Hi I just have contructed an org.apache.xml.security.signature.XMLSignature from a xml that complies with xmldsig w3c recommendation, and I can see that the xml contains all certificate chain in
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
elements, but using the XMLSignature API I can see that I can only access the user certificate and the issuer one, but not the complete chain, is there an straightforward way to get this done through xmlsec API?
I found a solution for this, not the most clean, but it works:
XMLSignature signature = new XMLSignature(sigElement,
null);
KeyInfo keyInfo = signature.getKeyInfo();
NodeList x509Certificates = keyInfo.getElement().getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "X509Certificate");
ArrayList<X509Certificate> allCertificates = new ArrayList<X509Certificate>();
for (int i = 0; i < x509Certificates.getLength(); i++) {
Node x509CertificateElement = x509Certificates.item(i);
byte[] decodedX509Certificate = Base64.decode(x509CertificateElement.getTextContent());
X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(decodedX509Certificate));
allCertificates.add(x509Certificate);
}
// now you have all certificates in allCertificates
Related
need some tips/advice about (optimization) and how to sign XML with a certificate in the fastest way possible. On some databases (Oracle) it needs 30 msec to sign a file.. But on another database, it needs 1.2 sec. This function/method is called in a loop. It signs some XML data and returns a signed XML in a String. (Java method is exposed as PL/SQL function).
public static String signXML(String vhodniXml) throws Exception {
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
dbFactory.setNamespaceAware(true);
Document doc = dbFactory.newDocumentBuilder().parse(new ByteArrayInputStream(vhodniXml.getBytes()));
NodeList nl = doc.getElementsByTagName("fu:BusinessPremiseRequest");
Node node = nl.item(0);
((Element) node).setIdAttribute("Id", true);
Enumeration e = p12.aliases();
String alias = (String) e.nextElement();
Key privateKey = p12.getKey(alias, geslo.toCharArray());
KeyStore.PrivateKeyEntry keyEntry
= (KeyStore.PrivateKeyEntry) p12.getEntry(alias, new KeyStore.PasswordProtection(geslo.toCharArray()));
X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
PublicKey publicKey = cert.getPublicKey();
final XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
// Create a Reference to the enveloped document
Reference ref = sigFactory.newReference("#data",
sigFactory.newDigestMethod(DigestMethod.SHA256, null),
Collections.singletonList(sigFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
null,
null);
SignedInfo si = sigFactory.newSignedInfo(sigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null), sigFactory.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), Collections.singletonList(ref));
// Create a KeyValue containing the RSA PublicKey
KeyInfoFactory keyInfoFactory = sigFactory.getKeyInfoFactory();
X509IssuerSerial x509IssuerSerial = keyInfoFactory.newX509IssuerSerial(cert.getSubjectX500Principal().getName(), cert.getSerialNumber());
List x509Content = new ArrayList();
x509Content.add(cert.getSubjectX500Principal().getName());
x509Content.add(x509IssuerSerial);
KeyValue keyValue = keyInfoFactory.newKeyValue(publicKey);
X509Data xd = keyInfoFactory.newX509Data(x509Content);
// Create a KeyInfo and add the KeyValue to it
KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(xd));
// Create a DOMSignContext and specify the RSA PrivateKey and
// location of the resulting XMLSignature's parent element
DOMSignContext dsc = new DOMSignContext(
privateKey,
node
);
// Create the XMLSignature (but don't sign it yet)
XMLSignature signature = sigFactory.newXMLSignature(si, keyInfo);
// Marshal, generate (and sign) the enveloped signature
signature.sign(dsc);
ByteArrayOutputStream os = new ByteArrayOutputStream();
Transformer trans = TransformerFactory.newInstance()
.newTransformer();
trans.transform(new DOMSource(doc), new StreamResult(os));
return new String(os.toByteArray());
}
The first thing to do is to remove some IO operations by storing your key related objects in fields because reading the KeyStore to get keys takes time.
I have an issue with XML Signature value mismatch error. Full Scenario
I generated a private 1024 bit key with OpenSSL.
I generated the CSR with that private key and sent it to VISA, they have signed the document with their root CA certificate and sent me a signed certificate in the .pem format.
I use the following java code to sign an XML document.
When i send the data back to VISA they verify the signature value and send an error of mismatch.
XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());
DigestMethod digestMethod = factory.newDigestMethod(DigestMethod.SHA1, null);
factory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
Reference reference = factory.newReference("#" + paresId, digestMethod, null, null,null);
CanonicalizationMethod canonicalizationMethod = factory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null);
SignatureMethod signatureMethod = factory.newSignatureMethod(SignatureMethod.RSA_SHA1, null);
SignedInfo signedInfo = factory.newSignedInfo(canonicalizationMethod, signatureMethod, Collections.singletonList(reference));
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(512);
KeyPair keyPair = kpg.generateKeyPair();
KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory();
KeyStore keyStore = KeyStore.getInstance("JKS"); //PKC#7
keyStore.load(new FileInputStream(keystorePath), "dell12345".toCharArray());
KeyStore.PrivateKeyEntry keyEntry =
(KeyStore.PrivateKeyEntry) keyStore.getEntry("deskey", new KeyStore.PasswordProtection("dell12345".toCharArray()));
//PrivateKey m_objRequestSigningKey = (PrivateKey) obj_keyStore.getKey(str_alias, "password".toCharArray());
KeyStore.TrustedCertificateEntry rootEntry = (KeyStore.TrustedCertificateEntry) keyStore.getEntry("root", null);
X509Certificate rootCertificate = (X509Certificate) rootEntry.getTrustedCertificate();
KeyStore.TrustedCertificateEntry intermediateEntry = (KeyStore.TrustedCertificateEntry) keyStore.getEntry("intermediate", null);
X509Certificate intermediateCertificate = (X509Certificate) intermediateEntry.getTrustedCertificate();
KeyStore.TrustedCertificateEntry signEntry = (KeyStore.TrustedCertificateEntry) keyStore.getEntry("sign", null);
X509Certificate sigingCertificate = (X509Certificate) signEntry.getTrustedCertificate();
List<X509Certificate> x509 = new ArrayList<X509Certificate>();
x509.add(rootCertificate );
x509.add(intermediateCertificate );
x509.add(sigingCertificate );
X509Data x509Data = keyInfoFactory.newX509Data(x509);
List<X509Data> items = new ArrayList<X509Data>();
items.add(x509Data);
KeyInfo keyInfo = keyInfoFactory.newKeyInfo(items);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document doc = dbf.newDocumentBuilder().parse(IOUtils.toInputStream(inputXml));
DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), doc.getDocumentElement());
XMLSignature signature = factory.newXMLSignature(signedInfo, keyInfo);
signature.sign(dsc);
Sorry, after a long time I am going to answer the question which I have posted 5 years back.
Actually, the problem was basically with the XML formatting, I removed the next line and carriage return characters from XML and send back to Visa and then my signature was match properly.
I don't know why they giving the error even I mentioned the CanonicalizationMethod properly.
I've just signed a document. The signer certificate has one issuer intermediate certificate and intermediate's issuer is the root certificate.
I sign document and I see the full chain of that certificate. But when I see in PDF explorer, there is only Signer certificate:
I need that certificate chain. I'm going to get them using PDFbox, but I have no idea where it is.
You can find code to show the certificate chain in the ShowSignature.java example in the examples subproject of the PDFBox source code download or in the repository.
Here's some code reduced from there, which is only applicable for certain signature subtypes (adbe.pkcs7.detached and ETSI.CAdES.detached, the others can be seen in the mentioned example):
try (PDDocument document = PDDocument.load(file))
{
for (PDSignature sig : document.getSignatureDictionaries())
{
COSDictionary sigDict = sig.getCOSObject();
COSString contents = (COSString) sigDict.getDictionaryObject(COSName.CONTENTS);
CMSSignedData signedData = new CMSSignedData(contents.getBytes());
Store<X509CertificateHolder> certificatesStore = signedData.getCertificates();
JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
Collection<X509CertificateHolder> matches = certificatesStore.getMatches(null);
System.out.println("Certificates in chain: " + matches.size());
System.out.println();
int n = 0;
for (X509CertificateHolder certificateHolder : matches)
{
++n;
X509Certificate certificate = certificateConverter.getCertificate(certificateHolder);
System.out.println("Certificate " + n + ":");
System.out.println(certificate);
System.out.println();
}
}
}
The ShowSignature.java example has much more to offer: it checks the signature validity, whether the signature covers the whole document and (new in 2.0.13) checks the whole certificate chain including revocation (OCSP or CRL).
I'm working on webservice client which requires authentication and xml signing.
I've read a lot of articles but it looks like my one looks different.
I need to send a request containing tag with some certificate details.
I received from Service provider few files (certificate.crt , certificate.p12 , certificate.pem)
I managed to attach crt file into request using follString providerName =
System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());
Reference ref = fac.newReference("", fac.newDigestMethod(
DigestMethod.SHA1, null), Collections.singletonList(fac
.newTransform(Transform.ENVELOPED, (XMLStructure) null)), null,
null);
// Create the SignedInfo
SignedInfo si = fac.newSignedInfo(
fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS, (C14NMethodParameterSpec) null),
fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null), Collections.singletonList(ref));
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(512);
KeyPair kp = kpg.generateKeyPair();
KeyInfoFactory kif = fac.getKeyInfoFactory();
KeyValue kv = kif.newKeyValue(kp.getPublic());
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(new FileInputStream(new File("certificate.crt")));
X509Data x509d = kif.newX509Data(Collections.singletonList(cert));
KeyInfo ki = kif.newKeyInfo(Arrays.asList(x509d, kv));
Document doc = (Document) result.getNode();
DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(si, ki);
signature.sign(dsc);
But RSA key is generated and different each call. It is obvious because I'm using KeyPairGenerator. Is it possible to import my private key from P12 file instead?
When I run this application on tomcat do I need to configure it somehow to enable the HTTPS calls to the service?
You can use KeySotre
Load the file:
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream ksin = new FileInputStream("myfile.p12");
ks.load(ksin, "password");
getKey("keyalis", "password");
Need some help with crypto routines in Java.
Given a PKCS#7 signature, I want to verify all certificates it contains against a trusted store. I assume that all certificates contained in signature are in the correct order to form a valid certificate path (or chain, whatever), so that
topmost (#0) is a signing certificate;
next one (#1) is an intermediate certificate, used to sign #0;
next one (#2) is another intermediate certificate, used to sign #1;
and so on.
The last certificate (#N) is signed by CA.
That's what I've managed to hack so far:
// Exception handling skipped for readability
//byte[] signature = ...
pkcs7 = new PKCS7(signature); // `sun.security.pkcs.PKCS7;`
// *** Checking some PKCS#7 parameters here
X509Certificate prevCert = null; // Previous certificate we've found
X509Certificate[] certs = pkcs7.getCertificates(); // `java.security.cert.X509Certificate`
for (int i = 0; i < certs.length; i++) {
// *** Checking certificate validity period here
if (cert != null) {
// Verify previous certificate in chain against this one
prevCert.verify(certs[i].getPublicKey());
}
prevCert = certs[i];
}
//String keyStorePath = ...
KeyStore keyStore = KeyStore.getInstance("JKS"); // `java.security.KeyStore`
keyStore.load(new FileInputStream(keyStorePath), null);
// Get trusted VeriSign class 1 certificate
Certificate caCert = keyStore.getCertificate("verisignclass1ca"); // `java.security.cert.Certificate`
// Verify last certificate against trusted certificate
cert.verify(caCert.getPublicKey());
So the question is -- how can this be done using standard Java classes like CertPath and friends? I have a strong feeling I'm re-inventing a bicycle. Or, if someone has an example with BouncyCastle library, that would also be fine.
Bonus question: how to verify a certificate against a trusted store so that root certificate is selected automatically?
Found the solution myself. So, here's how one can extract and validate a certificate chain against the trusted store (exception handling skipped for readability):
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// Get ContentInfo
//byte[] signature = ... // PKCS#7 signature bytes
InputStream signatureIn = new ByteArrayInputStream(signature);
DERObject obj = new ASN1InputStream(signatureIn).readObject();
ContentInfo contentInfo = ContentInfo.getInstance(obj);
// Extract certificates
SignedData signedData = SignedData.getInstance(contentInfo.getContent());
Enumeration certificates = signedData.getCertificates().getObjects();
// Build certificate path
List certList = new ArrayList();
while (certificates.hasMoreElements()) {
DERObject certObj = (DERObject) certificates.nextElement();
InputStream in = new ByteArrayInputStream(certObj.getDEREncoded());
certList.add(cf.generateCertificate(in));
}
CertPath certPath = cf.generateCertPath(certList);
// Load key store
//String keyStorePath = ...
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream(keyStorePath), null);
// Set validation parameters
PKIXParameters params = new PKIXParameters(keyStore);
params.setRevocationEnabled(false); // to avoid exception on empty CRL
// Validate certificate path
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
CertPathValidatorResult result = validator.validate(certPath, params);
validate() will throw an exception if validation fails.
Docs: ASN1Set, ContentInfo, SignedData. All other exotic names and related docs can be found in java.security.cert.
No SUN-dependencies here, only BouncyCastle provider library is needed.
This question (and especially an answer) may help too.
You want CertificateFactory. The last example in the javadocs do exactly what you want.