I have seen this problem before in another context, but I cannot remember if/how I resolved it. It has something to do with the serialization to DOM in that it removes the xmlns:ds namespace attributes which breaks the signature. You might try to invoke org.apache.xml.security.utils.XMLUtils.circumventBug2650(Document) on the Document after converting it back to DOM.

If I get some more time, I'll try to see if I can figure out what the problem is. BTW, what version of XMLSec are you using?

--Sean

chirsmail sapl wrote:
I am using the following code to serialize (Xerces serializer; signDocument is the signed org.w3c.dom.Document):

    import java.io.FileWriter;
    import org.apache.xml.serialize.LineSeparator;
    import org.apache.xml.serialize.OutputFormat;
    import org.apache.xml.serialize.XMLSerializer;
    import org.w3c.dom.Document;

    OutputFormat format = new OutputFormat(signDocument);
    format.setLineSeparator(LineSeparator.Windows);
    format.setIndenting(true);      // pretty-prints: adds whitespace-only text nodes when the file is re-read
    format.setLineWidth(0);         // no automatic line wrapping
    format.setPreserveSpace(true);
    XMLSerializer serializer = new XMLSerializer(
        new FileWriter("output_DOM.xml"), format);
    //serializer.asDOMSerializer();
    serializer.serialize(signDocument);

chirsmail sapl <[EMAIL PROTECTED]> wrote:

    Yes, you are correct. Here is what I did:
    1) Converted JDOM to DOM and then signed.
    2) Serialized the signed DOM and sent it to the O/P stream - attached the
    file output_DOM.xml
    3) Then converted the signed DOM to JDOM
    4) Then again converted JDOM to DOM - attached file output_DOMFromJDOM.xml
    I can see the difference: the signed DOM contains
    <ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    and the DOM converted from JDOM after signing contains
    <ds:Reference URI="">
    The namespace declaration is missing:
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    I have attached the signed DOM below:
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod
            Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
        <ds:SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
        <ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform
                Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
            <ds:Transform
                Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
          </ds:Transforms>
          <ds:DigestMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
          <ds:DigestValue
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">8LzJf7lSdxcPiyeb2ApFOPEHVZE=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">VnLYodjEkycbfrkEnbsIjureVSIRCppJLonEf1Bt4Gh2n8DibSF5icHYqWfRU5LjyNifskOyWhzK
      Ua1s/NfNoS9xeuo3skiQHkGG83eDEcz8/mB+Vot35bR4FL2QGjztDbaEBrzR+4/iD0IUPy3YjiHS
      Zl3c9jtb/mM1LjYV8oI=</ds:SignatureValue>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">MIICNDCCAZ0CBEQki2AwDQYJKoZIhvcNAQEEBQAwYTELMAkGA1UEBhMCREUxHTAbBgNVBAoTFFVu
          aXZlcnNpdHkgb2YgU2llZ2VuMRAwDgYDVQQLEwdGQjEyTlVFMSEwHwYDVQQDExhDaHJpc3RpYW4g
          R2V1ZXItUG9sbG1hbm4wHhcNMDYwMzI1MDAxNDI0WhcNMTEwOTE1MDAxNDI0WjBhMQswCQYDVQQG
          EwJERTEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBTaWVnZW4xEDAOBgNVBAsTB0ZCMTJOVUUxITAf
          BgNVBAMTGENocmlzdGlhbiBHZXVlci1Qb2xsbWFubjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
          gYEAiMyPaBtjyD45i3iNi/ijObw+XrmiMgADOSUAo62MjBK6A1qZb4uwhrF+vSkWfrdpmW1yfH0H
          UTOAT4pgNc8UWn8WH61LRlj5MBnVF5f32DBqxgXs7K3i42W3xWeMr7cPwuD00qOeisbiLuTSKg8a
          xsmf+ATnZWBMTpH7O5NtxFsCAwEAATANBgkqhkiG9w0BAQQFAAOBgQB0ZO7ZSvIbtWLKtUrypyEp
          P+Q5Ly1Fd2++/K+Fr8d6tPxBD0LS0QGmLd2jHHzkf0XX0XanMPpEzW/nDtHJkszRlu9jis/m1VLf
          2B91o7arMGpW9M2AhmrNqI5AGnb4m96AsGJr0ZEy4+BfXbx4A4bnhxUlfh5p/7jrCBSQAexU7A==</ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:RSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Modulus
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">iMyPaBtjyD45i3iNi/ijObw+XrmiMgADOSUAo62MjBK6A1qZb4uwhrF+vSkWfrdpmW1yfH0HUTOA
            T4pgNc8UWn8WH61LRlj5MBnVF5f32DBqxgXs7K3i42W3xWeMr7cPwuD00qOeisbiLuTSKg8axsmf
            +ATnZWBMTpH7O5NtxFs=</ds:Modulus>
            <ds:Exponent
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">AQAB</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </ds:Signature>
    I have attached the signed DOM from JDOM for validation below:
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod
            Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        <ds:SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform
                Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform
                Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
          </ds:Transforms>
          <ds:DigestMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>8LzJf7lSdxcPiyeb2ApFOPEHVZE=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>VnLYodjEkycbfrkEnbsIjureVSIRCppJLonEf1Bt4Gh2n8DibSF5icHYqWfRU5LjyNifskOyWhzK
      Ua1s/NfNoS9xeuo3skiQHkGG83eDEcz8/mB+Vot35bR4FL2QGjztDbaEBrzR+4/iD0IUPy3YjiHS
      Zl3c9jtb/mM1LjYV8oI=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICNDCCAZ0CBEQki2AwDQYJKoZIhvcNAQEEBQAwYTELMAkGA1UEBhMCREUxHTAbBgNVBAoTFFVu
          aXZlcnNpdHkgb2YgU2llZ2VuMRAwDgYDVQQLEwdGQjEyTlVFMSEwHwYDVQQDExhDaHJpc3RpYW4g
          R2V1ZXItUG9sbG1hbm4wHhcNMDYwMzI1MDAxNDI0WhcNMTEwOTE1MDAxNDI0WjBhMQswCQYDVQQG
          EwJERTEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBTaWVnZW4xEDAOBgNVBAsTB0ZCMTJOVUUxITAf
          BgNVBAMTGENocmlzdGlhbiBHZXVlci1Qb2xsbWFubjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
          gYEAiMyPaBtjyD45i3iNi/ijObw+XrmiMgADOSUAo62MjBK6A1qZb4uwhrF+vSkWfrdpmW1yfH0H
          UTOAT4pgNc8UWn8WH61LRlj5MBnVF5f32DBqxgXs7K3i42W3xWeMr7cPwuD00qOeisbiLuTSKg8a
          xsmf+ATnZWBMTpH7O5NtxFsCAwEAATANBgkqhkiG9w0BAQQFAAOBgQB0ZO7ZSvIbtWLKtUrypyEp
          P+Q5Ly1Fd2++/K+Fr8d6tPxBD0LS0QGmLd2jHHzkf0XX0XanMPpEzW/nDtHJkszRlu9jis/m1VLf
          2B91o7arMGpW9M2AhmrNqI5AGnb4m96AsGJr0ZEy4+BfXbx4A4bnhxUlfh5p/7jrCBSQAexU7A==</ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus>iMyPaBtjyD45i3iNi/ijObw+XrmiMgADOSUAo62MjBK6A1qZb4uwhrF+vSkWfrdpmW1yfH0HUTOA
            T4pgNc8UWn8WH61LRlj5MBnVF5f32DBqxgXs7K3i42W3xWeMr7cPwuD00qOeisbiLuTSKg8axsmf
            +ATnZWBMTpH7O5NtxFs=</ds:Modulus>
            <ds:Exponent>AQAB</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </ds:Signature>
    Can you help me get the original DOM out of JDOM?
    Thanks,
    Chris
    Jesse Pelton <[EMAIL PROTECTED]> wrote:

        So, if you serialize the original DOM (canonicalized), convert
        to JDOM, convert back to DOM, and serialize the resulting DOM
        (canonicalized), how do the two serializations differ? It sounds
        like the content of the document is being changed in some
        non-trivial way somewhere in the JDOM <-> DOM conversion. The
        point of canonicalization is to factor out insignificant changes
        (like attribute ordering), but one or both of the conversions
        appears to introduce something that C14N cannot accommodate. If
        you can attach the two serializations of a given (small)
        document, that might help diagnose the problem.

        ------------------------------------------------------------------------
        From: chirsmail sapl [mailto:[EMAIL PROTECTED]]
        Sent: Friday, April 07, 2006 2:08 PM
        To: security-dev@xml.apache.org
        Subject: Re: JDOM - Sign validation

        One more point to add is that the signed DOM validates. But the
        signed DOM converted to JDOM and then DOM out of JDOM doesn't
        validate.

        Martin Labarthe Dubois <[EMAIL PROTECTED]> wrote:

            You can try saving the XML to a file, and reading from it,
            when transferring from one format to the other and vice versa:
            JDOM <-> DOM
            Moreover, I usually use the IBM XML Security Suite to test the
            file, just typing
            java dsig.VerifyGUI "filename.xml"
                ----- Original Message -----
                From: chirsmail sapl <mailto:[EMAIL PROTECTED]>
                To: security-dev@xml.apache.org
                <mailto:security-dev@xml.apache.org>
                Sent: Friday, April 07, 2006 2:31 PM
                Subject: Re: JDOM - Sign validation

                Thanks for the reply. When I print the DOM and the DOM converted
                from JDOM, they seem to be the same. I see a lot of difference on
                the object level between the signed DOM and the DOM converted from
                JDOM. Because the signing of the DOM converted from JDOM works
                well. After updating the DOM into JDOM and then converting
                the JDOM back to DOM, the validation fails.
                I think if I get the exact signed DOM out of JDOM, I
                should be able to validate the signature. But I don't know how to
                get the exact DOM out of JDOM for validation.


                Martin Labarthe Dubois <[EMAIL PROTECTED]> wrote:

                    Yes, in this case I also saw both of them as
                    identical from the c14n perspective.
                    You must have some other difference.
                        ----- Original Message -----
                        From: David Wall - Yozons Inc.
                        <mailto:[EMAIL PROTECTED]>
                        To: security-dev@xml.apache.org
                        <mailto:security-dev@xml.apache.org>
                        Sent: Friday, April 07, 2006 2:09 PM
                        Subject: Re: JDOM - Sign validation


                        Thanks for the reply.
                        1) The difference is on the byte level. When we
                        print the bytes of the original DOM and the DOM
                        converted from JDOM, the size is different.
                        2) The DOM converted from JDOM has white
                        space if the element doesn't have values.
                        For example:
                        Original XML content:
                        <?xml version="1.0" encoding="UTF-8"?>
                        <div id="main"></div>
                        DOM o/p using XMLUtils.outputDOMc14nWithComments(
                        <div id="main"></div>
                        JDOM O/P converted from DOM using XMLOutputter:
                        <?xml version="1.0" encoding="UTF-8"?>
                        <div id="main" />
                        I think that's why it doesn't validate the DOM
                        converted from JDOM.
                        Can any expert suggest a way to resolve the
                        issue?
                        Isn't the point of canonicalization to remove
                        such problems from syntactically equivalent
                        XML? It seems that the element is the same,
                        has the same value and same attributes with the
                        same values, so they should be treated as the
                        same data from a digital signing perspective.

                        David


                
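Added example (not code from the thread, nor Apache XMLSec or JDOM code): the comparison Jesse asks for, canonicalize both serializations and diff the results, done with Python's stdlib xml.etree.ElementTree.canonicalize on constructed inputs modelled on the two SignedInfo fragments above. It assumes Python 3.8+ and applies C14N 2.0 rather than the C14N 1.0 algorithm named in the signature, but the three behaviours it checks (superfluous xmlns:ds redeclarations are dropped, <div></div> and <div /> become the same bytes, a whitespace text node stays content and changes the digest) hold under both.

```python
import difflib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed inputs modelled on the two SignedInfo serializations in the
# thread: the DOM as signed redeclares xmlns:ds on every element, the DOM
# rebuilt from JDOM declares it once on the root.  Indentation is identical
# in both so that only the namespace declarations differ.
SIGNED_INFO_FROM_DOM = f"""<ds:SignedInfo xmlns:ds="{DS}">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="{DS}" />
  <ds:Reference URI="" xmlns:ds="{DS}">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="{DS}" />
    <ds:DigestValue xmlns:ds="{DS}">8LzJf7lSdxcPiyeb2ApFOPEHVZE=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""

SIGNED_INFO_FROM_JDOM = f"""<ds:SignedInfo xmlns:ds="{DS}">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
  <ds:Reference URI="">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <ds:DigestValue>8LzJf7lSdxcPiyeb2ApFOPEHVZE=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""


def canonical(xml_text: str) -> str:
    """Canonical form of a document: these are the bytes a signature actually covers."""
    return ET.canonicalize(xml_text, with_comments=False)


def canonical_diff(xml_a: str, xml_b: str) -> list:
    """Unified diff of the two canonical forms; an empty list means C14N sees no difference."""
    a = canonical(xml_a).splitlines()
    b = canonical(xml_b).splitlines()
    return list(difflib.unified_diff(a, b, "a", "b", lineterm="", n=0))


if __name__ == "__main__":
    # Superfluous xmlns:ds redeclarations are removed by C14N: no difference.
    print(canonical_diff(SIGNED_INFO_FROM_DOM, SIGNED_INFO_FROM_JDOM))
    # David's point: <div></div> and <div /> canonicalize to the same bytes.
    print(canonical_diff('<div id="main"></div>', '<div id="main" />'))
    # A whitespace text node, by contrast, is content and does change the digest.
    for line in canonical_diff('<div id="main"></div>', '<div id="main"> </div>'):
        print(line)
```

When the two serializations of SignedInfo still diff after this step, the lines shown are exactly what changed the digest; a serializer that pretty-prints (indenting) is one source of such whitespace text nodes.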