xades4j's People

Contributors

airtower-luna, dependabot[bot], emmanvg, gcontini, lagarino, luisgoncalves, mjechow, nekkiy, netmackan, patabeignet, verbal521

xades4j's Issues

XadES-EPES 1.3.2

Hello,

I need to generate a XadES-EPES 1.3.2 signature on a tar file with the following
requirements:

- RSA-SHA1 algorithm
- Without KeyValue/RSAValue element
- Signature Element as root Element of xml file

Example :

<?xml version="1.0" encoding="UTF-8"?>
<ds:Signature Id="Signature-ID" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo Id="SignedInfo-ID">
<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
...

Do you think xades4j can generate this signature?

Thanks!

(PS: sorry for my English, I'm a French guy).


Original issue reported on code.google.com by [email protected] on 12 May 2011 at 9:44

Should add version number to XAdES4j.jar filename

What steps will reproduce the problem?
1. It is a common convention with open source projects to add the version number 
to the jar filename. The next release of XAdES4j should name the jar something 
like XAdES4j-1.3.jar

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 23 Apr 2012 at 7:14

Need a way to reject execution of unsafe transforms

What steps will reproduce the problem?
1. During signature verification, transforms are executed to obtain the 
Referenced data. Some transforms like XSLT allow the execution of user provided 
code. It is easy to write an XSLT transform that takes a long time to execute or 
even enters an infinite loop. This can form the basis of a denial of service 
attack where the threads get consumed because they are busy executing the 
transform. One possible counter-measure is to agree to execute only the 
transforms that are deemed safe. What is considered safe should be left to the 
user's judgement. In Santuario, this feature is not built-in, but is easy to 
implement. In Santuario, it is possible to parse the signature in a separate 
step before validation. The developer can easily add code to inspect the parsed 
signature. If the transforms are not acceptable, the validation is never 
called. This idiom does not work in XAdES4J because the signature parsing and 
validation is a single step. Maybe all that is required is a validation method 
that takes a parsed signature as argument plus a documented way to obtain that 
parsed signature.

What is the expected output? What do you see instead?
a means to execute user code between the signature parse and signature 
validation.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 27 Oct 2011 at 2:09
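
The counter-measure described in this issue, as an added example that is not part of the original report or of xades4j: every ds:Transform in a parsed signature is checked against an allowlist before any verifier runs. The class name, the allowlist contents, the per-reference cap and the sample signatures are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class TransformAllowlistCheck {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Assumption: the transforms this deployment agrees to execute.
    // XSLT and XPath are deliberately left out.
    static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
            "http://www.w3.org/2000/09/xmldsig#base64",
            "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
            "http://www.w3.org/2001/10/xml-exc-c14n#"));

    // Assumption: cap on chained transforms per Reference.
    static final int MAX_TRANSFORMS_PER_REFERENCE = 4;

    /** Parses untrusted XML with DOCTYPE declarations refused. */
    static Element parseRoot(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }

    /** Returns the reasons to refuse verification; an empty list means every transform is allowlisted. */
    static List<String> findViolations(Element signature) {
        List<String> violations = new ArrayList<String>();
        // Covers SignedInfo references and references inside any ds:Manifest.
        NodeList refs = signature.getElementsByTagNameNS(DSIG_NS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            Element ref = (Element) refs.item(i);
            String uri = ref.getAttribute("URI");
            NodeList transforms = ref.getElementsByTagNameNS(DSIG_NS, "Transform");
            if (transforms.getLength() > MAX_TRANSFORMS_PER_REFERENCE) {
                violations.add("Reference '" + uri + "' chains " + transforms.getLength() + " transforms");
            }
            for (int j = 0; j < transforms.getLength(); j++) {
                String alg = ((Element) transforms.item(j)).getAttribute("Algorithm");
                if (!ALLOWED.contains(alg)) {
                    violations.add("Reference '" + uri + "' uses transform '" + alg + "'");
                }
            }
        }
        return violations;
    }

    // Constructed sample: skeleton of a signature with one Reference and one Transform.
    static String sample(String transformAlgorithm) {
        return "<ds:Signature xmlns:ds=\"" + DSIG_NS + "\"><ds:SignedInfo>"
                + "<ds:Reference URI=\"\"><ds:Transforms>"
                + "<ds:Transform Algorithm=\"" + transformAlgorithm + "\"/>"
                + "</ds:Transforms></ds:Reference>"
                + "</ds:SignedInfo></ds:Signature>";
    }

    public static void main(String[] args) throws Exception {
        String[] algorithms = {
            "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
            "http://www.w3.org/TR/1999/REC-xslt-19991116" // XSLT transform URI
        };
        for (String alg : algorithms) {
            List<String> violations = findViolations(parseRoot(sample(alg)));
            if (violations.isEmpty()) {
                // Only at this point would the element be handed to a verifier.
                System.out.println("OK to verify: " + alg);
            } else {
                System.out.println("Refused before verification: " + violations);
            }
        }
    }
}
```

The check is intentionally strict: a missing Algorithm attribute or any URI outside the allowlist is a refusal, so new transforms have to be opted in explicitly.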

Don't find code to verify xades.xml

Hello,

I created a XAdES XML signed by a private key on a smart card.

So for verification, I can't find how to verify the XML file in XAdES format.


<---------------XADES XML SIGNATURE----------------->

<?xml version="1.0" encoding="UTF-8"?><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
Id="xmldsig-d613d22c-3359-4775-9ee1-b36e81a18c7a">
<ds:SignedInfo>
<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="xmldsig-d613d22c-3359-4775-9ee1-b36e81a18c7a-ref0" 
Type="http://www.w3.org/2000/09/xmldsig#Object" 
URI="#xmldsig-d613d22c-3359-4775-9ee1-b36e81a18c7a-object0">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Shb6Sb6JZDL3FF/FNqC+WD7OkZqsHoz5EjwQljU9etc=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" 
URI="#xmldsig-d613d22c-3359-4775-9ee1-b36e81a18c7a-signedprops">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>j7jfJGQY9+KrPG20uDTDuqOi8u/SwaWMqVKnumWTFbY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="xmldsig-d613d22c-3359-4775-9ee1-b36e81a18c7a-sigvalue">
JHxf2d1tW9QcXmH2FQ6qh526oqKY66IqvjiSD3EGLzubOpGJ4DQJGICQZPv90caNRJY1phb1zCOg
j63NIvyJpRkOvxOdO3yiaxu88Rk0ybe2nc75fNZKbPUMDIgN/AGulEeKHlfWJsrMeimYYjgeao33
W/chCqyd3I/4sliYWCI=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object Id="xmldsig-d613d22c-3359-4775-9ee1-b36e81a18c7a-object0" 
MimeType="text/xml"><TPL><PV>
laurent
anglade
toulouse
dnsce
=
1991
23456
camiontpl451
laurent
anglade
toulouse
dnsce
45
1991
23456
camiontpl451
laurent
anglade
toulouse
dnsce
45
1991
23456
camiontpl451
laurent
anglade
toulouse
dnsce
45
1991
23456
camiontpl451
laurent
anglade
toulouse
dnsce
45
1991
23456
camiontpl451
laurent
anglade
toulouse
dnsce
45
1991
23456
camiontpl451
bar</PV></TPL></ds:Object>
<ds:Object><xades:QualifyingProperties 
xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" 
xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" 
Target="#xmldsig-d613d22c-3359-4775-9ee1-b36e81a18c7a">
<xades:SignedProperties Id="xmldsig-d613d22c-3359-4775-9ee1-b36e81a18c7a-signedprops">
<xades:SignedSignatureProperties>
<xades:SigningTime>2012-03-19T16:55:15.375+01:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>NhYafJ5k3yMBCiwYuIfNihqCsTt9ZJghzvuxZMZ0ybk=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=DGDDI AC Authentification,OU=0002 120023015,O=DIRECTION GENERALE DES DOUANES ET DROITS INDIRECTS,C=FR</ds:X509IssuerName>
<ds:X509SerialNumber>51983</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>

<-------END --------XADES XML SIGNATURE----------------->



I hope to extract the X509 certificate from the XAdES XML.

<---------------TRY JAVA CODE TO VERIFY----------------->


    public static void main(String[] args) throws Exception {
        // Instantiate the document to be validated
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("c:/firstXades.xml"));

        // Find Signature element
        Element sigElement = getSigElement(doc);
        if (null == sigElement) {
            throw new Exception("Cannot find Signature element");
        }

        SignatureSpecificVerificationOptions ssvo = new SignatureSpecificVerificationOptions();
        ssvo.useDataForAnonymousReference(new FileInputStream("c:/firstXades.xml"));

        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");

        /* ???????????HELP ??????????????? */
        NodeList nlX509 = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "X509Certificate");
        if (nlX509.getLength() == 0) {
            throw new Exception("Cannot find X509Certificate element");
        }
        String certficationChain = nlX509.item(0).getTextContent();
        X509Certificate cert = processReceivedCertificationChain(certficationChain);

        CertificateValidationProvider certValidator = ???????????;

        /* ????????????HELP?????????????? */

        XadesVerificationProfile p = new XadesVerificationProfile(certValidator);
        XadesVerifier verifier = p.newVerifier();

        XAdESVerificationResult r = verifier.verify(sigElement, ssvo);

        System.out.println(r.getSignatureForm());
        System.out.println(r.getSignatureAlgorithmUri());
        System.out.println(r.getSignedDataObjects().size());
        System.out.println(r.getQualifyingProperties().all().size());

    }


<---------END------TRY JAVA CODE TO VERIFY----------------->



With XML design I can verify.


<---------------XML DESIGN CODE TO VERIFY----------------->


    public static void main(String[] args) throws Exception {

        // Instantiate the document to be validated
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("c:/firstXMLDsig.xml"));

        // Find Signature element
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");

        DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(), nl.item(0));

        /*
         * // Create a DOM XMLSignatureFactory that will be used to unmarshal
         * the // document containing the XMLSignature
         */
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        fac.newDigestMethod(DigestMethod.SHA1, null);
        // Create a DOMValidateContext and specify a KeyValue KeySelector
        // and document context
        /*
         * DOMValidateContext valContext = new DOMValidateContext (new
         * KeyValueKeySelector(), nl.item(0));
         */

        // unmarshal the XMLSignature
        XMLSignature signature = fac.unmarshalXMLSignature(valContext);

        KeyInfo keyInfo = signature.getKeyInfo();

        // Validate the XMLSignature (generated above)
        boolean coreValidity = signature.validate(valContext);
    }

<------END---------XML DESIGN CODE TO VERIFY----------------->



I'm missing something, but I don't know what.


Thanks before.


Regards.


Original issue reported on code.google.com by [email protected] on 20 Mar 2012 at 10:23

Non repudiation certificates not accepted

What steps will reproduce the problem?
1. Produce a signature using a certificate with nonRepudiation key-usage.

An exception is thrown stating that the certificate doesn't contain the 
digitalSignature key-usage.

These certificates should be accepted for qualified signatures.


Original issue reported on code.google.com by luis.fgoncalv on 16 Nov 2010 at 10:08

ds:X509SubjectName tag is not created

Hi,
I signed XML documents with XAdES and I can validate the XML successfully, but when I 
sent it to my government system, the system gave me this error: ds:X509Data 
doesn't have a ds:X509SubjectName tag. After that I checked my document and it 
really doesn't have that tag. I searched the internet but couldn't find any useful 
information. I also checked my token info and it has a subject value. 

Could anyone help me: why doesn't xades create the ds:X509SubjectName tag? Or can I 
insert it myself with code?


here is my code 

public void Sign() throws TransformerFactoryConfigurationError, Exception {
        Document doc = SignatureServicesBase.getDocument(_inputStream);

        Pkcs11KeyingDataProvider s = new Pkcs11KeyingDataProvider(_cert);
        XadesBesSigningProfile pr = new XadesBesSigningProfile(s);
        pr.withAlgorithmsProvider(Sha1AlgProvider.class);
        pr.withBasicSignatureOptionsProvider(new MyBasicSignatureOptionsProvider(
                true, true, true));
        MySignaturePropertiesProvider propProv = new MySignaturePropertiesProvider();

        propProv.setSignerRole(_role);

        pr.withSignaturePropertiesProvider(propProv);

        XadesSigner signer = pr.newSigner();



        String refUri = "";
        DataObjectDesc dataObjRef = new DataObjectReference(refUri)
                .withTransform(new DataObjectTransform(
                        Transforms.TRANSFORM_ENVELOPED_SIGNATURE));
        Element elementToSign;


        if (_UBLFormat) {
            NodeList l = doc.getElementsByTagNameNS("*", "ExtensionContent");
            if (l.getLength() <= 0) {
                throw new Exception("Can not find ExtensionContent node!");
            }
            elementToSign = (Element) l.item(0);
        } else {
            elementToSign = doc.getDocumentElement();
        }
        signer.sign(new SignedDataObjects(dataObjRef), elementToSign);

        // new Enveloped(signer).sign(elemenToSign);
        SignatureServicesBase.outputDocument(doc, _outStream);

        if (!_isStream) {
            _inputStream.close();
            _outStream.close();
        }
    }


and example signed document is attached.




Original issue reported on code.google.com by keklikhasan on 10 Aug 2012 at 8:54

Verification Problem

Hi;
I use xades4j for signing and verifying XML docs. It works great. 
But some XML docs cause an error.
I'm signing test.xml (attached) with xades4j with Xades-BES Enveloped type 
and produce test_signed.xml (attached).
When I try to verify test_signed.xml, I get the error below:

10.Ağu.2011 02:21:19 org.apache.xml.security.signature.XMLSignature 
checkSignatureValue

WARNING: Signature verification failed.

10.Ağu.2011 02:21:19 org.apache.xml.security.signature.Reference verify

WARNING: Verification failed for URI 
"#xmldsig-3e3d8af1-f574-41b9-b46c-2820b10e3a13-signedprops"

10.Ağu.2011 02:21:19 org.apache.xml.security.signature.Reference verify

WARNING: Expected Digest: gmqaoyTax5U/yIxoLl74S1Bx6NM=

10.Ağu.2011 02:21:19 org.apache.xml.security.signature.Reference verify

WARNING: Actual Digest: DIWtmTAn7DSUHFsB80erN0+C7mw=

10.Ağu.2011 02:21:19 org.apache.xml.security.signature.Reference verify

WARNING: Verification failed for URI 
"#xmldsig-3e3d8af1-f574-41b9-b46c-2820b10e3a13-signedprops"

10.Ağu.2011 02:21:19 org.apache.xml.security.signature.Reference verify

WARNING: Expected Digest: gmqaoyTax5U/yIxoLl74S1Bx6NM=

10.Ağu.2011 02:21:19 org.apache.xml.security.signature.Reference verify

WARNING: Actual Digest: DIWtmTAn7DSUHFsB80erN0+C7mw=

xades4j.verification.ReferenceValueException: Reference 
'#xmldsig-3e3d8af1-f574-41b9-b46c-2820b10e3a13-signedprops' cannot be validated

    at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:337)

    at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:195)


Original issue reported on code.google.com by [email protected] on 9 Aug 2011 at 11:39

Verification Problem

Hi,

First of all, thanks for such a great project. In my project, I am trying to 
verify XAdES-BES signed XML content. Signing was done by another party. But 
I am not able to verify this signature with Xades4j. 

Interestingly, they are able to verify my signed XML that is signed by Xades4j. 

What can be the problem? Below is some part of the unverified signature:

        <ds:Signature Id="Signature_GIB2011000000049">
          <ds:SignedInfo Id="SignedInfo_GIB2011000000049">
            <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="">
              <ds:Transforms>
                <ds:Transform
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
              <ds:DigestValue>8VLNpeLl7DraDZ2ZNBArOG7TVvaoEQGeU3CNsLi3j48=</ds:DigestValue>
            </ds:Reference>
            <ds:Reference Type="http://uri.etsi.org/01903/v1.3.2#SignedProperties"
              URI="#SignedProperties_GIB2011000000049" Id="SignedProperties-Reference_GIB2011000000049">
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
              <ds:DigestValue>rwbtEhXiqsyp8qxng3MY0NAJ/bMuPgGdZBXkkNNo2Ek=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue Id="id2011000000049">FEdlROTTlvDtu2Ou/Uv2bjQF95n0TbBD6HSd3ryuY5FQGncZikL35+mMNb6gQgzbJGvnipaGApCbal4nhVhaGA/tafKUfDQ3q9bdBgdU4ma+vF802IqSTTthmNDAgA80OoBMMv99rCsaNZwYHa5+wzcKzm/rxB829hClFHWYG6iHeERpqz9/cy1Q6K/h2xF8QxFC14/E4QewSD3X/uWOe9GZuO6cQdSWf2XekcFrECq/CQFgc6Nl5J120Z+Uoz7xaM9b6h/XfD5jCsehCsR5KCG0zh3vypoq8yu9QTPjDFhTOYC3JD2gzGLVN8N2QJzcZqTzXbzD2TBZJLrsIFKfsw==</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:KeyValue>
              <ds:RSAKeyValue>
                <ds:Modulus>g4fWV5+GRbNQTnVpG5naG/4xC167blIngQJdOJVss7LSBjFkOOitvJtpV0Qvsld1HzW9A+P8aR17KdgZzqsc5+akR0+volN2ZH9M+q0Xza7zSQjgBzovv2R6VQWLnEyFb4i3PzEqQMDbF8n30oNWj0BjBvNn+eTkxmk8ifhLDAwrrDasje5CudTNo9pIv73VcJqA3F+pKwW7MGIZeDJpLnbbqz+ELOIR3ev51Ewb889QQyqlMiu2LKaDVmpsFzAlFo25ayLTJ896/cL0Lff+/W+CKeOo3f/SrAcZWp0RWmiKZDET9LqCodeH+2x3M8+KK2IwjABk378e8/TipjfENQ==</ds:Modulus>
                <ds:Exponent>AQAB</ds:Exponent>
              </ds:RSAKeyValue>
            </ds:KeyValue>
            <ds:X509Data>
              <ds:X509SubjectName>CN=e-Fatura Deneme
                A.Ş.,2.5.4.5=#130a39393939393939393939,OU=e-Fatura Deneme A.Ş.</ds:X509SubjectName>
              <ds:X509Certificate>......</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
          <ds:Object>
            <xades:QualifyingProperties Target="Signature_GIB2011000000049">
              <xades:SignedProperties Id="SignedProperties_GIB2011000000049">
                <xades:SignedSignatureProperties>
                  <xades:SigningTime>2011-08-03T02:51:56+03:00</xades:SigningTime>
                  <xades:SigningCertificate>
                    <xades:Cert>
                      <xades:CertDigest>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <ds:DigestValue>4pCQHzUOwVViUIbtc2C5LQkMH/4nS2aTFSx93qp5x8Y=</ds:DigestValue>
                      </xades:CertDigest>
                      <xades:IssuerSerial>
                        <ds:X509IssuerName>CN=Mali Mühür Elektronik Sertifika Hizmet
                          Sağlayıcısı - Sürüm 1, C=TR</ds:X509IssuerName>
                        <ds:X509SerialNumber>662936601706</ds:X509SerialNumber>
                      </xades:IssuerSerial>
                    </xades:Cert>
                  </xades:SigningCertificate>
                  <xades:SignerRole>
                    <xades:ClaimedRoles>
                      <xades:ClaimedRole>Tedarikçi</xades:ClaimedRole>
                    </xades:ClaimedRoles>
                  </xades:SignerRole>
                </xades:SignedSignatureProperties>
              </xades:SignedProperties>
            </xades:QualifyingProperties>
          </ds:Object>
        </ds:Signature>

Thanks.

Original issue reported on code.google.com by [email protected] on 3 Aug 2011 at 12:37

Missing API to pass signature canonicalization method parameters

What steps will reproduce the problem?
1. There are no APIs to pass parameters to the signature canonicalization 
method. The AlgorithmsProvider allows the signature canonicalization method URI 
to be configured, but there are no methods to provide the parameters. This 
works fine for canonicalization methods that take no parameters like Inclusive 
Canonical XML, but is a problem for other methods like Exclusive Canonical XML. 
For reference transforms, it is possible to use DataObjectTransform(String, 
Element) but this option is not possible with the signature canonicalization.
2. The same problem occurs for the time stamp canonicalization method 
parameters.

What is the expected output? What do you see instead?
A signature using a canonicalization method with parameters.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 25 Oct 2011 at 2:53

SignaturePolicyVerifier leaks stream upon exception

What steps will reproduce the problem?
1. In SignaturePolicyVerifier.verify(), the code calls StreamUtils.readWrite() 
followed by a close within the same try-catch. This will skip the call to 
sigDocStream.close() if the readWrite() throws an exception. A better idiom is 
to call sigDocStream.close() in a finally clause. There are examples of this in 
xades4j.utils.Base64

What is the expected output? What do you see instead?
The stream obtained from 
policyDocumentProvider.getSignaturePolicyDocumentStream(policyId) should be 
closed even if reading the stream causes an IO exception.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 14 Nov 2011 at 4:41
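
The leak described in this issue, shown next to the finally-based idiom it proposes, as an added example that is not xades4j's own code: `copy` is a hypothetical stand-in for StreamUtils.readWrite(), and `FailingStream` is a constructed stream that fails mid-read and records whether close() was called.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public class PolicyStreamCloseDemo {

    /** Constructed stand-in for a policy document stream: fails mid-read, records close(). */
    static class FailingStream extends InputStream {
        boolean closed = false;
        private int served = 0;

        @Override
        public int read() throws IOException {
            if (served++ < 3) {
                return 'x';
            }
            throw new IOException("simulated read failure");
        }

        @Override
        public void close() {
            closed = true;
        }
    }

    /** Hypothetical stand-in for StreamUtils.readWrite(): copies in to out. */
    static void copy(InputStream in, OutputStream out) throws IOException {
        int b;
        while ((b = in.read()) != -1) {
            out.write(b);
        }
    }

    /** Pattern from the issue: close() sits in the same try block as the read. */
    static boolean readLeaky(InputStream policyDoc) {
        try {
            copy(policyDoc, new ByteArrayOutputStream());
            policyDoc.close(); // never reached when copy() throws
            return true;
        } catch (IOException ex) {
            return false; // caller sees a failed read; the stream stays open
        }
    }

    /** Proposed idiom: close() in a finally clause runs on both paths. */
    static boolean readAndClose(InputStream policyDoc) {
        try {
            try {
                copy(policyDoc, new ByteArrayOutputStream());
                return true;
            } finally {
                policyDoc.close();
            }
        } catch (IOException ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        FailingStream a = new FailingStream();
        FailingStream b = new FailingStream();
        System.out.println("leaky: ok=" + readLeaky(a) + " closed=" + a.closed);
        System.out.println("fixed: ok=" + readAndClose(b) + " closed=" + b.closed);
    }
}
```

When the policy document stream is backed by a socket or file handle, each failed read in the leaky variant holds that handle until garbage collection, which is what makes repeated failures a resource-exhaustion concern.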

Internationalisation and localisation of validation profiles

I don't know about quirks in other countries, but Polish law requires that the 
CRL or OCSP response be created at least an hour after the signature has been 
created; German law only requires that the CA certificate was valid when the user 
certificate was issued (so the user cert can have longer validity than the CA).

What steps will reproduce the problem?
1. Sign and Timestamp the document
2. Download CRLs and add to document (extend to XAdES-C)
3. Perform full validation

What is the expected output? What do you see instead?
The validation should fail, as the CRL was issued before the signature was made 
or just a few seconds after.

Please provide any additional information below.
While the additional validation could be simulated using 
CustomSignatureVerifier, I don't think this is a good solution for extended 
forms (XAdES-X, -X-L, -A). It also won't work for German locale.
Related: issue 18.

Original issue reported on code.google.com by [email protected] on 25 Sep 2012 at 1:04

Verification failed for property 'SignatureTimeStamp': SHA1withSHA1withRSA Signature not available

What steps will reproduce the problem?

I am trying to validate the SignatureTimeStamp with 
DefaultTimeStampVerificationProvider.
The error occurs at line 109 of DefaultTimeStampVerificationProvider "if (null 
== token.verify(tsaSignerInfo, null))".

What is the expected output? What do you see instead?

Expected: Validation ok.

Occurs: 
xades4j.verification.TimeStampInvalidSignatureException: Verification failed 
for property 'SignatureTimeStamp': SHA1withSHA1withRSA Signature not available
    at xades4j.verification.TimeStampUtils.getEx(TimeStampUtils.java:43)
    at xades4j.verification.TimeStampUtils.verifyTokens(TimeStampUtils.java:87)
    at xades4j.verification.SignatureTimeStampVerifier.verify(SignatureTimeStampVerifier.java:64)
    at xades4j.verification.SignatureTimeStampVerifier.verify(SignatureTimeStampVerifier.java:35)
    at xades4j.verification.QualifyingPropertiesVerifierImpl.verifyProperties(QualifyingPropertiesVerifierImpl.java:59)
    at xades4j.verification.XadesVerifierImpl.getValidationDate(XadesVerifierImpl.java:299)
    at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:176)

What version of the product are you using? On what operating system?

XAdES4J 1.1.0
O.S: Windows 7
JDK: 1.6

Please provide any additional information below.

I think that the error occurs because "sun.security.pkcs.PKCS7" doesn't find 
any provider that implements the "1.2.840.113549.1.1.5" algorithm, but there is 
the default provider SunRsaSign.

It is an example from the XAdES plugtest 2007 to validate a XAdES-T.

Original issue reported on code.google.com by [email protected] on 28 Feb 2012 at 8:00

DataObjectTransform cannot handle transforms with multiple parameters

What steps will reproduce the problem?
1. DataObjectTransform cannot handle transforms that take multiple parameters. 
For example, the XPath Filter 2 transform 
(http://www.w3.org/2002/06/xmldsig-filter2) takes multiple dsig-xpath:XPath 
sub-elements as input. It is not possible to create this transform in XAdES4J 
because the DataObjectTransform(String,Element) constructor takes a single 
Element. There should be another constructor that takes a DocumentFragment or 
an array of Nodes. An array of Elements could handle XPath Filter 2 but would 
not allow transforms that take Text nodes as input. Another possibility is to 
add a method to add each parameter Node individually.

What is the expected output? What do you see instead?
A signature using the XPath Filter 2 transform with multiple XPath sub-elements.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 25 Oct 2011 at 3:26

Test XAdES4J against the plugtest test vectors

What steps will reproduce the problem?
1. XAdES4J should be tested to verify how well it can interoperate with other 
XAdES implementations. This is the purpose of the ETSI plugtests. Participation 
in the plugtest event itself is too expensive, but XAdES4J can still be tested 
against the plugtest test vectors. A copy of the plugtest test vectors can 
be downloaded here 
http://www.jipdec.or.jp/archives/ecpc/longtermstorage/en/download.html

What is the expected output? What do you see instead?

It is doubtful the XAdES4J test suite can ship with a copy of those test 
vectors (because of licensing issues). On the other hand, the machinery to run 
those tests can be part of the build at the author's discretion.

The real output of this work would be a public statement of how well XAdES4J 
does on the plugtest test vectors and possibly a list of bugs (if applicable).


What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 25 Nov 2011 at 2:57

XAdES-BES signature invalid when using namespace

When signing an XML file using a transform, the presence of a namespace 
attribute in the root node causes the signature to be invalid.

To reproduce this issue do the following
1. Compile and run the Java file. You will need to add your own certificate and 
maybe modify the paths if you like.
2. Validate the certificate. It will fail.
3. Replace petition_ns.xml with petition.xml. The only difference is the 
namespace references. 
4. Re-run. This will now validate

What is the expected output? What do you see instead?
I would expect to see consistent validation regardless of namespace attributes.

What version of the product are you using? On what operating system?
1.2.0


Original issue reported on code.google.com by [email protected] on 7 Dec 2011 at 2:49

Implementation of TimeStampTokenProvider that supports authentication

What steps will reproduce the problem?
1. The implementation of TimeStampTokenProvider in 
DefaultTimeStampTokenProvider does not support client authentication. This is 
fine for a free TSA, but it is not sufficient to access a commercial TSA that 
can be used in a legal context.

Of course, everyone can implement their own TimeStampTokenProvider, but since 
this will be a common thing to do, examples of doing this would be highly 
valuable.

What is the expected output? What do you see instead?
Examples of TimeStampTokenProvider implementations that support authentication.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 4 Nov 2011 at 3:21

Allow a form of subclassing of built-in verifiers

What steps will reproduce the problem?
1. The built-in verifiers are considered to be internal and therefore will 
remain private. It is nevertheless desirable to make this functionality 
available to custom verifiers.

The normal way of doing this is to @Inject the verifier type on the constructor 
of the custom verifier. This works unless the application has registered a 
custom verifier of that same type. The custom binding would override the 
built-in binding and the constructor would receive an instance of the custom 
verifier instead. The situation is likely to occur because that's how 
subclassing a verifier is done in Guice. The only way to reach the built-in 
verifier is to hard-code the internal class name. This is very much against 
the Guice paradigm.

One solution proposed by the XAdES4J author is to use a named binding to 
specify a built-in verifier, like so:

class MyPolicyVerifier implements QualifyingPropertyVerifier<SignaturePolicyData> {
   MyPolicyVerifier(@BuiltIn QualifyingPropertyVerifier<SignaturePolicyData> buildInPolicyVerifier) {
     // ...
   }
   // ...
}

This assumes there is a named binding available for this built-in verifier. 
Unfortunately, there is no way for the application to add this binding without 
hard-coding the internal class name. For this reason, the named bindings of 
built-in verifiers should be pre-registered in the XAdES4J library itself (or 
another solution must be found for subclassing built-in verifiers).

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 25 Nov 2011 at 2:44

cannot validate TSA certificate: unable to find valid certification path to requested target

What steps will reproduce the problem?
1. Run all tests

What is the expected output? What do you see instead?
Expected all tests to succeed, but 11 tests failed and 58 passed. Tests failed 
because "xades4j.verification.TimeStampInvalidSignatureException: Verification 
failed for property 'SignatureTimeStamp': cannot validate TSA certificate: 
unable to find valid certification path to requested target"

What version of the product are you using? On what operating system?
Win7 x64, xades4j 1.2

How to fix it?

Original issue reported on code.google.com by stas.agarkov on 14 Mar 2012 at 11:27

Need URI be hidden in detached mode

First of all, thank you for this implementation of Xades.

In my project, I have to generate and verify some Xades signatures in detached 
mode, but without the URI of the signed data. I saw this point was already discussed in 
another issue. Will this feature be implemented in the near future?

Thank you for your answer 

Original issue reported on code.google.com by [email protected] on 14 Jun 2011 at 8:46

Missing junit of DataObjectTransform(String, Element) constructor

What steps will reproduce the problem?
1. The test suite is not testing the DataObjectTransform(String, Element) 
constructor. This constructor is important because it is needed to create 
transforms with parameters like Exclusive Canonical XML. Adding this junit 
would improve code coverage. It would also serve as the first example how to 
create a transform with parameters. This topic does not appear to be discussed 
in the regular documentation.

What is the expected output? What do you see instead?
A junit that exercises the DataObjectTransform(String,Element) constructor.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.
Consider adding the example to the regular documentation as well.

Original issue reported on code.google.com by [email protected] on 25 Oct 2011 at 1:30

Error: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding

Look at my code:

public static byte[] getSigned(byte[] xmlInput, String pin) {

        ByteArrayOutputStream bout = new ByteArrayOutputStream();

        try {
            KeyingDataProvider keyingProviderMy = createPKCS11KeyStoreKeyingDataProvider("C:/Program Files/CryptoTech/CryptoCard/CCPkiP11.dll", "SmartCard", "3", pin, false);

            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);

            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(xmlInput));

            Element elemToSign = doc.getDocumentElement();

            XadesSigningProfile p = new XadesBesSigningProfile(keyingProviderMy).withAlgorithmsProvider(MyAlgorithmsProvider.class);
            XadesSigner signer = p.newSigner();
            new Enveloped(signer).sign(elemToSign);

            TransformerFactory tf = TransformerFactory.newInstance();
            tf.newTransformer().transform(new DOMSource(doc), new StreamResult(bout));

        } catch (Exception ex) {      
            return null;
        }

        return bout.toByteArray();
    }

First run works perfect, but when I want to sign the document again, it shows 
me an exception "Private keys must be instance of RSAPrivate(Crt)Key or have 
PKCS#8 encoding".

I decided to create KeyingDataProvider only once. It works ok for the first 
time, but again, after second try it gives me another Exception: 
xades4j.verification.UnexpectedJCAException: expected but could not find 
private key

Could You help me? Thanks for any hints!

Original issue reported on code.google.com by [email protected] on 7 Jul 2011 at 1:49

Xades-BES - Object Id

What is the expected output? What do you see instead?
Expected:
<ds:Object Id="Document-1">
See:
<ds:Object Id="xmldsig-89736e8d-867b-4b56-b335-7ee0602a9066-object0">

What version of the product are you using? On what operating system?
xades4j 1.0.1

Please provide any additional information below.
I would like to ask how can I change Id of an Object to get what I expect? I 
went through javadoc and found nothing to get my problem solved.

//Sorry for writing here, but there's no other contact available on this site.

Thanks for Your help.

Michal (monczek at gmail.com)

Original issue reported on code.google.com by [email protected] on 22 Nov 2010 at 1:31

Upgrade xmlsec to 1.5.1

What steps will reproduce the problem?
1. It would be nice to upgrade to the latest Santuario release. xades4j builds 
with xmlsec-1.4.5.jar, Santuario is currently at 1.5.1

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.
You have to be careful when porting to xmlsec-1.5.1 since they made a few 
incompatible changes between 1.4.5 and 1.5.0
In particular, the search for ID attributes has changed.

Original issue reported on code.google.com by [email protected] on 11 Apr 2012 at 7:20

Support for ds:Manifest

What steps will reproduce the problem?
1. XAdES4J does not support the creation of a signature that references a 
ds:Manifest.  See http://www.w3.org/TR/xmldsig-core/#sec-o-Manifest. 

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.
This feature is not high priority.

Original issue reported on code.google.com by [email protected] on 1 Dec 2011 at 3:12

Configuration file specifying validity periods of CA certificates

CA certificates may lose their validity before their "best before" date 
because of compromise, cease of operation, etc. To properly validate signatures 
using certificates issued by such a CA we need to have a file that can override the 
validity periods of CA certificates.

What steps will reproduce the problem?
1. Have document signed using certificate issued by DigiNotar
2. The document was timestamped by VeriSign before DigiNotar compromise

What is the expected output? What do you see instead?
Document should be considered valid. It isn't because DigiNotar can't be in 
trusted CAs.

Please provide any additional information below.

Related: issue 18 in practice, will be required for XAdES-A implementation.

Suggested file format: Trust Service List published by ETSI 
http://www.etsi.org/deliver/etsi_ts/102200_102299/102231/03.01.02_60/ts_102231v030102p.pdf

Original issue reported on code.google.com by [email protected] on 25 Sep 2012 at 12:52

JAXBContext should be cached

A new JAXBContext is created in BaseJAXBMarshaller and 
DefaultQualifyingPropertiesUnmarshaller whenever an instance is needed. This is 
bad because it is very expensive to create new instances, and the 
implementation generates some classes at runtime. When the code is run in JBoss 
4.2, this can lead to a memory leak due to caching of class information.

This was found in version 1.2.0, but the relevant code is unchanged in trunk.

Here is a patch that fixes this:


diff -ur 
../../src/XAdES4j/src/main/java/xades4j/xml/marshalling/BaseJAXBMarshaller.java 
./src/main/java/xades4j/xml/marshalling/BaseJAXBMarshaller.java
--- 
../../src/XAdES4j/src/main/java/xades4j/xml/marshalling/BaseJAXBMarshaller.java 
    2011-01-29 01:05:24.000000000 +0000
+++ ./src/main/java/xades4j/xml/marshalling/BaseJAXBMarshaller.java     
2012-06-18 16:49:18.346199259 +0000
@@ -40,6 +40,7 @@
 {
     private final Map<Class, QualifyingPropertyDataToXmlConverter<TXml>> converters;
     private final String propsElemName;
+    private static final Map<Class, JAXBContext> jaxbContexts = new 
HashMap<Class, JAXBContext>();

     protected BaseJAXBMarshaller(int convertersInitialSize, String propsElemName)
     {
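Review bot: the new static jaxbContexts field is a plain HashMap keyed on the raw Class type, so it is only safe while every access stays inside the synchronized (jaxbContexts) block added in the next hunk. Declaring it as ConcurrentHashMap<Class<?>, JAXBContext> would make thread safety a property of the field rather than of its callers and remove the raw-type warning. A static map also keeps every cached class and context reachable for as long as BaseJAXBMarshaller stays loaded, which deserves a comment given that the report is about class information retained in an application server.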
@@ -140,8 +141,17 @@
     {
         try
         {
+            JAXBContext jaxbContext;
+            synchronized (jaxbContexts)
+            {
+                jaxbContext = jaxbContexts.get(xmlProps.getClass());
+                if (jaxbContext == null)
+                {
+                    jaxbContext = JAXBContext.newInstance(xmlProps.getClass());
+                    jaxbContexts.put(xmlProps.getClass(), jaxbContext);
+                }
+            }
             // Create the JAXB marshaller.
-            JAXBContext jaxbContext = 
JAXBContext.newInstance(xmlProps.getClass());
             Marshaller marshaller = jaxbContext.createMarshaller();
             // Create the root JAXBElement.
             Object propsElem = createPropsXmlElem(new ObjectFactory(), xmlProps);
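Review bot: JAXBContext.newInstance(xmlProps.getClass()) runs while the lock on jaxbContexts is held, so the first marshalling of one property type blocks every other thread, including threads whose context is already cached. Consider doing the lookup first and creating the context outside the lock (accepting a rare duplicate creation), or using a concurrent map with put-if-absent. The "// Create the JAXB marshaller." comment now sits below the cache lookup; the cache block should get its own one-line comment.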
diff -ur 
../../src/XAdES4j/src/main/java/xades4j/xml/unmarshalling/DefaultQualifyingPrope
rtiesUnmarshaller.java 
./src/main/java/xades4j/xml/unmarshalling/DefaultQualifyingPropertiesUnmarshalle
r.java
--- 
../../src/XAdES4j/src/main/java/xades4j/xml/unmarshalling/DefaultQualifyingPrope
rtiesUnmarshaller.java      2011-01-29 01:09:06.000000000 +0000
+++ 
./src/main/java/xades4j/xml/unmarshalling/DefaultQualifyingPropertiesUnmarshalle
r.java      2012-06-18 16:50:55.238196397 +0000
@@ -34,6 +34,7 @@
         implements QualifyingPropertiesUnmarshaller
 {
     private final UnmarshallerModule[] modules;
+    private static JAXBContext jaxbContext;

     public DefaultQualifyingPropertiesUnmarshaller()
     {
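Review bot: jaxbContext is added as a mutable, lazily assigned static even though the class it is built from, XmlQualifyingPropertiesType.class, is fixed. A private static final field initialised once, with the JAXBException handled at initialisation, would make the locking in the next hunk unnecessary. If lazy creation is kept, the field needs a comment stating that it may only be assigned under the class lock.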
@@ -52,8 +53,11 @@
         XmlQualifyingPropertiesType xmlQualifyingProps = null;
         try
         {
-            // Create the JAXB unmarshaller.
-            JAXBContext jaxbContext = 
JAXBContext.newInstance(XmlQualifyingPropertiesType.class);
+            synchronized (DefaultQualifyingPropertiesUnmarshaller.class)
+            {
+                if (jaxbContext == null)
+                    jaxbContext = 
JAXBContext.newInstance(XmlQualifyingPropertiesType.class);
+            }
             // Create the JAXB unmarshaller and unmarshalProperties the root JAXB element
             Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
             JAXBElement<XmlQualifyingPropertiesType> qualifPropsElem = (JAXBElement<XmlQualifyingPropertiesType>)unmarshaller.unmarshal(qualifyingProps);
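Review bot: the block synchronizes on DefaultQualifyingPropertiesUnmarshaller.class, a monitor that any other code can also lock, and it is entered on every unmarshal call even after the context exists. A private static lock object or a holder class keeps the monitor internal. The if (jaxbContext == null) body has no braces while the equivalent check in BaseJAXBMarshaller uses them, and with the first comment removed the context creation is left undocumented.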

Original issue reported on code.google.com by [email protected] on 18 Jun 2012 at 5:17

Out of memory when signing big files on version 1.1.0

OutOfMemoryException when signing big files.

This is an issue on the underlying Apache Santuario (1.4.3). It has been fixed 
on 1.4.4 (http://santuario.apache.org/java144releasenotes.html).

XAdES4j should be updated to use Santuario 1.4.4.

Original issue reported on code.google.com by luis.fgoncalv on 18 Apr 2011 at 10:31

no way to add a ResourceResolver for cid: scheme

What steps will reproduce the problem?
1. The Attachment Complete and Attachment Content transforms rely on URLs using 
the cid: scheme to retrieve the attachment with the matching Content-ID. 
Unfortunately, since XAdES4J does not expose the Santuario XMLSignature, it is 
not possible to register our own ResourceResolver to find the attachment. This 
will require new APIs in XAdES4J.

What is the expected output? What do you see instead?
Ultimately, we want to be able to use a Reference pointing to an attachment of 
the document using the Attachment Complete or the Attachment Content transform. 
This will execute user code to actually retrieve the attachment that matches 
the cid: URI in the Reference.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 10 Nov 2011 at 9:44

Fix paths in tests

Tests in PKIXCertificateValidationProviderTest and 
FileSystemDirectoryCertStoreTest reference files using Windows-style paths 
causing them to fail on Linux. This patch makes them use universal separators 
(/) that work on Windows and UNIX-like systems.

Original issue reported on code.google.com by [email protected] on 15 May 2012 at 2:53

Please help passing PIN to smartcard used with PKCS11KeyStoreKeyingDataProvider

Hi,
I am trying to use XadES with my smartcard to sign documents.

I faced the following problem. In "native" sunPKCS11 implementation you can do 
the following:


    public static void main(String args[]) {

    if (args.length != 2) {
        usage();
        System.exit(1);
    }
    String configName = args[0];

    Provider p = new sun.security.pkcs11.SunPKCS11(configName);
    Security.addProvider(p);
    Provider[] providers = Security.getProviders();
    for (int i = 0; i < providers.length; i++) {
        System.out.println("Provider " + i + ": "
            + providers[i].getName());
    }
    try {
        KeyStore.PasswordProtection pwd = new KeyStore.PasswordProtection(args[1].toCharArray());
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pwd.getPassword());
....   

    } catch (Exception e) {
        e.printStackTrace();
        System.out.println("Wrong password");
    }
    }

I am interested in ks.load(null, pwd.getPassword());
I have no clue how to pass card password to XadES, which is done by ks.load 
from the script above.



I started from 
        keyingDataProvider = new PKCS11KeyStoreKeyingDataProvider(
            nativeLibrary,
            providerName,
            new FirstCertificateSelector(),
            null,
            null,
            true);

and wanted to use that object, but it seems that keystore object held by that 
object is private. I can't access it and can't pass pin for the smartcard.

Could you point me to right direction please?

Thank you in advance

Best regards
Norbert

Original issue reported on code.google.com by [email protected] on 26 Feb 2012 at 6:20

Allow Signature to be inserted before a sibling element

What steps will reproduce the problem?
1. In XAdES4J the signature is always added as the last child of the signature 
parent element. In JSR-105, it is also possible to insert the signature before 
a sibling element in the parent element. It would be nice to have that feature 
in XAdES4J.

What is the expected output? What do you see instead?
An API to control exactly where the Signature should be inserted under the 
parent element.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.
The signature can be created as the last child and moved afterwards, but it is 
clumsy.

Original issue reported on code.google.com by [email protected] on 4 Nov 2011 at 3:12

Unable to set up references base uri at production and verification

Unable to set the base uri in the constructor of XMLSignature in function 
sign() of SignerBES class. The default is "" and it's hardcoded.

Unable to set the base uri in the constructor of XMLSignature in function 
verify() of XadesVerifierImpl class. The default is "" and it's hardcoded.


Original issue reported on code.google.com by [email protected] on 15 Apr 2011 at 2:05

Passing Document as Signature Parent fails

What steps will reproduce the problem?
1. The wiki claims we can pass a Document as the signature parent.

Element sigParentNode = ...; // The DOM node to which the signature will be appended (Element or Document)
signer.sign(dataObjs, sigParentNode);

The javadoc is silent about this but the method signature takes a Node instead 
of an Element hinting about other possibilities.

Unfortunately, when passing a Document we get:
Exception in thread "main" org.w3c.dom.DOMException: HIERARCHY_REQUEST_ERR: An 
attempt was made to insert a node where it is not permitted.

That's because XAdES4J is trying to add a second Element for the signature but 
the Document can only contain one DocumentElement.

This could possibly work if the Document does not have a DocumentElement but 
this means none of the References can contain same-document URIs like #myid. 
This is a serious limitation.

Maybe the intention was to take the DocumentElement as the actual parent.

Another possibility is to forbid passing a Document, therefore deprecating 
sign(SignedDataObjects, Node) and only offer sign(SignedDataObjects, Element).

What is the expected output? What do you see instead?
Either
1) allow passing a Document as the Signature parent, plus an update to the 
javadoc and a new junit.
2) or forbidding passing a Document and an update to the wiki.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 6 Dec 2011 at 4:30

Configuration of deprecated functions, algorithms and parameters

For validation of long term signatures, xades4j needs to know when specific 
hash functions, algorithms and algorithm parameters are considered insecure.

For example, a signature based on a certificate with an MD5-based signature, created 
in 1995 and timestamped with 1024 bit RSAwithSHA with 20 year validity would be 
still considered valid right now (even without use of XAdES-X-L or XAdES-A).

Similarly, a signature with 512 bit RSAwithSHA made in 1995 with valid 
Timestamp would still be considered valid right now.

In the future we will need similar information about SHA-1 and 1024bit RSA. 
Depending on threat model, they may be considered insecure now.

This creates a requirement for a configuration file containing information 
defining which hash functions, general algorithms or algorithms with specific 
parameters were secure up to which date.
I suggest use of a configuration file because people are more likely to update 
configuration files than code in legacy applications.

I don't know of any ready-to-use standards of such files.

Related: issue 18.

Original issue reported on code.google.com by [email protected] on 25 Sep 2012 at 12:40
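
One possible shape for the configuration file this issue asks for, as an added example that is not part of XAdES4J: the file syntax, the class and method names, and every date in the sample policy are assumptions made for illustration, and the dates are placeholders rather than recommendations. It applies the layered rule implied by the issue: the signature's algorithms must have been acceptable at the time proven by the timestamp, and the timestamp's own algorithms must be acceptable at validation time.

```java
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.List;

public class AlgorithmSunsetPolicy {

    /** One rule: the algorithm (optionally only below a key size) is acceptable until a date. */
    private static final class Rule {
        final String algorithm;
        final int belowKeyBits;      // 0 = the rule applies to every key size
        final LocalDate secureUntil;

        Rule(String algorithm, int belowKeyBits, LocalDate secureUntil) {
            this.algorithm = algorithm;
            this.belowKeyBits = belowKeyBits;
            this.secureUntil = secureUntil;
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    /** Parses lines "NAME = yyyy-MM-dd" or "NAME<bits = yyyy-MM-dd"; '#' starts a comment. */
    public static AlgorithmSunsetPolicy parse(String config) {
        AlgorithmSunsetPolicy policy = new AlgorithmSunsetPolicy();
        for (String raw : config.split("\n")) {
            int hash = raw.indexOf('#');
            String line = (hash >= 0 ? raw.substring(0, hash) : raw).trim();
            if (line.isEmpty()) {
                continue;
            }
            String[] kv = line.split("=", 2);
            if (kv.length != 2) {
                throw new IllegalArgumentException("bad rule: " + raw);
            }
            String name = kv[0].trim();
            int belowBits = 0;
            int lt = name.indexOf('<');
            if (lt >= 0) {
                belowBits = Integer.parseInt(name.substring(lt + 1).trim());
                name = name.substring(0, lt).trim();
            }
            policy.rules.add(new Rule(name, belowBits, LocalDate.parse(kv[1].trim())));
        }
        return policy;
    }

    /** True if the algorithm was still acceptable on the given date; unlisted names fail closed. */
    public boolean wasSecureOn(String algorithm, int keyBits, LocalDate date) {
        boolean known = false;
        for (Rule r : rules) {
            if (!r.algorithm.equalsIgnoreCase(algorithm)) {
                continue;
            }
            known = true;
            boolean applies = r.belowKeyBits == 0 || keyBits < r.belowKeyBits;
            if (applies && date.isAfter(r.secureUntil)) {
                return false;
            }
        }
        return known;
    }

    /** Checks the signature layer at the timestamp date and the timestamp layer at validation time. */
    public boolean acceptTimestamped(String sigAlg, int sigBits, String sigDigest, LocalDate timestampDate,
                                     String tsaAlg, int tsaBits, String tsaDigest, LocalDate validationDate) {
        return wasSecureOn(sigAlg, sigBits, timestampDate)
                && wasSecureOn(sigDigest, 0, timestampDate)
                && wasSecureOn(tsaAlg, tsaBits, validationDate)
                && wasSecureOn(tsaDigest, 0, validationDate);
    }

    public static void main(String[] args) {
        // Constructed policy: the dates are placeholders for illustration, not recommendations.
        String config =
                "# algorithm[<key bits] = last date considered secure\n"
              + "MD5      = 2000-01-01\n"
              + "SHA1     = 2015-01-01\n"
              + "SHA256   = 9999-12-31\n"
              + "RSA<1024 = 2000-01-01\n"
              + "RSA<2048 = 2012-01-01\n";
        AlgorithmSunsetPolicy policy = parse(config);
        LocalDate signed = LocalDate.of(1995, 6, 1);
        LocalDate now = LocalDate.of(2012, 9, 25);

        // 512-bit RSA/SHA1 signature, timestamped in 1995 by a 1024-bit RSA/SHA1 TSA.
        System.out.println(policy.acceptTimestamped("RSA", 512, "SHA1", signed, "RSA", 1024, "SHA1", now));
        // Same signature, with the timestamp layer using 2048-bit RSA and SHA256 instead.
        System.out.println(policy.acceptTimestamped("RSA", 512, "SHA1", signed, "RSA", 2048, "SHA256", now));
        // An algorithm the policy does not list is rejected.
        System.out.println(policy.wasSecureOn("MD2", 0, signed));
    }
}
```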

CRL Number is wrong in CRLRef

What steps will reproduce the problem?
1. Create a XAdES-C form. The value in the xades:Number element of a CRLRef is 
wrong.

That value is obtained in DataGenCompleteRevocRefs.generatePropertyData() this 
way:

   byte[] crlNumEnc = crl.getExtensionValue("2.5.29.20");
   BigInteger crlNum = null;
   if (crlNumEnc != null)
      crlNum = new BigInteger(crlNumEnc);

The bytes in crlNumEnc is a DER encoded big integer. It is preceded by the tag 
and the length. The tag and length must not be interpreted as part of the 
BigInteger.

A possible solution is to call the constructor CRLNumberExtension(Boolean 
critical, Object value) with (false,crlNumEnc) and call get("value") on that 
object. Unfortunately, that class is in the hidden package sun.security.x509

Under the covers that calls:
        DerValue val = new DerValue(crlNumEnc);
        BigInteger crlNumber = val.getBigInteger();
But again, DerValue is in the hidden package sun.security.util

If you intend to parse that tiny subset of ASN.1 yourself, take a look at 
DerValue.init(). There are a few ways to encode the length.

A common solution to parse ASN.1 structure is to use BouncyCastle, but this 
seems like an enormous hammer for so little code.


What is the expected output? What do you see instead?
We expect the correct value in the xades:Number element under the xades:CRLRef 
element.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 17 Nov 2011 at 10:07
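
A minimal decoder for the case this issue describes, as an added example that is not XAdES4J code and uses only public JDK classes: the class and method names are assumptions. It relies on the documented behaviour of X509Extension.getExtensionValue, which returns the DER-encoded OCTET STRING that wraps the extension value, so the CRL number INTEGER sits one TLV deeper; both short-form and long-form definite lengths are handled and malformed encodings are rejected.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class CrlNumberDer {

    private static final int TAG_INTEGER = 0x02;
    private static final int TAG_OCTET_STRING = 0x04;

    /**
     * Reads one definite-length DER TLV that must span the whole input,
     * checks its tag and returns the content octets.
     */
    static byte[] unwrap(byte[] der, int expectedTag) {
        if (der == null || der.length < 2) {
            throw new IllegalArgumentException("truncated TLV");
        }
        if ((der[0] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("unexpected tag 0x" + Integer.toHexString(der[0] & 0xFF));
        }
        int first = der[1] & 0xFF;
        int offset = 2;
        int length;
        if (first < 0x80) {
            length = first;                        // short form: a single length octet
        } else {
            int count = first & 0x7F;              // long form: number of length octets
            if (count == 0 || count > 4) {         // 0x80 is indefinite length, which DER forbids
                throw new IllegalArgumentException("unsupported length encoding");
            }
            if (der.length < 2 + count) {
                throw new IllegalArgumentException("truncated length");
            }
            if (der[2] == 0) {
                throw new IllegalArgumentException("length has a leading zero octet");
            }
            length = 0;
            for (int i = 0; i < count; i++) {
                length = (length << 8) | (der[offset++] & 0xFF);
            }
            if (length < 0x80) {                   // also catches overflow into a negative int
                throw new IllegalArgumentException("non-minimal or oversized length");
            }
        }
        if (der.length - offset != length) {
            throw new IllegalArgumentException("length does not match the remaining bytes");
        }
        return Arrays.copyOfRange(der, offset, der.length);
    }

    /** Decodes the bytes returned by X509CRL.getExtensionValue("2.5.29.20"). */
    static BigInteger parseCrlNumber(byte[] extensionValue) {
        byte[] extnValue = unwrap(extensionValue, TAG_OCTET_STRING);
        byte[] content = unwrap(extnValue, TAG_INTEGER);
        if (content.length == 0) {
            throw new IllegalArgumentException("empty INTEGER");
        }
        BigInteger number = new BigInteger(content);   // big-endian two's complement
        if (number.signum() < 0) {
            throw new IllegalArgumentException("negative CRL number");
        }
        return number;
    }

    public static void main(String[] args) {
        // Constructed sample: OCTET STRING { INTEGER 0x1234 }.
        byte[] sample = {0x04, 0x04, 0x02, 0x02, 0x12, 0x34};
        System.out.println("tag and length included: " + new BigInteger(sample));
        System.out.println("decoded CRL number:      " + parseCrlNumber(sample));

        // Constructed sample with long-form lengths: a 128-byte INTEGER, longer than
        // a real CRL number and used only to exercise the long-form branch.
        byte[] big = new byte[6 + 128];
        big[0] = 0x04;
        big[1] = (byte) 0x81;
        big[2] = (byte) 0x83;   // outer content: 3 header bytes + 128 content bytes
        big[3] = 0x02;
        big[4] = (byte) 0x81;
        big[5] = (byte) 0x80;   // inner content: 128 bytes
        big[6] = 0x01;
        System.out.println("long-form bit length:    " + parseCrlNumber(big).bitLength());
    }
}
```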

Error on signing xml document

Successfully compiled but on execution it produced an error.


I expected signed XML, but an error was produced.

Operating system :Windows 7 pro 32 bit,  
Development IDE: NetBeans 7.0.1, 
JDK : 1.6
Xades4j version : xades4j-1.1.0



Source code
-----------
package xadesevaluator;

import org.w3c.dom.Element;
import java.io.FileNotFoundException;
import java.io.IOException;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactoryConfigurationError;
import org.w3c.dom.Node;
import java.io.FileOutputStream;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.Source;
import org.w3c.dom.Document;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import java.io.File;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.resolver.ResourceResolver;
import org.xml.sax.SAXException;
import xades4j.XAdES4jException;
import xades4j.properties.AllDataObjsCommitmentTypeProperty;
import xades4j.production.SignedDataObjects;
import xades4j.properties.DataObjectDesc;
import xades4j.production.DataObjectReference;

import xades4j.production.XadesBesSigningProfile;
import xades4j.production.XadesSigner;
import xades4j.production.XadesSignatureResult;
import xades4j.production.XadesSigningProfile;
import xades4j.properties.DataObjectTransform;

import xades4j.providers.KeyingDataProvider;
import xades4j.providers.SigningCertChainException;
import xades4j.providers.impl.FileSystemKeyStoreKeyingDataProvider;
import xades4j.providers.impl.KeyStoreKeyingDataProvider.SigningCertSelector;
import xades4j.verification.UnexpectedJCAException;

public class xadesenvelopedsignaturetest {

    private static final String KEYSTOREPATH = ".";//"target/test-files/xades/";
    private static final String SOURCE_SIGNING_PATH = ".\\Testkullanici1.pfx";//"src/test/resources/xades/exported.pfx";
    private static final String SOURCE_CERT_PATH = ".";//"src/test/resources/xades/";

    public xadesenvelopedsignaturetest() {
        ResourceResolver.register("com.uk.nmi.sw.datavaulttesting.vaulttestingutils.xades.XPointerResourceResolver");
    }

    public static void main(String[] args) throws Exception {
            XadesSigner signer = getSigner("123456", SOURCE_SIGNING_PATH);
            signWithoutIDEnveloped(KEYSTOREPATH + "\\080_Signed.xml", signer);
    }

    public static XadesSigner getSigner(String password, String pfxPath) throws Exception {//SigningException {
        try {
            KeyingDataProvider keyingProvider = getKeyingDataProvider(pfxPath, password);
            XadesSigningProfile p = new XadesBesSigningProfile(keyingProvider);
            return p.newSigner();
        } catch (Exception ex) {
            throw new Exception("Error " + ex);
        }
        /*} catch (KeyStoreException ex) {
        throw new SigningException("Keystore Problem : " + ex);
        } catch (SigningCertChainException ex) {
        throw new SigningException("Signer Cert Chain Problem", ex);
        } catch (UnexpectedJCAException ex) {
        throw new SigningException("JCA Problem getting Signer", ex);
        } catch (XadesProfileResolutionException ex) {
        throw new SigningException("XadesProfileResolutionException problem geting Signer", ex);
        }*/
    }

    private static KeyingDataProvider getKeyingDataProvider(String pfxPath, String password) throws KeyStoreException, SigningCertChainException, UnexpectedJCAException {
        KeyingDataProvider keyingProvider = new FileSystemKeyStoreKeyingDataProvider("pkcs12", pfxPath, new SigningCertSelector() {

            @Override
            public X509Certificate selectCertificate(List<X509Certificate> list) {
                return list.get(0);
            }
        }, new DirectPasswordProvider(password), new DirectPasswordProvider(password), true);
        if (keyingProvider.getSigningCertificateChain().isEmpty()) {
            throw new IllegalArgumentException("Cannot initialize keystore with path " + pfxPath);
        }
        return keyingProvider;
    }

    /**
     * Generate the signature and output a single signed file using the enveloped structure
     * This means that the signature is within the signed XML
     * This method signs the root node, not an ID
     * @param outputPath
     * @param signer
     * @param valid
     * @throws TransformerFactoryConfigurationError
     * @throws XAdES4jException
     * @throws TransformerConfigurationException
     * @throws TransformerException
     * @throws IOException
     * @throws FileNotFoundException
     */
    private static void signWithoutIDEnveloped(String outputPath, XadesSigner signer) throws TransformerFactoryConfigurationError, XAdES4jException, TransformerConfigurationException, TransformerException, IOException, FileNotFoundException {


        // Copy source doc into target document
        Document sourceDoc = getDocument(".\\080.xml");
        sourceDoc.setDocumentURI(null);

        writeXMLToFile(sourceDoc, outputPath);

        sourceDoc = getDocument(outputPath);

        Element signatureParent = (Element) sourceDoc.getDocumentElement();
        Element elementToSign = sourceDoc.getDocumentElement();
        String refUri;
        if (elementToSign.hasAttribute("Id")) {
            refUri = '#' + elementToSign.getAttribute("Id");
        } else {
            if (elementToSign.getParentNode().getNodeType() != Node.DOCUMENT_NODE) {
                throw new IllegalArgumentException("Element without Id must be the document root");
            }
            refUri = "";
        }

        DataObjectDesc dataObjRef = new DataObjectReference(refUri).withTransform(new DataObjectTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE));
        XadesSignatureResult result = signer.sign(new SignedDataObjects(dataObjRef).withCommitmentType(AllDataObjsCommitmentTypeProperty.proofOfOrigin()), signatureParent);


        writeXMLToFile(sourceDoc, outputPath);
    }

    /**
     * Write an XML document to file
     * @param doc The document
     * @param outputPath The path to write the XML file to
     * @throws IOException
     * @throws TransformerConfigurationException
     * @throws TransformerFactoryConfigurationError
     * @throws TransformerException
     * @throws FileNotFoundException 
     */
    private static void writeXMLToFile(Document doc, String outputPath) throws IOException, TransformerConfigurationException, TransformerFactoryConfigurationError, TransformerException, FileNotFoundException {
        // Write the output to a file
        Source source = new DOMSource(doc);

        // Prepare the output file
        File outFile = new File(outputPath);
        outFile.getParentFile().mkdirs();
        outFile.createNewFile();
        FileOutputStream fos = new FileOutputStream(outFile);

        StreamResult result = new StreamResult(fos);

        // Write the DOM document to the file
        Transformer xformer = TransformerFactory.newInstance().newTransformer();
        xformer.transform(source, result);

        fos.close();
    }

    /**
     * Load a Document from an XML file
     * @param path The path to the file
     * @return The document extracted from the file
     */
    private static Document getDocument(String path) {
        try {
            // Load the XML to append the signature to.
            File fXmlFile = new File(path);
            DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
            DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
            Document doc = dBuilder.parse(fXmlFile);
            doc.getDocumentElement().normalize();
            return doc;
        } catch (SAXException ex) {
            return null;
        } catch (IOException ex) {
            return null;
        } catch (ParserConfigurationException ex) {
            return null;
        }
    }
}



Error
------
Exception in thread "main" java.lang.NoClassDefFoundError: 
[Lorg/aopalliance/intercept/MethodInterceptor;
    at java.lang.Class.getDeclaredMethods0(Native Method)
    at java.lang.Class.privateGetDeclaredMethods(Class.java:2427)
    at java.lang.Class.getDeclaredMethods(Class.java:1791)
    at com.google.inject.internal.ProviderMethodsModule.getProviderMethods(ProviderMethodsModule.java:78)
    at com.google.inject.internal.ProviderMethodsModule.configure(ProviderMethodsModule.java:70)
    at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:223)
    at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:232)
    at com.google.inject.spi.Elements.getElements(Elements.java:101)
    at com.google.inject.spi.Elements.getElements(Elements.java:92)
    at com.google.inject.util.Modules$RealOverriddenModuleBuilder$1.configure(Modules.java:142)
    at com.google.inject.AbstractModule.configure(AbstractModule.java:59)
    at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:223)
    at com.google.inject.spi.Elements.getElements(Elements.java:101)
    at com.google.inject.InjectorShell$Builder.build(InjectorShell.java:135)
    at com.google.inject.InjectorBuilder.build(InjectorBuilder.java:102)
    at com.google.inject.Guice.createInjector(Guice.java:92)
    at com.google.inject.Guice.createInjector(Guice.java:69)
    at com.google.inject.Guice.createInjector(Guice.java:59)
    at xades4j.utils.XadesProfileCore.getInstance(XadesProfileCore.java:149)
    at xades4j.production.XadesSigningProfile.newSigner(XadesSigningProfile.java:94)
    at xadesevaluator.xadesenvelopedsignaturetest.getSigner(xadesenvelopedsignaturetest.java:68)
    at xadesevaluator.xadesenvelopedsignaturetest.main(xadesenvelopedsignaturetest.java:60)
Caused by: java.lang.ClassNotFoundException: 
org.aopalliance.intercept.MethodInterceptor
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
    ... 22 more
Java Result: 1

Original issue reported on code.google.com by [email protected] on 6 Mar 2012 at 11:47

XADES-XL

Do you have support for XADES-XL? 

Original issue reported on code.google.com by [email protected] on 4 Jul 2012 at 9:22

  • Merged into: #18

Support Time Stamping Extended Key Usage critical parameters

What steps will reproduce the problem?
1. Time stamp document with TSA that has certificate with Extended Key Usage 
set to critical with Time Stamping property set
2. Try to validate such document

What is the expected output? What do you see instead?
Document should validate. Instead I get a stack trace with error indicating the 
CertPathBuilder is unable to find certificate for TimeStamp token.

What version of the product are you using? On what operating system?
revision 174, (ver. 1.3.0), Linux

Please provide any additional information below.
The OID of extension is 1.3.6.1.5.5.7.3.8 (as per 
http://tools.ietf.org/html/rfc3280.html)

Attached is a patch to fix this issue

Original issue reported on code.google.com by [email protected] on 4 Oct 2012 at 1:19

Cannot validate certificate to obtain validation data

I've got a simple CA structure, there's just the CA which signs user 
certificates. This CA also publishes CRL. The only specific thing, is that it 
uses SHA256withRSA, but it's been used for over a year to provide S/MIME 
certificates for Thunderbird, gpg, etc. and https certificates for our www 
servers where it works without problems.

Problem is, when I try to create a XAdES-C document (using 
XadesCSigningProfile) I receive a "Cannot validate certificate to obtain 
validation data" error.

I create the ValidationDataProvider using:

X509CRL crl = /* download fresh CRL */;
KeyStore trustAnchors = loadJKSKeyStore("cacerts.jks", "changeit"); // CA cert
KeyStore myKeyStore = loadJKSKeyStore("private.jks", "changeit"); // my cert and CA cert
CertStore cs = otherCertificatesCertStore(trustAnchors, myKeyStore, crl);
pkixcvp = new PKIXCertificateValidationProvider(trustAnchors, true, cs);
vdp = new ValidationDataFromCertValidationProvider(pkixcvp);

and sign using:

signer = new XadesCSigningProfile(keyProvider, vdp).newSigner();
new Enveloped(signer).sign(elem);

where otherCertificatesCertStore() is:

private static CertStore otherCertificatesCertStore(KeyStore trustAnchors,
            KeyStore myCerts, X509CRL... crl)
            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, KeyStoreException
    {

        Certificate cert = trustAnchors.getCertificate("qbsca");
        CertStore cs;

        Collection<Object> contentList = new ArrayList<Object>();
        contentList.add(cert);
        for (int i=0; i < crl.length; i++) {
            contentList.add(crl[i]);
        }
        cs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(contentList));

        return cs;
    }

Stack trace:

Exception in thread "main" xades4j.providers.ValidationDataException: Cannot 
validate certificate to obtain validation data
    at xades4j.providers.impl.ValidationDataFromCertValidationProvider.getValidationData(ValidationDataFromCertValidationProvider.java:52)
    at xades4j.production.SignerC.getFormatSpecificSignatureProperties(SignerC.java:76)
    at xades4j.production.SignerBES.sign(SignerBES.java:200)
    at xades4j.production.SignerBES.sign(SignerBES.java:122)
    at xades4j.production.Enveloped.sign(Enveloped.java:68)
    at XAdES4jTest.main(XAdES4jTest.java:153)
Caused by: xades4j.providers.CannotBuildCertificationPathException: unable to 
find valid certification path to requested target
    at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:257)
    at xades4j.providers.impl.ValidationDataFromCertValidationProvider.getValidationData(ValidationDataFromCertValidationProvider.java:49)
    ... 5 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:253)
    ... 6 more

Original issue reported on code.google.com by [email protected] on 17 Aug 2012 at 11:51

Remove direct reference to sun.security.pkcs11.SunPKCS11

What steps will reproduce the problem?
1. Try to compile the project on a platform that doesn't have 
sun.security.pkcs11.SunPKCS11

What version of the product are you using? On what operating system?
1.2.0, Windows 64 (SunPKCS11 is not available on that platform)

Please provide any additional information below :

The attached patch is a possible solution using reflection. 
However I have actually not fully tested it. 

Original issue reported on code.google.com by jmdesp on 8 Dec 2011 at 12:49

Attachments:

cert path validation with CRL checking enabled fails, sigProvider is always null

What steps will reproduce the problem?
1.
I'm trying to create a XAdES-C signature. I'm using the 
ValidationDataFromCertValidationProvider to obtain the validation data. This 
provider finds the validation data by validating the certificate path with a 
PKIXCertificateValidationProvider. Since the XAdES-C profile forces me to 
provide the CRLs, I need to enable CRL checking. Unfortunately, validation 
fails because the signature validation on the CRLs fails. That's because the 
sigProvider of the PKIXBuilderParameters used by 
PKIXCertificateValidationProvider is always null. The call 
Signature.getInstance(alg, null) always throws with an 
IllegalArgumentException("missing provider"). Since none of the CRLs are 
acceptable, the whole path validation fails.

2.
3.

What is the expected output? What do you see instead?
We need a method to set the sigProvider in the 
PKIXCertificateValidationProvider so that certificate path validation with CRL 
enabled works.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.
The work-around is to copy the PKIXCertificateValidationProvider and add the 
code to set the sigProvider. This causes maintenance problems and licensing 
issues. I think adding the sigProvider parameter is the best solution. Another 
improvement could be to move the creation of the PKIXBuilderParameters into a 
protected method. This would allow subclassing.

Is there a junit that tests the PKIXCertificateValidationProvider with CRL 
checking enabled?

Original issue reported on code.google.com by [email protected] on 3 Nov 2011 at 2:38

Is it possible to use XADES4J to verify XADES V1.1.1 signed documents

Hi,
All signed files published with verification samples are XADES V1.3.2, and I 
have some XADES V1.1.1 signed files that I tried to verify by adapting one of 
your published tests (testVerifyPetition()); the verification failed.
Is Xades4J capable of verifying XADES V1.1.1 signed files?





Original issue reported on code.google.com by [email protected] on 19 Apr 2011 at 1:43

Offer profiles to produce extended forms (XAdES-X, X-L and A)

What steps will reproduce the problem?
1. The library currently does not support directly producing signatures on 
extended forms. That's why there are no profiles for these forms.

What is the expected output? What do you see instead?
New signing profiles to produce extended forms.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 4 Nov 2011 at 2:32

How can I add a Transform to a SignedProperties and KeyInfo Reference ?

Hi,

I'm trying to sign a XML document using XADES-BES.

My document has to have 3 references, first for the whole document, second for 
the signed properties and the last one for the KeyInfo.

I want to add a Transform to each Reference, but I have no way to do it for the 
signed properties and KeyInfo references; I can only add it to the first one.

This is the expected result:

<ds:Reference URI="">
         <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
               <ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
            </ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <ds:DigestValue>MYTWNv715dHh9B25ybm1aclGLTo=</ds:DigestValue>
      </ds:Reference>

     <!-- Reference to the XADES-BES object -->
     <ds:Reference Id="SignatureUsuario-XADES-Properties-Ref" Type="http://uri.etsi.org/01903/v1.2.2#SignedProperties" URI="#XADES-Properties">
        <ds:Transforms>
           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>RkQ8X/k1EAfkIoxPlwQ4Jn36kCQ=</ds:DigestValue>
     </ds:Reference>

     <!-- Reference to the certificate used for signing -->
     <ds:Reference Id="SignatureUsuario-KeyInfo-Ref" URI="#KeyInfo">
        <ds:Transforms>
           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
        <ds:DigestValue>oRMY/RmmI9w0GCYVwnbiYKI2ZQA=</ds:DigestValue>
     </ds:Reference>

Thank you

Original issue reported on code.google.com by [email protected] on 13 Feb 2012 at 11:29

junit test XadesVerifierImplTest.testVerifyDetachedC leaks a FileInputStream

What steps will reproduce the problem?
1. The junit test XadesVerifierImplTest.testVerifyDetachedC() leaks a 
FileInputStream. At the current stage of development of XAdES4J, we must rely 
on junits for examples and best practices. Updating the junit would remind 
people that SignatureSpecificVerificationOptions.useDataForAnonymousReference() 
does not close the stream. 

What is the expected output? What do you see instead?
A call to close the InputStream.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 8 Nov 2011 at 4:35

Verification of TimeStamp tokens uses time from token itself

DefaultTimeStampVerificationProvider, verifyToken method uses time from the 
token itself to validate if the signature in it is valid.

So we're using not validated data in validation. That's incorrect.
The time should be either *now* or time from some validated time stamp higher 
in XAdES hierarchy.

What version of the product are you using? On what operating system?
1.3.0

Patch that fixes the issue is attached (it's a bit hackish though). Depends on 
patch from issue 49.

Original issue reported on code.google.com by [email protected] on 4 Oct 2012 at 3:06

Attachments:

Should make JCE provider name configurable everywhere a JCE object is created

What steps will reproduce the problem?
1. There should be an option to configure the JCE provider name everywhere a 
JCE object is created. For example, DefaultMessageDigestProvider should 
optionally let the user choose the JCE provider name to call 
MessageDigest.getInstance(digestAlgorithmName, jceProviderName).

This issue is the same as Issue 16 except that it asks that ALL calls to 
getInstance() be addressed. Issue 16 is more concerned with making the 
production of XAdES4J-C forms work.

What is the expected output? What do you see instead?
Everywhere JCE's getInstance(serviceName) is called, there should be a 
configurable option to call getInstance(serviceName, jceProviderName) instead.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.
Remember that JCE can be picky with null provider names, so when the provider 
is not specified, you need to call getInstance(String) with a single argument.

Original issue reported on code.google.com by [email protected] on 4 Nov 2011 at 3:04
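
The optional-provider handling requested in this issue and in the earlier sigProvider issue, sketched as an added example (not xades4j code and not part of either report). The class JceProviderChoice and its method names are hypothetical, and the demo assumes a JDK that ships the "SUN" provider.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;

/** Hypothetical helper (not a xades4j class): one optional JCE provider name for all lookups. */
public final class JceProviderChoice {
    private final String providerName; // null means "let JCE pick the provider"

    public JceProviderChoice(String providerName) {
        // Treat an empty name like null so it never reaches the two-argument overloads.
        this.providerName = (providerName == null || providerName.isEmpty()) ? null : providerName;
    }

    public MessageDigest messageDigest(String alg) throws GeneralSecurityException {
        // getInstance(alg, null) throws IllegalArgumentException, so choose the overload explicitly.
        return providerName == null ? MessageDigest.getInstance(alg)
                                    : MessageDigest.getInstance(alg, providerName);
    }

    public Signature signature(String alg) throws GeneralSecurityException {
        return providerName == null ? Signature.getInstance(alg)
                                    : Signature.getInstance(alg, providerName);
    }

    /** Builder parameters for path building; sigProvider is set only when a name was configured. */
    public PKIXBuilderParameters builderParams(KeyStore trustAnchors, X509CertSelector target,
                                               boolean checkCrls) throws GeneralSecurityException {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
        params.setRevocationEnabled(checkCrls);
        if (providerName != null) {
            params.setSigProvider(providerName);
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        JceProviderChoice byDefault = new JceProviderChoice(null);
        JceProviderChoice pinned = new JceProviderChoice("SUN"); // assumption: provider is installed
        System.out.println("default lookup: " + byDefault.messageDigest("SHA-256").getProvider().getName());
        System.out.println("pinned lookup:  " + pinned.messageDigest("SHA-256").getProvider().getName());
        try {
            MessageDigest.getInstance("SHA-256", (String) null); // the call the helper avoids
        } catch (IllegalArgumentException e) {
            System.out.println("null provider name rejected: " + e.getMessage());
        }
    }
}
```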

SignedInfo Reference Type

I have a case where signing element itself corresponds to specific xsd type 
(similar to #SignedProperties).

Current implementation doesn't support setting reference type in SignedInfo 
element.

For example reference without type:
<ds:Reference Id="xmldsig-20c0bdf4-1c17-4a4f-8d50-7e538ac3ae16-ref0" 
URI="#root">...</ds:Reference>

and reference with type:
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" 
URI="#xmldsig-20c0bdf4-1c17-4a4f-8d50-7e538ac3ae16-signedprops">...</ds:Reference>

According to the specification, the attribute Type in element Reference is optional for 
core check. (http://www.w3.org/TR/xmldsig-core/#sec-o-SignatureProperty)

However I didn't find any way to set it. To add the Type value I think 
corresponding classes in source would be DataObjectDescsProcessor (where 
default value is set to null) and DataObjectReference (where property Type 
could be added).


What version of the product are you using? On what operating system?
xades4j-1.1.0; Windows7 32bit; jdk1.6.0_24;

Original issue reported on code.google.com by [email protected] on 29 Apr 2011 at 10:47

thrown XAdES4J exceptions should specify the cause exception

What steps will reproduce the problem?
1. Many XAdES4J exceptions are thrown as the result of catching an underlying 
exception. That underlying exception should be specified as the cause of the 
XAdES4J exception.

What is the expected output? What do you see instead?
Calling getCause() on a XAdES4J exception should return the root cause of the 
exception, when applicable.

What version of the product are you using? On what operating system?
1.2.0
Windows 7

Please provide any additional information below.
First reported by luigi.

Original issue reported on code.google.com by [email protected] on 4 Nov 2011 at 2:26
