Re: [Jersey] Question on Jersey with JAXB and digital signatures.

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Jersey] Question on Jersey with JAXB and digital signatures.

Marek Potociar
This is really a JAXB question. Forwarding to JAXB users forum and dropping Jersey users forum via BCC.

Marek

On 13 Feb 2015, at 05:18, John MacAuley <[hidden email]> wrote:

Peoples,

I have been googling all day and have different example code for handling digital signatures when using JAXB and am running into an issue with what I believe is the introduction of namespaces to the "SignedInfo" element by JAXB marshalling.

I have defined an XSD that will be used by multiple applications implemented in different programming languages. I compile the XSD to JAXB annotated classes for use by my implementation (Jersey JAX-RS and JAX-WS). The flow I currently have is the following:

• JAXB object is created with appropriate data or delivered from a remote application.
• Marshall JAXB to DOM for signing as described by Blaise Doughan here [http://stackoverflow.com/questions/17193550/jaxb-marshalling-with-xmldsig-signature].
• Sign DOM using private key creating Enveloped signature.
• Unmarshall DOM to JAXB for use in JAX-RS/WS messaging.

I was forced to add an "xsd:any" element at the end of my parent element in my XSD definition for the DOM to JAXB unmarshalling to work, otherwise the embedded "Signature" element was dropped. I also made the JAXBContext aware of the xmldsig namespace.

The following sequence of steps works: JAXB -> DOM -> Sign -> Validate

So I know the signing is working properly. However, the following sequence fails validation: JAXB -> DOM -> Sign -> JAXB -> DOM ->Validate

After some testing and reading my guess is that the modification of the "SignedInfo" by the JABX Marshaller is causing the issue as it is adding namespace prefixes to all the xmlsig elements.

Here is the DOM generated XML (abbreviated):

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
            <DigestValue>...</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509SubjectName>...</X509SubjectName>
            <X509Certificate>...</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>
And here is the element after being marshalled from JAXB (ns2 is defined in the parent element):

<ns2:Signature>
    <ns2:SignedInfo>
        <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ns2:Reference URI="">
            <ns2:Transforms>
                <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </ns2:Transforms>
            <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
            <ns2:DigestValue>...</ns2:DigestValue>
        </ns2:Reference>
    </ns2:SignedInfo>
    <ns2:SignatureValue>...</ns2:SignatureValue>
    <ns2:KeyInfo>
        <ns2:X509Data>
            <ns2:X509SubjectName>...</ns2:X509SubjectName>
            <ns2:X509Certificate>...</ns2:X509Certificate>
        </ns2:X509Data>
    </ns2:KeyInfo>
</ns2:Signature>
Am I correct in my assumption that this is the reason for the validation failure?

Is there a way to leave the "Signature" element untouched when using JAXB?  Has anyone been using digital signatures with Jersey and JAX-RS/WS successfully?

Is there a CanonicalizationMethod that will ignore any namespace prefixes in the signature calculations?

Also, if the namespace prefix in the signed XML is to change would this also fail validation (for example, from ns1 to abc)? I am wondering if as other applications serialize/deserialize the XML and perhaps change the namespace prefix would the digital signature be invalidated?

Thank you for any help!

John



Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Jersey] Question on Jersey with JAXB and digital signatures.

Iaroslav Savytskyi
Hi,

It’s not specified explicitly in your mail but I assume that you are using JAXB RI as your JAXB provider.

In this case there will be simple answer. We implemented improvement to avoid redundant namespaces generation some time ago. Please try to use JAXB 2.2.11.

Hopefully this will solve your issue.


Yarda

> On 13 Feb 2015, at 17:57, Marek Potociar <[hidden email]> wrote:
>
> This is really a JAXB question. Forwarding to JAXB users forum and dropping Jersey users forum via BCC.
>
> Marek
>
>> On 13 Feb 2015, at 05:18, John MacAuley <[hidden email]> wrote:
>>
>> Peoples,
>>
>> I have been googling all day and have different example code for handling digital signatures when using JAXB and am running into an issue with what I believe is the introduction of namespaces to the "SignedInfo" element by JAXB marshalling.
>>
>> I have defined an XSD that will be used by multiple applications implemented in different programming languages. I compile the XSD to JAXB annotated classes for use by my implementation (Jersey JAX-RS and JAX-WS). The flow I currently have is the following:
>>
>> • JAXB object is created with appropriate data or delivered from a remote application.
>> • Marshall JAXB to DOM for signing as described by Blaise Doughan here [http://stackoverflow.com/questions/17193550/jaxb-marshalling-with-xmldsig-signature].
>> • Sign DOM using private key creating Enveloped signature.
>> • Unmarshall DOM to JAXB for use in JAX-RS/WS messaging.
>>
>> I was forced to add an "xsd:any" element at the end of my parent element in my XSD definition for the DOM to JAXB unmarshalling to work, otherwise the embedded "Signature" element was dropped. I also made the JAXBContext aware of the xmldsig namespace.
>>
>> The following sequence of steps works: JAXB -> DOM -> Sign -> Validate
>>
>> So I know the signing is working properly. However, the following sequence fails validation: JAXB -> DOM -> Sign -> JAXB -> DOM ->Validate
>>
>> After some testing and reading my guess is that the modification of the "SignedInfo" by the JABX Marshaller is causing the issue as it is adding namespace prefixes to all the xmlsig elements.
>>
>> Here is the DOM generated XML (abbreviated):
>>
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>
>>    
>> <SignedInfo>
>>
>>        
>> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>>
>>        
>> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>
>>        
>> <Reference URI="">
>>
>>            
>> <Transforms>
>>
>>                
>> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>
>>            
>> </Transforms>
>>
>>            
>> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
>>
>>            
>> <DigestValue>...</DigestValue>
>>
>>        
>> </Reference>
>>
>>    
>> </SignedInfo>
>>
>>    
>> <SignatureValue>...</SignatureValue>
>>
>>    
>> <KeyInfo>
>>
>>        
>> <X509Data>
>>
>>            
>> <X509SubjectName>...</X509SubjectName>
>>
>>            
>> <X509Certificate>...</X509Certificate>
>>
>>        
>> </X509Data>
>>
>>    
>> </KeyInfo>
>> </Signature>
>> And here is the element after being marshalled from JAXB (ns2 is defined in the parent element):
>>
>> <ns2:Signature>
>>
>>    
>> <ns2:SignedInfo>
>>
>>        
>> <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>>
>>        
>> <ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>
>>        
>> <ns2:Reference URI="">
>>
>>            
>> <ns2:Transforms>
>>
>>                
>> <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>
>>            
>> </ns2:Transforms>
>>
>>            
>> <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
>>
>>            
>> <ns2:DigestValue>...</ns2:DigestValue>
>>
>>        
>> </ns2:Reference>
>>
>>    
>> </ns2:SignedInfo>
>>
>>    
>> <ns2:SignatureValue>...</ns2:SignatureValue>
>>
>>    
>> <ns2:KeyInfo>
>>
>>        
>> <ns2:X509Data>
>>
>>            
>> <ns2:X509SubjectName>...</ns2:X509SubjectName>
>>
>>            
>> <ns2:X509Certificate>...</ns2:X509Certificate>
>>
>>        
>> </ns2:X509Data>
>>
>>    
>> </ns2:KeyInfo>
>> </ns2:Signature>
>> Am I correct in my assumption that this is the reason for the validation failure?
>>
>> Is there a way to leave the "Signature" element untouched when using JAXB?  Has anyone been using digital signatures with Jersey and JAX-RS/WS successfully?
>>
>> Is there a CanonicalizationMethod that will ignore any namespace prefixes in the signature calculations?
>>
>> Also, if the namespace prefix in the signed XML is to change would this also fail validation (for example, from ns1 to abc)? I am wondering if as other applications serialize/deserialize the XML and perhaps change the namespace prefix would the digital signature be invalidated?
>>
>> Thank you for any help!
>>
>> John
>>
>>
>

Loading...