Xades4j verification enveloped signature

StackOverflow https://stackoverflow.com/questions/21549162

Question

I have problem to verify enveloped xml signed with xades4j error I get is "The Reference for URI #data has no XMLSignatureInput" where "#data" is uri for my signed xml verification pass on c# validation

this is xml:

<?xml version="1.0" encoding="UTF-8"?><Envelope xmlns="urn:Zahtev"><root Id="data"><Identifikacija><IDZahteva>D1CC353F-6F04-47A4-B900-31944E2A1D53</IDZahteva></Identifikacija></root><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Potpis_RA_Agenta">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#data">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>IWMyfvcgZm3ElP6TfWtqTtGjEos=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SignedPropertiesId" Type="http://uri.etsi.org/01903#SignedProperties">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>WBLe3LJ12+hQ3OyTClnQcK2crF0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="Vrednost_za_Potpis_RA_Agenta">
...
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
..
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
....
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
<ds:Object Id="XadesObject">.....</ds:Object>
</ds:Signature></Envelope>

thanks

Was it helpful?

Solution

Apache Santuario (used by xades4j) does not use the "Id" attribute as the XML Id out of the box. You have to set it explicitly. This behavior was introduced on Santuario's version 1.5. Check this xades4j tests file. The DOMHelper class has helper methods to define XML Ids.

As a side note: that signature is not an enveloped signature, since it is not "inside" the signed element. It is a detached signature. The enveloped signature transform is not needed.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top