Vytek / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0

How can I add a Transform to a SignedProperties and KeyInfo Reference ? #32

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

I'm trying to sign an XML document using XADES-BES.

My document has to have 3 references: the first for the whole document, the second for
the signed properties and the last one for the KeyInfo.

I want to add a Transform to each Reference, but I have no way to do it for the
signed properties and KeyInfo references; I can only add it to the first one.

This is the expected result:

<ds:Reference URI="">
   <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
         <ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
      </ds:Transform>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   <ds:DigestValue>MYTWNv715dHh9B25ybm1aclGLTo=</ds:DigestValue>
</ds:Reference>

<!-- Reference to the XADES-BES object -->
<ds:Reference Id="SignatureUsuario-XADES-Properties-Ref" Type="http://uri.etsi.org/01903/v1.2.2#SignedProperties" URI="#XADES-Properties">
   <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   <ds:DigestValue>RkQ8X/k1EAfkIoxPlwQ4Jn36kCQ=</ds:DigestValue>
</ds:Reference>

<!-- Reference to the certificate used for signing -->
<ds:Reference Id="SignatureUsuario-KeyInfo-Ref" URI="#KeyInfo">
   <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   <ds:DigestValue>oRMY/RmmI9w0GCYVwnbiYKI2ZQA=</ds:DigestValue>
</ds:Reference>

Thank you

Original issue reported on code.google.com by alberto....@gmail.com on 13 Feb 2012 at 11:29

GoogleCodeExporter commented 9 years ago
In the KeyInfoBuilder class, in the method buildKeyInfo(...), which is called when
the signer is signing, you can see the lines:

xmlSig.addDocument('#' + keyInfoId,
                   null,
                   this.algorithmsProvider.getDigestAlgorithmForDataObjsReferences());

This initializes the Transforms for the KeyInfo to null, so is there any way to set
the Transforms for the KeyInfo element?

Thanks !!

PD: I'm using 1.4.2 version

Original comment by alberto....@gmail.com on 13 Feb 2012 at 11:39

GoogleCodeExporter commented 9 years ago
Sorry, the version I'm using is 1.2.0

Original comment by alberto....@gmail.com on 14 Feb 2012 at 9:02

GoogleCodeExporter commented 9 years ago
Hi Alberto,

Currently there is no way to add those transforms. I haven't considered that 
scenario, but seems a valid one. However, for correctness, probably not every 
transform should be accepted, so one can be sure that the referred elements are 
actually being signed.

Considering the rest of the API, how/where would you expect this to be 
configured?

Original comment by luis.fgoncalv on 14 Feb 2012 at 9:33

GoogleCodeExporter commented 9 years ago
Hi Luis, Alberto,

We ran into the same problem (no transforms on signed properties) during a 
project.
We fixed it by reusing the canonicalization transform specified for the 
signature. You can see it in the attached patch file. 

We took this approach because signature and reference are generated by the 
library and therefore are most likely to require the same transformation.

Kind regards,
Kevin

P.S.: the code in the patch is based on the trunk

Original comment by eighth.c...@gmail.com on 31 Oct 2012 at 9:35

GoogleCodeExporter commented 9 years ago
Here is how I did it for KeyInfo.
1. Modify SignerBES.java

this.keyInfoBuilder.buildKeyInfo(signingCertificate, signature);
/* Add line below */
signature.getKeyInfo().setId("KeyInfo"); 

2. Defined a DataObjectReference to Id = #KeyInfo, with a Transform.

DataObjectDesc obj2 = new DataObjectReference("#KeyInfo")
        .withTransform(new ExclusiveCanonicalXMLWithoutComments(""));

3. Result in the Signature:

</ds:Reference>
<ds:Reference Id="xmldsig-12eced92-9bab-4aa4-b38d-a0646c0b57b4-ref1" URI="#KeyInfo">
   <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/></ds:Transform>
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>6lQav16xHEPBwQANI4gO57OtHxXjmLWa+kJf9gZJRqI=</ds:DigestValue>
</ds:Reference>

Original comment by david.mi...@gmail.com on 13 Dec 2012 at 11:26

GoogleCodeExporter commented 9 years ago
David,

1) The KeyInfo id should be unique (prefixed with signature id, for instance).
2) Where did you put the code on 2?

Original comment by luis.fgoncalv on 14 Dec 2012 at 12:52

GoogleCodeExporter commented 9 years ago
Hello,

I have to obtain a result similar to Alberto's:

<ds:Reference Id="SignatureUsuario-XADES-Properties-Ref" Type="http://uri.etsi.org/01903/v1.2.2#SignedProperties" URI="#XADES-Properties">
   <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   <ds:DigestValue>RkQ8X/k1EAfkIoxPlwQ4Jn36kCQ=</ds:DigestValue>
</ds:Reference>

I want to know if this issue has been resolved in the latest version. If not, 
please tell me if you have resolved it in a different way.

It is very important for me to resolve this problem.

Thank you very much.

Original comment by guivang...@gmail.com on 3 Nov 2014 at 12:14

GoogleCodeExporter commented 9 years ago
In the previous comment I made a mistake with the code. This is the correct code.

I have to obtain a result similar to Alberto's:

<!-- Reference to the certificate used for signing -->
<ds:Reference Id="SignatureUsuario-KeyInfo-Ref" URI="#KeyInfo">
   <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   <ds:DigestValue>oRMY/RmmI9w0GCYVwnbiYKI2ZQA=</ds:DigestValue>
</ds:Reference>

I want to know if this issue has been resolved in the latest version. If not, 
please tell me if you have resolved it in a different way.

It is very important for me to resolve this problem.

Thank you very much.

Original comment by guivang...@gmail.com on 3 Nov 2014 at 2:27

GoogleCodeExporter commented 9 years ago
The issue is not yet resolved. As previously said and also explained on the 
link below, adding arbitrary transforms is not an option. The only allowed 
transform should be C14N. 

I think the best solution is to use the same C14N algorithm that is used for 
SignedInfo, as suggested by Kevin on comment 4 above.

Would this be enough for you?

http://stackoverflow.com/questions/25789842/xades4j-how-to-produce-an-signature-with-a-transform-in-the-signedproperties-re

Original comment by luis.fgoncalv on 3 Nov 2014 at 10:08
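The rule Luis states here (only canonicalization on the SignedProperties and KeyInfo references, so that the referred elements are actually what gets digested) is easy to enforce on the verifying side, independently of how the signature was produced. The following is an added example written for this thread; it is not xades4j code and not from any participant. It implements that rule as a standalone Python check over the three-reference layout Alberto posted at the top of the thread: it finds the SignedProperties reference by its Type attribute, the KeyInfo reference by resolving its URI to the ds:KeyInfo element, and rejects any transform on those two references whose Algorithm is not a C14N identifier, as well as a SignedProperties URI that does not resolve to a SignedProperties element. It assumes element identifiers are carried in an attribute named Id (true for both XMLDSig and XAdES). The sample signature is constructed, with dummy digest and certificate values; no digest or signature value is verified, only the transform policy.

```python
"""Transform policy check for the SignedProperties and KeyInfo references of a
XAdES signature (verifier side; digests and the signature value are not checked)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XP = "http://www.w3.org/TR/1999/REC-xpath-19991116"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"

# The only transforms accepted on those two references: canonicalization
# algorithms (C14N 1.0, C14N 1.1 and Exclusive C14N, with or without comments).
C14N_ALGORITHMS = frozenset({
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
    EXC,
    EXC + "WithComments",
})

def _id_map(root):
    """Map every Id attribute value in the document to its element (assumes the attribute is named Id)."""
    return {el.get("Id"): el for el in root.iter() if el.get("Id") is not None}

def _target(ref, ids):
    """Element a same-document URI ('#id') resolves to, or None."""
    uri = ref.get("URI", "")
    return ids.get(uri[1:]) if uri.startswith("#") else None

def classify_reference(ref, ids):
    """'SignedProperties' (by Type), 'KeyInfo' (URI resolves to ds:KeyInfo) or 'data'."""
    if ref.get("Type", "").endswith("#SignedProperties"):
        return "SignedProperties"
    target = _target(ref, ids)
    if target is not None and target.tag == f"{{{DS}}}KeyInfo":
        return "KeyInfo"
    return "data"

def check_reference_transforms(xml_text):
    """Return {URI: [problem, ...]} for each ds:Reference of every ds:SignedInfo.
    SignedProperties and KeyInfo references may only carry canonicalization
    transforms, and the SignedProperties URI must resolve to a SignedProperties
    element; other references (the document itself) are listed but not constrained."""
    root = ET.fromstring(xml_text)
    ids = _id_map(root)
    report = {}
    for signed_info in root.iter(f"{{{DS}}}SignedInfo"):
        for ref in signed_info.findall(f"{{{DS}}}Reference"):
            kind, problems = classify_reference(ref, ids), []
            if kind == "SignedProperties":
                target = _target(ref, ids)
                if target is None or not target.tag.endswith("}SignedProperties"):
                    problems.append("URI does not resolve to a SignedProperties element")
            if kind in ("SignedProperties", "KeyInfo"):
                for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
                    alg = t.get("Algorithm", "")
                    if alg not in C14N_ALGORITHMS:
                        problems.append(f"{kind} reference uses non-C14N transform {alg}")
            report[ref.get("URI", "")] = problems
    return report

def is_acceptable(xml_text):
    """True when no reference violates the rule."""
    return not any(check_reference_transforms(xml_text).values())

# Constructed sample shaped like the signature requested at the top of the thread
# (document, SignedProperties and KeyInfo references); digest and certificate
# values are dummies. <!--EXTRA--> is where sample_signature() injects a transform.
SAMPLE_TEMPLATE = f"""<Root xmlns:ds="{DS}" xmlns:xades="http://uri.etsi.org/01903/v1.2.2#">
  <ds:Signature Id="SignatureUsuario">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC}"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="{XP}"><ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath></ds:Transform>
          <ds:Transform Algorithm="{EXC}"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="{DS}sha1"/><ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
      <ds:Reference Type="http://uri.etsi.org/01903/v1.2.2#SignedProperties" URI="#XADES-Properties">
        <ds:Transforms><!--EXTRA--><ds:Transform Algorithm="{EXC}"/></ds:Transforms>
        <ds:DigestMethod Algorithm="{DS}sha1"/><ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#KeyInfo">
        <ds:Transforms><ds:Transform Algorithm="{EXC}"/></ds:Transforms>
        <ds:DigestMethod Algorithm="{DS}sha1"/><ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:KeyInfo Id="KeyInfo"><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    <ds:Object><xades:QualifyingProperties Target="#SignatureUsuario">
      <xades:SignedProperties Id="XADES-Properties"/>
    </xades:QualifyingProperties></ds:Object>
  </ds:Signature>
</Root>"""

def sample_signature(extra_signed_props_transform=""):
    """The constructed sample, optionally with one more transform on the SignedProperties reference."""
    return SAMPLE_TEMPLATE.replace("<!--EXTRA-->", extra_signed_props_transform)

if __name__ == "__main__":
    bad = sample_signature(f'<ds:Transform Algorithm="{XP}"><ds:XPath>false()</ds:XPath></ds:Transform>')
    for name, doc in (("as requested", sample_signature()), ("XPath on SignedProperties", bad)):
        print(name, "->", "accepted" if is_acceptable(doc) else check_reference_transforms(doc))
```

The decision is made on the transform's Algorithm identifier, not on the XPath expression inside it: once a node-filtering transform sits on one of these references, the digest input is no longer necessarily the element the URI names, so a checker should not try to decide whether a particular expression is harmless. The document reference (URI="") is deliberately left unconstrained, since that is where the enveloped-signature XPath belongs. On the producing side this is the same rule Luis proposes for xades4j: emit only the SignedInfo canonicalization algorithm on those two references.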

GoogleCodeExporter commented 9 years ago
Probably it isn't reasonable to publish a version with that hidden behavior. 
But if you want to implement it for now, you can use the approach suggested by 
Kevin and something similar on KeyInfoBuilder, where the signing certificate 
reference is added.

Original comment by luis.fgoncalv on 3 Nov 2014 at 10:15

GoogleCodeExporter commented 9 years ago
Luis:

I only have to resolve this reference:

<!-- Reference to the certificate used for signing -->
<ds:Reference Id="SignatureUsuario-KeyInfo-Ref" URI="#KeyInfo">
   <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   <ds:DigestValue>oRMY/RmmI9w0GCYVwnbiYKI2ZQA=</ds:DigestValue>
</ds:Reference>

I don't know how to do it. 

Thank you very much.

Original comment by guivang...@gmail.com on 5 Nov 2014 at 1:57

GoogleCodeExporter commented 9 years ago
To sign key info, you can set BasicSignatureOptionsProvider [1] options. 
However, to include the transform you'd need to change the source code on 
KeyInfoBuilder [2].

[1] http://xades4j.googlecode.com/svn/release/1.3.1/javadoc/reference/xades4j/providers/BasicSignatureOptionsProvider.html

[2] https://code.google.com/p/xades4j/source/browse/src/main/java/xades4j/production/KeyInfoBuilder.java#79

Original comment by luis.fgoncalv on 5 Nov 2014 at 3:59