Problem validating XML signature - "Cannot resolve element with ID"
jimcpl, Feb 27 2009 (edited Mar 3 2009)

Hi,
Sorry, I posted this in another forum, but I think that this is probably the right one.
I'm trying to write an app that will take a SOAP message that has a signature. I can validate the signature, but then the application is throwing an exception because it can't seem to find the reference.
Here's a snippet of the code where the problem is happening:
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;

// xmlSignatureFactory and domValidateContext are created earlier (not shown);
// domValidateContext wraps a KeySelector and the <dsig:Signature> node.
try {
    XMLSignature signature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext);
    System.out.println("In main: signature = [" + signature + "]");
    System.out.println("7");
    //
    // Following code from: http://weblogs.java.net/blog/mullan/archive/2006/01/my_xml_signatur.html
    //
    System.out.println("\nIn main: Doing separate signature validation...");
    // Checks only the cryptographic SignatureValue over SignedInfo; no References are dereferenced here
    boolean sv = signature.getSignatureValue().validate(domValidateContext);
    System.out.println("In main: signature validation status: " + sv);
    // Core validation: signature value plus every Reference (this is where the URI "#..." is resolved)
    if (signature.validate(domValidateContext)) {
        System.out.println("8");
        System.out.println("Signature valid.");
    } else {
        System.out.println("9");
        System.err.println("Signature failed core validation");
    }
} catch (Exception e) {
    System.out.println("\nIn main: ** ERROR ** Exception thrown in last try e=[" + e + "]");
}
The output looks like (the first couple of lines below are from the KeySelector):
In select(): got past getPublicKey(), key.getAlgorithm = [RSA]
In select(): in last if, returning key = [Sun RSA public key, 1024 bits
modulus: 11621821125582365830300676310822481441073956977515678020529825121756583715932619639055775195566294821033353900965658199182335318274192445562231529916888088790005378863894026515169623935954776270945862696532663691213050808142048662896256553404560232362102097674272042209732237359889917329340717331062318589893
public exponent: 65537]
In main: signature validation status: true
In main: ** ERROR ** Exception thrown in last try e=[javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID ff388ecaf50f9b23130bf297cd4079af]
The input document/SOAP message looks like:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <Assertion AssertionID="ff388ecaf50f9b23130bf297cd4079af" IssueInstant="2009-02-20T22:56:37.113Z" Issuer="http://www.bea.com/wsrp/saml" MajorVersion="1" MinorVersion="1" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
        <Conditions NotBefore="2009-02-20T22:41:37.112Z" NotOnOrAfter="2009-02-20T23:26:37.112Z"/>
        <AuthenticationStatement AuthenticationInstant="2009-02-20T22:56:37.112Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
          <Subject>
            <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">foo</NameIdentifier>
            <SubjectConfirmation>
              <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
            </SubjectConfirmation>
          </Subject>
        </AuthenticationStatement>
        <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <dsig:Reference URI="#ff388ecaf50f9b23130bf297cd4079af">
              <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <exc14n:InclusiveNamespaces PrefixList="" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </dsig:Transform>
              </dsig:Transforms>
              <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <dsig:DigestValue>QVVEqebiI8LY8u2/elbrXxyZ04k=</dsig:DigestValue>
            </dsig:Reference>
          </dsig:SignedInfo>
          <dsig:SignatureValue>P0a5rpznbrP.....YalRamuB/23ViicWeRqSpstEgGTAXsmLtEN4i908bHZWEhsL7ZcAoUE4JN9ONUSuuG7sZZuOx8ya4Lg28lx0jIHBEhI+LGnLQ=</dsig:SignatureValue>
          <dsig:KeyInfo>
            <dsig:X509Data>
              <dsig:X509Certificate>MIIDMDCCApmgAwIBAgIB...tM3wS8cQqSXE38zm3Bhg==</dsig:X509Certificate>
            </dsig:X509Data>
          </dsig:KeyInfo>
        </dsig:Signature>
      </Assertion>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <m:maintainState xmlns:m="http://services">
      <m:y>456</m:y>
    </m:maintainState>
  </env:Body>
</env:Envelope>
As you can see, the <Assertion> element has an AssertionID="xxx" attribute that matches the Reference URI in the <dsig:Reference>, so I can't figure out why it's not able to find the reference.
Can anyone suggest what the problem might be?
Thanks,
Jim
P.S. Here's the javac version: javac 1.6.0_12
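The exception above is raised while dereferencing the Reference URI, not while checking the signature value (which is why the separate SignatureValue check printed true). The JDK's DOM XMLDSig implementation resolves URI="#id" through Document.getElementById(), which only finds attributes the DOM knows to be of type ID (declared in a DTD or schema, or registered with Element.setIdAttribute). A SOAP message parsed from the wire without schema validation has no such typing for AssertionID, so the lookup fails with "Cannot resolve element with ID". The following is an added example, not code from the original post: it signs a constructed Assertion, serializes and re-parses it (which loses the ID typing, like a message received over the network), and validates it once without and once after registering AssertionID as an ID attribute. The element name, namespace, sample subject and generated key are assumptions for the demonstration; the AssertionID value is the one from the post. Validation also checks that the signed element is the Signature's own parent, so that a signature over some other ID-bearing element is not accepted as covering this one.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class IdReferenceDemo {
    // Constructed sample (assumption): a SAML 1.x style Assertion, not yet signed.
    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String ASSERTION_ID = "ff388ecaf50f9b23130bf297cd4079af";
    static final String UNSIGNED = "<Assertion xmlns=\"" + SAML_NS + "\" AssertionID=\"" + ASSERTION_ID + "\">"
            + "<Subject>foo</Subject></Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // dsig elements are namespace-qualified; required for JSR 105
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE from the wire
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Produce an enveloped signature over the Assertion and return the serialized document.
    static String sign(Document doc, KeyPair kp) throws Exception {
        Element assertion = doc.getDocumentElement();
        assertion.setIdAttribute("AssertionID", true); // signing dereferences "#id" too
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + ASSERTION_ID, fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), assertion));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString("UTF-8"); // re-parsing this string drops the ID typing set above
    }

    static boolean validate(String xml, PublicKey pub, boolean registerId) throws Exception {
        Document doc = parse(xml);
        if (registerId) {
            // Tell the DOM which attribute is the ID so Document.getElementById() (and the dsig URI
            // dereferencer built on it) can find the referenced element.
            NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
            for (int i = 0; i < assertions.getLength(); i++) {
                ((Element) assertions.item(i)).setIdAttribute("AssertionID", true);
            }
        }
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) throw new IllegalStateException("expected exactly one Signature");
        Node sigNode = sigs.item(0);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(pub), sigNode);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        boolean ok;
        try {
            ok = sig.validate(ctx); // core validation: this is where the Reference URI is dereferenced
        } catch (XMLSignatureException e) {
            System.out.println("core validation threw: " + e); // wraps URIReferenceException when the ID is unknown
            return false;
        }
        if (!ok) return false;
        // The single Reference must name our Assertion, and the element with that ID must be the
        // Signature's parent, so the signature really covers the element we are about to trust.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + ASSERTION_ID).equals(((Reference) refs.get(0)).getURI())) return false;
        Element signed = doc.getElementById(ASSERTION_ID);
        return signed != null && signed.isSameNode(sigNode.getParentNode());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String signed = sign(parse(UNSIGNED), kp);
        System.out.println("AssertionID not registered as ID: " + validate(signed, kp.getPublic(), false));
        System.out.println("AssertionID registered as ID:     " + validate(signed, kp.getPublic(), true));
    }
}
```

The first validate call reproduces the post's failure mode (the SignatureValue itself is fine, but Reference dereferencing throws), and the second succeeds after setIdAttribute. In a real WS-Security receiver the same registration has to happen for every ID-bearing element the signature may reference (wsu:Id on Body or Timestamp, AssertionID or ID on assertions), or the parser has to validate against a schema that declares those attributes as type ID.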