I'm having the following workflow process:
- Get XML as a String
- Convert String to Document, Sign(some elements) the document and return it back in String
- Get Signed XML as a String, convert it to a Document and Validate the Signature
Here is the Signature creation method:
public static String createXMLDSign(String xmlString) throws Exception{
// Create a DOM XMLSignatureFactory that will be used to
// generate the enveloped signature.
String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());
// Load the KeyStore and get the signing key and certificate.
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("src/main/resources/jks/client-keystore.jks"), keyStorePass .toCharArray());
KeyStore.PrivateKeyEntry keyEntry =
(KeyStore.PrivateKeyEntry) ks.getEntry
("client-keypair", new KeyStore.PasswordProtection(keyPass .toCharArray()));
X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
// Create the KeyInfo containing the X509Data.
KeyInfoFactory kif = fac.getKeyInfoFactory();
List x509Content = new ArrayList();
x509Content.add(cert.getSubjectX500Principal().getName());
x509Content.add(cert);
X509Data xd = kif.newX509Data(x509Content);
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
// Instantiate the document to be signed.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document doc = dbf.newDocumentBuilder().parse
(new InputSource(new StringReader(xmlString)));
// Get element which will be signed
Element child =(Element)doc.getElementsByTagName("ns2:Eid").item(0);
child.setAttribute("Id", "1234");
child.setIdAttribute("Id", true);
String id = child.getAttributes().getNamedItem("Id").getNodeValue();
String uri = String.format("#%s", id);
List<Transform> transformList = new LinkedList<>();
transformList.add(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
Reference reference = fac.newReference(uri,
fac.newDigestMethod(DigestMethod.SHA256, null), transformList, null, null);
SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(
CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null), fac
.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), Collections.singletonList(reference));
// Remove element from the Node
Node node = doc.getElementsByTagName("ns2:Eis").item(0);
Node eumNode = doc.getElementsByTagName("ns2:EumSignature").item(0);
node.removeChild(eumNode);
// Create a DOMSignContext and specify the RSA PrivateKey and
// location of the resulting XMLSignature's parent element.
DOMSignContext dsc = new DOMSignContext
(keyEntry.getPrivateKey(), /*doc.getDocumentElement()*/node);
dsc.setDefaultNamespacePrefix("ds");
// Create the XMLSignature, but don't sign it yet.
XMLSignature signature = fac.newXMLSignature(si, ki);
// Marshal, generate, and sign the enveloped signature.
signature.sign(dsc);
/////////////Signature verification
// Find Signature element.
signVerification(fac, doc, signature);
// Convert DocToString and verify
String stringDoc = Utils.docToString(doc);
// Instantiate the document to be signed.
DocumentBuilderFactory dbf2 = DocumentBuilderFactory.newInstance();
dbf2.setNamespaceAware(true);
Document doc2 = dbf2.newDocumentBuilder().parse
(new InputSource(new StringReader(stringDoc)));
signVerification(fac, doc2, signature);
/////////////////////////
return Utils.docToString(doc);
}
NOTE: I add manually “Id” attribute in the element which I want to Sign because it doesn't exist in original XML.
Here is the method used for docToString conversion:
public static String docToString(Document doc) {
try {
DOMSource domSource = new DOMSource(doc);
StringWriter writer = new StringWriter();
StreamResult result = new StreamResult(writer);
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
transformer.transform(domSource, result);
return writer.toString();
} catch (TransformerException ex) {
ex.printStackTrace();
return null;
}
}
Execution result First Validation passed successfully but the second after the conversions failed with an error:
javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID 1234 at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:431) at org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:393) at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:278) at com.innonetworks.utils.XmlSignatureHelper.signVerification(XmlSignatureHelper.java:185) at com.innonetworks.utils.XmlSignatureHelper.createXMLDSign(XmlSignatureHelper.java:160) at com.innonetworks.interceptor.XMLDSignInterceptor.changeOutboundMessage(XMLDSignInterceptor.java:36) at com.innonetworks.interceptor.MessageChangeInterceptor.handleMessage(MessageChangeInterceptor.java:56) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) at com.innonetworks.interceptor.MessageChangeInterceptor.handleMessage(MessageChangeInterceptor.java:41) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140) at com.sun.proxy.$Proxy55.es1RegisterEIS(Unknown Source) at com.innonetworks.es1.client.SoapClientApp.callSoapClient(SoapClientApp.java:178) at com.innonetworks.es1.client.SoapClientApp.main(SoapClientApp.java:63) Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID 1234 at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:134) at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:425) ... 18 more
NOTE If I replace the Reference parameter "uri" with "" the both Verification passed successfully
SOLUTION I fixed the problem and would like to share if can help somebody else. The solution I found in Oracle page JDK-8017265 : XMLSignature Cannot Resolve ID
I used the second workaround - Register the ID elements with the DOMValidateContext.setIdAttributeNS method before validating the signature
Here is the code:
DOMValidateContext valContext = new DOMValidateContext
(new X509KeySelector(), nl.item(0));
final NodeList elements = docNew.getElementsByTagName("ns2:EumSignedInfo");
if (elements.getLength() > 0) {
valContext.setIdAttributeNS((Element) elements.item(0), null, "Id");
}