From: Markus K. <ma...@pr...> - 2014-02-03 08:24:00
On 2014-02-02 01:43, ant...@yo... wrote:
> Hi everyone,
>
> I try to access to a Remote EJB from an instance of glassfish 3.
>
> Signserver is running on another server on glassfish 2.
>
> I can not access to the remote ejb. The jndi name is not recognized.
>
> Here is my code :
>
> Properties props = new Properties();
> props.setProperty("org.omg.CORBA.ORBInitialHost", "signserverpki");
> props.setProperty("org.omg.CORBA.ORBInitialPort", "3700");
> InitialContext ic = null;
> try {
> ic = new InitialContext(props);
> } catch (NamingException ex) {
> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
> null, ex);
> }
>
> IRemote worker = null;
> try {
> worker = (IRemote)
> ic.lookup("org.signserver.ejb.interfaces.IWorkerSession$IRemote");
> } catch (NamingException ex) {
> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
> null, ex);
> }
>
> The exception thrown is :
> javax.naming.NamingException: Lookup failed for
> 'org.signserver.ejb.interfaces.IWorkerSession$IRemote' in
> SerialContext[myEnv={org.omg.CORBA.ORBInitialPort=3700,
> java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory,
> org.omg.CORBA.ORBInitialHost=signserverpki,
> java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl,
> java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root exception
> is javax.naming.NameNotFoundException:
> org.signserver.ejb.interfaces.IWorkerSession$IRemote not found]
>
>
> I am working with signserver 3.2.3
>
> Thanks a lot for your help.
>
>
> Antoine
>
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>
Hi Antoine,

I don't think I have tried EJB lookups between different application servers,
and especially not between two different versions, but at least the code
looks correct if it were used to look up from a client application.

Maybe there could be an issue with the two different versions. Have you
tried whether the code works between two GlassFish V2 instances?

Regards,
Markus
From: <ant...@yo...> - 2014-02-02 00:57:13
Hi everyone,

I am trying to access a Remote EJB from an instance of GlassFish 3.

SignServer is running on another server on GlassFish 2.

I cannot access the remote EJB. The JNDI name is not recognized.

Here is my code:

import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.signserver.ejb.interfaces.IWorkerSession.IRemote;

// Point the ORB at the GlassFish 2 host where SignServer is deployed
Properties props = new Properties();
props.setProperty("org.omg.CORBA.ORBInitialHost", "signserverpki");
props.setProperty("org.omg.CORBA.ORBInitialPort", "3700");

IRemote worker = null;
try {
    InitialContext ic = new InitialContext(props);
    // Look up the remote worker session bean by its global JNDI name
    worker = (IRemote) ic.lookup("org.signserver.ejb.interfaces.IWorkerSession$IRemote");
} catch (NamingException ex) {
    Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE, null, ex);
}
The exception thrown is :
javax.naming.NamingException: Lookup failed for
'org.signserver.ejb.interfaces.IWorkerSession$IRemote' in
SerialContext[myEnv={org.omg.CORBA.ORBInitialPort=3700,
java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory,
org.omg.CORBA.ORBInitialHost=signserverpki,
java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl,
java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root exception
is javax.naming.NameNotFoundException:
org.signserver.ejb.interfaces.IWorkerSession$IRemote not found]
I am working with signserver 3.2.3
Thanks a lot for your help.
Antoine
From: Markus K. <ma...@pr...> - 2014-01-17 12:15:40
Hi,

The upcoming SignServer 3.5 will support JBoss 7.1 and JDK 7. Still some testing remains for the new application server support, but if you would like to test it out today, check out SignServer from SVN and let us know how it works. It should also work with JBoss EAP 6.1, 6.2 and GlassFish 3.1.

Best regards,
Markus
PrimeKey Solutions
From: Markus K. <ma...@pr...> - 2014-01-11 11:36:04
That's great Cristian!
Cheers,
Markus
On 2014-01-10 16:22, Cristian Altamirano wrote:
> Markus.
> Thanks for the answer.
> I can tell you I resolved my problem by adding my certificate to the HSM using Java.
> The Java class for adding a certificate to the Utimaco HSM:
>
> import java.io.FileInputStream;
> import java.io.IOException;
> import java.security.GeneralSecurityException;
> import java.security.KeyStore;
> import java.security.KeyStoreException;
> import java.security.PrivateKey;
> import java.security.Provider;
> import java.security.Security;
> import java.util.Enumeration;
>
> /**
>  * @author Cristian Altamirano <cal...@gm...>
>  * @version 1.6 (jdk-6u25-linux-i586.rpm)
>  * @since 09/01/2014
>  */
> public class AdderHSM {
>     /*
>      * pkcs11.cfg :
>      * name=HSMToken
>      * library=/home/cristian/utimaco/Software/PKCS11/lib/Linux-x86-32/libcs2_pkcs11.so
>      * description=SafeGuard CryptoServer PKCS11 provider
>      * slot=8
>      */
>     /*
>      * lib used: sunpkcs11.jar
>      */
>     private static final String UTIMACO_CONFIG = "/home/cristian/utimaco/SUNProvider/pkcs11.cfg";
>     private static final String KEY_PIN = "ocho";
>
>     public void pkcs12ToPckcs11() throws GeneralSecurityException, IOException {
>         // Read the PKCS#12 keystore from the file system (password redacted in the post)
>         String certificateKey = "****";
>         KeyStore keyStore = KeyStore.getInstance("pkcs12");
>         FileInputStream p12 = new FileInputStream("/home/cristian/caltamirano.p12");
>         try {
>             keyStore.load(p12, certificateKey.toCharArray());
>         } finally {
>             p12.close();
>         }
>
>         // Pick the alias that actually holds a private key: a PKCS#12 file may also
>         // contain certificate-only entries (for example the issuing CA)
>         String alias = null;
>         Enumeration<String> e = keyStore.aliases();
>         while (e.hasMoreElements()) {
>             String candidate = e.nextElement();
>             if (keyStore.isKeyEntry(candidate)) {
>                 alias = candidate;
>                 break;
>             }
>         }
>         if (alias == null) {
>             throw new KeyStoreException("no private key entry in the PKCS#12 file");
>         }
>
>         // Load the HSM configuration and open the PKCS#11 keystore with the slot PIN
>         FileInputStream fis = new FileInputStream(UTIMACO_CONFIG);
>         Provider provider = new sun.security.pkcs11.SunPKCS11(fis);
>         Security.addProvider(provider);
>         KeyStore p11 = KeyStore.getInstance("PKCS11", provider);
>         p11.load(null, KEY_PIN.toCharArray());
>
>         // Copy the private key together with its certificate chain into the HSM slot
>         KeyStore.PrivateKeyEntry priEntry = new KeyStore.PrivateKeyEntry(
>                 (PrivateKey) keyStore.getKey(alias, certificateKey.toCharArray()),
>                 keyStore.getCertificateChain(alias));
>         KeyStore.PasswordProtection passwordProtection =
>                 new KeyStore.PasswordProtection(certificateKey.toCharArray());
>         // The alias used here is the value of defaultKey in the SignServer worker
>         // configuration (qs_xmlsigner_configuration.properties)
>         p11.setEntry("caltamiranoKeyAlias", priEntry, passwordProtection);
>
>         System.out.println("Certificate added to HSM utimaco");
>     }
> }
>
>
> Then qs_xmlsigner_configuration.properties
>
>
> # $Id: qs_xmlsigner_configuration.properties 1729 2011-06-17 11:58:25Z netmackan $
> #
> # Example SignServer configuration property file
> #
> # Used to quick install a XMLSigner
> #
> # Install with the command:
> # bin/signserver.sh setproperties sample-configs/qs_xmlsigner_configuration.properties
> #
>
> ## Global properties
>
> GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.xmlsigner.XMLSigner
> #GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.SoftCryptoToken
> #GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.P12CryptoToken
> GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.PKCS11CryptoToken
>
> ## General properties
>
> WORKERGENID1.NAME=XMLSigner
> WORKERGENID1.AUTHTYPE=NOAUTH
>
> ## P12CryptoToken properties
>
> #WORKERGENID1.KEYSTOREPATH=/home/cristian/certificados/esign/caltamirano.p12
> #WORKERGENID1.KEYSTOREPASSWORD=1947
>
> ## PKCS11CryptoToken properties
>
> WORKERGENID1.sharedLibrary=/home/cristian/utimaco/Software/PKCS11/lib/Linux-x86-32/libcs2_pkcs11.so
> WORKERGENID1.slot=8
> WORKERGENID1.defaultKey=caltamiranoKeyAlias
> WORKERGENID1.pin ocho
>
> Then add config and certificate using CLI signserver.
>
> ./signserver setproperties qs_xmlsigner_configuration.properties
> ./signserver uploadsignercertificate /home/cristian/caltamirano.pem
> ./signserver uploadsignercertificatechain chain.pem
>
> Now reload the config and it works.
>
> ./signserver reload all
>
> Regards.
>
> On Fri, Jan 10, 2014 at 11:45 AM, Markus Kilås <ma...@pr...> wrote:
>
> Dear Cristian,
>
> (Please, use a new subject for posts concerning a new topic)
>
> See answers below.
>
> On 2014-01-09 00:31, Cristian Altamirano wrote:
> > Dears.
> > I am testing utimaco Simulation with Signserver.
> > But I cannot understand where is the property defaultkey.
> > ¿Where is defaultkey in the image?
> > Attach an image with the configuration Utimaco Simulation.
> >
>
> The SignServer worker property DEFAULTKEY should contain the key alias
> (label) of the key _in_ the HSM slot. In your configuration below you
> have indicated that there should be a key named "tres" in the slot.
>
> On the picture it looks like you have a _slot_ labeled tres however the
> certificate is what is pointing out which key to use and it is labeled
> (CKA_LABEL) "X509 Certifificate" (!).
>
> Either you should use that as value for DEFAULTKEY or change that to be
> "tres".
>
> >
> > Then I made this configuration file.
> >
> > ## Global properties
> >
> > GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.xmlsigner.XMLSigner
> > GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.PKCS11CryptoToken
> >
> > ## General properties
> >
> > WORKERGENID1.NAME=XMLSignerTest
> > WORKERGENID1.AUTHTYPE=NOAUTH
> >
> > ## PKCS11CryptoToken properties
> >
> > WORKERGENID1.sharedLibrary=/home/cristian/utimaco/Software/PKCS11/lib/Linux-x86-32/libcs2_pkcs11.so
> > WORKERGENID1.slot=3
> > WORKERGENID1.defaultKey=tres
> > WORKERGENID1.pin tres
> >
> >
> > The administrator of signserver says:
> >
> > Status of Signer with Id 1 is :
> > Worker status : Offline
> > Token status : Active
> > Signings: 0 (counter disabled)
> > Errors:
> > No signer certificate available
> > Certificate chain not available
> >
> > Why?
>
> Most likely offline because of the wrong name of the key as well as
> because the certificate and certificate chain need to be uploaded to
> SignServer explicitly. See the quick install guide:
> http://www.signserver.org/manual/installguide.html#Production%20configuration%20with%20HSM
>
> Also note that SignServer (Java) has some requirements on the key
> representation in the slot. It is normally best to use a Java tool when
> creating or importing the key to the HSM to be sure it will be readable
> by Java.
>
> >
> > If I add certificate PKCS12 at slot 3 using p11tool.
> >
> > Can I work with a certificate pre-loaded on the HSM?
>
> SignServer does not use the certificate in the slot more than to point
> out which key-pair to use. The certificate currently has to be uploaded
> to SignServer explicitly as described in the quick install guide above.
>
>
> Best regards,
> Markus
> PrimeKey Solutions
>
> >
> > Regards.
> >
> > --
> > Cristian Altamirano
>
> --
> Saluda.
> Cristian Altamirano
>
--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
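Markus's two points above, that DEFAULTKEY must name a key alias actually present in the slot and that the key must be stored in a form Java can read, can be checked before the worker is activated. The Java below is an added example, not SignServer code or code from the thread: it opens the slot the same way as SignServer's PKCS11CryptoToken (SunPKCS11 with a config file and PIN, both assumed to be passed on the command line) and reports what Java sees for each alias; the class name, the Entry type and the output format are my own.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Lists a PKCS#11 slot the way Java (and therefore SignServer) sees it, so the worker
 * property DEFAULTKEY can be compared against a real key alias before activation.
 * Hypothetical helper written for this thread, not part of SignServer.
 */
public class SlotInspector {

    /** What one alias looks like from Java's side. */
    public static final class Entry {
        public final String alias;
        public final boolean keyEntry;   // private key with a certificate object attached
        public final int chainLength;    // 0 when no certificate is attached at all
        public final String subject;     // subject DN of the leaf certificate, "" if none

        Entry(String alias, boolean keyEntry, int chainLength, String subject) {
            this.alias = alias;
            this.keyEntry = keyEntry;
            this.chainLength = chainLength;
            this.subject = subject;
        }
    }

    /** Works for any KeyStore, so the same check can be run on the PKCS#12 file before import. */
    public static List<Entry> inspect(KeyStore ks) throws Exception {
        List<Entry> entries = new ArrayList<Entry>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            Certificate leaf = (chain != null && chain.length > 0) ? chain[0] : ks.getCertificate(alias);
            int length = chain != null ? chain.length : (leaf != null ? 1 : 0);
            String subject = (leaf instanceof X509Certificate)
                    ? ((X509Certificate) leaf).getSubjectX500Principal().getName() : "";
            entries.add(new Entry(alias, ks.isKeyEntry(alias), length, subject));
        }
        return entries;
    }

    /** Returns null when defaultKey names a usable key entry, otherwise the reason it will not work. */
    public static String checkDefaultKey(List<Entry> entries, String defaultKey) {
        for (Entry e : entries) {
            if (!e.alias.equals(defaultKey)) {
                continue;
            }
            if (!e.keyEntry) {
                return "'" + defaultKey + "' is a certificate-only entry, not a private key";
            }
            return null;
        }
        // SunPKCS11 names entries after the certificate's CKA_LABEL and does not expose a private
        // key that has no certificate object with the same CKA_ID, so such a key is not merely
        // mislabelled: it is invisible to Java and hence to SignServer.
        return "no key entry labelled '" + defaultKey + "' is visible in the slot";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: SlotInspector <sunpkcs11.cfg> <pin> <DEFAULTKEY>");
            System.exit(2);
        }
        // JDK 6-8 style, as used in the thread; on JDK 9+ use
        // Security.getProvider("SunPKCS11").configure(args[0]) instead.
        Provider p11 = new sun.security.pkcs11.SunPKCS11(args[0]);
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, args[1].toCharArray());

        List<Entry> entries = inspect(ks);
        for (Entry e : entries) {
            System.out.printf("%-30s %-10s chain=%d %s%n",
                    e.alias, e.keyEntry ? "key" : "cert-only", e.chainLength, e.subject);
        }
        String problem = checkDefaultKey(entries, args[2]);
        System.out.println(problem == null
                ? "DEFAULTKEY=" + args[2] + " is usable"
                : "DEFAULTKEY problem: " + problem);
    }
}
```

The worker will still report "No signer certificate available" until the certificate and chain are uploaded to SignServer as the quick install guide describes; this only settles the key-alias side of the status.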
From: Markus K. <ma...@pr...> - 2014-01-10 14:45:15
Dear Cristian,

(Please, use a new subject for posts concerning a new topic)

See answers below.

On 2014-01-09 00:31, Cristian Altamirano wrote:
> Dears.
> I am testing utimaco Simulation with Signserver.
> But I cannot understand where is the property defaultkey.
> ¿Where is defaultkey in the image?
> Attach an image with the configuration Utimaco Simulation.
>

The SignServer worker property DEFAULTKEY should contain the key alias
(label) of the key _in_ the HSM slot. In your configuration below you
have indicated that there should be a key named "tres" in the slot.

On the picture it looks like you have a _slot_ labeled tres however the
certificate is what is pointing out which key to use and it is labeled
(CKA_LABEL) "X509 Certifificate" (!).

Either you should use that as value for DEFAULTKEY or change that to be
"tres".

>
> Then I made this configuration file.
>
> ## Global properties
>
> GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.xmlsigner.XMLSigner
> GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.PKCS11CryptoToken
>
> ## General properties
>
> WORKERGENID1.NAME=XMLSignerTest
> WORKERGENID1.AUTHTYPE=NOAUTH
>
> ## PKCS11CryptoToken properties
>
> WORKERGENID1.sharedLibrary=/home/cristian/utimaco/Software/PKCS11/lib/Linux-x86-32/libcs2_pkcs11.so
> WORKERGENID1.slot=3
> WORKERGENID1.defaultKey=tres
> WORKERGENID1.pin tres
>
> The administrator of signserver says:
>
> Status of Signer with Id 1 is :
> Worker status : Offline
> Token status : Active
> Signings: 0 (counter disabled)
> Errors:
> No signer certificate available
> Certificate chain not available
>
> Why?

Most likely offline because of the wrong name of the key as well as
because the certificate and certificate chain need to be uploaded to
SignServer explicitly. See the quick install guide:
http://www.signserver.org/manual/installguide.html#Production%20configuration%20with%20HSM

Also note that SignServer (Java) has some requirements on the key
representation in the slot. It is normally best to use a Java tool when
creating or importing the key to the HSM to be sure it will be readable
by Java.

>
> If I add certificate PKCS12 at slot 3 using p11tool.
>
> Can I work with a certificate pre-loaded on the HSM?

SignServer does not use the certificate in the slot more than to point
out which key-pair to use. The certificate currently has to be uploaded
to SignServer explicitly as described in the quick install guide above.

Best regards,
Markus
PrimeKey Solutions

>
> Regards.
>
> --
> Cristian Altamirano
From: Markus K. <ma...@pr...> - 2014-01-08 08:40:53
Dear Cristian,

Thank you for sharing.

Regards,
Markus

PrimeKey Solutions offers a commercial EJBCA & SignServer support subscription and training. Please see www.primekey.se or contact in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

On 2014-01-07 23:07, Cristian Altamirano wrote:
> Markus.
> This works for me.
>
> code:
>
> System.setProperty("javax.net.ssl.trustStore", "/home/cristian/truststore.jks");
> System.setProperty("javax.net.ssl.trustStorePassword", "******");
> System.setProperty("javax.net.ssl.keyStore", "/home/cristian/tomcat.jks");
> System.setProperty("javax.net.ssl.keyStorePassword", "********");
>
> AdminWSServiceLocator service = new AdminWSServiceLocator();
> AdminWS as = service.getAdminWSPort();
>
> as.setGlobalProperty(GlobalConfiguration.SCOPE_GLOBAL,
>         "WORKER1.CLASSPATH", "org.signserver.module.pdfsigner.PDFSigner");
> as.setGlobalProperty(GlobalConfiguration.SCOPE_GLOBAL,
>         "WORKER1.SIGNERTOKEN.CLASSPATH",
>         "org.signserver.server.cryptotokens.P12CryptoToken");
> as.setWorkerProperty(1, "NAME", "PDFSignerTest");
> as.setWorkerProperty(1, "AUTHTYPE", "NOAUTH");
> as.setWorkerProperty(1, "KEYSTOREPATH", "/home/cristian/caltamirano.p12");
> as.setWorkerProperty(1, "KEYSTOREPASSWORD", "********");
> as.reloadConfiguration(1);
>
> Thank you.
From: Cristian A. <cal...@gm...> - 2014-01-07 22:07:51
Markus.
This works for me.

code:

// Client-side TLS: trust store for the server certificate, key store for the
// admin client certificate that AdminWS authenticates
System.setProperty("javax.net.ssl.trustStore", "/home/cristian/truststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "******");
System.setProperty("javax.net.ssl.keyStore", "/home/cristian/tomcat.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "********");

// Generated AdminWS client stub
AdminWSServiceLocator service = new AdminWSServiceLocator();
AdminWS as = service.getAdminWSPort();

// Global properties: worker implementation and crypto token class
as.setGlobalProperty(GlobalConfiguration.SCOPE_GLOBAL,
        "WORKER1.CLASSPATH", "org.signserver.module.pdfsigner.PDFSigner");
as.setGlobalProperty(GlobalConfiguration.SCOPE_GLOBAL,
        "WORKER1.SIGNERTOKEN.CLASSPATH",
        "org.signserver.server.cryptotokens.P12CryptoToken");

// Worker properties, then reload so the worker picks them up
as.setWorkerProperty(1, "NAME", "PDFSignerTest");
as.setWorkerProperty(1, "AUTHTYPE", "NOAUTH");
as.setWorkerProperty(1, "KEYSTOREPATH", "/home/cristian/caltamirano.p12");
as.setWorkerProperty(1, "KEYSTOREPASSWORD", "********");
as.reloadConfiguration(1);

Thank you.
From: Markus K. <ma...@pr...> - 2014-01-07 09:16:07
Thank you Cristian for the submitting the patch. I have created https://jira.primekey.se/browse/DSS-709 to eventually have this added to SignServer. Best regards, Markus > > On 2014-01-06 22:28, Cristian Altamirano wrote: >> Hi Markus. >> This work fine for me. >> I have verified the sign using >> http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/Validate.java >> >> Other consultation. >> >> How I can create a worker from adminws? >> >> Have some sample code that you can show me? >> >> >> I can create it using the settings that bring in examples running the >> command >> >> ./signserver setproperties file_configuration.properties >> >> >> Regards. >> >> >> >> On Fri, Dec 27, 2013 at 4:47 AM, Markus Kilås <ma...@pr... >> <mailto:ma...@pr...>> wrote: >> >> Hi Cristian, >> >> Including the KeyValue tag is not currently supported. Let us know >> if you are interested in this feature. >> >> If you want to develop it yourself we would be happy to recieve a patch. >> >> What I think you could do (not tested) is to in XMLSigner.java use >> something like: >> ---- >> KeyInfoFactory kif = fac.getKeyInfoFactory(); >> X509Data x509d = kif.newX509Data(x509CertChain); >> List<XMLStructure> kviItems = new LinkedList<XMLStructure>(); >> kviItems.add(x509d);* >> RSAKeyValue rsaKeyValue = kif.newKeyValue(publicKey);* >> *kviItems.add(rsaKeyValue);* >> ---- >> >> Best regards, >> >> Markus >> >> PrimeKey Solutions offers a commercial EJBCA & SignServer support >> subscription and training. Please see www.primekey.se >> <http://www.primekey.se> or contact in...@pr... >> <mailto:in...@pr...> for more information. >> http://www.primekey.se/Services/Support/ >> http://www.primekey.se/Services/Training/ >> >> >> On 2013-12-23 14:42, Cristian Altamirano wrote: >>> Markus, >>> This function is rarely used. However there is a state >>> agency that uses it. I have another consultation. 
>>> When I use xmlsigner need theTAG <Signature >>> xmlns="http://www.w3.org/2000/09/xmldsig#"> return TAG <KeyValue>. >>> >>> For Example: >>> >>> <Signature >>> xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod >>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod >>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference >>> URI=""><Transforms><Transform >>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod >>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>itzC/c4YAzqfJN9PNUmqTMiI8Xo=</DigestValue></Reference></SignedInfo><SignatureValue>L0jE/ia5qxCydsFszdbdWiJoJDmn38htrvZJnFhb/KUQn6ReVDM+FNTa3L6pE0EqC9fOXOdT01lu >>> vqDwubmjRtyPZG7y2jauqFOUFN1RJIq8WZKeI7JUqK9yOXCo10WbmXDWY8ePIXXPh9sV3sgcusue >>> FxgOFBGq/3PtQT73qWCE5fkkOKB7v7/UB6EJhEQz6Xh5ttIehYDLWbzBYZhgNdSDdhkvSAPXVUpt >>> /hiJ+BRRMBtxM6IWb59oshDOSDi3GgvnjruG3C1rOZgYh8+WGTVI77Uf+At+TtxfUOkQpDGEuCmv >>> ZR3CgOvftwZkc+zSSsTIw7V5YlkxQhnJEBWOsg==</SignatureValue><KeyInfo>*<KeyValue><RSAKeyValue><Modulus>z+jlSLP5ZTDFgV25Kcq6xfb30GKssWhn1MpfQUgZvXUWWuC91p6PXLl5Um8Nj6lc/EV2cwVdHAbW >>> we9z3spVk7g3WNt6gw6khwZmj/tbJZ+iLKYNdCAoQi9I6kQFSh7Ted0GjNBBng3AHGyWXjnZ/sYX >>> wBNDpgd7Vf0H9j1icdlNX7rtjpBXi+jbnTg1dndbzWvmSnA70SJx3/BN5CgBNpZzK9RhYJ0CpngQ >>> gNcyJdAevKk8flpeAhDiBqY7a400yE4vHKgdFt/8dtBsNajBngpSsCjpvQZ91hQWewmeTTr9dCnh >>> 9r92ZwDcNnoxC/mYjA9i61rLWPRei9OwZ+Rxhw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>*<X509Data><X509Certificate>MIIGXTCCBUWgAwIBAgIQaP7ZrIUusx5x3hw0yfiX4zANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UE >>> BhMCQ0wxFDASBgNVBAoTC0UtU2lnbiBTLkEuMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3 >>> b3JrMUEwPwYDVQQDEzhFLVNpZ24gU0MgQ2xhc3MgMiBDb25zdW1lciBJbmRpdmlkdWFsIFN1YnNj >>> cmliZXIgQ0EgLSBHMjEfMB0GCSqGSIb3DQEJARYQZS1zaWduQGUtc2lnbi5jbDAeFw0xMzEyMjAw >>> MDAwMDBaFw0xNDEyMjAyMzU5NTlaMIIBJTEUMBIGA1UEChMLRS1TaWduIFMuQS4xLTArBgNVBAsT >>> 
JFRlcm1pbm9zIGRlIHVzbyBlbiB3d3cuZS1zaWduLmNsL3JwYTElMCMGA1UECxMcQXV0aGVudGlj >>> YXRlZCBieSBFLVNpZ24gUy5BLjEnMCUGA1UECxMeTWVtYmVyLCBTeW1hbnRlYyBUcnVzdCBOZXR3 >>> b3JrMRswGQYDVQQLExJEaWdpdGFsIElEIENsYXNzIDIxGTAXBgNVBAsUEFJVVCAtIDEzODQ1Mjgw >>> LTgxLTArBgNVBAMMJENyaXN0aWFuIEFsZWphbmRybyBBbHRhbWlyYW5vIExMYW5vczEnMCUGCSqG >>> SIb3DQEJARYYY2FsdGFtaXJhbm9AZXNpZ24tbGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A >>> MIIBCgKCAQEAz+jlSLP5ZTDFgV25Kcq6xfb30GKssWhn1MpfQUgZvXUWWuC91p6PXLl5Um8Nj6lc >>> /EV2cwVdHAbWwe9z3spVk7g3WNt6gw6khwZmj/tbJZ+iLKYNdCAoQi9I6kQFSh7Ted0GjNBBng3A >>> HGyWXjnZ/sYXwBNDpgd7Vf0H9j1icdlNX7rtjpBXi+jbnTg1dndbzWvmSnA70SJx3/BN5CgBNpZz >>> K9RhYJ0CpngQgNcyJdAevKk8flpeAhDiBqY7a400yE4vHKgdFt/8dtBsNajBngpSsCjpvQZ91hQW >>> ewmeTTr9dCnh9r92ZwDcNnoxC/mYjA9i61rLWPRei9OwZ+RxhwIDAQABo4ICATCCAf0wIwYDVR0R >>> BBwwGqAYBggrBgEEAcEBAaAMFgoxMzg0NTI4MC04MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgME8G >>> A1UdHwRIMEYwRKBCoECGPmh0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29tL0VTaWduU0FDU0ND >>> bGFzczJHMi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaAFNvPd2JYCzg2JS0a0mrEVAGybkwOMB0G >>> A1UdDgQWBBS+9VwTBT8X7iyiTi+YarFB/SQLATA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGG >>> H2h0dHA6Ly9vbnNpdGUtb2NzcC52ZXJpc2lnbi5jb20wgZgGA1UdIASBkDCBjTCBigYLYIZIAYb4 >>> RQEHFwIwezAxBggrBgEFBQcCARYlaHR0cHM6Ly93d3cuZS1zaWduLmNsL3JlcG9zaXRvcmlvLmh0 >>> bTBGBggrBgEFBQcCAjA6GjhDZXJ0aWZpY2FkbyBwYXJhIHVzbyBUcmlidXRhcmlvLCBDb21lcmNp >>> bywgUGFnb3MgeSBPdHJvczARBglghkgBhvhCAQEEBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIG >>> CCsGAQUFBwMEMCMGA1UdEgQcMBqgGAYIKwYBBAHBAQKgDBYKOTk1NTE3NDAtSzANBgkqhkiG9w0B >>> AQUFAAOCAQEAvet0Rwq6W4zzLPYsT6rbpnx/lUAKLmBAJhQKK2zH1QSPM68FkVMe9+XSV3y6KFt9 >>> PVRdYq/M2b2QZ//YHHFEoLeU6gcTTNgL6oVo+PQqUWYtrsU+H023ci9TA7F3EejJPRIRrRxMMN+a >>> Dh9Zqu0qTCtQQ00sWUfjm1xL0UxWsRwYLnjDdwJlxwVdQ4pzN2yy/MqkNs6T6xVnMktfQmH1mgc7 >>> gIHBhZk3oqFe/auzLvjQ/tdaGrnVfCulS7+SUXO0xzIjrWwZiefJgJQ3xj3KqmHJvVWovbMHpfYQ >>> 6qVSq1qqhKgeQEydPJiK7d+DQ0V1eJ6b2ZNd8CALDSA3UjT4hA==</X509Certificate></X509Data></KeyInfo></Signature> >>> >>> >>> If I use signserver 
(xmlsigner configuration) the TAG signature >>> return this: >>> >>> <Signature >>> xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod >>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod >>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference >>> URI=""><Transforms><Transform >>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod >>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>itzC/c4YAzqfJN9PNUmqTMiI8Xo=</DigestValue></Reference></SignedInfo><SignatureValue>mcI/lJbd/mq36HU/RM8UQOceJmVwVSzEqkIezJOMXmPjM3OdIKOD7IDkY5B+xcte5r77eG6OOREt >>> DV1bf8UxWkdToUR9XNxswOhPFDRwmpavVLivY0B41d0Rbq8Ee3HyotxPJeiS7ZX1E0A7xobot/cN >>> qA/EbnZQDisiEsugfrI+pU2uTBNRaUgETC5+ODs7fjuGvo6iKBp7vU8ijDR2HCLYtzhx2fczMKjE >>> OyLiK2MehGWWe4gyOi2jssFKEGSVCRToG2lU4taJo2AUKzN3AXJBKcL53VtbUn/IgeyWWt6IwYAn >>> oveZ7KcWpUp2x2Lw4MhDmfLgf1Wb14WDgUDVBg==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIGXTCCBUWgAwIBAgIQaP7ZrIUusx5x3hw0yfiX4zANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UE >>> BhMCQ0wxFDASBgNVBAoTC0UtU2lnbiBTLkEuMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3 >>> b3JrMUEwPwYDVQQDEzhFLVNpZ24gU0MgQ2xhc3MgMiBDb25zdW1lciBJbmRpdmlkdWFsIFN1YnNj >>> cmliZXIgQ0EgLSBHMjEfMB0GCSqGSIb3DQEJARYQZS1zaWduQGUtc2lnbi5jbDAeFw0xMzEyMjAw >>> MDAwMDBaFw0xNDEyMjAyMzU5NTlaMIIBJTEUMBIGA1UEChMLRS1TaWduIFMuQS4xLTArBgNVBAsT >>> JFRlcm1pbm9zIGRlIHVzbyBlbiB3d3cuZS1zaWduLmNsL3JwYTElMCMGA1UECxMcQXV0aGVudGlj >>> YXRlZCBieSBFLVNpZ24gUy5BLjEnMCUGA1UECxMeTWVtYmVyLCBTeW1hbnRlYyBUcnVzdCBOZXR3 >>> b3JrMRswGQYDVQQLExJEaWdpdGFsIElEIENsYXNzIDIxGTAXBgNVBAsUEFJVVCAtIDEzODQ1Mjgw >>> LTgxLTArBgNVBAMMJENyaXN0aWFuIEFsZWphbmRybyBBbHRhbWlyYW5vIExMYW5vczEnMCUGCSqG >>> SIb3DQEJARYYY2FsdGFtaXJhbm9AZXNpZ24tbGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A >>> MIIBCgKCAQEAz+jlSLP5ZTDFgV25Kcq6xfb30GKssWhn1MpfQUgZvXUWWuC91p6PXLl5Um8Nj6lc >>> /EV2cwVdHAbWwe9z3spVk7g3WNt6gw6khwZmj/tbJZ+iLKYNdCAoQi9I6kQFSh7Ted0GjNBBng3A 
>>> HGyWXjnZ/sYXwBNDpgd7Vf0H9j1icdlNX7rtjpBXi+jbnTg1dndbzWvmSnA70SJx3/BN5CgBNpZz >>> K9RhYJ0CpngQgNcyJdAevKk8flpeAhDiBqY7a400yE4vHKgdFt/8dtBsNajBngpSsCjpvQZ91hQW >>> ewmeTTr9dCnh9r92ZwDcNnoxC/mYjA9i61rLWPRei9OwZ+RxhwIDAQABo4ICATCCAf0wIwYDVR0R >>> BBwwGqAYBggrBgEEAcEBAaAMFgoxMzg0NTI4MC04MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgME8G >>> A1UdHwRIMEYwRKBCoECGPmh0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29tL0VTaWduU0FDU0ND >>> bGFzczJHMi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaAFNvPd2JYCzg2JS0a0mrEVAGybkwOMB0G >>> A1UdDgQWBBS+9VwTBT8X7iyiTi+YarFB/SQLATA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGG >>> H2h0dHA6Ly9vbnNpdGUtb2NzcC52ZXJpc2lnbi5jb20wgZgGA1UdIASBkDCBjTCBigYLYIZIAYb4 >>> RQEHFwIwezAxBggrBgEFBQcCARYlaHR0cHM6Ly93d3cuZS1zaWduLmNsL3JlcG9zaXRvcmlvLmh0 >>> bTBGBggrBgEFBQcCAjA6GjhDZXJ0aWZpY2FkbyBwYXJhIHVzbyBUcmlidXRhcmlvLCBDb21lcmNp >>> bywgUGFnb3MgeSBPdHJvczARBglghkgBhvhCAQEEBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIG >>> CCsGAQUFBwMEMCMGA1UdEgQcMBqgGAYIKwYBBAHBAQKgDBYKOTk1NTE3NDAtSzANBgkqhkiG9w0B >>> AQUFAAOCAQEAvet0Rwq6W4zzLPYsT6rbpnx/lUAKLmBAJhQKK2zH1QSPM68FkVMe9+XSV3y6KFt9 >>> PVRdYq/M2b2QZ//YHHFEoLeU6gcTTNgL6oVo+PQqUWYtrsU+H023ci9TA7F3EejJPRIRrRxMMN+a >>> Dh9Zqu0qTCtQQ00sWUfjm1xL0UxWsRwYLnjDdwJlxwVdQ4pzN2yy/MqkNs6T6xVnMktfQmH1mgc7 >>> gIHBhZk3oqFe/auzLvjQ/tdaGrnVfCulS7+SUXO0xzIjrWwZiefJgJQ3xj3KqmHJvVWovbMHpfYQ >>> 6qVSq1qqhKgeQEydPJiK7d+DQ0V1eJ6b2ZNd8CALDSA3UjT4hA==</X509Certificate><X509Certificate>MIIGTTCCBTWgAwIBAgIQKbLznlYRzv8kSNGZCYBXdTANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE >>> BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO >>> ZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVk >>> IHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAyIFB1YmxpYyBQcmltYXJ5IENlcnRp >>> ZmljYXRpb24gQXV0aG9yaXR5IC0gRzMwHhcNMTIxMTE1MDAwMDAwWhcNMTcxMTE0MjM1OTU5WjCB >>> qDELMAkGA1UEBhMCQ0wxFDASBgNVBAoTC0UtU2lnbiBTLkEuMR8wHQYDVQQLExZTeW1hbnRlYyBU >>> cnVzdCBOZXR3b3JrMUEwPwYDVQQDEzhFLVNpZ24gU0MgQ2xhc3MgMiBDb25zdW1lciBJbmRpdmlk >>> 
dWFsIFN1YnNjcmliZXIgQ0EgLSBHMjEfMB0GCSqGSIb3DQEJARYQZS1zaWduQGUtc2lnbi5jbDCC >>> ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+9QdJcqEZ+rG7t+iW8F9chMQ0N+GkWyYet >>> ivwzy/Kvh3ngQVe8UOrOM1Zx5hDJxtxk4GO2kXbpXoYlkak6jOpnlvGtf92Atz7CJ4w9WiuebvcX >>> EcczTY7Ne+TZK+TnXyLtcw77vl4ZKTfblO1l2euHzRp6bXYmJ5948watkvshtRlvrxeaH48jHN0r >>> 0u2F9hQKgRXLWwOISQYakT+BgIyHdf1JJvAWwnystqMI4RHfSLgPRRwERfSB2gWwS/BKZdCp479D >>> s4ZAtxt1zgQKyGQYYNoRkVP48NVCwia04JSVCLHWrodKvxHRp/Uq4X/Zyo1dKQfc4iEjRe1GuiA3 >>> X7sCAwEAAaOCAk0wggJJMDgGCCsGAQUFBwEBBCwwKjAoBggrBgEFBQcwAYYcaHR0cDovL3BraS1v >>> Y3NwLnZlcmlzaWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHcGA1UdIARwMG4wbAYLYIZIAYb4 >>> RQEHFwIwXTAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZS1zaWduLmNsL3JlcG9zaXRvcmlvLmh0 >>> bWwwJwYIKwYBBQUHAgIwGxoZaHR0cHM6Ly93d3cuZS1zaWduLmNsL3JwYTA0BgNVHR8ELTArMCmg >>> J6AlhiNodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9wY2EyLWczLmNybDAOBgNVHQ8BAf8EBAMCAQYw >>> KAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEEFmZmlsaWF0ZS0yMDQ4LTQwHQYDVR0OBBYEFNvPd2JY >>> Czg2JS0a0mrEVAGybkwOMIHwBgNVHSMEgegwgeWhgdCkgc0wgcoxCzAJBgNVBAYTAlVTMRcwFQYD >>> VQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazE6MDgG >>> A1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTFF >>> MEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1 >>> dGhvcml0eSAtIEczghBhcMtJjF+YRSnnsKbZUFt6MA0GCSqGSIb3DQEBBQUAA4IBAQA8PGoxQFzV >>> 0Cmct9QP6Px6oFSAxJ9dt47CtMO+qZzu367Oo+ij+6iIMHWs9+wHjJM9VoOe6S8RUwywcVYEqsdI >>> gProsYFJmsgGVPLihxFfIVI+OVKexIAZrfRqR4Blf75D4C0eFdLU+6K/iKY8ag9874kKhhOuRMHy >>> IsUz+vQYn3GmvsWBXSx5BG4uzOXwjPgPe4dTvpIHen/1tKzip1Ti3cZFgLmiIy+CkvBLsKDQepRj >>> W6PPv5nRYhQGgHheShH6UdRx9cEhx3xkY1ucWjFq3dawIaMcVGtaicgHXWsoyX5vmnjARd2H3ie6 >>> zNcqlO6Z5cjvCpJyqSq0Kw6HccLw</X509Certificate><X509Certificate>MIIEGTCCAwECEGFwy0mMX5hFKeewptlQW3owDQYJKoZIhvcNAQEFBQAwgcoxCzAJBgNVBAYTAlVT >>> MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y >>> 
azE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ug >>> b25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0 >>> aW9uIEF1dGhvcml0eSAtIEczMB4XDTk5MTAwMTAwMDAwMFoXDTM2MDcxNjIzNTk1OVowgcoxCzAJ >>> BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1 >>> c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9y >>> aXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBD >>> ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC >>> AQEArwoNwtUs22e5LeWUJ92lvuCwTY+zYVY81nzD9M0+hsuiiOLh2KRpxbXiv8GmR1BeRjmL1Za6 >>> tW8UvxDOJxOeBUebMXoT2B/Z0wI3i60sR/COgQanDTAM6/c8DyAd3HJG7qUCyFvDyVZpTMUYwZF7 >>> C9UTAJu878NIPkZgIIUq1ZC2zYugzDLdt/1AVbJQHFauzI13TccgTacxdu9okoqQHgiBVrKtaaNS >>> 0MscxCM9H5n+TOgWY47GCI72MfbS+uV23bUckqNJzc0BzWjNqWm6o+sdDZykIKbBoMXRRkwXbdKs >>> Zj+WjOCE1Db/IlnF+RFgqF8EffIa9iVCYQ/ESrg+iQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQA0 >>> JhU8wI1NQ0kdvekhktdmnLfexbjQ5F1fdiLAJvmEOjr5jLX77GDx6M4EsMjdpwOPMPOY36TmpDHf >>> 0xwLRtxyID+u7gU8pDM/CzmscHhzS5kr3zDCVLCoO1Wh/hYozUK9dG6A2ydEp85EXdQbkJgNHkKU >>> sQAsBNB0owIFImNjzYO1+8FtYmtpdf1dcEG59b98377BMnMiIYtYgXsVkXq642RIsH/7NiXaldDx >>> JBQX3RiAa0YjOVT1jmIJBB2UkKab5iXiQkWquJCtvgiPqQtCGJTPcjnhsUPgKM+351psE2tJs//j >>> GHyJizNdrDPXp/naOlXJWBD5qu9ats9LS98q</X509Certificate></X509Data></KeyInfo></Signature> >>> >>> >>> Regards. >>> >>> Cristian Altamirano >>> >>> >>> On Mon, Dec 16, 2013 at 4:01 AM, Markus Kilås >>> <ejb...@pr... <mailto:ejb...@pr...>> wrote: >>> >>> Dear Cristian, >>> >>> Currently the SignServer XML signer has no support for >>> specifying tags to be excluded. If the underlaying library >>> supports XPath expressions this should be quite easy to develop. >>> What would be the use case for this feature? >>> >>> >>> Cheers, >>> Markus >>> >>> PrimeKey Solutions offers a commercial EJBCA & SignServer >>> support subscription and training. 
Please see www.primekey.se or contact in...@pr... for more information.
>>> http://www.primekey.se/Services/Support/
>>> http://www.primekey.se/Services/Training/

-- 
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB

Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...

www.primekey.se
From: Markus K. <ma...@pr...> - 2014-01-07 09:00:09
Hi Cristian,

(I included the mailinglist, please respond to the list)

We don't have any sample code for that at the moment. In
https://jira.primekey.se/browse/DSS-300 we will add support in the
AdminGUI (which can use the WS interface) for adding workers so after
that we might consider adding some samples for it.

However this would be the process from my head:

---
To set up the xmlsigner as in
doc/sample-configs/qs_xmlsigner_configuration.properties

1. Setting the "CLASSPATH" global property
// GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.xmlsigner.XMLSigner
// (WORKERGENID1 in the properties file is the worker id, so the key is WORKER123.CLASSPATH here)
adminws.setGlobalProperty("GLOB.", "WORKER123.CLASSPATH",
        "org.signserver.module.xmlsigner.XMLSigner");

2. Setting the "SIGNERTOKEN.CLASSPATH" global property:
// GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.P12CryptoToken
adminws.setGlobalProperty("GLOB.", "WORKER123.SIGNERTOKEN.CLASSPATH",
        "org.signserver.server.cryptotokens.P12CryptoToken");

3. Setting the worker properties
adminws.setWorkerProperty(123, "NAME", "XMLSigner");
adminws.setWorkerProperty(123, "AUTHTYPE", "NOAUTH");
adminws.setWorkerProperty(123, "KEYSTOREPATH", "/opt/signserver/p12/signer2.p12");
adminws.setWorkerProperty(123, "KEYSTOREPASSWORD", "foo123");

4. Reload configuration
adminws.reloadConfiguration(123);
---

Best regards,
Markus

On 2014-01-06 22:28, Cristian Altamirano wrote:
> Hi Markus.
> This works fine for me.
> I have verified the signature using
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/Validate.java
>
> Another question.
>
> How can I create a worker from adminws?
>
> Do you have some sample code that you can show me?
>
> I can create it using the settings that come with the examples by running the
> command
>
> ./signserver setproperties file_configuration.properties
>
> Regards.
>
> On Fri, Dec 27, 2013 at 4:47 AM, Markus Kilås <ma...@pr...> wrote:
>
> Hi Cristian,
>
> Including the KeyValue tag is not currently supported. Let us know
> if you are interested in this feature.
>
> If you want to develop it yourself we would be happy to receive a patch.
>
> What I think you could do (not tested) is to in XMLSigner.java use
> something like:
> ----
> KeyInfoFactory kif = fac.getKeyInfoFactory();
> X509Data x509d = kif.newX509Data(x509CertChain);
> List<XMLStructure> kviItems = new LinkedList<XMLStructure>();
> kviItems.add(x509d);
> // JSR 105's newKeyValue(PublicKey) returns a KeyValue (there is no RSAKeyValue type)
> KeyValue keyValue = kif.newKeyValue(publicKey);
> kviItems.add(keyValue);
> ----
>
> Best regards,
>
> Markus
>
> PrimeKey Solutions offers a commercial EJBCA & SignServer support
> subscription and training. Please see www.primekey.se or contact
> in...@pr... for more information.
> http://www.primekey.se/Services/Support/
> http://www.primekey.se/Services/Training/
>
> On 2013-12-23 14:42, Cristian Altamirano wrote:
>> Markus,
>> This function is rarely used. However there is a state
>> agency that uses it. I have another question.
>> When I use xmlsigner I need the TAG <Signature
>> xmlns="http://www.w3.org/2000/09/xmldsig#"> to return the TAG <KeyValue>.
>> >> For Example: >> >> <Signature >> xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod >> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference >> URI=""><Transforms><Transform >> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>itzC/c4YAzqfJN9PNUmqTMiI8Xo=</DigestValue></Reference></SignedInfo><SignatureValue>L0jE/ia5qxCydsFszdbdWiJoJDmn38htrvZJnFhb/KUQn6ReVDM+FNTa3L6pE0EqC9fOXOdT01lu >> vqDwubmjRtyPZG7y2jauqFOUFN1RJIq8WZKeI7JUqK9yOXCo10WbmXDWY8ePIXXPh9sV3sgcusue >> FxgOFBGq/3PtQT73qWCE5fkkOKB7v7/UB6EJhEQz6Xh5ttIehYDLWbzBYZhgNdSDdhkvSAPXVUpt >> /hiJ+BRRMBtxM6IWb59oshDOSDi3GgvnjruG3C1rOZgYh8+WGTVI77Uf+At+TtxfUOkQpDGEuCmv >> ZR3CgOvftwZkc+zSSsTIw7V5YlkxQhnJEBWOsg==</SignatureValue><KeyInfo>*<KeyValue><RSAKeyValue><Modulus>z+jlSLP5ZTDFgV25Kcq6xfb30GKssWhn1MpfQUgZvXUWWuC91p6PXLl5Um8Nj6lc/EV2cwVdHAbW >> we9z3spVk7g3WNt6gw6khwZmj/tbJZ+iLKYNdCAoQi9I6kQFSh7Ted0GjNBBng3AHGyWXjnZ/sYX >> wBNDpgd7Vf0H9j1icdlNX7rtjpBXi+jbnTg1dndbzWvmSnA70SJx3/BN5CgBNpZzK9RhYJ0CpngQ >> gNcyJdAevKk8flpeAhDiBqY7a400yE4vHKgdFt/8dtBsNajBngpSsCjpvQZ91hQWewmeTTr9dCnh >> 9r92ZwDcNnoxC/mYjA9i61rLWPRei9OwZ+Rxhw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>*<X509Data><X509Certificate>MIIGXTCCBUWgAwIBAgIQaP7ZrIUusx5x3hw0yfiX4zANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UE >> BhMCQ0wxFDASBgNVBAoTC0UtU2lnbiBTLkEuMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3 >> b3JrMUEwPwYDVQQDEzhFLVNpZ24gU0MgQ2xhc3MgMiBDb25zdW1lciBJbmRpdmlkdWFsIFN1YnNj >> cmliZXIgQ0EgLSBHMjEfMB0GCSqGSIb3DQEJARYQZS1zaWduQGUtc2lnbi5jbDAeFw0xMzEyMjAw >> MDAwMDBaFw0xNDEyMjAyMzU5NTlaMIIBJTEUMBIGA1UEChMLRS1TaWduIFMuQS4xLTArBgNVBAsT >> JFRlcm1pbm9zIGRlIHVzbyBlbiB3d3cuZS1zaWduLmNsL3JwYTElMCMGA1UECxMcQXV0aGVudGlj >> YXRlZCBieSBFLVNpZ24gUy5BLjEnMCUGA1UECxMeTWVtYmVyLCBTeW1hbnRlYyBUcnVzdCBOZXR3 >> 
b3JrMRswGQYDVQQLExJEaWdpdGFsIElEIENsYXNzIDIxGTAXBgNVBAsUEFJVVCAtIDEzODQ1Mjgw >> LTgxLTArBgNVBAMMJENyaXN0aWFuIEFsZWphbmRybyBBbHRhbWlyYW5vIExMYW5vczEnMCUGCSqG >> SIb3DQEJARYYY2FsdGFtaXJhbm9AZXNpZ24tbGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A >> MIIBCgKCAQEAz+jlSLP5ZTDFgV25Kcq6xfb30GKssWhn1MpfQUgZvXUWWuC91p6PXLl5Um8Nj6lc >> /EV2cwVdHAbWwe9z3spVk7g3WNt6gw6khwZmj/tbJZ+iLKYNdCAoQi9I6kQFSh7Ted0GjNBBng3A >> HGyWXjnZ/sYXwBNDpgd7Vf0H9j1icdlNX7rtjpBXi+jbnTg1dndbzWvmSnA70SJx3/BN5CgBNpZz >> K9RhYJ0CpngQgNcyJdAevKk8flpeAhDiBqY7a400yE4vHKgdFt/8dtBsNajBngpSsCjpvQZ91hQW >> ewmeTTr9dCnh9r92ZwDcNnoxC/mYjA9i61rLWPRei9OwZ+RxhwIDAQABo4ICATCCAf0wIwYDVR0R >> BBwwGqAYBggrBgEEAcEBAaAMFgoxMzg0NTI4MC04MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgME8G >> A1UdHwRIMEYwRKBCoECGPmh0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29tL0VTaWduU0FDU0ND >> bGFzczJHMi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaAFNvPd2JYCzg2JS0a0mrEVAGybkwOMB0G >> A1UdDgQWBBS+9VwTBT8X7iyiTi+YarFB/SQLATA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGG >> H2h0dHA6Ly9vbnNpdGUtb2NzcC52ZXJpc2lnbi5jb20wgZgGA1UdIASBkDCBjTCBigYLYIZIAYb4 >> RQEHFwIwezAxBggrBgEFBQcCARYlaHR0cHM6Ly93d3cuZS1zaWduLmNsL3JlcG9zaXRvcmlvLmh0 >> bTBGBggrBgEFBQcCAjA6GjhDZXJ0aWZpY2FkbyBwYXJhIHVzbyBUcmlidXRhcmlvLCBDb21lcmNp >> bywgUGFnb3MgeSBPdHJvczARBglghkgBhvhCAQEEBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIG >> CCsGAQUFBwMEMCMGA1UdEgQcMBqgGAYIKwYBBAHBAQKgDBYKOTk1NTE3NDAtSzANBgkqhkiG9w0B >> AQUFAAOCAQEAvet0Rwq6W4zzLPYsT6rbpnx/lUAKLmBAJhQKK2zH1QSPM68FkVMe9+XSV3y6KFt9 >> PVRdYq/M2b2QZ//YHHFEoLeU6gcTTNgL6oVo+PQqUWYtrsU+H023ci9TA7F3EejJPRIRrRxMMN+a >> Dh9Zqu0qTCtQQ00sWUfjm1xL0UxWsRwYLnjDdwJlxwVdQ4pzN2yy/MqkNs6T6xVnMktfQmH1mgc7 >> gIHBhZk3oqFe/auzLvjQ/tdaGrnVfCulS7+SUXO0xzIjrWwZiefJgJQ3xj3KqmHJvVWovbMHpfYQ >> 6qVSq1qqhKgeQEydPJiK7d+DQ0V1eJ6b2ZNd8CALDSA3UjT4hA==</X509Certificate></X509Data></KeyInfo></Signature> >> >> >> If I use signserver (xmlsigner configuration) the TAG signature >> return this: >> >> <Signature >> xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod >> 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference >> URI=""><Transforms><Transform >> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>itzC/c4YAzqfJN9PNUmqTMiI8Xo=</DigestValue></Reference></SignedInfo><SignatureValue>mcI/lJbd/mq36HU/RM8UQOceJmVwVSzEqkIezJOMXmPjM3OdIKOD7IDkY5B+xcte5r77eG6OOREt >> DV1bf8UxWkdToUR9XNxswOhPFDRwmpavVLivY0B41d0Rbq8Ee3HyotxPJeiS7ZX1E0A7xobot/cN >> qA/EbnZQDisiEsugfrI+pU2uTBNRaUgETC5+ODs7fjuGvo6iKBp7vU8ijDR2HCLYtzhx2fczMKjE >> OyLiK2MehGWWe4gyOi2jssFKEGSVCRToG2lU4taJo2AUKzN3AXJBKcL53VtbUn/IgeyWWt6IwYAn >> oveZ7KcWpUp2x2Lw4MhDmfLgf1Wb14WDgUDVBg==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIGXTCCBUWgAwIBAgIQaP7ZrIUusx5x3hw0yfiX4zANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UE >> BhMCQ0wxFDASBgNVBAoTC0UtU2lnbiBTLkEuMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3 >> b3JrMUEwPwYDVQQDEzhFLVNpZ24gU0MgQ2xhc3MgMiBDb25zdW1lciBJbmRpdmlkdWFsIFN1YnNj >> cmliZXIgQ0EgLSBHMjEfMB0GCSqGSIb3DQEJARYQZS1zaWduQGUtc2lnbi5jbDAeFw0xMzEyMjAw >> MDAwMDBaFw0xNDEyMjAyMzU5NTlaMIIBJTEUMBIGA1UEChMLRS1TaWduIFMuQS4xLTArBgNVBAsT >> JFRlcm1pbm9zIGRlIHVzbyBlbiB3d3cuZS1zaWduLmNsL3JwYTElMCMGA1UECxMcQXV0aGVudGlj >> YXRlZCBieSBFLVNpZ24gUy5BLjEnMCUGA1UECxMeTWVtYmVyLCBTeW1hbnRlYyBUcnVzdCBOZXR3 >> b3JrMRswGQYDVQQLExJEaWdpdGFsIElEIENsYXNzIDIxGTAXBgNVBAsUEFJVVCAtIDEzODQ1Mjgw >> LTgxLTArBgNVBAMMJENyaXN0aWFuIEFsZWphbmRybyBBbHRhbWlyYW5vIExMYW5vczEnMCUGCSqG >> SIb3DQEJARYYY2FsdGFtaXJhbm9AZXNpZ24tbGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A >> MIIBCgKCAQEAz+jlSLP5ZTDFgV25Kcq6xfb30GKssWhn1MpfQUgZvXUWWuC91p6PXLl5Um8Nj6lc >> /EV2cwVdHAbWwe9z3spVk7g3WNt6gw6khwZmj/tbJZ+iLKYNdCAoQi9I6kQFSh7Ted0GjNBBng3A >> HGyWXjnZ/sYXwBNDpgd7Vf0H9j1icdlNX7rtjpBXi+jbnTg1dndbzWvmSnA70SJx3/BN5CgBNpZz >> K9RhYJ0CpngQgNcyJdAevKk8flpeAhDiBqY7a400yE4vHKgdFt/8dtBsNajBngpSsCjpvQZ91hQW >> 
ewmeTTr9dCnh9r92ZwDcNnoxC/mYjA9i61rLWPRei9OwZ+RxhwIDAQABo4ICATCCAf0wIwYDVR0R >> BBwwGqAYBggrBgEEAcEBAaAMFgoxMzg0NTI4MC04MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgME8G >> A1UdHwRIMEYwRKBCoECGPmh0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29tL0VTaWduU0FDU0ND >> bGFzczJHMi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaAFNvPd2JYCzg2JS0a0mrEVAGybkwOMB0G >> A1UdDgQWBBS+9VwTBT8X7iyiTi+YarFB/SQLATA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGG >> H2h0dHA6Ly9vbnNpdGUtb2NzcC52ZXJpc2lnbi5jb20wgZgGA1UdIASBkDCBjTCBigYLYIZIAYb4 >> RQEHFwIwezAxBggrBgEFBQcCARYlaHR0cHM6Ly93d3cuZS1zaWduLmNsL3JlcG9zaXRvcmlvLmh0 >> bTBGBggrBgEFBQcCAjA6GjhDZXJ0aWZpY2FkbyBwYXJhIHVzbyBUcmlidXRhcmlvLCBDb21lcmNp >> bywgUGFnb3MgeSBPdHJvczARBglghkgBhvhCAQEEBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIG >> CCsGAQUFBwMEMCMGA1UdEgQcMBqgGAYIKwYBBAHBAQKgDBYKOTk1NTE3NDAtSzANBgkqhkiG9w0B >> AQUFAAOCAQEAvet0Rwq6W4zzLPYsT6rbpnx/lUAKLmBAJhQKK2zH1QSPM68FkVMe9+XSV3y6KFt9 >> PVRdYq/M2b2QZ//YHHFEoLeU6gcTTNgL6oVo+PQqUWYtrsU+H023ci9TA7F3EejJPRIRrRxMMN+a >> Dh9Zqu0qTCtQQ00sWUfjm1xL0UxWsRwYLnjDdwJlxwVdQ4pzN2yy/MqkNs6T6xVnMktfQmH1mgc7 >> gIHBhZk3oqFe/auzLvjQ/tdaGrnVfCulS7+SUXO0xzIjrWwZiefJgJQ3xj3KqmHJvVWovbMHpfYQ >> 6qVSq1qqhKgeQEydPJiK7d+DQ0V1eJ6b2ZNd8CALDSA3UjT4hA==</X509Certificate><X509Certificate>MIIGTTCCBTWgAwIBAgIQKbLznlYRzv8kSNGZCYBXdTANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE >> BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO >> ZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVk >> IHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAyIFB1YmxpYyBQcmltYXJ5IENlcnRp >> ZmljYXRpb24gQXV0aG9yaXR5IC0gRzMwHhcNMTIxMTE1MDAwMDAwWhcNMTcxMTE0MjM1OTU5WjCB >> qDELMAkGA1UEBhMCQ0wxFDASBgNVBAoTC0UtU2lnbiBTLkEuMR8wHQYDVQQLExZTeW1hbnRlYyBU >> cnVzdCBOZXR3b3JrMUEwPwYDVQQDEzhFLVNpZ24gU0MgQ2xhc3MgMiBDb25zdW1lciBJbmRpdmlk >> dWFsIFN1YnNjcmliZXIgQ0EgLSBHMjEfMB0GCSqGSIb3DQEJARYQZS1zaWduQGUtc2lnbi5jbDCC >> ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+9QdJcqEZ+rG7t+iW8F9chMQ0N+GkWyYet >> 
ivwzy/Kvh3ngQVe8UOrOM1Zx5hDJxtxk4GO2kXbpXoYlkak6jOpnlvGtf92Atz7CJ4w9WiuebvcX >> EcczTY7Ne+TZK+TnXyLtcw77vl4ZKTfblO1l2euHzRp6bXYmJ5948watkvshtRlvrxeaH48jHN0r >> 0u2F9hQKgRXLWwOISQYakT+BgIyHdf1JJvAWwnystqMI4RHfSLgPRRwERfSB2gWwS/BKZdCp479D >> s4ZAtxt1zgQKyGQYYNoRkVP48NVCwia04JSVCLHWrodKvxHRp/Uq4X/Zyo1dKQfc4iEjRe1GuiA3 >> X7sCAwEAAaOCAk0wggJJMDgGCCsGAQUFBwEBBCwwKjAoBggrBgEFBQcwAYYcaHR0cDovL3BraS1v >> Y3NwLnZlcmlzaWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHcGA1UdIARwMG4wbAYLYIZIAYb4 >> RQEHFwIwXTAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZS1zaWduLmNsL3JlcG9zaXRvcmlvLmh0 >> bWwwJwYIKwYBBQUHAgIwGxoZaHR0cHM6Ly93d3cuZS1zaWduLmNsL3JwYTA0BgNVHR8ELTArMCmg >> J6AlhiNodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9wY2EyLWczLmNybDAOBgNVHQ8BAf8EBAMCAQYw >> KAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEEFmZmlsaWF0ZS0yMDQ4LTQwHQYDVR0OBBYEFNvPd2JY >> Czg2JS0a0mrEVAGybkwOMIHwBgNVHSMEgegwgeWhgdCkgc0wgcoxCzAJBgNVBAYTAlVTMRcwFQYD >> VQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazE6MDgG >> A1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTFF >> MEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1 >> dGhvcml0eSAtIEczghBhcMtJjF+YRSnnsKbZUFt6MA0GCSqGSIb3DQEBBQUAA4IBAQA8PGoxQFzV >> 0Cmct9QP6Px6oFSAxJ9dt47CtMO+qZzu367Oo+ij+6iIMHWs9+wHjJM9VoOe6S8RUwywcVYEqsdI >> gProsYFJmsgGVPLihxFfIVI+OVKexIAZrfRqR4Blf75D4C0eFdLU+6K/iKY8ag9874kKhhOuRMHy >> IsUz+vQYn3GmvsWBXSx5BG4uzOXwjPgPe4dTvpIHen/1tKzip1Ti3cZFgLmiIy+CkvBLsKDQepRj >> W6PPv5nRYhQGgHheShH6UdRx9cEhx3xkY1ucWjFq3dawIaMcVGtaicgHXWsoyX5vmnjARd2H3ie6 >> zNcqlO6Z5cjvCpJyqSq0Kw6HccLw</X509Certificate><X509Certificate>MIIEGTCCAwECEGFwy0mMX5hFKeewptlQW3owDQYJKoZIhvcNAQEFBQAwgcoxCzAJBgNVBAYTAlVT >> MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y >> azE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ug >> b25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0 >> aW9uIEF1dGhvcml0eSAtIEczMB4XDTk5MTAwMTAwMDAwMFoXDTM2MDcxNjIzNTk1OVowgcoxCzAJ >> 
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1
>> c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9y
>> aXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBD
>> ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
>> AQEArwoNwtUs22e5LeWUJ92lvuCwTY+zYVY81nzD9M0+hsuiiOLh2KRpxbXiv8GmR1BeRjmL1Za6
>> tW8UvxDOJxOeBUebMXoT2B/Z0wI3i60sR/COgQanDTAM6/c8DyAd3HJG7qUCyFvDyVZpTMUYwZF7
>> C9UTAJu878NIPkZgIIUq1ZC2zYugzDLdt/1AVbJQHFauzI13TccgTacxdu9okoqQHgiBVrKtaaNS
>> 0MscxCM9H5n+TOgWY47GCI72MfbS+uV23bUckqNJzc0BzWjNqWm6o+sdDZykIKbBoMXRRkwXbdKs
>> Zj+WjOCE1Db/IlnF+RFgqF8EffIa9iVCYQ/ESrg+iQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQA0
>> JhU8wI1NQ0kdvekhktdmnLfexbjQ5F1fdiLAJvmEOjr5jLX77GDx6M4EsMjdpwOPMPOY36TmpDHf
>> 0xwLRtxyID+u7gU8pDM/CzmscHhzS5kr3zDCVLCoO1Wh/hYozUK9dG6A2ydEp85EXdQbkJgNHkKU
>> sQAsBNB0owIFImNjzYO1+8FtYmtpdf1dcEG59b98377BMnMiIYtYgXsVkXq642RIsH/7NiXaldDx
>> JBQX3RiAa0YjOVT1jmIJBB2UkKab5iXiQkWquJCtvgiPqQtCGJTPcjnhsUPgKM+351psE2tJs//j
>> GHyJizNdrDPXp/naOlXJWBD5qu9ats9LS98q</X509Certificate></X509Data></KeyInfo></Signature>
>>
>> Regards.
>>
>> Cristian Altamirano

-- 
Kind regards,
Markus Kilås
PrimeKey Solutions AB
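The four AdminWS steps in the message above, put together as a runnable client. This is an added example, not code from SignServer or from anyone in the thread. It assumes stub classes generated with wsimport from the AdminWS WSDL (the package org.signserver.adminws, the AdminWSService class, its getAdminWSPort() method and the service QName are what wsimport produced in my setup; check them against your WSDL), a SignServer reachable as signserver.example on 8443, an administrator PKCS#12 at /opt/signserver/p12/admin.p12 whose certificate is listed in the WSADMINS global property, and a truststore holding the CA of the server certificate. Two things the quick list leaves implicit: the AdminWS endpoint is only served on the client-certificate TLS port, so the client has to present an administrator certificate; and AUTHTYPE=NOAUTH together with a KEYSTOREPASSWORD kept in the worker configuration is lab-grade, since the first hands signatures to anyone who can reach the worker and the second leaves the token password in the configuration database.

```java
import java.net.URL;
import javax.xml.namespace.QName;
// Stubs generated with:
//   wsimport -p org.signserver.adminws https://signserver.example:8443/signserver/AdminWSService/AdminWS?wsdl
// (class and port names are an assumption: they are what wsimport produced for me)
import org.signserver.adminws.AdminWS;
import org.signserver.adminws.AdminWSService;

public class CreateXmlSignerWorker {

    static final int WORKER_ID = 123;                                      // same id as in the list message
    static final String SIGNSERVER = "https://signserver.example:8443";    // assumed host

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CreateXmlSignerWorker <admin-p12-password> <truststore-password> <signer-p12-password>");
            System.exit(2);
        }
        // AdminWS is only reachable on the client-certificate TLS port. The administrator's
        // certificate must be listed in the WSADMINS global property (ALLOWANYWSADMIN is for labs only).
        System.setProperty("javax.net.ssl.keyStore", "/opt/signserver/p12/admin.p12");          // assumed path
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStorePassword", args[0]);
        System.setProperty("javax.net.ssl.trustStore", "/opt/signserver/p12/truststore.jks");  // assumed path
        System.setProperty("javax.net.ssl.trustStorePassword", args[1]);

        URL wsdl = new URL(SIGNSERVER + "/signserver/AdminWSService/AdminWS?wsdl");
        AdminWS adminws = new AdminWSService(wsdl,
                new QName("http://adminws.signserver.org/", "AdminWSService")).getAdminWSPort();

        // 1. Worker implementation. The properties file spells this GLOB.WORKERGENID1.CLASSPATH;
        //    over the WS the scope is "GLOB." and the key names the concrete worker id.
        adminws.setGlobalProperty("GLOB.", "WORKER" + WORKER_ID + ".CLASSPATH",
                "org.signserver.module.xmlsigner.XMLSigner");
        // 2. Crypto token implementation
        adminws.setGlobalProperty("GLOB.", "WORKER" + WORKER_ID + ".SIGNERTOKEN.CLASSPATH",
                "org.signserver.server.cryptotokens.P12CryptoToken");
        // 3. Worker properties
        adminws.setWorkerProperty(WORKER_ID, "NAME", "XMLSigner");
        // NOAUTH: every client that can reach the worker gets signatures. Use CLIENTCERT outside a lab.
        adminws.setWorkerProperty(WORKER_ID, "AUTHTYPE", "NOAUTH");
        adminws.setWorkerProperty(WORKER_ID, "KEYSTOREPATH", "/opt/signserver/p12/signer2.p12");
        // Storing the password lets the token activate by itself, at the cost of keeping the secret
        // in the worker configuration (and therefore in the database and in getconfig output).
        adminws.setWorkerProperty(WORKER_ID, "KEYSTOREPASSWORD", args[2]);
        // 4. Nothing above takes effect until the worker re-reads its configuration
        adminws.reloadConfiguration(WORKER_ID);
    }
}
```

The three passwords are taken from the command line so that none of them ends up in source control; after the reload, `bin/signserver getstatus brief 123` is the quickest way to confirm that the token activated and the worker came up.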
From: Markus K. <ejb...@pr...> - 2013-12-16 07:01:12
Dear Cristian,

Currently the SignServer XML signer has no support for specifying tags
to be excluded. If the underlying library supports XPath expressions
this should be quite easy to develop.
What would be the use case for this feature?

Cheers,
Markus

PrimeKey Solutions offers a commercial EJBCA & SignServer support
subscription and training. Please see www.primekey.se or contact
in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
From: Cristian A. <cal...@gm...> - 2013-12-13 18:49:14
Hi Dear.
My name is Cristian Altamirano and I am testing
signserver using an xml file.
I wonder if signserver can make a digital signature without some xml tags.
For example I want to know if the signature can be something
like:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <ds:Reference URI="#183">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
          <ds:XPath xmlns:ctr="http://www.abcdef.cl/2005/05/CGRDoc"
                    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">not(ancestor-or-self::ctr:Folio) and
            not(ancestor-or-self::ctr:Fecha) and
            not(ancestor-or-self::ctr:Lugar)</ds:XPath>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <ds:DigestValue>ErGgQ8Ke0hF2C1SSi12Abssi0Kg=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#a4dbe2a7-0aac-4391-8773-62b1d519ada82">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <ds:DigestValue>AD6lnb/DQl0tTgF+njpq+qUk9Zc=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>CwEOfSDVDFcXlKkhjNm/lqIbHfmsXwxb+RoNndGR0zi+YrAGMchqE+tXmqxyEB4IOp9gciw9NecmSCXFGD13NmEpLJynt6BVcGqe3BuC1txKwOZYQNlN4yLalVUrmfge+wrd0ebfFEDoJPq+fA13Yvo16v7Vj2dvdYjffcUK4jc=</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509IssuerSerial>
        <ds:X509IssuerName>CN=TEST, O=TEST, OU=TEST, E=...@E-..., C=CL</ds:X509IssuerName>
        <ds:X509SerialNumber>140585008369263210178025</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
      <ds:X509SubjectName>C=CL, E=...@TE..., OU=TEST, O=TEST, CN=TEST</ds:X509SubjectName>
      <ds:X509Certificate>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</ds:X509Certificate>
    </ds:X509Data>
    <ds:KeyValue>
      <ds:RSAKeyValue>
        <ds:Modulus>tK9b99tiKwENVoQJ5AxO+rhXJPa6sKWPpYbDA9E5r7qIwgvLea0/hprym2CNP6XsM14px5kEgyj7wrZisxNFLUr/w1EFr9BNEDak7Cn1RUqvmDTx/jA7KOifJs806HTDfv3vIKH0Df1hwnkpkZIwWLKl04ucnbkrFjE2YymRZdM=</ds:Modulus>
        <ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue>
    </ds:KeyValue>
  </ds:KeyInfo>
</ds:Signature>
--
Regards.
Cristian Altamirano
|
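The Reference posted above combines an enveloped-signature transform with an XPath filter, so the digest covers only the nodes the filter keeps: Folio, Fecha and Lugar, and anything inside them, can be changed after signing without invalidating the signature. That is acceptable only if nobody who verifies the document relies on those elements, so a verifier has to look at what the transforms leave in scope, not just at whether the signature checks out. The Python below is an added example, not SignServer code and not taken from the message above. It applies that filter to a constructed document (the ctr: namespace and the three excluded element names come from the post; Documento, Cuerpo, the Id value and the text content are made up) and digests the canonical remainder with SHA-1, as the posted DigestMethod does. It uses the standard library's C14N 2.0 canonicalizer rather than the inclusive Canonical XML 1.0 a real verifier applies to a Reference that names no canonicalization transform, so the digest value itself is illustrative; what the example shows is which edits the digest detects and which it does not.

```python
"""What an XMLDSig XPath transform leaves inside the signed node-set.

Added example; not SignServer code and not from the mailing-list post.
It models the first ds:Reference posted in the thread: an enveloped-
signature transform followed by the XPath filter
    not(ancestor-or-self::ctr:Folio) and not(ancestor-or-self::ctr:Fecha)
    and not(ancestor-or-self::ctr:Lugar)
so Folio, Fecha and Lugar (with their subtrees) leave the node-set before
it is canonicalized and digested with SHA-1 (the posted DigestMethod).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

CTR_NS = "http://www.abcdef.cl/2005/05/CGRDoc"   # namespace from the post
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ctr", CTR_NS)              # keep the ctr: prefix on output

# Elements removed by the XPath filter, plus the ds:Signature element
# removed by the enveloped-signature transform.
DROPPED = {"{%s}%s" % (CTR_NS, n) for n in ("Folio", "Fecha", "Lugar")}
DROPPED.add("{%s}Signature" % DS_NS)

# Constructed sample document (element names other than Folio/Fecha/Lugar,
# the Id and all text values are made up for this example).
SAMPLE = """<ctr:Documento xmlns:ctr="http://www.abcdef.cl/2005/05/CGRDoc" Id="183">
  <ctr:Folio>0001</ctr:Folio>
  <ctr:Fecha>2013-12-13</ctr:Fecha>
  <ctr:Lugar>Santiago</ctr:Lugar>
  <ctr:Cuerpo>Texto resuelto</ctr:Cuerpo>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
</ctr:Documento>"""


def _remove_keeping_tail(parent, idx):
    """Remove parent[idx] but keep the text that followed it: that text
    node belongs to the parent, so the XPath filter does not drop it."""
    child = parent[idx]
    tail = child.tail or ""
    if idx == 0:
        parent.text = (parent.text or "") + tail
    else:
        parent[idx - 1].tail = (parent[idx - 1].tail or "") + tail
    parent.remove(child)


def _filter(elem):
    """Apply the filter: a dropped element takes its whole subtree with it
    (that is what ancestor-or-self means); every other element is visited."""
    for idx in range(len(elem) - 1, -1, -1):
        if elem[idx].tag in DROPPED:
            _remove_keeping_tail(elem, idx)
        else:
            _filter(elem[idx])
    return elem


def covered_elements(xml_text):
    """Local names of the elements that remain in the signed node-set."""
    root = _filter(ET.fromstring(xml_text))
    return [e.tag.split("}", 1)[1] for e in root.iter()]


def covered_digest(xml_text):
    """Base64 SHA-1 over the canonical form of the filtered node-set.
    ET.canonicalize is C14N 2.0, so the value is illustrative only."""
    root = _filter(ET.fromstring(xml_text))
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode("ascii")


if __name__ == "__main__":
    base = covered_digest(SAMPLE)
    print(covered_elements(SAMPLE))
    # Editing an excluded element leaves the signed digest untouched ...
    print(base == covered_digest(SAMPLE.replace("0001", "9999")))
    # ... while editing a covered element changes it.
    print(base == covered_digest(SAMPLE.replace("Texto resuelto", "Texto alterado")))
```

Run it and the first comparison prints True and the second False: the Folio value is outside the signed node-set, the Cuerpo text is inside it. On the verification side this is the check worth automating, namely listing which elements the Reference transforms exclude and confirming none of them carries data the relying party acts on. The posted SignedInfo also uses rsa-sha1 and sha1 digests, both legacy algorithms today, so a verification policy should treat algorithm choice and transform scope as two separate acceptance criteria.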
|
From: Markus K. <ejb...@pr...> - 2013-11-05 14:37:03
|
Hi Antoine,

After activating the worker (or directly if you have specified the password in the configuration), make sure you issue a "reload WORKERID" so the key usage counter gets initialized. Notice that this has to be done after the worker is activated as the key-pair needs to be accessed as part of the activation. After the reload the token status might be offline, in which case you will have to activate it again before both statuses change to active.

Best regards,
Markus

On 2013-10-17 18:41, Antoine Louiset wrote:
> Hi everyone,
>
> I have an error for a pdf worker. The cryptotoken is offline, the
> error is : key usage limit exceeded or not initialized
>
> In my configuration of the worker, the value of KEYUSAGELIMIT is -1.
>
> Any ideas ?
>
> Thanks a lot !
>
> --
> Antoine Louiset

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/ |
|
From: Marcus L. <mar...@pr...> - 2013-10-25 05:56:44
|
Thu 2013-10-24 at 17:31 +0200, Antoine Louiset wrote:
> Hi !
>
> I've got a problem with PKCS11 configuration.
>
> When I use "getstatus brief all", the worker is offline, the
> cryptotoken is active but I've got an error : "No signer certificate
> available".

Hi!

How did you configure the signer? Did you use one of the sample configurations and modify it to use the PKCS11CryptoToken?

If you run the command

bin/signserver getconfig <id of worker>

how do the values for SIGNERCERT and SIGNERCERTCHAIN look?

Also, did you use the uploadsignercertificate and uploadsignercertificatechain CLI commands to upload the signer certificate and certificate chain signed by the CA for the signer key from the HSM?

If you look at a document, e.g. an XML document if it's an XML signer, and extract the certificate from that, does it match the expected one?

Regards,
Marcus Lundblad

> The defaultkey is set and it exists because if I set one which is not
> in the HSM, it does not work.
>
> Something strange : it works when I sign a document (I change the
> alias during the request so this is not the defaultkey which is used).
>
> I do not have an Exception when I sign whereas the signer seems to be
> offline. I have only one worker so it could not be another one which
> signed.
>
> Any ideas ? If the worker is offline, could it be a problem for
> signserver ?
>
> Thanks a lot !! Your answer is precious for me.
>
> --
> Antoine Louiset |
|
From: Antoine L. <ant...@yo...> - 2013-10-24 15:56:28
|
Hi !

I've got a problem with PKCS11 configuration.

When I use "getstatus brief all", the worker is offline, the cryptotoken is active but I've got an error : "No signer certificate available".

The defaultkey is set and it exists because if I set one which is not in the HSM, it does not work.

Something strange : it works when I sign a document (I change the alias during the request so this is not the defaultkey which is used).

I do not have an Exception when I sign whereas the signer seems to be offline. I have only one worker so it could not be another one which signed.

Any ideas ? If the worker is offline, could it be a problem for signserver ?

Thanks a lot !! Your answer is precious for me.

--
Antoine Louiset |
|
From: Marcus L. <mar...@pr...> - 2013-10-21 13:00:23
|
Mon 2013-10-21 at 10:05 +0200, Antoine Louiset wrote:
> Hi,
>
> Yes I'm using mysql and I wonder if the problem could be that.
>
> Thanks for your answer !
>

I tried setting up a test environment with a test PDF signer using a JKSCryptoToken. I'm running this on MySQL 5.5.33 (the version in Debian testing). It works correctly for me both using the default (no KEYUSAGELIMIT specified, defaults to -1), setting -1 implicitly and also using a limit of 100.

Could you generate server log output when reloading the signer and when attempting to sign a document? Maybe I could get some hint there.

Regards,
Marcus |
|
From: Antoine L. <ant...@yo...> - 2013-10-21 10:31:19
|
Hi,

Yes I'm using mysql and I wonder if the problem could be that.

Thanks for your answer !

On Mon, 21 Oct 2013 08:41:16 +0200, Marcus Lundblad <mar...@pr...> wrote:
> I think I'll need to do some further investigations and try to reproduce
> the problem using a worker configured using a JKSCryptoToken.
>
> Is this using MySQL by the way?
>
> Regards,
> Marcus

--
Antoine Louiset |
|
From: Marcus L. <mar...@pr...> - 2013-10-21 06:41:28
|
Sat 2013-10-19 at 01:28 +0200, Antoine Louiset wrote:
> Hi Marcus,
>
> Thanks for your answer !
>
> Result of keytool command :
>
> Type Keystore : JKS
> Fournisseur Keystore : SUN
>
> Votre Keystore contient 3 entrée(s)
>
> 6, 11 oct. 2013, PrivateKeyEntry,
> Empreinte du certificat (MD5) : 3C:73:E1:46:8E:FC:B2:84:EE:58:DE:CB:D2:30:26:29
> 7ofi6mgp6dc6vaibcjyha3zrafb5my6c0qpftnnn, 19 oct. 2013, PrivateKeyEntry,
> Empreinte du certificat (MD5) : 11:0C:B2:5C:E1:77:76:77:17:F9:15:8A:D8:B5:89:82
> 7, 11 oct. 2013, PrivateKeyEntry,
> Empreinte du certificat (MD5) : 26:D5:6B:A1:FF:DD:A6:1E:7F:99:F4:2F:64:2C:03:4B
>
> The result of "select * from KeyUsageCounter;"
> +------------------------------------------------------------------+---------+
> | keyHash                                                          | counter |
> +------------------------------------------------------------------+---------+
> | 9f8966010dc45a88538b54413f94af2ff906172e6b7439360e3d1f3b363b8b7d |       0 |
> +------------------------------------------------------------------+---------+
>
> I tried to launch activatecryptotoken but the worker was still offline.
>
> I added DISABLEKEYUSAGECOUNTER=true and now it works.
>
> It will be better to use the counter, have you got any ideas ?
>

I think I'll need to do some further investigations and try to reproduce the problem using a worker configured using a JKSCryptoToken.

Is this using MySQL by the way?

Regards,
Marcus

> Thanks a lot !!
>
> Antoine |
|
From: Antoine L. <ant...@yo...> - 2013-10-18 23:46:16
|
Hi Marcus,

Thanks for your answer !

Result of keytool command :

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 3 entrée(s)

6, 11 oct. 2013, PrivateKeyEntry,
Empreinte du certificat (MD5) : 3C:73:E1:46:8E:FC:B2:84:EE:58:DE:CB:D2:30:26:29
7ofi6mgp6dc6vaibcjyha3zrafb5my6c0qpftnnn, 19 oct. 2013, PrivateKeyEntry,
Empreinte du certificat (MD5) : 11:0C:B2:5C:E1:77:76:77:17:F9:15:8A:D8:B5:89:82
7, 11 oct. 2013, PrivateKeyEntry,
Empreinte du certificat (MD5) : 26:D5:6B:A1:FF:DD:A6:1E:7F:99:F4:2F:64:2C:03:4B

The result of "select * from KeyUsageCounter;"
+------------------------------------------------------------------+---------+
| keyHash                                                          | counter |
+------------------------------------------------------------------+---------+
| 9f8966010dc45a88538b54413f94af2ff906172e6b7439360e3d1f3b363b8b7d |       0 |
+------------------------------------------------------------------+---------+

I tried to launch activatecryptotoken but the worker was still offline.

I added DISABLEKEYUSAGECOUNTER=true and now it works.

It will be better to use the counter, have you got any ideas ?

Thanks a lot !!

Antoine

On Fri, 18 Oct 2013 15:29:52 +0200, Marcus Lundblad <mar...@pr...> wrote:
> Fri 2013-10-18 at 09:31 +0200, Antoine Louiset wrote:
>> CHECKCERTPRIVATEKEYVALIDITY=false
>>
>> SIGNERCERTCHAIN=
>>
>> KEYSTOREPATH=/etc/certificates/ysKeystore.jks
>>
>> DEFAULTKEY=6
>
> How do the key aliases in the keystore look, if you use:
> keytool -list -keystore /etc/certificates/ysKeystore.jks
>
> You could also try to take a look at the content of the KeyUsageCounter
> table in the database, to see if there is a row corresponding to the
> fingerprint of the key in the keystore.
>
> Another thing that you could try is to set DISABLEKEYUSAGECOUNTER=true
> and (temporarily) remove the KEYUSAGELIMIT property (they can not both
> be defined simultaneously) to rule out that there could be something
> missing in the keystore, perhaps.
>
> Regards,
> Marcus Lundblad

--
Antoine Louiset |
|
From: Marcus L. <mar...@pr...> - 2013-10-18 13:30:02
|
Fri 2013-10-18 at 09:31 +0200, Antoine Louiset wrote:
> CHECKCERTPRIVATEKEYVALIDITY=false
>
> SIGNERCERTCHAIN=
>
> KEYSTOREPATH=/etc/certificates/ysKeystore.jks
>
> DEFAULTKEY=6

How do the key aliases in the keystore look, if you use:

keytool -list -keystore /etc/certificates/ysKeystore.jks

You could also try to take a look at the content of the KeyUsageCounter table in the database, to see if there is a row corresponding to the fingerprint of the key in the keystore.

Another thing that you could try is to set DISABLEKEYUSAGECOUNTER=true and (temporarily) remove the KEYUSAGELIMIT property (they can not both be defined simultaneously) to rule out that there could be something missing in the keystore, perhaps.

Regards,
Marcus Lundblad

> KEYUSAGELIMIT=-1
>
> REQUIRE_REQUEST_PROPERTIES=ALIAS,AUTHPARAM,DEMAND
>
> AUTHTYPE=org.signserver.server.YousignAuthorizer
>
> NAME=YousignPDFSigner
>
> SIGNERCERT=
>
> KEYSTOREPASSWORD=xxxx
>
> CLASSPATH=org.signserver.common.ProcessableConfig
>
> KEYSTORETYPE=JKS
>
> CHECKCERTVALIDITY=false
>
> LOCATION=France
>
> Active Authorized Clients are are (Cert DN, IssuerDN):
> INFO IMPLICITLYCA_Q not set, using default.
> INFO IMPLICITLYCA_A not set, using default.
> INFO IMPLICITLYCA_B not set, using default.
> INFO IMPLICITLYCA_G not set, using default.
> INFO IMPLICITLYCA_N not set, using default.
> The current configuration use the following signer certificate :
>
> Subject DN: -----------
> Serial number: -----------
> Issuer DN: -----------
> Valid from: 2013-10-11 12:55:46 CEST
> Valid until: 2015-10-11 12:55:46 CEST
>
> Thanks a lot !
>
> Antoine |
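The replies in this thread come down to reading "getstatus" output and picking one of a few next steps: activate the crypto token if it is offline; issue "reload WORKERID" after activation when the error is "Key usage limit exceeded or not initialized" (Markus' reply above, which notes the counter is initialised on reload); check SIGNERCERT and SIGNERCERTCHAIN with getconfig and upload them when the error is "No signer certificate available" (Marcus' PKCS11 reply); and never define DISABLEKEYUSAGECOUNTER together with KEYUSAGELIMIT (Marcus, above). The Python below is an added example, not SignServer code and not from any of the messages. It parses the layout of the "getstatus complete all" output Antoine posted and returns those steps per worker. The first sample status is copied from this thread (trimmed); the other three are constructed. The step names and the limit-reached check (a KEYUSAGELIMIT other than -1 with at least that many signings) are this example's own choices, not SignServer behaviour.

```python
"""Triage helper for "bin/signserver getstatus" output.

Added example: not SignServer code and not from the mailing-list messages.
It parses the output layout posted in this thread and maps the errors and
properties discussed here to the next step the replies suggest.
"""
import re

ERR_KEY_USAGE = "Key usage limit exceeded or not initialized"
ERR_NO_CERT = "No signer certificate available"

_WORKER_RE = re.compile(r"^Status of (\w+) with Id (\d+) is :$")
# Lines that end the "Active Properties" block of "getstatus complete".
_PROPS_END = ("Active Authorized Clients", "The current configuration use", "INFO ")


def parse_status(text):
    """One dict per worker: type, id, worker/token status, signings, errors, props."""
    workers, cur, mode = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _WORKER_RE.match(line)
        if m:
            cur = {"type": m.group(1), "id": int(m.group(2)), "worker": None,
                   "token": None, "signings": None, "errors": [], "props": {}}
            workers.append(cur)
            mode = None
            continue
        if cur is None or not line:
            continue  # server banner, global config, blank lines
        if line.startswith("Worker status :"):
            cur["worker"] = line.split(":", 1)[1].strip()
        elif line.startswith("Token status :"):
            cur["token"] = line.split(":", 1)[1].strip()
        elif line.startswith("Signings:"):
            cur["signings"] = int(line.split(":", 1)[1])
        elif line == "Errors:":
            mode = "errors"
        elif line == "Active Properties are :":
            mode = "props"
        elif line.startswith(_PROPS_END):
            mode = None
        elif mode == "errors":
            cur["errors"].append(line)
        elif mode == "props" and "=" in line:
            key, _, value = line.partition("=")
            cur["props"][key.strip()] = value.strip()
    return workers


def next_steps(worker):
    """Actions for one worker, in the order the thread suggests doing them."""
    wid, props, steps = worker["id"], worker["props"], []
    # Marcus: DISABLEKEYUSAGECOUNTER and KEYUSAGELIMIT cannot both be defined.
    if "DISABLEKEYUSAGECOUNTER" in props and "KEYUSAGELIMIT" in props:
        steps.append("fix-config")
    # Markus: the reload only helps once the token has been activated.
    if worker["token"] != "Active":
        steps.append("activatecryptotoken %d" % wid)
    # Markus: "reload WORKERID" initialises the key usage counter.
    if ERR_KEY_USAGE in worker["errors"]:
        steps.append("reload %d" % wid)
    # Marcus: inspect SIGNERCERT/SIGNERCERTCHAIN, then upload the signer cert (chain).
    if ERR_NO_CERT in worker["errors"]:
        steps.append("getconfig %d" % wid)
    # Example's own check: -1 means no limit (as in the thread), anything else is a ceiling.
    limit = int(props.get("KEYUSAGELIMIT", "-1"))
    if limit >= 0 and worker["signings"] is not None and worker["signings"] >= limit:
        steps.append("limit-reached")
    return steps


def triage(text):
    """Map worker id -> suggested steps for a whole getstatus dump."""
    return {w["id"]: next_steps(w) for w in parse_status(text)}


# Copied (trimmed) from the "getstatus complete all" output posted in this thread.
STATUS_JKS = """\
Current version of server is : SignServer 3.3.0alpha12
The Global Configuration of Properties are :
GLOB.WORKER1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.JKSCryptoToken
GLOB.WORKER1.CLASSPATH=org.signserver.module.pdfsigner.PDFSigner
The global configuration is in sync with the database.
Status of Signer with Id 1 is :
Worker status : Offline
Token status : Active
Signings: 0
Errors:
Key usage limit exceeded or not initialized
Active Properties are :
CHECKCERTPRIVATEKEYVALIDITY=false
SIGNERCERTCHAIN=
KEYSTOREPATH=/etc/certificates/ysKeystore.jks
DEFAULTKEY=6
KEYUSAGELIMIT=-1
NAME=YousignPDFSigner
SIGNERCERT=
KEYSTORETYPE=JKS
Active Authorized Clients are are (Cert DN, IssuerDN):
INFO IMPLICITLYCA_Q not set, using default.
The current configuration use the following signer certificate :
Subject DN: -----------
Valid from: 2013-10-11 12:55:46 CEST
"""

# Constructed: the PKCS11 symptom described later in the thread (brief layout).
STATUS_PKCS11 = """\
Current version of server is : SignServer 3.3.0alpha12
Status of Signer with Id 2 is :
Worker status : Offline
Token status : Active
Signings: 0
Errors:
No signer certificate available
"""

# Constructed: the counter error while the token is still not activated.
STATUS_TOKEN_OFFLINE = STATUS_PKCS11.replace("Id 2", "Id 1").replace(
    "Token status : Active", "Token status : Offline").replace(ERR_NO_CERT, ERR_KEY_USAGE)

# Constructed: both counter properties defined, which the thread says is not allowed.
STATUS_CONFLICT = """\
Status of Signer with Id 3 is :
Worker status : Active
Token status : Active
Signings: 5
Active Properties are :
DISABLEKEYUSAGECOUNTER=true
KEYUSAGELIMIT=100
NAME=ConflictSigner
"""

if __name__ == "__main__":
    for name, dump in (("jks", STATUS_JKS), ("pkcs11", STATUS_PKCS11),
                       ("token-offline", STATUS_TOKEN_OFFLINE), ("conflict", STATUS_CONFLICT)):
        print(name, triage(dump))
```

For the output Antoine posted this yields {1: ['reload 1']}, which is exactly the step Markus' reply prescribes; for the token-offline variant it yields activation first and the reload second, matching the ordering constraint in that reply. A worker with both statuses active and no errors comes back with an empty list.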
|
From: Antoine L. <ant...@yo...> - 2013-10-18 07:31:28
|
Hi,
Here is the result of getstatus brief all :
Current version of server is : SignServer 3.3.0alpha12
Status of Signer with Id 1 is :
Worker status : Offline
Token status : Active
Signings: 0
Errors:
Key usage limit exceeded or not initialized
and here is the result of getstatus complete all :
Current version of server is : SignServer 3.3.0alpha12
The Global Configuration of Properties are :
GLOB.WORKER1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.JKSCryptoToken
GLOB.WORKER1.CLASSPATH=org.signserver.module.pdfsigner.PDFSigner
The global configuration is in sync with the database.
Status of Signer with Id 1 is :
Worker status : Offline
Token status : Active
Signings: 0
Errors:
Key usage limit exceeded or not initialized
Active Properties are :
ALLOW_REQUEST_PROPERTIES_OVERRIDE=LOCATION, REASON, ADD_VISIBLE_SIGNATURE, EMBED_CRL, EMBED_OCSP_RESPONSE, REJECT_PERMISSIONS, SET_PERMISSIONS, REMOVE_PERMISSIONS,SET_OWNERPASSWORD,VISIBLE_SIGNATURE_PAGE,VISIBLE_SIGNATURE_RECTANGLE,VISIBLE_SIGNATURE_CUSTOM_IMAGE_BASE64,VISIBLE_SIGNATURE_CUSTOM_IMAGE_RESIZE_TO_RECTANGLE,CERTIFICATION_LEVEL
REASON=Signed by Yousign
CHECKCERTPRIVATEKEYVALIDITY=false
SIGNERCERTCHAIN=
KEYSTOREPATH=/etc/certificates/ysKeystore.jks
DEFAULTKEY=6
KEYUSAGELIMIT=-1
REQUIRE_REQUEST_PROPERTIES=ALIAS,AUTHPARAM,DEMAND
AUTHTYPE=org.signserver.server.YousignAuthorizer
NAME=YousignPDFSigner
SIGNERCERT=
KEYSTOREPASSWORD=xxxx
CLASSPATH=org.signserver.common.ProcessableConfig
KEYSTORETYPE=JKS
CHECKCERTVALIDITY=false
LOCATION=France
Active Authorized Clients are are (Cert DN, IssuerDN):
INFO IMPLICITLYCA_Q not set, using default.
INFO IMPLICITLYCA_A not set, using default.
INFO IMPLICITLYCA_B not set, using default.
INFO IMPLICITLYCA_G not set, using default.
INFO IMPLICITLYCA_N not set, using default.
The current configuration use the following signer certificate :
Subject DN: -----------
Serial number: -----------
Issuer DN: -----------
Valid from: 2013-10-11 12:55:46 CEST
Valid until: 2015-10-11 12:55:46 CEST
Thanks a lot !
Antoine
On Fri, 18 Oct 2013 09:18:35 +0200, Marcus Lundblad
<mar...@pr...> wrote:
> Thu 2013-10-17 at 18:41 +0200, Antoine Louiset wrote:
>> Hi everyone,
>>
>> I have an error for a pdf worker. The cryptotoken is offline, the
>> error is : key usage limit exceeded or not initialized
>>
>> In my configuration of the worker, the value of KEYUSAGELIMIT is -1.
>>
>> Any ideas ?
>>
>
> Hi Antoine!
>
> Could you try running:
> bin/signserver getstatus brief all
>
> And see what the output is regarding your pdf worker.
>
> Regards,
> Marcus Lundblad
>
>> Thanks a lot !
>>
>> --
>> Antoine Louiset
--
Antoine Louiset
|
|
From: Marcus L. <mar...@pr...> - 2013-10-18 07:18:53
|
Thu 2013-10-17 at 18:41 +0200, Antoine Louiset wrote:
> Hi everyone,
>
> I have an error for a pdf worker. The cryptotoken is offline, the
> error is : key usage limit exceeded or not initialized
>
> In my configuration of the worker, the value of KEYUSAGELIMIT is -1.
>
> Any ideas ?
>

Hi Antoine!

Could you try running:

bin/signserver getstatus brief all

and see what the output is regarding your pdf worker.

Regards,
Marcus Lundblad

> Thanks a lot !
>
> --
> Antoine Louiset |
|
From: Antoine L. <ant...@yo...> - 2013-10-17 22:46:10
Hi everyone,

I have an error for a pdf worker. The cryptotoken is offline, the error is : key usage limit exceeded or not initialized

In my configuration of the worker, the value of KEYUSAGELIMIT is -1.

Any ideas ?

Thanks a lot !

--
Antoine Louiset
From: Markus K. <ma...@pr...> - 2013-09-19 14:26:19
The PrimeKey SignServer team is happy to announce that SignServer 3.4.2 has been released!

This is a maintenance release with in total 13 tickets resolved. The most noteworthy changes can be seen below. Development continues beyond this version and all requests from the community are scheduled for SignServer 3.4.3 or later releases. More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

Major new features and improvements:
- Uses PKCS#11 crypto token implementation from CESeCore
- Support for starting audit log verification from a specified sequence number
- Option to archive all X-Forwarded-For addresses
- Option to include the ordering field in time-stamp tokens even if the field has value false
- Option to not include the signingTime CMS attribute in time-stamp signer
- Option to cache PKCS#11 key reference to increase performance
- Includes IssuerSerial in the SigningCertificate attribute in time-stamp signer

Bug fixes:
- HSM auto activation was not working when signed audit logs were used
- Key generation was not working with slotListIndex
- ClientCLI over web services was not working unless includemodulesinbuild was specified

Read the full changelog for details (https://jira.primekey.se/browse/DSS?report=com.atlassian.jira.plugin.system.project:changelog-panel).

Regards,
The PrimeKey SignServer team
From: Markus K. <ma...@pr...> - 2013-08-15 12:36:01
Hi,

Today there are good and free PDF readers available as an alternative to the large proprietary reader [1]. One missing feature though, is support for digital signatures.

I am reaching out on this mailing list as I know many people with knowledge of PKI and an interest in digital signatures are available here.

There is a ticket available in Poppler [2] for implementing support for verifying digital signatures and during the last five years some initial patches have been developed [3]. Poppler is the PDF rendering library used by many PDF applications such as Evince and Okular.

Recently some people have started to donate money at FreedomSponsors to get the implementation going:
http://www.freedomsponsors.org/core/issue/319/support-for-digital-signatures

So if you want to step up and do the implementation or to support those that will by placing a bounty at FreedomSponsors, now is a good time :)

[1] http://PDFReaders.org/
[2] http://freedesktop.org/wiki/Software/poppler/
[3] https://bugs.freedesktop.org/show_bug.cgi?id=16770
[4] http://www.freedomsponsors.org/core/issue/319/support-for-digital-signatures

Best regards,
Markus
From: Antoine L. <ant...@yo...> - 2013-08-06 17:27:16
-------- Original Message --------
Subject: Re: [SignServer-develop] Timestamp authority in pdf
Date: Tue, 06 Aug 2013 12:16:14 +0200
From: Antoine Louiset <ant...@yo...>
To: Valentin Peltier <val...@ar...>

Hi,

Thanks a lot for your answer !

Should we use TSA_URL (with TSA_USERNAME & TSA_PASSWORD) to call a local timestamp signer ?

Have a nice day !

On Mon, 5 Aug 2013 09:30:51 +0200, Valentin Peltier <val...@ar...> wrote:
> Hi,
>
> You can timestamp pdf with your local machine, but you need a
> timestamp certificate that you can make with Openssl. Don't forget to
> add only the timestamp usage for key extension.
>
> Here, free timestamp authorities:
> http://timestamping.edelweb.fr/ [1]
> http://tsa.safecreative.org/ [2]
>
> Regards,
>
> 2013/8/2 Antoine Louiset
>> Hi everyone,
>>
>> Is it possible to use a local timestamp signer with a pdf signer
>> (instead of remote) ?
>>
>> If not, do you know free (or cheap) timestamp authorities ?
>>
>> Thanks !
>>
>> --
>> Antoine Louiset
>>
>>
>> ------------------------------------------------------------------------------
>> Get your SQL database under version control now!
>> Version control is standard for application code, but databases haven't
>> caught up. So what steps can you take to put your SQL databases under
>> version control? Why should you start doing it? Read more to find out.
>> http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk [4]
>> _______________________________________________
>> SignServer-develop mailing list
>> Sig...@li... [5]
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop [6]

--
Antoine Louiset

--
Antoine Louiset
+33 6 76 66 80 34
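Valentin's advice above is to mint the time-stamping certificate with OpenSSL and give it only the time-stamping key usage. The script below is an added example, not code from this thread or from SignServer: it generates such a certificate and then checks that its extended key usage names timeStamping and nothing else, so a certificate that was issued with broader usage is rejected before it is configured as a TSA key. It assumes the openssl CLI is on PATH; all file names and the subject name are constructed here.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or SignServer itself).
# Assumes the openssl CLI is installed; WORKDIR and file names are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL config restricting the certificate to time-stamping only:
# keyUsage limited to signing, extendedKeyUsage marked critical so a
# verifier must honour it, and no other EKU values present.
write_tsa_config() {
  cat > "$WORKDIR/tsa.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = tsa_ext
prompt = no
[ dn ]
CN = Example TSA (constructed)
[ tsa_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = critical, timeStamping
EOF
}

# Self-signed TSA key and certificate written to $WORKDIR/tsa.{key,crt}.
make_tsa_cert() {
  write_tsa_config
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORKDIR/tsa.key" -out "$WORKDIR/tsa.crt" \
    -config "$WORKDIR/tsa.cnf" >/dev/null 2>&1
}

# A certificate with no EKU at all, used to show the check rejecting it.
make_generic_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Generic signer (constructed)" \
    -keyout "$WORKDIR/generic.key" -out "$WORKDIR/generic.crt" >/dev/null 2>&1
}

# Returns 0 only when the certificate's EKU line is exactly "Time Stamping";
# any additional or missing usage makes it unsuitable for a TSA.
check_tsa_eku() {
  eku=$(openssl x509 -in "$1" -noout -text |
        grep -A1 'Extended Key Usage' | tail -n 1 | tr -d ' ' || true)
  [ "$eku" = "TimeStamping" ]
}
```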