I'm desperately trying to sign an XML document with a X509 certificate. I have to sign multiple elements in my document, so I'm giving a List of Reference to my SignedInfo.
The problem I'm facing occurs at the signature itself. I receive an exception saying that it cannot resolve an element with the ID I provide.
While researching to find a solution, I stumbled upon this ticket (which is a bug of OpenJDK 1.7) : https://bugs.openjdk.java.net/browse/JDK-8017171
I'm using Oracle JDK 1.8 and still have the problem.
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(unsignedXml));
List<Reference> refs = new ArrayList<Reference>();
refs.add(fac.newReference(
"#TS",
fac.newDigestMethod("http://www.w3.org/2000/09/xmldsig#sha1", null),
Collections.singletonList(fac.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#",(TransformParameterSpec) null)),
null, null));
SignedInfo si = fac.newSignedInfo(
fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
(C14NMethodParameterSpec) null),
fac.newSignatureMethod("http://www.w3.org/2000/09/xmldsig#rsa-sha1", null),
refs);
FileInputStream input = new FileInputStream(keystoreFile);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(input, password.toCharArray());
Key key = ks.getKey(alias, password.toCharArray());
if (key instanceof PrivateKey) {
Certificate cert = ks.getCertificate(alias);
PublicKey publicKey = cert.getPublicKey();
keyPair = new KeyPair(publicKey, (PrivateKey) key);
}
KeyInfoFactory kif = fac.getKeyInfoFactory();
KeyValue kv = kif.newKeyValue(keyPair.getPublic());
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
DOMSignContext dsc = new DOMSignContext(keyPair.getPrivate(), doc.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(si, ki);
signature.sign(dsc);
OutputStream out = new FileOutputStream(signedXml);
Exception in thread "main" javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:431)
at org.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:359)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:496)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:379)
at testsig.testsig.Signature.sign(Signature.java:131)
at testsig.testsig.App.main(App.java:32)
Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:134)
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:425)
... 5 more
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:89)
at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:313)
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:126)
... 6 more
javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:134)
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:425)
at org.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:359)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:496)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:379)
at testsig.testsig.Signature.sign(Signature.java:131)
at testsig.testsig.App.main(App.java:32)
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID TS
at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:89)
at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:313)
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:126)
... 6 more
My problem could be solved with at least one answer to those following questions : Is there a workaround ? Is there an other way of signing XML files ?
Regards
I ended up finding more a work around than a solution. The idea is to get the Element I need with XMLHelper using the DOM, getting the ID Attr from the element. Then I add the attribute with setIdAttributeNode() to my Element. When manipulating the Element that way, no Exception is thrown when adding a new Reference to the XMLSignatureFactory.
NodeList list = doc.getElementsByTagName("wsu:Timestamp");
Node node = list.item(0);
Element tempEl = XMLHelper.getChildElementsByTagName(doc.getDocumentElement(), "Header").get(0);
Element securityElement = XMLHelper.getChildElementsByTagName(tempEl, "Security").get(0);
tempEl = XMLHelper.getChildElementsByTagName(securityElement, "Assertion").get(0);
Attr attr = (Attr)tempEl.getAttributes().getNamedItem("AssertionID");
tempEl.setIdAttributeNode(attr, true);
String ref = "#" + attr.getValue();
List<Reference> refs = new ArrayList<Reference>();
refs.add(fac.newReference(
ref,
fac.newDigestMethod("http://www.w3.org/2000/09/xmldsig#sha1", null),
Collections.singletonList(fac.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#",(TransformParameterSpec) null)),
null,
null));
This is not an ideal solution in my opinion as it is too much related to the DOM of the XML. But I suppose that was the only solution I could find to make it work and go around the known bug within the JDK.