java - XML Signature Reference digest uses parent namespace
I need to sign an XML file in Java, and it needs to contain 3 References.
While 2 of them are valid (expected digest == actual digest), 1 is invalid.
The relevant part of the XML looks like:

<QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.3.2#" Target="#Signature1">
    <SignedProperties Id="SignedProperties_1">
        <SignedSignatureProperties>
            <SigningTime>2014-11-27T13:49:36</SigningTime>
        </SignedSignatureProperties>
    </SignedProperties>
</QualifyingProperties>

The Reference references the element "SignedProperties" and its children.
As you can see, the "QualifyingProperties" element defines a namespace (xmlns="http://uri.etsi.org/01903/v1.3.2#"), and I guess that's the problem:
after looking at the log I found that the "pre-digest" value looks like:

<SignedProperties xmlns="http://uri.etsi.org/01903/v1.3.2#" Id="SignedProperties_1">
    <SignedSignatureProperties>
        <SigningTime>2014-11-27T13:49:36</SigningTime>
    </SignedSignatureProperties>
</SignedProperties>

while the "SignedProperties" element in the real file does not contain the namespace; its parent does.
I found out that the actual digest matches the SHA-256 of the "pre-digest" value, while the expected digest matches the SHA-256 of the real file part (without the namespace).
The Reference is created with the following code:

Reference sigPropRef = fac.newReference("#SignedProperties_1", fac.newDigestMethod(DigestMethod.SHA256, null), Collections.singletonList(sigPropTransform), "http://uri.etsi.org/01903#SignedProperties", "Reference-SignedPropeties");

where sigPropTransform is a CanonicalizationMethod.EXCLUSIVE transform.
My question is, how can I solve this problem, i.e. how can I prevent the namespace from being added to the "SignedProperties" element before calculating the digest?
If you need any other information, please leave a comment; I'm pretty new to this topic and not sure which information is relevant and which is not.
Thanks a lot!
Edit: After playing around a bit, it seems to me that the "actual digest" is the digest the validator calculated, while the "expected digest" is the digest inside the "DigestValue" element.
That means the digest value inside the file matches the SHA-256 of the referenced file part, but the validator for some reason calculates the digest with the parent's namespace.
I guess I need to include the parent's namespace in the digest calculation.

Edit: I continued playing around and now have the pre-digest value not of the validator but of the "digest calculation". That one gives me:

<SignedProperties Id="SignedProperties_1"><SignedSignatureProperties><SigningTime>2014-11-27T15:51:26</SigningTime></SignedSignatureProperties></SignedProperties>

when I give the following transform:

Transform sigPropTransform = fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (ExcC14NParameterSpec) null);

and:

<SignedProperties xmlns:ds="some-url" xmlns:msg="some-other-url" Id="SignedProperties_1"><SignedSignatureProperties><SigningTime>2014-11-27T15:52:49</SigningTime></SignedSignatureProperties></SignedProperties>

when I don't give a transform.
The namespace xmlns="http://uri.etsi.org/01903/v1.3.2#" is never included.
How can I include it?
I'm afraid you cannot prevent adding the namespace - it's being added during canonicalization. This one helped me when I had an identical issue ;)
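As an added illustration (not code from the question or the answer), here is a stand-alone JDK-only program that signs the fragment from the question with one Reference to #SignedProperties_1 and reads back the exact octets that went into the SHA-256, so you can see that the canonicalized subtree carries the inherited xmlns. The throwaway RSA key, the Reference Id and the use of the documented "javax.xml.crypto.dsig.cacheReference" property are my choices; the fragment itself is used as the whole document.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignedPropertiesDigestInput {
    static final String XADES_NS = "http://uri.etsi.org/01903/v1.3.2#";
    // Constructed sample: the QualifyingProperties fragment from the question, used as the whole document.
    static final String XML = "<QualifyingProperties xmlns=\"" + XADES_NS + "\" Target=\"#Signature1\">"
        + "<SignedProperties Id=\"SignedProperties_1\"><SignedSignatureProperties>"
        + "<SigningTime>2014-11-27T13:49:36</SigningTime></SignedSignatureProperties>"
        + "</SignedProperties></QualifyingProperties>";

    // Signs doc with one Reference (exclusive C14N, SHA-256) and returns the octets the JDK actually digested.
    static byte[] digestInputOfSignedProperties(Document doc) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Transform excC14n = fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null);
        Reference sigPropRef = fac.newReference("#SignedProperties_1",
            fac.newDigestMethod(DigestMethod.SHA256, null), Collections.singletonList(excC14n),
            "http://uri.etsi.org/01903#SignedProperties", "Reference-SignedProperties");
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(sigPropRef));
        DOMSignContext ctx = new DOMSignContext(  // throwaway key: only the digest input matters here
            KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate(), doc.getDocumentElement());
        // No DTD/schema, so register which attribute the "#..." URI resolves against.
        Element sp = (Element) doc.getElementsByTagNameNS(XADES_NS, "SignedProperties").item(0);
        ctx.setIdAttributeNS(sp, null, "Id");
        // Keep the pre-digest stream so it can be read back after signing.
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        fac.newXMLSignature(si, null).sign(ctx);
        return sigPropRef.getDigestInputStream().readAllBytes();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this, xmlns is a plain attribute and C14N never sees it
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
        // Prints <SignedProperties xmlns="http://uri.etsi.org/01903/v1.3.2#" Id="SignedProperties_1">...:
        // exclusive C14N emits the inherited default namespace because the subtree visibly uses it,
        // so DigestValue has to be computed over this form, not over the raw bytes of the file.
        System.out.println(new String(digestInputOfSignedProperties(doc), StandardCharsets.UTF_8));
    }
}
```

If a manually computed "expected" digest is needed, hash these returned bytes rather than the substring cut out of the file; any verifier that follows XML-DSig will reproduce exactly this canonical form.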