[prev in list] [next in list] [prev in thread] [next in thread]
List: xml-security-dev
Subject: Detached with peculiar URIs
From: "=?ISO-8859-1?Q?Andr=E9_Luiz_Cardoso?=" <andrecardoso () gmail ! com>
Date: 2007-08-07 2:14:02
Message-ID: 1155f9220708061914t5c96c67ep5c6cbc34271aae53 () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi,
I'm having trouble on creating a Detached signature of resources referenced
by files URI's and FTP URI's.
After looking the sources files I decided to create tests for these
situations.
I had modified the tests on the following tests:
org.apache.xml.security.test.signature.CreateSignatureTest and
javax.xml.crypto.test.dsig.DetachedTest.
I'm sending these files for analysis.
The testDetachedFileURI of the CreateSignatureTest test case passes with the
following modification on the
org.apache.xml.security.utils.resolver.implementations.ResolverLocalFilesystemclass:
On the method engineResolve, the uriNew is instantiated by this way:
URI uriNew = null;
if(BaseURI != null && !BaseURI.equals("")) {
uriNew = new URI(new URI(BaseURI), uri.getNodeValue());
} else {
uriNew = new URI(uri.getNodeValue());
}
instead of this:
URI uriNew = new URI(new URI(BaseURI), uri.getNodeValue());
I cannot make the other tests to pass. Please, if anyone already done this
kind of detached signatures, send me some example, maybe I'm doing something
wrong.
Sorry about my english...
Thank you.
André Luiz Cardoso.
[Attachment #5 (text/html)]
Hi, <br><br>I'm having trouble on creating a Detached signature of resources \
referenced by files URI's and FTP URI's. <br>After looking the sources files \
I decided to create tests for these situations.<br>I had modified the tests on the \
following tests: org.apache.xml.security.test.signature.CreateSignatureTest \
and javax.xml.crypto.test.dsig.DetachedTest. <br>I'm sending these files for \
analysis. <br>The testDetachedFileURI of the CreateSignatureTest test case passes \
with the following modification on the \
org.apache.xml.security.utils.resolver.implementations.ResolverLocalFilesystem \
class:<br><br>On the method engineResolve, the uriNew is instantiated by this \
way:<br><br> URI uriNew = \
null;<br> if(BaseURI != null && \
!BaseURI.equals("")) { <br> \
uriNew = new URI(new URI(BaseURI), \
uri.getNodeValue());<br> } else \
{<br> uriNew = new \
URI(uri.getNodeValue());<br> \
}<br><br>instead of this:<br><br>URI uriNew = new URI(new URI(BaseURI), \
uri.getNodeValue());<br><br>I cannot make the other tests to pass. Please, if anyone \
already done this kind of detached signatures, send me some example, maybe I'm \
doing something wrong. <br>Sorry about my english...<br> <br>Thank you.<br>André Luiz \
Cardoso.<br>
["CreateSignatureTest.java" (text/x-java)]
/*
* Copyright 1999-2005 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.apache.xml.security.test.signature;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.algorithms.SignatureAlgorithm;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.ObjectContainer;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.transforms.params.XPathContainer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
/**
* Tests that create signatures.
*
* @author Sean Mullan
*/
public class CreateSignatureTest extends TestCase {
/** {@link org.apache.commons.logging} logging facility */
static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog
(CreateSignatureTest.class.getName());
private static final String BASEDIR = System.getProperty("basedir");
private static final String SEP = System.getProperty("file.separator");
public static Test suite() {
return new TestSuite(CreateSignatureTest.class);
}
public CreateSignatureTest(String name) {
super(name);
}
public static void main(String[] args) {
String[] testCaseName = { "-noloading",
CreateSignatureTest.class.getName() };
junit.textui.TestRunner.main(testCaseName);
}
/**
* Test for bug 36044 - Canonicalizing an empty node-set throws an
* ArrayIndexOutOfBoundsException.
*/
public void testEmptyNodeSet() throws Exception {
Document doc = db.newDocument();
Element envelope = doc.createElementNS("http://www.usps.gov/",
"Envelope");
envelope.appendChild(doc.createTextNode("\n"));
doc.appendChild(envelope);
XMLSignature sig =
new XMLSignature(doc, null, XMLSignature.ALGO_ID_SIGNATURE_DSA);
ObjectContainer object1 = new ObjectContainer(doc);
object1.setId("object-1");
object1.setMimeType("text/plain");
sig.appendObject(object1);
ObjectContainer object2 = new ObjectContainer(doc);
object2.setId("object-2");
object2.setMimeType("text/plain");
object2.setEncoding("http://www.w3.org/2000/09/xmldsig#base64");
object2.appendChild(doc.createTextNode("SSBhbSB0aGUgdGV4dC4="));
sig.appendObject(object2);
Transforms transforms = new Transforms(doc);
XPathContainer xpathC = new XPathContainer(doc);
xpathC.setXPath("self::text()");
transforms.addTransform(Transforms.TRANSFORM_XPATH,
xpathC.getElementPlusReturns());
sig.addDocument("#object-1", transforms,
Constants.ALGO_ID_DIGEST_SHA1, null,
"http://www.w3.org/2000/09/xmldsig#Object");
KeyStore ks = KeyStore.getInstance("JKS");
FileInputStream fis = null;
if (BASEDIR != null && !"".equals(BASEDIR)) {
fis = new FileInputStream(BASEDIR + SEP +
"data/org/apache/xml/security/samples/input/keystore.jks");
} else {
fis = new FileInputStream(
"data/org/apache/xml/security/samples/input/keystore.jks");
}
ks.load(fis, "xmlsecurity".toCharArray());
PrivateKey privateKey = (PrivateKey) ks.getKey("test",
"xmlsecurity".toCharArray());
sig.sign(privateKey);
}
KeyPair kp = null;
javax.xml.parsers.DocumentBuilder db;
protected void setUp() throws Exception {
javax.xml.parsers.DocumentBuilderFactory dbf = javax.xml.parsers.DocumentBuilderFactory
.newInstance();
dbf.setNamespaceAware(true);
db = dbf.newDocumentBuilder();
org.apache.xml.security.Init.init();
kp=KeyPairGenerator.getInstance("RSA").genKeyPair();
}
public void testOne() throws Exception {
doVerify(doSign());
doVerify(doSign());
}
public void testDetachedURL() throws Exception {
String uri = "http://www.ietf.org/rfc/rfc3161.txt";
doVerify(doDatachedSign(uri));
}
public void testDetachedFileURI() throws Exception {
String uri = "file:/home/andre/workspace/xml-security/data/websigMiflet.xml";
doVerify(doDatachedSign(uri));
}
public void testDetachedFTPURI() throws Exception {
String uri = "ftp://ftp.rfc-editor.org/in-notes/rfc2606.txt";
doVerify(doDatachedSign(uri));
}
String doDatachedSign(String uri) throws Exception {
org.w3c.dom.Document doc = db.newDocument();
PrivateKey privateKey = kp.getPrivate();
XMLSignature sig = new XMLSignature(doc, doc.getBaseURI(),
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
doc.appendChild(sig.getElement());
sig.addDocument(uri);
sig.addKeyInfo(kp.getPublic());
sig.sign(privateKey);
ByteArrayOutputStream bos = new ByteArrayOutputStream();
XMLUtils.outputDOMc14nWithComments(doc, bos);
return new String(bos.toByteArray());
}
String doSign() throws Exception {
PrivateKey privateKey = kp.getPrivate();
org.w3c.dom.Document doc = db.newDocument();
doc.appendChild(doc.createComment(" Comment before "));
Element root = doc.createElementNS("",
"RootElement");
doc.appendChild(root);
root.appendChild(doc.createTextNode("Some simple text\n"));
Element canonElem = XMLUtils.createElementInSignatureSpace(doc,
Constants._TAG_CANONICALIZATIONMETHOD);
canonElem.setAttributeNS(null, Constants._ATT_ALGORITHM,
Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
SignatureAlgorithm signatureAlgorithm = new SignatureAlgorithm(doc,
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
XMLSignature sig = new XMLSignature(doc, null, signatureAlgorithm
.getElement(), canonElem);
root.appendChild(sig.getElement());
doc.appendChild(doc.createComment(" Comment after "));
Transforms transforms = new Transforms(doc);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);
sig.addKeyInfo(kp.getPublic());
sig.sign(privateKey);
ByteArrayOutputStream bos = new ByteArrayOutputStream();
XMLUtils.outputDOMc14nWithComments(doc, bos);
return new String(bos.toByteArray());
}
void doVerify(String signedXML) throws Exception {
org.w3c.dom.Document doc = db.parse(new ByteArrayInputStream(signedXML.getBytes()));
Element nscontext = XMLUtils.createDSctx(doc, "ds",Constants.SignatureSpecNS);
Element sigElement = (Element) XPathAPI.selectSingleNode(doc,"//ds:Signature[1]", nscontext);
XMLSignature signature = new XMLSignature(sigElement, "");
KeyInfo ki = signature.getKeyInfo();
if (ki == null) {
throw new RuntimeException("No keyinfo");
}
PublicKey pk = signature.getKeyInfo().getPublicKey();
if (pk == null) {
throw new RuntimeException("No public key");
}
assertTrue(signature.checkSignatureValue(pk) );
}
}
["DetachedTest.java" (text/x-java)]
/*
* Copyright 2006 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
/*
* Copyright 2005 Sun Microsystems, Inc. All rights reserved.
*/
package javax.xml.crypto.test.dsig;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import java.io.File;
import java.io.FileInputStream;
import java.security.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import junit.framework.*;
/**
* This is a simple example of generating and validating a Detached XML
* Signature using the JSR 105 API. The resulting signature will look like (key
* and signature values will be different):
*
* <pre><code>
* <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
* <SignedInfo>
* <CanonicalizationMethod \
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
* <SignatureMethod \
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
* <Reference URI="http://www.w3.org/TR/xml-stylesheet">
* <DigestMethod \
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
* <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
* </Reference>
* </SignedInfo>
* <SignatureValue>
* DpEylhQoiUKBoKWmYfajXO7LZxiDYgVtUtCNyTgwZgoChzorA2nhkQ==
* </SignatureValue>
* <KeyInfo>
* <KeyValue>
* <DSAKeyValue>
* <P>
* rFto8uPQM6y34FLPmDh40BLJ1rVrC8VeRquuhPZ6jYNFkQuwxnu/wCvIAMhukPBL
* FET8bJf/b2ef+oqxZajEb+88zlZoyG8g/wMfDBHTxz+CnowLahnCCTYBp5kt7G8q
* UobJuvjylwj1st7V9Lsu03iXMXtbiriUjFa5gURasN8=
* </P>
* <Q>
* kEjAFpCe4lcUOdwphpzf+tBaUds=
* </Q>
* <G>
* oe14R2OtyKx+s+60O5BRNMOYpIg2TU/f15N3bsDErKOWtKXeNK9FS7dWStreDxo2
* SSgOonqAd4FuJ/4uva7GgNL4ULIqY7E+mW5iwJ7n/WTELh98mEocsLXkNh24HcH4
* BZfSCTruuzmCyjdV1KSqX/Eux04HfCWYmdxN3SQ/qqw=
* </G>
* <Y>
* pA5NnZvcd574WRXuOA7ZfC/7Lqt4cB0MRLWtHubtJoVOao9ib5ry4rTk0r6ddnOv
* AIGKktutzK3ymvKleS3DOrwZQgJ+/BDWDW8kO9R66o6rdjiSobBi/0c2V1+dkqOg
* jFmKz395mvCOZGhC7fqAVhHat2EjGPMfgSZyABa7+1k=
* </Y>
* </KeyValue>
* </DSAKeyValue>
* </KeyInfo>
* </Signature>
* @author Sean Mullan
*
*/
public class DetachedTest extends TestCase {
static {
Security.insertProviderAt(
new org.jcp.xml.dsig.internal.dom.XMLDSigRI(), 1);
}
public DetachedTest(String name) {
super(name);
}
public void testURL() {
String uri = "http://www.w3.org/TR/xml-stylesheet";
createAndTestDetached(uri);
}
public void testFile() {
String uri = "file:/home/andre/workspace/xml-security/data/websigMiflet.xml";
createAndTestDetached(uri);
}
public void testFTP() {
String uri = "ftp://ftp.rfc-editor.org/in-notes/rfc2606.txt";
createAndTestDetached(uri);
}
private void createAndTestDetached(String uri) {
try {
//
// PART 1 : Creating the detached signature
//
// Create a factory that will be used to generate the signature
// structures
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
new org.jcp.xml.dsig.internal.dom.XMLDSigRI());
// Create a Reference to an external URI that will be digested
Reference ref = fac.newReference(
uri, fac.newDigestMethod(
DigestMethod.SHA1, null));
// Create a DSA KeyPair
KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
kpg.initialize(1024, new SecureRandom("not so random bytes"
.getBytes()));
KeyPair kp = kpg.generateKeyPair();
// Create a KeyValue containing the generated DSA PublicKey
KeyInfoFactory kif = fac.getKeyInfoFactory();
KeyValue kv = kif.newKeyValue(kp.getPublic());
// Create a KeyInfo and add the KeyValue to it
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
// Create SignedInfo
SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(
CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
(C14NMethodParameterSpec) null), fac.newSignatureMethod(
SignatureMethod.DSA_SHA1, null), Collections
.singletonList(ref));
// Create XMLSignature
XMLSignature signature = fac.newXMLSignature(si, ki, null, null,
null);
// Create an XMLSignContext and set the
// DSA PrivateKey for signing
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
dbf.setValidating(false);
Document doc = dbf.newDocumentBuilder().newDocument();
DOMSignContext signContext = new DOMSignContext(kp.getPrivate(),
doc);
signContext.putNamespacePrefix(XMLSignature.XMLNS, "ds");
// Generate (and sign) the XMLSignature
signature.sign(signContext);
//
// PART 2 : Validating the detached signature
//
// Create a XMLValidateContext & set the DSAPublicKey for validating
XMLValidateContext vc = new DOMValidateContext(kp.getPublic(), doc
.getDocumentElement());
// Validate the Signature (generated above)
boolean coreValidity = signature.validate(vc);
// Check core validation status
if (coreValidity == false) {
// check the validation status of each Reference
Iterator i = signature.getSignedInfo().getReferences()
.iterator();
for (int j = 0; i.hasNext(); j++) {
Reference reference = (Reference) i.next();
boolean refValid = reference.validate(vc);
}
fail("Signature failed core validation");
}
// You can also validate an XML Signature which is in XML format.
// Unmarshal and validate an XMLSignature from a DOMValidateContext
signature = fac.unmarshalXMLSignature(vc);
coreValidity = signature.validate(vc);
assertTrue("Core validity of unmarshalled XMLSignature is false",
coreValidity);
} catch (Exception ex) {
ex.printStackTrace();
fail("Exception: " + ex);
}
}
public static void main(String[] args) throws Exception {
DetachedTest dt = new DetachedTest("");
dt.testURL();
dt.testFile();
dt.testFTP();
}
}
["ResolverLocalFilesystem.java" (text/x-java)]
/*
* Copyright 1999-2004 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.apache.xml.security.utils.resolver.implementations;
import java.io.FileInputStream;
import org.apache.xml.utils.URI;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.resolver.ResourceResolverException;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
import org.w3c.dom.Attr;
/**
* A simple ResourceResolver for requests into the local filesystem.
*
* @author $Author: raul $
*/
public class ResolverLocalFilesystem extends ResourceResolverSpi {
/** {@link org.apache.commons.logging} logging facility */
static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(
ResolverLocalFilesystem.class.getName());
public boolean engineIsThreadSafe() {
return true;
}
/**
* @inheritDoc
*/
public XMLSignatureInput engineResolve(Attr uri, String BaseURI)
throws ResourceResolverException {
try {
URI uriNew = null;
if(BaseURI != null && !BaseURI.equals("")) {
uriNew = new URI(new URI(BaseURI), uri.getNodeValue());
} else {
uriNew = new URI(uri.getNodeValue());
}
// if the URI contains a fragment, ignore it
URI uriNewNoFrag = new URI(uriNew);
uriNewNoFrag.setFragment(null);
String fileName =
ResolverLocalFilesystem
.translateUriToFilename(uriNewNoFrag.toString());
FileInputStream inputStream = new FileInputStream(fileName);
XMLSignatureInput result = new XMLSignatureInput(inputStream);
result.setSourceURI(uriNew.toString());
return result;
} catch (Exception e) {
throw new ResourceResolverException("generic.EmptyMessage", e, uri,
BaseURI);
}
}
private static int FILE_URI_LENGTH="file:/".length();
/**
* Method translateUriToFilename
*
* @param uri
* @return the string of the filename
*/
private static String translateUriToFilename(String uri) {
String subStr = uri.substring(FILE_URI_LENGTH);
if (subStr.indexOf("%20") > -1)
{
int offset = 0;
int index = 0;
StringBuffer temp = new StringBuffer(subStr.length());
do
{
index = subStr.indexOf("%20",offset);
if (index == -1) temp.append(subStr.substring(offset));
else
{
temp.append(subStr.substring(offset,index));
temp.append(' ');
offset = index+3;
}
}
while(index != -1);
subStr = temp.toString();
}
if (subStr.charAt(1) == ':') {
// we're running M$ Windows, so this works fine
return subStr;
}
// we're running some UNIX, so we have to prepend a slash
return "/" + subStr;
}
/**
* @inheritDoc
*/
public boolean engineCanResolve(Attr uri, String BaseURI) {
if (uri == null) {
return false;
}
String uriNodeValue = uri.getNodeValue();
if (uriNodeValue.equals("") || (uriNodeValue.charAt(0)=='#')) {
return false;
}
try {
//URI uriNew = new URI(new URI(BaseURI), uri.getNodeValue());
if (log.isDebugEnabled())
log.debug("I was asked whether I can resolve " + uriNodeValue/*uriNew.toString()*/);
if ( uriNodeValue.startsWith("file:") ||
BaseURI.startsWith("file:")/*uriNew.getScheme().equals("file")*/) {
if (log.isDebugEnabled())
log.debug("I state that I can resolve " + uriNodeValue/*uriNew.toString()*/);
return true;
}
} catch (Exception e) {}
log.debug("But I can't");
return false;
}
}
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic