
xmldsig-problem's Introduction

XMLDSig problem on Java 11

If you use XMLDSig through the standard java.xml.crypto Java APIs, and in particular rely on the default implementation provided by the JDK (as is quite common), you may run into the following error when upgrading from Java 8, 9, or 10 to Java 11:

org.w3c.dom.DOMException: HIERARCHY_REQUEST_ERR: An attempt was made to insert a node where it is not permitted.
    at java.xml/com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.insertBefore(CoreDocumentImpl.java:439)
    at java.xml/com.sun.org.apache.xerces.internal.dom.NodeImpl.appendChild(NodeImpl.java:237)
    at java.xml.crypto/org.jcp.xml.dsig.internal.dom.XmlWriterToTree.writeStartElement(XmlWriterToTree.java:104)
    at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.marshal(DOMXMLSignature.java:213)
    at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:325)
    at somewhere.in.your.Code

The code in this repository demonstrates a solution to this in the 6012c7241 commit. More details are available (discard the ranting) in the commit message.

Background

The implementation of XML signature and encryption in the JDK is based on Apache Santuario, and was updated from version 1.5.4 to 2.1.1 in Java 11 (JDK-8177334).

License

This code is licensed under WTFPL. My intentions are to provide the code for anyone to use it for whatever they like, as long as it is not for anything evil. If the code helps you solve a problem in any way, I would appreciate some kind of attribution, e.g. a reference back to this repository in a relevant commit in your own project, a mention on Twitter, or anything else as a nice gesture. However, this is in no way mandatory.

xmldsig-problem's People

Contributors

runeflobakk

xmldsig-problem's Issues

org.w3c.dom.DOMException: NAMESPACE_ERR on Sign

Dear Team

I was getting the "org.w3c.dom.DOMException: HIERARCHY_REQUEST_ERR" after upgrading to Java 11 while signing a Document.

After going through the solution you have given, I changed the implementation by giving a New Document instead of the Original Document.

But now I am getting the "org.w3c.dom.DOMException: NAMESPACE_ERR" at the "signature.sign(dsc)" line in the code below:

public static String signCbCRDataXML(String filePath) {
    OutputStream os = null;
    FileInputStream fin = null;
    try {
        // Fetching the CbCR XML File and parsing it into a DOM Document
        DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
        dbFactory.setNamespaceAware(false);   // parsed without namespace awareness
        Document doc;
        try (FileInputStream in = new FileInputStream(filePath)) {
            doc = dbFactory.newDocumentBuilder().parse(in);
        }
        String providerName = System.getProperty("jsr105Provider", "org.jcp.xml.dsig.internal.dom.XMLDSigRI");

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());

        // Next, create a Reference to a same-document URI that is an Object element and specify the SHA256 digest algorithm
        DigestMethod digestMethod = fac.newDigestMethod(DigestMethod.SHA256, null);
        Reference reference = fac.newReference("#CBC", digestMethod);
        SignatureMethod signatureMethod = fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null);
        CanonicalizationMethod canonicalizationMethod = fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null);

        // Create the SignedInfo
        SignedInfo si = fac.newSignedInfo(canonicalizationMethod, signatureMethod, Collections.singletonList(reference));

        // Create a KeyValue containing the RSA PublicKey that was generated
        KeyInfoFactory kif = fac.getKeyInfoFactory();

        // Set the x509Content from the Petronas Certificate to generate signature
        fin = new FileInputStream(PETRONAS_CERTIFICATE_PATH);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List x509Content = new ArrayList();
        X509Certificate cert = (X509Certificate) cf.generateCertificate(fin);
        X509IssuerSerial issuer = kif.newX509IssuerSerial(cert.getIssuerDN().toString(), cert.getSerialNumber());
        x509Content.add(cert.getSubjectX500Principal().getName());
        x509Content.add(issuer);
        x509Content.add(cert);
        X509Data xd = kif.newX509Data(x509Content);

        // Create a RSA 2048 KeyPair
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        KeyValue kv = kif.newKeyValue(kp.getPublic());

        // Wrap the parsed document element in a ds:Object with Id "CBC" (the Reference target)
        XMLStructure content = new DOMStructure(doc.getDocumentElement());
        XMLObject obj = fac.newXMLObject(Collections.singletonList(content), "CBC", null, null);

        // Create a KeyInfo and add the KeyValues to it
        List keyInfoItems = new ArrayList();
        keyInfoItems.add(xd);
        keyInfoItems.add(kv);
        KeyInfo ki = kif.newKeyInfo(keyInfoItems);

        // Sign into a new, empty Document instead of the parsed one
        Document signedDocument = dbFactory.newDocumentBuilder().newDocument();
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), signedDocument);

        // Create the XMLSignature and sign it
        XMLSignature signature = fac.newXMLSignature(si, ki, Collections.singletonList(obj), null, null);
        signature.sign(dsc);

        TransformerFactory tf = TransformerFactory.newInstance();
        Transformer trans = tf.newTransformer();

        // Storing the Signed XML File in the File system (overwrites the input file)
        os = new FileOutputStream(filePath);
        trans.transform(new DOMSource(signedDocument), new StreamResult(os));
        return filePath;
    } catch (Exception e) {
        throw new RuntimeException("Signing " + filePath + " failed", e);
    } finally {
        // Release the streams opened above
        try { if (fin != null) fin.close(); } catch (IOException ignored) { }
        try { if (os != null) os.close(); } catch (IOException ignored) { }
    }
}
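The approach the README's commit and the issue above both describe (signing into a new Document rather than the parsed one), as an added, self-contained example that is neither the repository's code nor the reporter's: the content is wrapped in a ds:Object and the ds:Signature is written as the root of a fresh Document passed to DOMSignContext, then validated in the same run. Unlike the posted code it parses with setNamespaceAware(true), which the DOM XMLDSig mechanism expects; the payload, the element names, the throwaway key pair and the omission of X509Data are assumptions made here, while the Id "CBC" and the algorithm URIs are taken from the post.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class EnvelopingSignatureJava11 {
    // Constructed sample payload (stands in for the CbCR file from the issue).
    private static final String PAYLOAD =
        "<cbc:Report xmlns:cbc=\"urn:example:cbc\"><cbc:Item>1</cbc:Item></cbc:Report>";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // the DOM XMLDSig mechanism expects namespace-aware trees
        Document payload = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(PAYLOAD)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key pair, for the demo only

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#CBC", fac.newDigestMethod(DigestMethod.SHA256, null));
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        // Sign into a NEW, empty Document: ds:Signature becomes its root element, so nothing is
        // appended beside an existing document element (the HIERARCHY_REQUEST_ERR case).
        Document signed = dbf.newDocumentBuilder().newDocument();
        Node imported = signed.importNode(payload.getDocumentElement(), true);
        XMLObject obj = fac.newXMLObject(
            Collections.singletonList(new DOMStructure(imported)), "CBC", null, null);
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), signed);
        fac.newXMLSignature(si, ki, Collections.singletonList(obj), null, null).sign(dsc);
        // Round-trip check: the freshly produced signature must validate with the public key.
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), signed.getDocumentElement());
        boolean valid = fac.unmarshalXMLSignature(vc).validate(vc);
        System.out.println("signature valid: " + valid);
    }
}
```

Serialize `signed` with a Transformer (as the posted code does) to persist the result; a production signer would put the certificate chain in X509Data rather than a bare KeyValue.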
