reference as a resource. The problem still persists.
            Code Snippet:
            boolean isValid = false;
            try {
            // Create and configure factory
            SAXParserFactory factory = SAXParserFactoryImpl.newInstance();
            factory.setValidating(true);
            factory.setNamespaceAware(true);
            // To be notified of validation errors in the XML document,
            // add a custom error handler to the document builder
            PIMSFeedFileValidationHandler handler
            = new PIMSFeedFileValidationHandler();
            // Create and Configure Parser
            SAXParser parser = factory.newSAXParser();
            parser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA);
            parser.setProperty(NAMESPACE_PROPERTY_KEY, getSchemaFilePath());
            // Set reader with entityResolver for dtd
            XMLReader xmlReader = parser.getXMLReader();
            xmlReader.setEntityResolver(new SAXEntityResolver(this.dtdPath));
            // convert file to URL, as it is a remote file
            URL url = super.getFile().toURL();
            // Open an input stream and parse
            InputStream is = url.openStream();
            xmlReader.setErrorHandler(handler);
            xmlReader.parse(new InputSource(is));
            is.close();
            // get the result of parsing the document by checking the
            // errorhandler's isValid property
            isValid = handler.isValid();
            if (!isValid) {
            LOGGER.warn(handler.getMessage());
            LOGGER.debug("XML file is valid XML? " + isValid);
            } catch (ParserConfigurationException e) {
            LOGGER.error("Error parsing file", e);
            } catch (SAXException e) {
            LOGGER.error("Error parsing file", e);
            } catch (IOException e) {
            throw new FeedException(e);
            return isValid;
            See stack trace below for a little more info.
            2005-01-28 10:24:09,217 [DEBUG] [file] - Attempting validation of file 'cw501205.wa1.xml' with schema at 'C:/pims-feeds/hansard/schema/hansard-v1-9.xsd'
            2005-01-28 10:24:09,217 [DEBUG] [file] - Entity Resolver is using DTD path file:C:/Vignette/runtime_services/8.1/install/common/nodemanager/
            VgnVCMServer/stage/pims-hansard/pims-hansard.war/WEB-INF/classes/com/morse/pims/cms/feed/sax/ISO-Entities.dtd
            2005-01-28 10:24:09,227 [DEBUG] [file] - Creating InputSource at: file:C:/Vignette/runtime_services/8.1/install/common/nodemanager/VgnVCMServer/stage/pims-hansard/pims-hansard.war/WEB-INF/classes/com/morse/pims/cms/feed/sax/ISO-Entities.dtd
            2005-01-28 10:24:09,718 [WARN ] [file] - org.xml.sax.SAXParseException: Element type "Hansard" must be declared.
            org.xml.sax.SAXParseException: Element type "Session" must be declared.
            org.xml.sax.SAXParseException: Element type "DailyRecord" must be declared.
            org.xml.sax.SAXParseException: Element type "Volume" must be declared.
            org.xml.sax.SAXParseException: Element type "Written" must be declared.
            org.xml.sax.SAXParseException: Element type "WrittenHeading" must be declared.
            org.xml.sax.SAXParseException: Element type "Introduction" must be declared.
            … continues for all the elements in the doc
            2005-01-28 10:24:10,519 [DEBUG] [file] - XML file is valid XML? false
            2005-01-28 10:24:10,519 [WARN ] [file] - Daily Part file 'cw501205.wa1.xml' was not valid XML and was not processed.
            Has anybody seen this behavior before with weblogic and if so how have you resolved the issue.
            Thanks in Advance
            Adam

  It looks like you clicked on "Post" before you got around to explaining your problem. I don't see any error messages or any description of what was supposed to happen and what happened instead.
  Now, I don't know anything about XML Schema, but just guessing at how that unique name feature might be designed, and just guessing that your unique name is actually in the <userId> element, I would suggest that this:
  <xsd:unique name="un_name"> 
    <xsd:selector xpath="USER"/> 
    <xsd:field xpath="."/> 
  </xsd:unique> is at fault because it doesn't mention the <userId> element anywhere.