Question
I have another problem with Counter Signature. This time I forced it to work... almost.
Below is a copy of the Signature:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-ref0" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>tYHwvIGQOhMyX1gAfjLqUwxPaQVEbr9b5aVRNb1GLZA=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-signedprops">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>60WWYTr+S6Na75HS+IDlenFiSImMmDdJGn9VH/Jm00o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-sigvalue">
cbJxI3IQOBZqcsGTCl/kgBR3aqS876ck9glukj4gJh4QggnUW46+eb3yucrtxojyF4W9jwqhVmwP
IYUJpKjgDnRbIIrVKWYiLpQV70MqWsV8DKPLdzz7vofDZuWQAsKSlEQqzkd1JMQf/HkgDK0PbXCX
iXBCye/+W1eshR/byrU=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Target="#xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86">
<xades:SignedProperties Id="xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-signedprops">
<xades:SignedSignatureProperties>
<xades:SigningTime>2014-07-08T15:14:22.357+02:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>XmRm5R3UpnVKBPiumnYVL6TXgnqCsbk0XF/JwA5he4c=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>DELETED</ds:X509IssuerName>
<ds:X509SerialNumber>22</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:CommitmentTypeIndication>
<xades:CommitmentTypeId>
<xades:Identifier>http://uri.etsi.org/01903/v1.2.2#ProofOfApproval</xades:Identifier>
<xades:Description>Indicates that the signer has approved the content of the signed data object</xades:Description>
</xades:CommitmentTypeId>
<xades:ObjectReference>#xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-ref0</xades:ObjectReference>
</xades:CommitmentTypeIndication>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
<xades:UnsignedProperties>
<xades:UnsignedSignatureProperties>
<xades:CounterSignature>
<ds:Signature Id="xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea-ref0" URI="#xmldsig-33fefaee-5877-4bcb-8ee2-782d23424a86-sigvalue">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>5bEeIUwcOzwar60fKN7CQrkhukdl1twK+h/J3iLgSso=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea-signedprops">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>VpjF9Ag6SUwezpv1FL/wSgLr5eBme67r3mXz9gqXegE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea-sigvalue">
0V/J3Tgooevc0vkLAkd/2OGMN1mSvfy/Xn12iBTDEejcQR7c9JR96RIQpZGkYw23tufBf1uReLkf
R7mdHuOWIVeDJjPZYL+l9rP7dv9ceJMtjOxUUgY/codnb5yRv0LnhBkPVBBiEfIogqzsgSM99Rpw
byiAPW6jZT2Qb4MIrlc=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties Target="#xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#">
<xades:SignedProperties Id="xmldsig-d848b745-aee3-476c-8b93-6ceafa34eaea-signedprops">
<xades:SignedSignatureProperties>
<xades:SigningTime>2014-07-08T15:17:53.877+02:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>XmRm5R3UpnVKBPiumnYVL6TXgnqCsbk0XF/JwA5he4c=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>DELETED</ds:X509IssuerName>
<ds:X509SerialNumber>22</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
</xades:CounterSignature>
</xades:UnsignedSignatureProperties>
</xades:UnsignedProperties>
</xades:QualifyingProperties>
</ds:Object>
My Java code:
import java.util.ArrayList;
import java.util.Collection;

import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Element;

import xades4j.production.DataObjectReference;
import xades4j.production.EnvelopedSignatureTransform; // package assumed for xades4j 1.3.x; later releases moved it to xades4j.algorithms
import xades4j.production.SignedDataObjects;
import xades4j.production.XadesFormatExtenderProfile;
import xades4j.production.XadesSignatureFormatExtender;
import xades4j.properties.CounterSignatureProperty;
import xades4j.properties.DataObjectDesc;
import xades4j.properties.UnsignedProperties;
import xades4j.properties.UnsignedSignatureProperty;

// docSource is the parsed DOM Document being signed; signer is an already configured xades4j XadesSigner.
Element signatureNode = (Element) docSource.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
// If signatureNode is null there is no signature in the file yet: create a new enveloped signature.
// If signatureNode is not null, extend the existing signature with a CounterSignature.
if (signatureNode != null)
{
    // Wrap the existing ds:Signature element. The CounterSignatureProperty itself emits the
    // ds:Reference to that signature's ds:SignatureValue (the "-sigvalue" URI in the XML above),
    // so no DataObjectReference to the Signature Id needs to be built here.
    XMLSignature sig = new XMLSignature(signatureNode, "");
    XadesSignatureFormatExtender instance =
            (XadesSignatureFormatExtender) new XadesFormatExtenderProfile().getFormatExtender();
    Collection<UnsignedSignatureProperty> usp = new ArrayList<UnsignedSignatureProperty>(1);
    usp.add(new CounterSignatureProperty(signer));
    instance.enrichSignature(sig, new UnsignedProperties(usp));
}
else
{
    // Reference the whole document (URI="") and exclude the signature itself with the enveloped transform.
    DataObjectDesc obj1 = new DataObjectReference("")
            .withTransform(new EnvelopedSignatureTransform());
    signer.sign(new SignedDataObjects(obj1), docSource.getDocumentElement());
    //new Enveloped(signer).sign(docSource.getDocumentElement());
}
When I try to verify this document (with two external applications) I get an error saying "Incorrect reference in countersign".
Now I'm investigating what went wrong. Did I forget to reference something?
EDIT: I checked with a different app and I think I got a better error message. It says exactly: Signature digest is not equal file digest.
Best Regards, John S.
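A reference-resolution check for a document with this layout, added here as an example and not part of the question or of xades4j: it walks every ds:Reference in both the outer signature and the countersignature, resolves same-document URIs by Id, and flags the two structural mistakes a verifier reports as an incorrect reference (a countersignature reference that does not land on the countersigned ds:SignatureValue, and a same-document reference that lacks the enveloped-signature transform). The sample document is a constructed skeleton of the XML above with values, digests and certificates left out; `check_references` and `sample_document` are hypothetical names.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SIGNED_PROPS = "http://uri.etsi.org/01903#SignedProperties"

def check_references(xml_text):
    """Resolve every ds:Reference; returns [(Reference Id, URI, problem)], empty when all resolve."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}   # ElementTree keeps no parent links
    ids = {}                                          # Id -> elements; a duplicate makes "#id" ambiguous
    for el in root.iter():
        ids.setdefault(el.get("Id"), []).append(el)   # elements without Id land under key None, never looked up
    problems = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri, rid = ref.get("URI"), ref.get("Id", "(no Id)")
        sig = ref                                     # walk up to the enclosing ds:Signature
        while sig is not None and sig.tag != f"{{{DS}}}Signature":
            sig = parent.get(sig)
        is_counter = sig in parent and parent[sig].tag == f"{{{XADES}}}CounterSignature"
        if uri == "":                                 # whole document: the signature must exclude itself
            if ENVELOPED not in {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}:
                problems.append((rid, uri, "same-document reference without enveloped-signature transform"))
            continue
        if not uri or not uri.startswith("#"):        # external or application-known references: not resolved here
            continue
        targets = ids.get(uri[1:], [])
        if len(targets) != 1:
            problems.append((rid, uri, "no element with this Id" if not targets else "Id is not unique"))
        elif is_counter and ref.get("Type") != SIGNED_PROPS and targets[0].tag != f"{{{DS}}}SignatureValue":
            # a countersignature's data reference must point at the countersigned ds:SignatureValue
            problems.append((rid, uri, "countersignature must reference the countersigned ds:SignatureValue, got "
                             + targets[0].tag.split("}")[1]))
    return problems

def sample_document(counter_uri):
    """Constructed skeleton of the layout in the question (digests, values, certificates left out)."""
    return f"""<doc><ds:Signature xmlns:ds="{DS}" Id="sig-a"><ds:SignedInfo>
<ds:Reference Id="sig-a-ref0" URI=""><ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms></ds:Reference>
<ds:Reference Type="{SIGNED_PROPS}" URI="#sig-a-signedprops"/></ds:SignedInfo>
<ds:SignatureValue Id="sig-a-sigvalue">AAAA</ds:SignatureValue><ds:Object>
<xades:QualifyingProperties xmlns:xades="{XADES}" Target="#sig-a"><xades:SignedProperties Id="sig-a-signedprops"/>
<xades:UnsignedProperties><xades:UnsignedSignatureProperties><xades:CounterSignature>
<ds:Signature Id="sig-b"><ds:SignedInfo><ds:Reference Id="sig-b-ref0" URI="{counter_uri}"/>
<ds:Reference Type="{SIGNED_PROPS}" URI="#sig-b-signedprops"/></ds:SignedInfo>
<ds:SignatureValue Id="sig-b-sigvalue">BBBB</ds:SignatureValue><ds:Object><xades:QualifyingProperties Target="#sig-b">
<xades:SignedProperties Id="sig-b-signedprops"/></xades:QualifyingProperties></ds:Object></ds:Signature>
</xades:CounterSignature></xades:UnsignedSignatureProperties></xades:UnsignedProperties></xades:QualifyingProperties></ds:Object></ds:Signature></doc>"""
```

This checks only that references resolve to the right element, not digests: a "signature digest is not equal file digest" result means the canonicalized bytes of a referenced element no longer match its DigestValue, so the next step is to recompute inclusive C14N 1.0 plus SHA-256 over that element as it sits in the final serialized file.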
Source: https://stackoverflow.com/questions/24642904/incorrect-reference-in-signature