From: Ng C. Y. [Cyng] <cy...@cs...> - 2003-04-17 07:40:00
Hi,

> Their SOAP message starts
> <SOAP-ENV:Envelope
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
> ....
> (Note the "dsig" namespace used here for the XML Digital Signature
> namespace.)
> Hermes produces this:
> <soap-env:Envelope
> xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> ....
> (No declaration at all for the XML Digital Signature namespace.) (There's
> another obvious difference: "SOAP-ENV" vs "soap-env", but we'll skip that
> for now. :-)

I have been investigating XML Signature problems these days. It really causes me a lot of headaches, as nothing works smoothly with xmlsec 1.0.4 and 1.0.5D2. My observations from the different experiments in using 1.0.5D2 are too long to be concluded and typed here. What I can say up to this moment is that I have followed exactly the "CreateSignature" example as bundled in xmlsec to sign a message, and it works. However, the signed message is a DOM element, and I have to insert the whole tree back into JAXM and send it out. I have checked the sent message's signature, which looks the same as the DOM tree. But once it is verified, I get the exception:

The prefix "ds" for element "ds:SignedInfo" is not bound.

Ideally speaking, a library should not care about what prefix an XML file is using, because everything depends on the binding of the prefix to a particular namespace URI, i.e., only the namespace URI is important.

> If I feed their message into Hermes, I get the response:
> Exception:
> hk.hku.cecid.phoenix.message.packaging.validation.SOAPValidationException
> Message: Client: <ds:SignedInfo> is not found in <ds:Signature>!

However, this problem is due to the fact that when unmarshalling a SOAPElement, JAXM cannot find <dsig:SignedInfo> even though the correct namespace URI is already supplied.

> However, things still don't work, because Hermes then says "Verification
> of signature failed - no PublicKey found".
> Is there any way of telling Hermes to use a
> separate certificate to verify the SignatureValue?

Currently, Hermes assumes that the signed message must supply the X509Certificate in order to verify. There is no way to tell it which certificate to use. I think this involves certificate or public key management that we will consider in a later Hermes version.

Regards,
CY
----------------------------------------------------------------------------
Ng Chi Yuen, CY. cy...@ce... http://www.cecid.hku.hk/
Technology Officer,
Centre for E-Commerce Infrastructure Development,
The University of Hong Kong
----------------------------------------------------------------------------
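The prefix issue discussed in this message, as an added example that is not part of the original post and is not Hermes, JAXM or xmlsec code: with a namespace-aware DOM parser, looking up SignedInfo by (namespace URI, local name) finds the element whether the sender bound the XML Signature namespace to "ds" or "dsig", while a lookup on the literal qualified name "ds:SignedInfo" does not. The class name, helper methods and sample envelopes are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class SignedInfoLookup {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    // Constructed sample envelope; only the two prefixes differ between calls.
    static String envelope(String soap, String sig) {
        return "<" + soap + ":Envelope xmlns:" + soap + "=\"" + SOAP_NS + "\""
             + " xmlns:" + sig + "=\"" + DSIG_NS + "\">"
             + "<" + soap + ":Header><" + sig + ":Signature><" + sig + ":SignedInfo/>"
             + "</" + sig + ":Signature></" + soap + ":Header>"
             + "<" + soap + ":Body/></" + soap + ":Envelope>";
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // off by default; without it nodes carry no namespace URI
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Prefix-dependent lookup: compares the qualified name as plain text.
    static int byQualifiedName(Document d) {
        return d.getElementsByTagName("ds:SignedInfo").getLength();
    }

    // Prefix-independent lookup: compares namespace URI and local name.
    static int byNamespace(Document d) {
        return d.getElementsByTagNameNS(DSIG_NS, "SignedInfo").getLength();
    }

    public static void main(String[] args) throws Exception {
        // First pair mirrors the Hermes-style prefixes, second the other party's.
        for (String[] p : new String[][] {{"soap-env", "ds"}, {"SOAP-ENV", "dsig"}}) {
            Document d = parse(envelope(p[0], p[1]));
            System.out.println("prefix " + p[1]
                    + ": by qualified name = " + byQualifiedName(d)
                    + ", by namespace URI = " + byNamespace(d));
        }
    }
}
```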