Ahmet-Kaplan / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0

Xades BES validation fails on enveloping signature #64

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello.

I use the following code to create an enveloping signature on the contents of an XML file:

import java.io.File;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import xades4j.production.*;
import xades4j.providers.KeyingDataProvider;
import xades4j.providers.impl.PKCS11KeyStoreKeyingDataProvider;

File fXmlFile = new File("doc_to_sign.xml");

// Note: the factory is left at its default, i.e. NOT namespace-aware.
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
Document docSource = dBuilder.parse(fXmlFile);

// CertSelector and PasswordProvider are the reporter's own helper classes (not shown).
KeyingDataProvider kp = new PKCS11KeyStoreKeyingDataProvider(
                   "C:\\Windows\\System32\\cryptoCertum3PKCS.dll",
                   "CERTUM",
                   new CertSelector(),
                   new PasswordProvider(),
                   null,
                   false);

XadesSigningProfile p = new XadesBesSigningProfile(kp);
XadesSigner signer = p.newSigner();

// Build the output document and import the source root as the enveloped content.
Document docDest = dBuilder.newDocument();
Node objContent = docDest.importNode(docSource.getDocumentElement(), true);
DataObjectDesc obj = new EnvelopedXmlObject(objContent, "text/xml", null);
SignedDataObjects objs = new SignedDataObjects(obj);
XadesSignatureResult sr = signer.sign(objs, docDest);

// outputDocument is the reporter's own serialisation helper (not shown).
outputDocument(docDest, "signed_xml.xml");

The signed XML fails validation.

However, when I just sign some string data using the following code, everything is OK:

...
Node objContent = docDest.createTextNode("some dummy text");
DataObjectDesc obj = new EnvelopedXmlObject(objContent, "text/xml", null);
...

What can be wrong?

Thanks in advance,
Rafal

Original issue reported on code.google.com by rafalg...@gmail.com on 8 Jan 2013 at 8:22

GoogleCodeExporter commented 9 years ago
OK, some more information.

Signing the following XML is causing validation failure:

<?xml version="1.0"?>
<yeti:YETI Version="1.0" xmlns:yeti="http://something.com/yeti">
</yeti:YETI>

Signing the following passes validation:

<?xml version="1.0"?>
<yeti:YETI xmlns:yeti="http://something.com/yeti">
</yeti:YETI>

It seems the Version attribute is breaking something, but why?

Original comment by rafalg...@gmail.com on 8 Jan 2013 at 9:48

GoogleCodeExporter commented 9 years ago
Another bit of info :)

The digest generated during signing process is made from:

<yeti:YETI Version="1.0" xmlns:yeti="http://something.com/yeti"></yeti:YETI>

However, the digestedInputStream indicates that the digesting was made on the following:

<yeti:YETI xmlns:yeti="http://something.com/yeti" Version="1.0"></yeti:YETI>

The order of attributes is wrong. Is there anything I can do with this?

Original comment by rafalg...@gmail.com on 8 Jan 2013 at 2:33

GoogleCodeExporter commented 9 years ago
I solved the problem by making the DocumentBuilderFactory namespace-aware; code below:

dbFactory.setNamespaceAware(true);

Original comment by rafalg...@gmail.com on 9 Jan 2013 at 9:51

GoogleCodeExporter commented 9 years ago
I was just about to check this. It makes sense, since the namespace nodes won't be there or will be processed differently (order and so on).

Original comment by luis.fgoncalv on 9 Jan 2013 at 10:45
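The root cause of this thread, shown as an added example (not the reporter's code and not part of xades4j): the failing document from the second comment is parsed with setNamespaceAware(false) and (true), and a pre-signing guard refuses a DOM in which xmlns:yeti is a plain attribute rather than a namespace declaration. The class and method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;

public class NamespaceAwareCheck {
    // Constructed sample: the document from the thread that failed validation.
    static final String XML = "<?xml version=\"1.0\"?>\n"
        + "<yeti:YETI Version=\"1.0\" xmlns:yeti=\"http://something.com/yeti\">\n"
        + "</yeti:YETI>";

    static Element parseRoot(boolean namespaceAware) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(namespaceAware); // default is false, which is what bit the reporter
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }

    // Fail fast before signing. A DOM built without namespace awareness has null
    // local names and carries xmlns:* as ordinary attributes, so canonicalisation
    // sorts them after "Version" and the digest differs from the verifier's.
    static void requireNamespaceAware(Element e) {
        if (e.getLocalName() == null) {
            throw new IllegalArgumentException("no local name: parse with setNamespaceAware(true)");
        }
        NamedNodeMap attrs = e.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            boolean declaresNs = "xmlns".equals(a.getName()) || a.getName().startsWith("xmlns:");
            if (declaresNs && !"http://www.w3.org/2000/xmlns/".equals(a.getNamespaceURI())) {
                throw new IllegalArgumentException(a.getName() + " is a plain attribute");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        for (boolean aware : new boolean[] {false, true}) {
            Element root = parseRoot(aware);
            try {
                requireNamespaceAware(root);
                System.out.println("namespaceAware=" + aware + ": OK to sign");
            } catch (IllegalArgumentException ex) {
                System.out.println("namespaceAware=" + aware + ": refuse to sign, " + ex.getMessage());
            }
        }
    }
}
```

The first iteration is rejected (the root has no local name and xmlns:yeti has a null namespace URI); the second passes, matching the fix in the thread.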