X509Digest


X509Digest

Clement_Pellerin
I'm trying to create a signature programmatically in Santuario 2.0.6.
I need to add the new element X509Digest defined by XML DSig 1.1.
Unfortunately, there is no junit for this usage.

When I run this code:
  List<Object> x509Content = new ArrayList<Object>();
  XMLX509Digest certDigest = new XMLX509Digest(domDocument, signerCert, certDigestUri);
  x509Content.add(certDigest);
  X509Data x509Data = keyInfoFactory.newX509Data(x509Content);

I'm getting the error:
  ClassCastException: content[0] is not a valid X509Data type

Indeed, the constructor of DOMX509Data does not accept an XMLX509Digest
as part of the content list. In particular, XMLX509Digest is not an
XMLStructure.

I noticed XMLX509Digest is tagged by the XMLX509DataContent interface,
but that interface is not used by DOMX509Data, surprisingly.


As a side note, I looked for a factory method in DOMKeyInfoFactory
but I could not find one to create an X509Digest.
There are factory methods in org.apache.xml.security.keys.content.X509Data
which is unrelated to javax.xml.crypto.dsig.keyinfo.X509Data
so I'm confused.

Re: X509Digest

Sean Mullan
This is not going to work. You are mixing 2 different APIs together. To
understand this better, I need to explain a bit more.

The original Apache Java XML Signature library consisted of APIs in the
org.apache.xml.security namespace.

Later, JSR 105 based the implementation of the standard Java XML
Signature API (javax.xml.crypto and subpackages) on the Apache XML
Signature Library. However, only a subset of the implementation could be
used since the underlying Apache APIs were too different to be
retrofitted and maintain compatibility at the same time.

Since there was already a large base of users using the original Apache
XML Signature APIs, we could not just remove them, so we decided to
support both usages, i.e. 1) via the standard Java API, and 2) via the
Apache API.

So, you can't do what you are trying to do below. You need to use either
the standard Java API OR the Apache API but not both.

You should be able to pass in a DOMStructure object that represents an
X509Digest element. Ideally though, the JSR 105 API should be enhanced
to add a new X509Digest class. I'll file an RFE for that.

HTH,
Sean

On 02/16/2016 05:15 PM, Pellerin, Clement wrote:
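Following Sean's suggestion, here is an added example (not code from this thread, from Santuario or from the JDK) that builds a dsig11:X509Digest element by hand and wraps it in a javax.xml.crypto.dom.DOMStructure so that KeyInfoFactory.newX509Data accepts it through the standard JSR 105 API alone. It assumes the caller already has a DOM Document and the signer's X509Certificate (the two inputs the original snippet also used); the namespace and element name are those of the XML Signature 1.1 specification, and the SHA-256 Algorithm URI is the XML Encryption one that DSig 1.1 references for SHA-256.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added example: emit <dsig11:X509Digest> through the standard javax.xml.crypto API
// only, without touching the org.apache.xml.security classes.
public class X509DigestExample {

    // XML Signature 1.1 namespace (the X509Digest element lives here, not in the 2000 dsig namespace)
    static final String DSIG11_NS = "http://www.w3.org/2009/xmldsig11#";
    static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    // Digest algorithm identifier for SHA-256 as used by XML DSig 1.1
    static final String SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256";

    /**
     * Build a dsig11:X509Digest element carrying the base64 SHA-256 digest of the
     * certificate's DER encoding, which is what the element is defined to hold.
     */
    static Element buildX509Digest(Document doc, X509Certificate cert) throws Exception {
        byte[] der = cert.getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);

        Element el = doc.createElementNS(DSIG11_NS, "dsig11:X509Digest");
        // Declare the prefix on the element itself so it stays valid wherever it is appended
        el.setAttributeNS(XMLNS_NS, "xmlns:dsig11", DSIG11_NS);
        // The Algorithm attribute is unqualified in the 1.1 schema
        el.setAttributeNS(null, "Algorithm", SHA256_URI);
        el.setTextContent(Base64.getEncoder().encodeToString(digest));
        return el;
    }

    /**
     * Wrap the element in a DOMStructure, which DOMX509Data accepts as generic
     * XMLStructure content and copies verbatim into the X509Data it marshals.
     */
    static X509Data newX509DataWithDigest(Document doc, X509Certificate cert) throws Exception {
        KeyInfoFactory kif = XMLSignatureFactory.getInstance("DOM").getKeyInfoFactory();
        XMLStructure digestStructure = new DOMStructure(buildX509Digest(doc, cert));
        List<XMLStructure> content = Collections.singletonList(digestStructure);
        return kif.newX509Data(content);
    }
}
```

The resulting X509Data can be handed to KeyInfoFactory.newKeyInfo like any other. On the verifying side an X509Digest only identifies a certificate; the verifier still has to locate a certificate whose DER digest matches and then validate it against its own trust anchors before accepting the signature, exactly as it would for an X509IssuerSerial or X509SubjectName hint.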