Cristovao Santos

since Jul 01, 2008
Recent posts by Cristovao Santos

Hi!

I have to validate the XML's signature... Well, with my code the signature is not valid, but supposedly it must be valid... Can anyone validate that and, if so, tell me what I could be doing wrong... I think the problem is that this XML has three certificates (a certificate chain) and I may be doing the validation in the wrong manner... Please, help me!

The XML File:



Thanks a lot,
Cristovao
Hi.

I have created a keystore on my web server. In this keystore I put:
1st - My own self-signed certificate

keytool -genkey -alias vbvsign -keyalg RSA -keysize 1024 -keystore .keystoreCV -storepass vbvsignpass -storetype jks -dname "CN=172.29.145.110-172.29.145.119, OU=Development, O=SISP, L=Praia, ST=Praia, C=CV"

keytool -certreq -v -alias vbvsign -keystore .keystoreCV -storepass vbvsignpass -file vbvCSR.pem

2nd - CA Certificate

keytool -import -alias MPIclientCA -keystore .keystoreCV -trustcacerts -file pitroot.der

3rd - Client certificate received by email
keytool -import -alias MPIclientCertificate -keystore .keystoreCV -trustcacerts -file
keytool -import -alias vbvsign -keystore .keystoreCV -trustcacerts -file MPIclient_certificate.der


When I received the last one (3rd), they also sent a PKCS#7 certificate chain. Now I need to validate a signed XML file, and I don't know what or how I can validate that... Right now I am validating the three certificates (it looks fine), but when validating the signature it returns a validation error:
"javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key"

I think that possibly I need to import or do something else with the PKCS#7 certificate chain that I received by email, but I don't know what to do...

Can you help me please!

Thanks a lot,
Cristovao
15 years ago
Hi!

I'm trying to validate an XML with a detached signature. There is a certificate chain, as you can see in the example, and I have a keystore on my server with the certificates. Well, my question is how can I validate the certificate chain, and also the signature of the XML? Does anyone have an example for me? I leave you with the XML.

<?xml version="1.0" encoding="UTF-8" ?>
<Message id="N3p1Mzc3ejdYOXdCRHA1TkZHM1U=">
  <PAResxxx id="3780197">
    (...)
  </PAResxxx>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#3780197">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>9BoB5VASWdKHLbG0I81B7UwDU/k=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>(...)</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>(...)</X509Certificate>
        <X509Certificate>(...)</X509Certificate>
        <X509Certificate>(...)</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</Message>


Let me know if you have any question about that... This is driving me crazy!

Thanks a lot for your help!

Cristovao
15 years ago
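The three posts above run into the same two problems, so one worked example covers them. It is added here; it is not the poster's code and not from any answer in the thread. "the keyselector did not find a validation key" is what javax.xml.crypto.dsig reports when the KeySelector hands back no key. The KeyInfo of the posted message carries nothing but three X509Certificate elements, so a selector that only understands KeyValue (the one in the JDK sample code) finds nothing. The KeySelector below collects the certificates from X509Data, builds and PKIX-validates the chain against the trusted-certificate entries of the keystore, and only then returns the end-entity public key; the certificates in the message are supplied by the sender, so on their own they prove nothing. The second problem is the Reference URI="#3780197": without a DTD or schema the DOM parser does not know that id is an ID attribute, so the code registers it before validation. Assumptions not in the posts: the keystore .keystoreCV with password vbvsignpass already holds the sender's CA root (pitroot.der) as a trusted entry, the signed message is passed as the first argument, and revocation checking is off because the page names no CRL or OCSP source.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import javax.xml.XMLConstants;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** KeySelector that returns the signer's key only after the X509Data chain in KeyInfo builds to a trusted root. */
public class ChainKeySelector extends KeySelector {
    private final KeyStore trustStore; // its trusted-certificate entries are the trust anchors

    public ChainKeySelector(KeyStore trustStore) { this.trustStore = trustStore; }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                    XMLCryptoContext context) throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("Signature has no KeyInfo");
        // Collect every <X509Certificate> inside <X509Data>; a bare <KeyValue> would prove nothing here
        List<X509Certificate> certs = new ArrayList<>();
        for (Object item : keyInfo.getContent()) {
            if (!(item instanceof X509Data)) continue;
            for (Object d : ((X509Data) item).getContent()) {
                if (d instanceof X509Certificate) certs.add((X509Certificate) d);
            }
        }
        if (certs.isEmpty()) throw new KeySelectorException("KeyInfo carries no X509Certificate");
        // The end-entity certificate is the one that issued none of the others
        Set<X500Principal> issuers = new HashSet<>();
        for (X509Certificate c : certs) issuers.add(c.getIssuerX500Principal());
        X509CertSelector target = new X509CertSelector();
        for (X509Certificate c : certs) {
            if (!issuers.contains(c.getSubjectX500Principal())) target.setCertificate(c);
        }
        if (target.getCertificate() == null) throw new KeySelectorException("no end-entity certificate in KeyInfo");
        try {
            // PKIX-build leaf -> ... -> root; anchors come from the keystore, never from the message itself
            PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP source is reachable from this host
            PKIXCertPathBuilderResult built =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            final Key signerKey = built.getPublicKey();
            return () -> signerKey;
        } catch (GeneralSecurityException e) {
            throw new KeySelectorException("certificate chain is not trusted: " + e.getMessage(), e);
        }
    }

    /** Parses the signed message, registers the "id" attribute and runs core validation. */
    public static boolean verify(byte[] signedXml, KeyStore trustStore) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no entity expansion
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(signedXml));
        // <Reference URI="#3780197"> points at <PAResxxx id="3780197">. Without a DTD or schema the parser does not
        // know "id" is an ID attribute, so register it, and refuse duplicates so the URI cannot be redirected.
        Set<String> ids = new HashSet<>();
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!e.hasAttribute("id")) continue;
            if (!ids.add(e.getAttribute("id"))) throw new IllegalStateException("duplicate id " + e.getAttribute("id"));
            e.setIdAttribute("id", true);
        }
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) throw new IllegalStateException("expected exactly one Signature element");
        DOMValidateContext ctx = new DOMValidateContext(new ChainKeySelector(trustStore), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // key-size and algorithm restrictions
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean valid = signature.validate(ctx);
        if (!valid) {
            // Tell a bad SignatureValue apart from a digest mismatch over the referenced element
            System.out.println("SignatureValue ok: " + signature.getSignatureValue().validate(ctx));
            for (Object r : signature.getSignedInfo().getReferences()) {
                Reference ref = (Reference) r;
                System.out.println("Reference " + ref.getURI() + " digest ok: " + ref.validate(ctx));
            }
        }
        return valid;
    }

    public static void main(String[] args) throws Exception {
        // Assumed from the posts: keystore .keystoreCV, password vbvsignpass, CA root imported as a trusted entry
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(".keystoreCV")) { ks.load(in, "vbvsignpass".toCharArray()); }
        byte[] xml = Files.readAllBytes(Paths.get(args[0])); // path of the signed message
        System.out.println(verify(xml, ks) ? "signature VALID" : "signature INVALID");
    }
}
```

When core validation fails, the per-Reference output separates "the SignatureValue does not match SignedInfo" (wrong key or altered SignedInfo) from "the digest over PAResxxx does not match" (the referenced content changed, or a different element was canonicalized than the sender signed). One caveat for anyone trying this today: the posted message uses rsa-sha1 and sha1, and from JDK 17 on secure validation is enabled by default with a policy that rejects both, so the failure then shows up as an exception naming the algorithm, not as the KeySelector error; the fix is a sender that signs with SHA-256, not turning secure validation off.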
Hi.

I am going crazy with this problem.
I have created a keystore on my server (Windows 2000) using keytool. Then I created a CSR that I sent to an entity from which I will receive signed XML messages. This entity gave me back an email with a certificate and a PKCS7.
The format is:
*********************************
Your DER encoded certificate and PKCS#7 certificate chain are attached.

Your PEM encoded certificate is:
-----BEGIN CERTIFICATE-----
MIICLjCCAZegAwIBAgIVAKPB7Vlb9cb2q+H1hg+yiDTIQoCDMA0GCSqGSIb3DQEBBQUAMD4xCzAJ
..................
-----END CERTIFICATE-----

Your PEM encoded PKCS#7 certificate chain is:

-----BEGIN PKCS7-----
MIIGogYJKoZIhvcNAQcCoIIGkzCCBo8CAQExADALBgkqhkiG9w0BBwGgggZ3MIICHzCCAYigAwIB
....................
-----END PKCS7-----

*****************************

Now, I have to import that into my keystore, right? I copied the first certificate to a .der file and imported it into my keystore using the keytool command. After that I tried to import the PKCS7 but unfortunately I don't know how to do that.

Can anyone help me please?

Thanks a lot!

Cristms
16 years ago
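For the PKCS#7 question in this post and in the keystore post above, an added example that is not from the thread. The reply to your own CSR belongs to the key entry (alias vbvsign): the CA-issued chain replaces the self-signed certificate that -genkey created, it is not imported as another trusted entry. keytool does this itself when the .p7b is imported under the key entry's alias (keytool -importcert -alias vbvsign -keystore .keystoreCV -file chain.p7b; JDK 5 spells the option -import), and it prompts if the reply's root is not already trusted. The Java below does the same thing and shows the mechanics: CertificateFactory.generateCertificates reads a PKCS#7 SignedData (PEM or DER) and returns its certificates in no particular order, a PKIX CertPathBuilder orders them from your certificate up to a root taken only from the keystore's trusted-certificate entries, and setKeyEntry stores the chain with the private key. Verifying signed XML you receive does not depend on this step; it depends on the sender's CA root being a trusted entry. Assumptions not in the post: the keystore, password and alias from the keytool commands, a key password equal to the store password, and the PEM PKCS#7 block saved as chain.p7b.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.*;
import java.util.*;

public class InstallCertReply {

    /**
     * Replaces the self-signed certificate under keyAlias with the CA-issued chain from a PKCS#7
     * certificate reply, but only if that chain builds to a root already trusted in the keystore.
     */
    public static List<X509Certificate> installReply(KeyStore ks, String keyAlias, char[] keyPass,
                                                     byte[] pkcs7Reply)
            throws GeneralSecurityException, IOException {
        // The X.509 factory accepts a PKCS#7 SignedData and yields just its certificates, unordered
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> replyCerts =
                cf.generateCertificates(new ByteArrayInputStream(pkcs7Reply));

        PrivateKey key = (PrivateKey) ks.getKey(keyAlias, keyPass);
        Certificate selfSigned = ks.getCertificate(keyAlias);
        if (key == null || selfSigned == null) throw new IllegalArgumentException("no key entry " + keyAlias);

        // Target: the reply certificate that carries our own public key, i.e. the one issued for the CSR
        X509CertSelector target = new X509CertSelector();
        target.setSubjectPublicKey(selfSigned.getPublicKey());

        // Trust anchors are the trusted-certificate entries of the keystore (the CA root imported earlier);
        // a root that merely rides along inside the reply is not trusted just because it is there.
        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(replyCerts)));
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source reachable from this host
        PKIXCertPathBuilderResult built =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);

        // The CertPath runs leaf -> last intermediate; append the anchor so the stored chain ends at the root
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : built.getCertPath().getCertificates()) chain.add((X509Certificate) c);
        X509Certificate root = built.getTrustAnchor().getTrustedCert();
        if (!chain.contains(root)) chain.add(root);
        ks.setKeyEntry(keyAlias, key, keyPass, chain.toArray(new X509Certificate[0]));
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Assumed from the posts: .keystoreCV / vbvsignpass, alias vbvsign, key password equal to the store
        // password, and the PKCS#7 attachment saved as chain.p7b
        char[] pass = "vbvsignpass".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(".keystoreCV")) { ks.load(in, pass); }
        List<X509Certificate> chain =
                installReply(ks, "vbvsign", pass, Files.readAllBytes(Paths.get("chain.p7b")));
        try (OutputStream out = new FileOutputStream(".keystoreCV")) { ks.store(out, pass); }
        for (X509Certificate c : chain) System.out.println(c.getSubjectX500Principal());
    }
}
```

If the reply's root is not among the keystore's trusted entries, build() fails with a CertPathBuilderException ("unable to find valid certification path to requested target") and the keystore is left untouched; that is the moment to verify the root's fingerprint out of band and import it as a trusted entry, as was done with pitroot.der, rather than to accept whatever arrived by email.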
Hi Ulf!

Sorry but... I don't speak English very well; it's probably one reason for your difficulty in understanding me.
Well, the applet is always in the scenario... Maybe I forgot to tell you that the applet is on a web server of our client, and this one will send messages to our servlet...
Yes, of course I need to set a variable with my key to send the value from the applet to our server, but I don't want the key stored in the applet; I want to calculate it at runtime and send it.

I hope that you understand me!
16 years ago
Hi Ulf!

Thanks for your attention to my case. Well... When you tell me:

"That would be possible either with an applet-generated UUID, or with a server-generated one that gets sent to the applet via a <param> tag."

I suppose I didn't explain everything you need to know. When I want to use something to create my key at runtime, it must be something that I can get at runtime, without having the key stored in the applet. So, I need to use something else, and the idea is to use the applet size (for example), and on the server store in a file the size of all my jars, per authorized client. So, when we receive a message from a web server of our client, I will receive a key and a client id. On our server I create the key, with the fields it is supposed to have, and I will get the size of this client's jar file saved in a file (for example, or a database). If the keys match then the message is valid.

Is it clearer now?

16 years ago
Hi Ulf!

Well, I'd like to have something I can get at runtime, do you understand? Something that I can get at runtime and send to the server. The inconvenience of an HTTP request to the server to return the size of my jar adds a lot of possibilities to fail, like permissions to access my jar file; one more connection only to do that... I don't know if I am thinking right, but ok, thanks a lot for your replies....
16 years ago
Hi Ulf!

I think I have understood your solution, but, to pass the UUID as a param tag to the applet, I need to have the UUID stored in my code, right? Well, I want something that I can obtain in the applet without any HTTP request, and I don't want to store the UUID in the applet or in the JSP page (where I call the applet).

Any suggestion?
16 years ago
Thanks Ulf, but this value to use for the key creation must be known by the server, in order to confirm that the server request originated from a known applet. Is it clearer now?

Thanks a lot
16 years ago
Hi!

Thanks a lot for your replies!
Well, what I am looking for is something that I can use or get in the applet to use as a piece of a unique key. My boss told me to use the size of my jar, but, like you said, it is only possible with an HTTP request... So now, I want something (a property or something else) that I can get and use in the applet and that is not explicit in the code...
16 years ago
Hi guys!

Please, can anyone tell me how I can get the size of the applet (jar file) in Java code? Is it possible? Or can I get a unique applet property that I can use to identify a particular applet?

Thanks a lot for your time.

Cristovao
16 years ago