XML Signatures - How To ?

I need of help how to organize a XML structure for hierarchical (nested) signature scheme. For example:
Signed Object 1: O1
Signatures Level 1:
- S1.1 signs O1;
- S1.2 signs O1;
Signature Level 2:
- S2.1 signs O1, S1.1 and S1.2
- S2.2 signs O1, S1.1 and S1.2
Signature Level 3:
- S3.1 signs O1, S2.1 and S2.2.
Maybe it is good to combine the signature of different levels in Manifest, but I don't know how to do that.
Any help?

Hi,
There are 3 variant:
1. Using only references;
2. Using XPath;
3. Using Manifest.
The clear for me which is simple and easy for realization is the 1st variant.
I can't find any examples for using of Manifest, so I don't know how to implement it.
XPath is very complicated for me.
So, the References are my way.

Similar Messages

Problem with XML signature

Can anybody tell me how to generate an xml signature
with the base 64 transform(Transform.BASE64)?
I just can't find any documentation on the web.
It would be great to provide a small code exemple.
Thanks
Antoine

Thanks for the reply.
I'm applying appropriate namespaces to the generated xml string. Could it be the probelem?
this is how the generated xml looks in final stage, I mean after I'm doing some rework on the generated xml.
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#PAYMENTS"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>IXgHx5ioixsJ13jyg767D8UCU9s=</DigestValue></Reference></SignedInfo><SignatureValue>DO+Fngf3h0Q5iDoMq2mZFL+bxL3vY1i1fyqzBbKRPhHlzqWrW2wP3SFHjVzPLXdj92W8hMx9I8Jq
QBV/D+pUKa32aZB7kPwOGZqR63X+d6Hca58jnTK7+zq8Fzi2DPlE+omQhgT3xeXp/lQpKI8vAgVT
eX+eylRYTAZDSfDw7qk=</SignatureValue><Object Id="PAYMENTS"><PAYMENTS xmlns=""><Payment><PaymentIdA></PaymentIdA><PaymentIdB>aa</PaymentIdB><SrcBank>bb</SrcBank><SrcAccount>cc</SrcAccount><PayerId>dd</PayerId><PayerName>Dato</PayerName><TaxPayerId>00022023</TaxPayerId><TaxPayerName></TaxPayerName><ReceiverName>mof</ReceiverName><AdditinalInfo>racxa</AdditinalInfo><Amount>521</Amount><TreasuryCode>hello</TreasuryCode><PaymentTime>hi</PaymentTime><PaymentChannel>ib</PaymentChannel></Payment></PAYMENTS></Object></Signature>

Sap PI - XML signature

Hi Experts
We have to digitally Sign and Encrypt and Decrypt an XML file in PI7.11 system using soap adapter
To have an expert advise
can I use WSSE or Apache WSS4J or SAML or Apache axis soap adapter
My requirement is:
XML Documents shall be signed using XML signature and Use enveloped signatures
Support RSA signing in conformance with the algorithm indentified by sha1
Use exclusive canonicalization (with comment or without comments)
Will WSSE or Wss4j can support the above requirements...Please advise
Thanking you
Pooja

Hi ,
Thank you for your response...
I mean when you say java experts can do easily...yes we do have java experts who can develop a source code encrypt and sign the code and give it to us as an ear file
However I tried deploying EAR file on PI system my converting it into sda file ...no luck ..the file getting converted to ear file and i renamed and tried to deploy using jspm....no luck
As we cannot import the ear file directly to NWDS to deploy it on PI system ....what we are trying is to get the source code from Java developer and we are developing and EJB and Ear projects by replacing the source code
and later once deploy using adapter modules we can test it
My question is:
Can we configure WSSE on PI as per this link(/people/rajendra.badi/blog/2011/08/24/configuring-wsse-digital-signing-and-encryption-using-sap-pi-711-aae-soap-adapter) and try
Signing and Enc/Dec
or
How to configure and use Apache wss4j and Apache axis soap adapter...can you please forward me some documents on it
Thanking you
Pooja

Web service security: XML signatures and encryption

Hi users -
I am trying to figure out how to implement XML signatures and encryption for my web service. We are only on AS ABAP 7.0, SP 11 - we do not have SOAMANAGER yet. Yet all documentation I can find on configuring encryption and signatures, references SOAMANAGER.
Does anyone know of a guide anywhere on implementing XML signatures and encryption for web services pre-SOAMANAGER? It's listed as supported - but I can't find a thing! Your help is much appreciated!
Thanks so much!
Abby

Hi Users -
I found the answer to this (although it wasn't one I liked.) It doesn't appear that encryption with XML signatures is supported prior to SP 14.
I found this information at
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/6d19c8ee-0c01-0010-619d-92af980436d7
page 36
Hope that saves somebody else some time...
Thanks!
Abby

Web Services: XML signatures and encryption 7.0 SP14

Hi users -
I am trying to figure out how to implement XML signatures and encryption for my web service. We are only on AS ABAP 7.0, SP 11 - we do not have SOAMANAGER yet. Yet all documentation I can find on configuring encryption and signatures, references SOAMANAGER.
Does anyone know of a guide anywhere on implementing XML signatures and encryption for web services pre-SOAMANAGER? Your help is much appreciated!
Thanks so much!
Abby

Hi Users -
I found the answer to this (although it wasn't one I liked.) It doesn't appear that encryption with XML signatures is supported prior to SP 14.
I found this information at
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/6d19c8ee-0c01-0010-619d-92af980436d7
page 36
Hope that saves somebody else some time...
Thanks!
Abby

XML Signature signing the keyinfo

Hi,
I have a requirement to generate enveloping XML Signature for a XML document. Using JSR 105 i was able to achieve enveloping signature, however one more requirement is to sign the KeyInfo element. Can someone please help in figuring out how to sign the KeyInfo element.
The requirement is to achieve:
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Signature001">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#KeyInfo001">
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>lidrMtTOohEypP9i9KcrY9+MrbI=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#Resource1">
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>hUHy5l7iki/Xks3V0bzz7kamGlU=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>GufDaAGCgjTfLKFZhK8/6Sb9KbqnKFQdaQ4SZ4ftoOySmYuYvLAh7wmYdiqqx7ykpWnvfejP+6wT
SamsvB6xotqkUgC3p1ZsJubq9Wc4kKZeaTJfEmeq0vIWjCWFXu3pofJJSyecmBWmTQK+WezMwRIX
aE4oHWJsXDBw8CarlmI=</dsig:SignatureValue>
<dsig:KeyInfo Id="KeyInfo001">
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>xm9N3kv/MNfsYOoN48vhy3xiCyJuZl5nxEb2ya8+ItvwI+73IjSjVlqfkdxIAH4vBpjVhLfpV+p+
GUqpuN6kb2/ynnXAcRzM/YGkIsVYBHZZsUK6BSfIxo/IDmPC2cv866W6NG8DQlnzRhOYBLpdtc3P
XlRdkm6SlDLv8/ck+FE=</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
<dsig:Object Id="Resource1">
...

Can you post the full stack trace of the ArrayIndexOutOfBoundException please? Also, what version/update of the JRE are you using?

XML Signature in OWSM

Any idea on XML signature?
How to validate OWSM policy to validate XML signature?

XML Signature defines an XML syntax for digital signatures.
Depending upon your OWSM policy your XML signature may change.

Extending XML Signature Schemes

Hello,
currently I am doing some research in the area of signatures.
However, I want to do an performance evaluation using the JCA with some not yet implemented algorithms.
My question is if there is a tutorial or how-to which explains how the JCA framework can be extended to support new Hash-Functions & Signatureschemes or even better some sample code?
Greetings,
Kai

XML Signature defines an XML syntax for digital signatures.
Depending upon your OWSM policy your XML signature may change.

JAXB Messing up my XML Signatures

I have a requirement to sign an XML message.
Currently our schemas (being ISO20022) have to have the XML signature located in a particular part of the message even though the signature is based on an XPath elsewhere in the message:
(Ignore the fact that my elements are not iso20022 for now)
<Message>
     <MessageHeader>
         <Sgntr>
            
         </Sgntr>
     </MessageHeader>
     <MessageBody>
          <Document>
          </Document>
     </MessageBody>
</Message>The XPath signature is based upon is:
/Message/MessageBody
The Sgntr element is of type xs:any
To create the signature I perform the following:
1) Unmarshall the /Message and parse it into a org.w3c.dom.Document using a javax.xml.parsers.DocumentBuilder
2) Sign the org.w3c.dom.Document of the message using the code below
3) I then attached the signature to the pre-marshalled object at the /Message/MessageHeader/Sgntr element and re-marshall the object
Once marshalled, the Signature now has a bunch of empty xmlns declarations:
<Signature:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:Signature="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
               <ns7:CanonicalizationMethod xmlns="" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
               <ns7:SignatureMethod xmlns="" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>This is causing me issues when trying to parse the XML with other technologies! It seems the empty xmlns declaration is taken as the default namespace and subsequent namespaces are stripped out.
When extracting the initial signature it seems fine:
<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
     <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <Reference URI="">
               <Transforms>
                    <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                         <XPath>/BPAYResponse/ResponsePayload</XPath>
                    </Transform>
               </Transforms>
               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
               <DigestValue>KPMR+irQuoCGp4fm91XworlhjIc=</DigestValue>
          </Reference>
     </SignedInfo>
     <SignatureValue>NQZwvGrg7p25Q+zoU/xn4nm0PO59KIj8AgxLf4JfsaSbtSXq/5vjgg==</SignatureValue>
     <KeyInfo>
          <KeyValue>
               <DSAKeyValue>
                    <P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9xD7nN1kuFw==</P>
                    <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q>
                    <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA==</G>
                    <Y>ZjsWue3LCHpbuN9fF6jPKW6zgkjGR84t3X/h18aICc4+RGfob1k7yzuSVqN/uFLt++Vib7r9d8O23dv0GZ+3+g==</Y>
               </DSAKeyValue>
          </KeyValue>
     </KeyInfo>
</Signature>Rather than having to extract and relocate the signature, can I just have the signature generated at the point we need it?
Otherwise how can I prevent the namespaces being re-written by JAXB? What other alternatives are there?
     private Element createSignature(org.w3c.dom.Document xmlDoc) {
          XMLSignatureFactory xmlFactory = XMLSignatureFactory.getInstance("DOM");
          try {
               KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
               kpg.initialize(512);
               KeyPair kp = kpg.generateKeyPair();
               TransformParameterSpec parms = new XPathFilterParameterSpec("/Message/MessageBody");
               DOMSignContext context = new DOMSignContext(kp.getPrivate(), xmlDoc.getDocumentElement());
               javax.xml.crypto.dsig.Reference ref = xmlFactory.newReference("", xmlFactory.newDigestMethod(DigestMethod.SHA1, null),
                         Collections.singletonList(
                                   xmlFactory.newTransform(Transform.XPATH, parms))
                                   , null, null);
               SignedInfo si = xmlFactory.newSignedInfo
                    (xmlFactory.newCanonicalizationMethod
                              (CanonicalizationMethod.INCLUSIVE,
                                        (C14NMethodParameterSpec) null),
                                        xmlFactory.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
                                        Collections.singletonList(ref));
               KeyInfoFactory kif = xmlFactory.getKeyInfoFactory();
               KeyValue kv = kif.newKeyValue(kp.getPublic());
               KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
               XMLSignature signature = xmlFactory.newXMLSignature(si, ki);
               signature.sign(context);
               return xmlDoc.getDocumentElement();
          } catch(KeyException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          } catch (NoSuchAlgorithmException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          } catch (InvalidAlgorithmParameterException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          } catch (MarshalException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          } catch (XMLSignatureException e) {
               // TODO Auto-generated catch block
               e.printStackTrace();
          return null;
     }

Okay, I've been able to adjust the location of the Signature when being signed:
     DOMSignContext context = new DOMSignContext(kp.getPrivate(), xmlDoc.getDocumentElement());
     context.setParent(xmlDoc.getElementsByTagName("MessageHeader").item(0));However, since my Sgntr element is of type "any" I cannot target it as it needs something to exist.

XML Security - How to sign a single TAG

Hello there!
Well, recently I start to develp some apps, using XML Security from OSDT (Oracle Security Developer Tools), I got the sample code for:
SimpleSing
SignAndEncrypt
I understand how this works, based on W3C standard for XML Digial Signature. I can did my app works fine ...
By now, i get some doubts about some issues, It's possible to do a signature for only one TAG from the original XML, i.e.:
<?xml version="1.0"?>
<account>
<name>My Name</name>
<id>231233</id>
<amount>2313.00</amount>
<location>US</location>
<account>
I need to know if i can apply a Digital Signature for only TAG <amount>.
This is possible? I read few documents about Signatures, but i didnt get lucky.
thanks in advance
VieL.
Edited by: user2051378 on Nov 20, 2008 2:59 PM
Edited by: user2051378 on Nov 20, 2008 3:03 PM

Ok, I got other solution, the elegant solution :)
I just read the [XML Signature XPath Filter 2.0|http://www.w3.org/TR/xmldsig-filter2/|XML Signature XPath Filter 2.0] recommendation and I can apply this using the OSDT API.
And I just need to specify a XPath expression (like ram* said, and without extra-steps) in the Transform Element, like this:
XSSignature sig = XSSignature.newInstance(doc, "Sig");
XSReference ref = sig.createReference();
XSAlgorithmIdentifier est = sig.createXPathTransform("dsig", XMLURI.ns_xmldsig, "{color:#ff0000}ancestor-or-self::_*aTagName*_{color}");
ref.addTransform(est);
and this generate a XML Signature like this:
<dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
<dsig:SignedInfo Id="Sig.SigInfo">
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference Id="Sig.Ref" URI="">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<dsig:XPath>{color:#ff0000}ancestor-or-self::_aTagName_{color}</dsig:XPath>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>HKlJpmpS5AhpC95I4EG9yN53vxk=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue Id="EnvelopedSig.SigValue">
GLsrWNnKR1EgVHTLgCxPZtEx/wk18MvOcG7wd2ua066jAaT5xn10qXuU66tgozt6M2AERvgbh6+ZXUwMvyNcPw==
</dsig:SignatureValue>
<dsig:KeyInfo Id="Sig.KeyInfo">
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>
xyKQm6k42cha9kAt5SlT/Lg2iZhz7t3tV3Ow7TCgoN3YH2sIIC4dEjMbIPwkLpVwMSLUDCcu0sEI6JK4bgt0EQ==
</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
The recommendation said that there are 3 kinds of Filters, intersect, substract and union. Well to can sign just a TAG I used the intersect filter.
Now, It's more easy to sign a part of a XML ...
Rgds
VieL.

MTOM combined with WS-Security (XML signature)

I'm testing the support of MTOM together with WS-Security (XML-DSIG) on OEG. When verifying the XML signature I noticed I had to add the "Insert MTOM attachments"-filter first. Is this the right way? Shouldn't the signature verification do this transparently?
My other question is how OEG handles the attachments? Does it page them to disk? What happens if my attachments are very large? With the default setup of OEG I encountered out-of-memory issues with attachments above 200MB
Edited by: wsalembi on Sep 22, 2011 12:45 AM

If you just sign the <xop:Include> element, you are effectively only signing the reference to the attachment, i.e. the value of the href attribute. This will only prevent someone changing the href to point to a different attachment.
If you in-line the base64 encoded contents of the attachment into the XML message and only sign the base64 encoded string, you are only preventing anyone from changing the contents of the attachment.
You are not stopping somebody from changing what the <xop:Include> href attribute points to.
So I think there is value in signing BOTH the contents AND the <xop:Include> element so that:
- The integrity of the contents of the attachment is ensured, and
- The integrity of the reference to the attachment in the <xop:Include> element is ensured.
Interestingly, the XOP spec acknowledges this issue in Section 6.1:
http://www.w3.org/TR/xop10/#package_integrity
6.1 XOP Package Integrity
The integrity of Infosets optimized using XOP may need to be ensured. As XOP packages can be transformed to recover such Infosets (see 3.2 Interpreting XOP Packages), existing XML Digital Signature techniques can be used to protect them. Note, however, that a signature over the Infoset does not necessarily protect against modifications of other aspects of the XOP packaging; for example, an Infoset signature check might not protect against re-ordering of non-root parts.
In the future a transform algorithm for use with XML Signature could provide a more efficient processing model where the raw octets are digested directly.
In OEG, it would be possible to use 2 XML Signature Validation filters with an Insert MTOM Attachment filter to validate both signatures.
The flow in the policy would be as follows:
1. 1st XML Signature Filter :- Validate the Signature over the <xop:Include> element
2. Insert MTOM Attachment Filter :- Inline the base64 encoded contents of the attachment
3. 2nd XML Signature Filter :- Validate the Signature over the element now containing the in-lined base64 encoded data.
This policy would ensure the integrity of the attachment contents AND the reference to this attachment in the <xop:Include> element.

Web Service Security with SAML - Invalid XML signature

Hello together,
we want to build a scenario where we want to use Web Service Security with SAML.
The scenario will be
WS Client (Java Application) -> WS Adapter -> Integration Engine -> WS Adapter-> CRM (Web AS ABAP 7.01 SP 3)
SAP PI release is 7.11 (SP Level 4)
We want to use the SAML Authentification from WS Client to PI and from PI to Web AS ABAP.
The SAML authentifications between the WS Client and PI works when there is no SAML auth between PI and CRM.
But we get following error at calling the CRM system when we want to communicate with SAML:
<E_TEXT>CX_WS_SECURITY_FAULT:Invalid XML signature</E_TEXT>
Has somebody an idea of the possible reason for the error.
Thanks in advance
Stefan

Error Messages in the Trace/Log Viewer:
CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48 with internal error id 1001 and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1 ).
Invalid XML signature

How generate a XML file & how to save data in that file?

hi,
How to generate an xml file & how to add data in that xml file? is there anyone who can help me about this? Firstly i need to open a xml file and after that i need to save user data in that file? how i will do it? What will be the solution of this? please give me solution........
with regards
Bina

With an API like Xerces you can parse an XML document into a DOM tree. You can do modifications on that tree manually and then write it back out as XML data.
http://xerces.apache.org/xerces2-j/

Problem in XML Signature

Hi,
i get an Exception in Registering mechanism for XML Signature factory
it says.
javax.xml.crypto.NoSuchMechanismException : Cannot find DOM Mechanism type
I use J2sdk1.4.2_05 with JWSDP 1.4
Following is the code do let me know where i go wrong.
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dom.*;
import java.security.Provider;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import java.security.KeyPairGenerator;
import java.security.KeyPair;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import java.io.FileInputStream;
import java.util.Collections;
//author Palani V. Rajan
// SafeScrypt Ltd
class XMLSign
XMLSign(){}
/*XMLSign(String inputFile)
public void signTheMarkup(String inputFilePath)
Document domDoc;
try{
System.out.println("Creating DOM");
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
DocumentBuilder db = dbf.newDocumentBuilder();
domDoc = db.parse(new FileInputStream(inputFilePath));
System.out.println("Generating Key's.....");
KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
kpg.initialize(1024);
KeyPair kp = kpg.generateKeyPair();
DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), domDoc.getDocumentElement());
String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
System.out.println("Creating xml sign.....");
System.out.println("Provider Name "+providerName);
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",(Provider) Class.forName(providerName).newInstance());
System.out.println("T 1");
Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),Collections.singletonList(fac.newTransform(Transform.ENVELOPED, null)),null, null);
System.out.println("T 2");
SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, null),fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),Collections.singletonList(ref));
System.out.println("T 4");
KeyInfoFactory kif = fac.getKeyInfoFactory();
KeyValue kv = kif.newKeyValue(kp.getPublic());
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
System.out.println("T 5");
XMLSignature signature = fac.newXMLSignature(si, ki);
signature.sign(dsc);
}catch(Exception e){e.printStackTrace();}
public static void main(String[] q)
System.out.println("Creating XML Signatures.....");
XMLSign xs = new XMLSign();
xs.signTheMarkup(q[0]);
Thnx in Advance
Vinodh

I have encountered the same problem. I am using Jbuilder 5 with JDK 1.3.0. I copied all the JAR files of jwsdp-1.5 by creating a custom library.
Even then It didnt work. Can some one who has resolved this please help.
I have tried running the same code in JDeveloper 10g (10.1.2) and got a same error.
Regards,
Srinivas.

Problem verifying xml signature

We have a problem with verifying XML Signatures which are part of a SOAP message. Thanks a lot for helping! Hope my problem is understandable - otherwise ask.
We use the following enviroment:
Java6
Axis 2 V1.2 with XML Beans
Step 1:
The Java 6 XML Signature is an enveloped signature over an element called payload with exclusive XML canonicalization. We sign the payload and send the payload including signature to the server. At first I discovered the following namespace problem.
DigesterOutputstream Create Signature:
FEINER: <Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp><Created>UNDO</Created></Timestamp></Payload>
DigesterOutput Verify Signature:
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
FEIN: Expected digest: 71PfJ/xxn38TtQrpZOpRdqTZsBw=
31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
FEIN: Actual digest: B1Qdei/0yW1mqR2T50LXKFfxhl0=
Soap request with payload:
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>71PfJ/xxn38TtQrpZOpRdqTZsBw=</DigestValue></Reference></SignedInfo><SignatureValue>FuhOdrz9kHR0MeAUq9Rxkg6w++7foR77s9AYQUQxb8qPJ44Ba6By8R/H+CCn5JP5cPFz8/mGOgOD NGKLgZp66xbVSWe1UeehmZLH1a2kvHsx/VvYo3Lr5foHsl6YikUBMXCBdhI4ukKJTuwBOK/7m3lu 7Zl07SFo0zWL73gUTxc=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>
The problem is the namespaces under the elements payload and timestamp. For verification the namespaces are inherited from parent element. I wonder why this happens - I thought this should not happen when using exclusive canonicalization, or?
Step 2:
Then I added the namespaces before creating the signature , e.g.
payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
for all attributes that are not part of the create signature log. Then the xml signature was verify successfully when I tested this against my own server. See log files:
DigesterOutputstream for create signature:
31.10.2007 11:16:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
DigesterOutputstream verify signature:
31.10.2007 11:19:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
The whole soap request:
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-3596382">MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIGA1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGluZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBLbmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayvHO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2qxJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vaiZst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6fMqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupivlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-8331318"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#id-28000914"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>Q2LregRFO//cXlkcThu9Bx0jal4=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#id-10464309"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>BX651XEWk4u4pGgshQhocYxPkSo=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#Timestamp-7651652"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>ezisLn/pGWNqMHbT6UlHyM4Ez64=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> Xl4SSEwrtyUnsqf8xOmfzojLLU18tOrikOhK+HRyqHqv0lPF+AqANLU6yygNdhbfI5qyef9BLr6I CmSPIX4QQR+Hq45l/Ewa+M2K1OOjqvBUGYyQqrKCqUFtsISr9xPudB8ZmaVfaUu5chjIvy/sPYYx TuYv2Ma6uEwek1YZpbE= </ds:SignatureValue> <ds:KeyInfo Id="KeyId-1823783"> <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-17125267"><wsse:Reference URI="#CertId-3596382" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /></wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-7651652"><wsu:Created>2007-10-31T10:16:00.474Z</wsu:Created><wsu:Expires>2007-10-31T10:21:00.474Z</wsu:Expires></wsu:Timestamp></wsse:Security><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-10464309"><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-28000914"><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>XHIiHK4NYczByvAJSZH8u3hSvuQ=</DigestValue></Reference></SignedInfo><SignatureValue>JQnTQJ1TidrMuWmSmpHE3ZR5M728A3tlvKjrM3GxFPuy5YOmmybxR0T7xe72WSdWsqvFT9QGE+iP GL5POuc3s8lLc1QGZRKhZvjHAKFldDNyxAMWRL7ZXmhpjsRXT3HethKWew3669SKjJFkZ1IYEnZz QrJOmgt1MMjWx99CgaQ=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>
As you can see in the soap request on top of the xml signature there is a Webservice Security signature (WSSE) over three elements. This should be no problem altough WSSE adds the wsu:id attribute to the body element. WSSE was omitted in step 1 for simplicity.
I wonder that the attributes which have been set to the payloadElement are not part of the actual message. But it works!
Step 3:
The same request was sent to an external webservice server and the server reports a xml signature verification problem. I don't have any logs or further information. But I have to get this to work against this server.
Java Files for Create + Verify Signature. For Create I get a DOM Node from a XML Bean. For step 1 the attribute setting should be in comments. I use VerifySignature for step 1 + 2.
SignPayload.java:
package de.tk.signature;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.apache.xmlbeans.XmlObject;
import de.tk.schemaTools.TkSchemaHandler;
import de.tk.util.ClientProperties;
public class SignPayload {
     public static void signDocument(XmlObject telematikExecuteXmlObject, String payloadId) {
          try {
               // get Document
               org.w3c.dom.Node node = telematikExecuteXmlObject.getDomNode();
               Document documentTo = node.getOwnerDocument();
               XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
               Reference ref = fac.newReference("#"+payloadId, fac.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList(fac
                         .newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
               // Create the SignedInfo.
               SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null), fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
                         Collections.singletonList(ref));
               KeyStore keyStore = KeyStore.getInstance("JKS");
               String keyStoreFilename = ClientProperties.getKeystorefile();
               FileInputStream keyStoreFile = new FileInputStream(keyStoreFilename);
               keyStore.load(keyStoreFile, "storePwd".toCharArray());
               keyStoreFile.close();
               KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry("harris", new KeyStore.PasswordProtection("keyPwd".toCharArray()));
               X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
               // Create the KeyInfo containing the X509Data.
               KeyInfoFactory kif = fac.getKeyInfoFactory();
               List x509Content = new ArrayList();
               x509Content.add(cert.getSubjectX500Principal().getName());
               x509Content.add(cert);
               X509Data xd = kif.newX509Data(x509Content);
               KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
               Node payloadNode = new TkSchemaHandler().getNode(documentTo, "Payload");
               String prefix = payloadNode.getPrefix();
               NamedNodeMap nameNodeMap = payloadNode.getAttributes();
               // String baseUri = payloadNode.getBaseURI(); not implemented
               boolean attributes = payloadNode.hasAttributes();
               Element payloadElement = (Element) payloadNode;
               //xmlns is the prefix and first parameter the namespaceURI
               // xmlns existiert ohne WSSE, beim Create XMLOutputter ausgegeben
               payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
               // existiert ohne WSSE
               // bei Create nicht; aber bei Verify im DigestOutputter mit drin
               payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:soapenv", "http://schemas.xmlsoap.org/soap/envelope/");
               // existiert nur bei WSSE
               payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
               Node timestampNode = new TkSchemaHandler().getNode(documentTo, "Timestamp");
               Element timestampElement = (Element) timestampNode;
               // existiert ohne WSSE
               // beim Create Outputter angegeben sowie beim Verify
               timestampElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
               // existiert nur bei WSSE, war wohl nur notwendig da bei WSSE Signature auf falschen Timestamp zugegriffen worden ist.
               // Create a DOMSignContext and specify the RSA PrivateKey and
               // location of the resulting XMLSignature's parent element.
               DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),payloadNode);
               // Create the XMLSignature, but don't sign it yet.
               XMLSignature signature = fac.newXMLSignature(si, ki);
               // DomInfo.visualize(document);
               SAXBuilderDemo2.print(documentTo);
               // Marshal, generate, and sign the enveloped signature.
               signature.sign(dsc);
          } catch (Exception exc) {
               throw new RuntimeException(exc.getMessage());
VerifySignature.java:
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
public class VerifySignature {
     * @param args
     public static void main(String[] args) {
          // TODO Auto-generated method stub
          try {
               String filename = args[0];
               System.out.println("Verify Document: " + filename);
               XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
               DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
               dbf.setNamespaceAware(true);
               Document doc = dbf
               .newDocumentBuilder()
               .parse(
                         new FileInputStream(filename));
//               Find Signature element.
//               NodeList nl =
//               doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
               Node node = TkSchemaHandler.getNode(doc,"/*[local-name()='Envelope' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']/*[local-name()='Body' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'][1]/*[local-name()='TelematikExecute' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Payload' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Signature' and namespace-uri()='http://www.w3.org/2000/09/xmldsig#'][1]");
               if (nl.getLength() == 0) {
               throw new Exception("Cannot find Signature element");
               Node node = nl.item(0); */
//               Create a DOMValidateContext and specify a KeySelector
//               and document context.
               DOMValidateContext valContext = new DOMValidateContext
               (new X509KeySelector(), node);
//               Unmarshal the XMLSignature.
               XMLSignature signature = fac.unmarshalXMLSignature(valContext);
//               Validate the XMLSignature.
               boolean coreValidity = signature.validate(valContext);
               // sample 6
//               Check core validation status.
               if (coreValidity == false) {
               System.err.println("Signature failed core validation");
               boolean sv = signature.getSignatureValue().validate(valContext);
               System.out.println("signature validation status: " + sv);
               if (sv == false) {
               // Check the validation status of each Reference.
               Iterator i = signature.getSignedInfo().getReferences().iterator();
               for (int j=0; i.hasNext(); j++) {
               boolean refValid = ((Reference) i.next()).validate(valContext);
               System.out.println("ref["+j+"] validity status: " + refValid);
               } else {
               System.out.println("OK! Signature passed core validation!");
          } catch (Exception exc) {
               exc.printStackTrace();
Questions:
1. Do I really have to set all the namespace attributes? I thought with exclusive xml this should not be necessary. Is there any other solution?
2. Do you think I got all the settings right in SignPayload.java?
Thanks a lot in advance.
Cheers !
Nils

It seems to be a bug with the JDK you are using. What is the JDK version you are using?

XML Signatures - How To ?

Similar Messages

Maybe you are looking for