java - XML Signature Reference digest uses parent namespace


I need to sign an XML file in Java, and it needs to contain 3 references.
While 2 of them are valid (expected digest == actual digest), 1 is invalid.
The relevant part of the XML looks like:

<QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.3.2#" Target="signature1">
    <SignedProperties Id="signedproperties_1">
        <SignedSignatureProperties>
            <SigningTime>2014-11-27T13:49:36</SigningTime>
        </SignedSignatureProperties>
    </SignedProperties>
</QualifyingProperties>

The reference references the element "SignedProperties" and its children.
As you can see, the "QualifyingProperties" element defines a namespace (xmlns="http://uri.etsi.org/01903/v1.3.2#"), and I guess that's the problem:

After having a look at the log I found that the "pre-digest" value looks like:

<SignedProperties xmlns="http://uri.etsi.org/01903/v1.3.2#" Id="signedproperties_1">
    <SignedSignatureProperties>
        <SigningTime>2014-11-27T13:49:36</SigningTime>
    </SignedSignatureProperties>
</SignedProperties>

While the "SignedProperties" element in the real file does not contain the namespace, its parent does.
I found out that the actual digest matches the SHA-256 of the "pre-digest" value, while the expected digest matches the SHA-256 of the real file (without namespace).

The reference is created with the following code:

Reference sigPropRef = fac.newReference("#signedproperties_1", fac.newDigestMethod(DigestMethod.SHA256, null),
    Collections.singletonList(sigPropTransform), "http://uri.etsi.org/01903#SignedProperties", "reference-signedpropeties");

where sigPropTransform is a CanonicalizationMethod.EXCLUSIVE transform.

My question is, how can I solve this problem, i.e. how can I prevent the namespace from being added to the "SignedProperties" element before calculating the digest?

If you need other information please leave a comment; I am pretty new to this theme, so I am not sure which information is relevant and which is not.
Thanks a lot!

Edit: After playing around a bit, it seems to me that the "actual digest" is the digest the validator calculated, while the "expected digest" is the digest inside the "DigestValue" element.
That means the digest value inside the file matches the SHA-256 of the referenced file part, but the validator for some reason calculates the digest with the parent's namespace.
I guess I need to include the parent's namespace in the digest calculation.

Edit: I continued playing around, and I now have not the pre-digest value of the validator but the one of the "digest calculation".
This one gives me:

<SignedProperties Id="signedproperties_1"><SignedSignatureProperties><SigningTime>2014-11-27T15:51:26</SigningTime></SignedSignatureProperties></SignedProperties>

when I give the following transform:

Transform sigPropTransform = fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (ExcC14NParameterSpec) null);

and:

<SignedProperties xmlns:ds="some-url" xmlns:msg="some-other-url" Id="signedproperties_1"><SignedSignatureProperties><SigningTime>2014-11-27T15:52:49</SigningTime></SignedSignatureProperties></SignedProperties>

when I don't give a transform.
The namespace xmlns="http://uri.etsi.org/01903/v1.3.2#" is never included.

How do I include it?

I'm afraid you cannot prevent adding the namespace - it's being added during canonicalization. This one helped me when I had an identical issue ;)
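
An added illustration of the answer's point (not code from the question or the answer): once the file is parsed, SignedProperties is in the namespace declared on its parent, and canonicalizing that subtree writes the declaration on the subtree's top element, so the hashed bytes differ from the text as it appears in the file. The `render` method is a simplified stand-in for exclusive canonicalization (unprefixed names, attributes and text only, no escaping), and the class name, the `sp1` Id and the sample document are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.TreeMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class InheritedNamespaceDigest {
    // Constructed sample modelled on the question's XML (the Id value is made up).
    static final String XML = "<QualifyingProperties xmlns=\"http://uri.etsi.org/01903/v1.3.2#\">"
        + "<SignedProperties Id=\"sp1\"><SignedSignatureProperties><SigningTime>2014-11-27T13:49:36"
        + "</SigningTime></SignedSignatureProperties></SignedProperties></QualifyingProperties>";

    // Simplified stand-in for exclusive C14N, not the JDK's canonicalizer.
    // 'rendered' is the default namespace already written by an output ancestor.
    static void render(Element e, String rendered, StringBuilder out) {
        String ns = e.getNamespaceURI() == null ? "" : e.getNamespaceURI();
        out.append('<').append(e.getTagName());
        // The element name uses the default namespace, so declare it if not yet rendered.
        if (!ns.equals(rendered)) out.append(" xmlns=\"").append(ns).append('"');
        TreeMap<String, String> attrs = new TreeMap<>();   // attributes in sorted order
        NamedNodeMap m = e.getAttributes();
        for (int i = 0; i < m.getLength(); i++) {
            Attr a = (Attr) m.item(i);
            if (!a.getName().startsWith("xmlns")) attrs.put(a.getName(), a.getValue());
        }
        attrs.forEach((k, v) -> out.append(' ').append(k).append("=\"").append(v).append('"'));
        out.append('>');
        for (Node c = e.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c instanceof Element) render((Element) c, ns, out);
            else if (c instanceof Text) out.append(c.getNodeValue());
        }
        out.append("</").append(e.getTagName()).append('>');
    }
    static String sha256(String s) throws Exception {
        return Base64.getEncoder().encodeToString(
            MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
        Element sp = (Element) d.getDocumentElement().getFirstChild();
        StringBuilder canon = new StringBuilder();
        render(sp, "", canon);   // SignedProperties is the top of the referenced subtree
        String asWritten = XML.substring(XML.indexOf("<SignedProperties"), XML.indexOf("</QualifyingProperties>"));
        System.out.println("canonical  : " + canon + "\n  digest   : " + sha256(canon.toString()));
        System.out.println("as written : " + asWritten + "\n  digest   : " + sha256(asWritten));
    }
}
```

The two printed forms differ only in the `xmlns` declaration on SignedProperties, which is enough to give two different DigestValue candidates.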

