<soap:Envelope
xmlns:soap=";>
<env:Header
    xmlns:env=";>
    <wsse:Security
        xmlns:wsse=".0.xsd"
        xmlns:wsu=".0.xsd" soap:mustUnderstand="true">
        <ds:Signature
            xmlns:ds="; Id="SIG-B9561BC9E482A7482717165370736895">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm=";/>
                <ds:SignatureMethod Algorithm=";/>
                <ds:Reference URI="#id-B9561BC9E482A7482717165370736684">
                    <ds:Transforms>
                        <ds:Transform Algorithm=";>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm=";/>
                    <ds:DigestValue>some value</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>some value </ds:SignatureValue>
        </ds:Signature>
    </wsse:Security>
</env:Header>
<soap:Body
    xmlns:wsu=".0.xsd" wsu:Id="id-B9561BC9E482A7482717165370736684">
    <Test/>
</soap:Body>
</soap:Envelope>

I have the requirement to sign the soap body as shown above.

I believe this is called detached signing.

I want to use opensaml and the implementation till now looks like this:

signature.setSigningCredential(credential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

Then marshall the signature and call Signer.signObject(signature);. Reference: .html

I also added content reference pointing to the soap body i want to sign

Element bodyElement = (Element) doc.getDocumentElement().getElementsByTagName("SOAP-Body").item(0);
        String bodyId = "body123"; // Unique reference ID
        bodyElement.setAttribute("Id", bodyId);
        bodyElement.setIdAttribute("Id", true);

        DocumentInternalIDContentReference uriContentReference = new DocumentInternalIDContentReference( bodyId);
        uriContentReference.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        uriContentReference.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);

        signature.getContentReferences().add(uriContentReference);

But I get this error:

Exception in thread "main" .opensaml.xmlsec.signature.support.SignatureException: Signature computation error
    at .opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl.signObject(ApacheSantuarioSignerProviderImpl.java:62)
    at .opensaml.xmlsec.signature.support.Signer.signObject(Signer.java:73)
    at com.amazon.bancomatpayremittancelambda.service.OpenSAMLDetachedSignature.main(OpenSAMLDetachedSignature.java:98)
Caused by: .apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID body123
Original Exception was .apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID body123
Original Exception was .apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID body123
Original Exception was .apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID body123
    at .apache.xml.security.signature.Reference.calculateDigest(Reference.java:744)
    at .apache.xml.security.signature.Reference.generateDigestValue(Reference.java:405)
    at .apache.xml.security.signature.Manifest.generateDigestValues(Manifest.java:205)
    at .apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:631)
    at .opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl.signObject(ApacheSantuarioSignerProviderImpl.java:59)
    ... 2 more

tl;dr

How can I create the above xml request using openSaml?

<soap:Envelope
xmlns:soap="http://www.w3./2003/05/soap-envelope">
<env:Header
    xmlns:env="http://www.w3./2003/05/soap-envelope">
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open./wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open./wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true">
        <ds:Signature
            xmlns:ds="http://www.w3./2000/09/xmldsig#" Id="SIG-B9561BC9E482A7482717165370736895">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3./2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3./2001/04/xmldsig-more#rsa-sha512"/>
                <ds:Reference URI="#id-B9561BC9E482A7482717165370736684">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3./2001/10/xml-exc-c14n#">
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3./2001/04/xmlenc#sha512"/>
                    <ds:DigestValue>some value</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>some value </ds:SignatureValue>
        </ds:Signature>
    </wsse:Security>
</env:Header>
<soap:Body
    xmlns:wsu="http://docs.oasis-open./wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-B9561BC9E482A7482717165370736684">
    <Test/>
</soap:Body>
</soap:Envelope>

I have the requirement to sign the soap body as shown above.

I believe this is called detached signing.

I want to use opensaml and the implementation till now looks like this:

signature.setSigningCredential(credential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

Then marshall the signature and call Signer.signObject(signature);. Reference: https://blog.samlsecurity/2012/11/signing-with-opensaml.html

I also added content reference pointing to the soap body i want to sign

Element bodyElement = (Element) doc.getDocumentElement().getElementsByTagName("SOAP-Body").item(0);
        String bodyId = "body123"; // Unique reference ID
        bodyElement.setAttribute("Id", bodyId);
        bodyElement.setIdAttribute("Id", true);

        DocumentInternalIDContentReference uriContentReference = new DocumentInternalIDContentReference( bodyId);
        uriContentReference.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        uriContentReference.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);

        signature.getContentReferences().add(uriContentReference);

But I get this error:

Exception in thread "main" .opensaml.xmlsec.signature.support.SignatureException: Signature computation error
    at .opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl.signObject(ApacheSantuarioSignerProviderImpl.java:62)
    at .opensaml.xmlsec.signature.support.Signer.signObject(Signer.java:73)
    at com.amazon.bancomatpayremittancelambda.service.OpenSAMLDetachedSignature.main(OpenSAMLDetachedSignature.java:98)
Caused by: .apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID body123
Original Exception was .apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID body123
Original Exception was .apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID body123
Original Exception was .apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID body123
    at .apache.xml.security.signature.Reference.calculateDigest(Reference.java:744)
    at .apache.xml.security.signature.Reference.generateDigestValue(Reference.java:405)
    at .apache.xml.security.signature.Manifest.generateDigestValues(Manifest.java:205)
    at .apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:631)
    at .opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl.signObject(ApacheSantuarioSignerProviderImpl.java:59)
    ... 2 more

tl;dr

How can I create the above xml request using openSaml?

• java
• xml
• digital-signature
• opensaml

Share Improve this question Follow edited Mar 4 at 13:31 SynAck asked Feb 27 at 14:44 SynAckSynAck 22655 silver badges2121 bronze badges 17

• There are two types of signatures 1) The signature wraps the xml object 2) The signature is a sibling element of the xml object. Your XML is Detached XML (the second type) since the signature and the body (object) are sibling elements. The signature is in the heading which is a sibling of the body. See learn.microsoft/en-us/previous-versions/windows/desktop/… – jdweng Commented Feb 27 at 16:52
• I know mine is detached signature. But in the blog, it is not a detached signature. So I want to know how to sign a detached signature using opensaml – SynAck Commented Feb 27 at 21:48
• The BLOB is not code., it is pseudo code You have two XML objects. 1) The XML object (element and children) which gets signatured, compute a Key 2) The XML object (element) where the signature is added. The following is the XML interface for a Detached signature : litsec.github.io/opensaml-javadoc-mirror//opensaml/… – jdweng Commented Feb 27 at 22:23
• I think I might have framed the question incorrectly. Let me try to fix it @jdweng – SynAck Commented Feb 27 at 22:58
• 1 I'm trying the best I can to solve your issue. You said "In the signature interface, I do not see any method to set the digest algorithm, the transforms and the signingInfo or most importantly point the reference to my soap body:" I'm trying to provide other links to answer your issue. I'm not going to write code that you already know how to do. You only posted a portion of your code so I do not know exactly what you need. – jdweng Commented Mar 3 at 13:11

 |  Show 12 more comments

1 Answer 1

Sorted by: Reset to default 0

I was able to figure out how to sign a detached internal signature by looking at some UTs in openSaml library :

 // 

                                发布者：admin，转转请注明出处：http://www.yc00.com/questions/1743627049a4480710.html