
I need to put a reference to KeyInfo in my CAdES signature (in every case). I see that in the SignerBES.java class xades4j processes references in the statement:

    Map<DataObjectDesc, Reference> referenceMappings = this.dataObjectDescsProcessor.process(
            signedDataObjects,
            signature);

This happens after the generation of the KeyInfo data structure.

Can you suggest where exactly to put the creation of the Reference object to obtain the reference to the KeyInfo object?

Thanks,

P.S. I see that xades4j can optionally be set up to sign the KeyInfo element, but I see this bug report (http://code.google.com/p/xades4j/issues/detail?id=32) regarding version 1.2.0 and I don't understand whether 1.3.0 fixed this bug.

M.

Michele Bortolato

2 Answers


Here is how I did it for KeyInfo.

Modify SignerBES.java

    this.keyInfoBuilder.buildKeyInfo(signingCertificate, signature);
    /* Add line below */
    signature.getKeyInfo().setId("KeyInfo"); 

Define a DataObjectReference to Id = #KeyInfo, with a Transform:

    DataObjectDesc obj2 = new DataObjectReference("#KeyInfo").withTransform(new ExclusiveCanonicalXMLWithoutComments(""));

Result in the Signature:

    </ds:Reference>
    <ds:Reference Id="xmldsig-12eced92-9bab-4aa4-b38d-a0646c0b57b4-ref1" URI="#KeyInfo">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>6lQav16xHEPBwQANI4gO57OtHxXjmLWa+kJf9gZJRqI=</ds:DigestValue>
    </ds:Reference>
David
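A verification-side check for the result above, added here as an example and not part of the answer or of xades4j: it parses a signed document and reports whether `ds:KeyInfo` carries an Id that a `ds:Reference` inside `SignedInfo` actually points at, and flags the dangling-URI case that results if the `setId` line is left out. The sample XML is constructed from the answer's fragment; its digest and signature values are placeholders.

```python
"""Structural check: does a XAdES/XMLDSig signature cover its own ds:KeyInfo?"""
import xml.etree.ElementTree as ET
from typing import Tuple

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed sample shaped like the answer's output: one Reference to the
# payload and one with URI="#KeyInfo". Digest and signature values are placeholders.
SAMPLE = """<doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <payload Id="data">hello</payload>
  <ds:Signature Id="sig1">
    <ds:SignedInfo>
      <ds:Reference Id="sig1-ref0" URI="#data">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER0</ds:DigestValue>
      </ds:Reference>
      <ds:Reference Id="sig1-ref1" URI="#KeyInfo">
        <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER1</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER2</ds:SignatureValue>
    <ds:KeyInfo Id="KeyInfo"><ds:X509Data/></ds:KeyInfo>
  </ds:Signature>
</doc>"""

def key_info_is_signed(xml_text: str) -> Tuple[bool, str]:
    """Return (covered, reason). KeyInfo counts as covered only when it has an Id
    and a SignedInfo Reference uses exactly "#<that Id>"; a same-document URI that
    matches no Id (e.g. "#KeyInfo" with the setId call left out) is dangling."""
    root = ET.fromstring(xml_text)
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        return False, "no ds:Signature element"
    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None:
        return False, "no ds:KeyInfo element"
    # Every Id in the document versus every same-document URI in SignedInfo.
    ids = {el.get("Id") for el in root.iter() if el.get("Id")}
    uris = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    for uri in uris:
        if uri.startswith("#") and uri[1:] not in ids:
            return False, f"dangling Reference URI={uri}: no element has that Id"
    ki_id = key_info.get("Id")
    if ki_id is None:
        return False, "ds:KeyInfo has no Id, so no Reference can point at it"
    if f"#{ki_id}" in uris:
        return True, f"Reference URI=#{ki_id} covers ds:KeyInfo"
    return False, f"ds:KeyInfo Id={ki_id} is not listed in any Reference"
```

A KeyInfo that no Reference covers can be swapped for another certificate without invalidating the signature value, which is why the check treats "not covered" and "dangling" as failures rather than warnings.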

Currently there's a provider for some basic signature options that enables you to sign the signing certificate. The current implementation of xades4j actually signs the whole KeyInfo element when you ask to sign the certificate. This won't let you control transforms, and I'm not sure it should.

I'm open to suggestions on this one, since there was another issue about this. One possible approach is to add a new type of DataObjectDesc whose semantics is to sign the KeyInfo or the signing certificate element.

lgoncalves