Things to do to add a reference to KeyInfo - xmlsec

I need to put a reference to KeyInfo in my CAdES signature (in every case). I see that in the SignerBES.java class xades4j processes references in the statement:
Map<DataObjectDesc, Reference> referenceMappings = this.dataObjectDescsProcessor.process(
    signedDataObjects,
    signature);
after the generation of the KeyInfo data structure.
Can you suggest where exactly to put the creation of the Reference object to obtain the reference to the KeyInfo object?
Thanks,
P.S. I see that xades4j can optionally be set up to sign the KeyInfo element, but I see this bug report (http://code.google.com/p/xades4j/issues/detail?id=32) regarding version 1.2.0 and I don't understand whether 1.3.0 fixed this bug.
M.

Here is how I did it for KeyInfo.
Modify SignerBES.java
this.keyInfoBuilder.buildKeyInfo(signingCertificate, signature);
/* Add line below */
signature.getKeyInfo().setId("KeyInfo");
Define a DataObjectReference with Id = #KeyInfo and a Transform:
DataObjectDesc obj2 = new DataObjectReference("#KeyInfo").withTransform(new ExclusiveCanonicalXMLWithoutComments(""));
Result in the Signature:
</ds:Reference>
<ds:Reference Id="xmldsig-12eced92-9bab-4aa4-b38d-a0646c0b57b4-ref1" URI="#KeyInfo">
    <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>6lQav16xHEPBwQANI4gO57OtHxXjmLWa+kJf9gZJRqI=</ds:DigestValue>
</ds:Reference>
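The verifier-side counterpart of the answer above, as an added example that is not part of the original thread and not xades4j code: a relying party should refuse a signature whose ds:KeyInfo is not covered by a ds:Reference, because otherwise the certificate in KeyInfo sits outside the signed data and can be swapped without invalidating ds:SignatureValue. The sample Signature is constructed here to mirror the structure shown above (with and without the `#KeyInfo` reference); its digest and signature values are placeholders, so the code only checks structure and leaves digest and signature verification to a real XML-DSig library. The check also rejects a KeyInfo Id that is not unique in the document, since an ambiguous same-document URI is the classic signature-wrapping setup.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}


def sample_signature(sign_key_info):
    """Constructed sample modelled on the Signature shown above; not real output.

    sign_key_info=True adds the <ds:Reference URI="#KeyInfo"> from the answer,
    False gives the default shape without it. Digest and signature values are
    placeholders, so the sample is only good for structural checks.
    """
    key_info_ref = ""
    if sign_key_info:
        key_info_ref = """
    <ds:Reference Id="xmldsig-example-ref1" URI="#KeyInfo">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER1=</ds:DigestValue>
    </ds:Reference>"""
    return f"""<ds:Signature xmlns:ds="{DS_NS}" Id="xmldsig-example">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference Id="xmldsig-example-ref0" URI="#data">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER0=</ds:DigestValue>
    </ds:Reference>{key_info_ref}
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
  <ds:KeyInfo Id="KeyInfo">
    <ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>"""


def same_document_reference_ids(signature_xml):
    """Ids targeted by same-document References (URI="#id") in ds:SignedInfo."""
    root = ET.fromstring(signature_xml)
    ids = set()
    for ref in root.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def key_info_is_covered(signature_xml):
    """True only if ds:KeyInfo carries an Id, that Id occurs exactly once in the
    document, and ds:SignedInfo holds a Reference to it.

    If this returns False the certificate in KeyInfo lies outside the signed
    data, so it could be swapped without invalidating ds:SignatureValue.
    """
    root = ET.fromstring(signature_xml)
    key_info = root.find("ds:KeyInfo", NS)
    if key_info is None:
        return False
    key_info_id = key_info.get("Id")
    if not key_info_id:
        return False
    # A same-document URI must resolve to exactly one element. Duplicate Ids
    # are the classic wrapping trick (the digest matches a decoy element), so
    # treat an ambiguous Id as not covered rather than picking one copy.
    if sum(1 for el in root.iter() if el.get("Id") == key_info_id) != 1:
        return False
    return key_info_id in same_document_reference_ids(signature_xml)


if __name__ == "__main__":
    for flag in (False, True):
        sig = sample_signature(flag)
        print(f"KeyInfo reference present={flag}: covered={key_info_is_covered(sig)}")
```

Run this before handing the document to the XML-DSig library: a signature that passes cryptographic verification but fails this check proves only that somebody holding some key signed the data, not that the certificate presented in KeyInfo is the one that did.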

Currently there's a provider for some basic signature options that enables you to sign the signing certificate. The current implementation of xades4j actually signs the whole KeyInfo element when you ask to sign the certificate. This won't let you control transforms, and I'm not sure it should.
I'm open to suggestions on this one, since there was another issue about this. One possible approach is to add a new type of DataObjectDesc whose semantics are to sign the KeyInfo or the signing certificate element.

F# WsdlTypeProvider MaxReceivedMessageSize

I am using F# and the WsdlTypeProvider with this code:
type svc = FSharp.Data.TypeProviders.WsdlService<"http://my.service.url?wsdl">
let svcClient = svc.GetServicePort()
It works quite well in most cases calling some method on the client. But in some cases I get this message:
The maximum message size quota for incoming messages (65536) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.
Except there is no such property on the binding. The binding may be accessed using:
let binding = svcClient.DataContext.Endpoint.Binding
Casting the binding to BasicHttpBinding, which has the property, does not work either, because apparently the bindings are not related inheritance wise:
let binding = svcClient.DataContext.Endpoint.Binding :?> System.ServiceModel.BasicHttpBinding
And it results in this error:
Unable to cast object of type 'System.ServiceModel.Channels.CustomBinding' to type 'System.ServiceModel.BasicHttpBinding'.
So the question is:
How can I increase the MaxReceivedMessageSize while using the WsdlTypeProvider?
There don't seem to be any settings for this in my App.config, as there would be if I were attaching to the service in the regular way, by generating a proxy etc.
If you are writing this code for testing purposes, then it is OK to use the BasicHttp binding, but to support sessions and for security reasons you should not use BasicHttp for commercial use of an application. Go for the netTcp or WsHttp bindings. The following code works for the netTcp binding.
<bindings>
  <customBinding>
    <binding name="CustomBinding_MyService">
      <binaryMessageEncoding>
        <readerQuotas maxDepth="32" maxStringContentLength="200000000" maxArrayLength="200000000"/>
      </binaryMessageEncoding>
      <tcpTransport maxBufferPoolSize="200000000" maxReceivedMessageSize="200000000" maxBufferSize="200000000">
        <extendedProtectionPolicy policyEnforcement="Never"/>
      </tcpTransport>
    </binding>
  </customBinding>
</bindings>
Hope this helps!

Getting a Windows Client to Change its Web Service Endpoint Dynamically – Problems with a WSDL

This describes a problem I had and the solution found, which I did not see discussed elsewhere (except the Background material).
Background – What Should Work (but May Not)
Let’s assume a web service defined by “https://mysite.com/?wsdl”, whose functions are to be called by a Windows client “myclient.exe”. In Visual Studio, you provide a “Service Reference”. (The problem described here also manifests with the older-style “Web Reference”.)
Suppose you have more than one machine (mysite and mysite2) exposing the same web services. It is desirable to just change the client’s choice of endpoint at runtime to point to the correct machine, without having to update the Service Reference. This could be done in three ways:
1. Edit the deployed myclient.exe.config (or its source at compile time in VS, app.config), in particular:
<system.serviceModel>
  ...
  <client>
    <endpoint address="https://mysite2.com/?wsdl" …/>
  </client>
</system.serviceModel>
2. Arrange your client code so that it reads in or selects the endpoint address and passes it to the constructor (where “MyWebService” is the name of the Service Reference and MyWebServiceBinding is the binding configuration name defined in app.config), e.g. in C#:
public static EndpointAddress remoteAddress =
    new EndpointAddress("https://mysite2.com/?wsdl");
public static BasicHttpBinding basicBinding =
    new BasicHttpBinding("MyWebServiceBinding"); // Your binding type may differ
public MyWebService.myWebServicePortTypeClient mws =
    new MyWebService.myWebServicePortTypeClient(basicBinding, remoteAddress);
3. Do as in (2), but instead of in the constructor, set the endpoint later, say during the first call to the service:
private void SetMyEndpointAddress(MyWebService.myWebServicePortTypeClient mws)
{
    mws.Endpoint.Address = new
        System.ServiceModel.EndpointAddress("https://mysite2.com/?wsdl");
}
All of these can still quietly fail if the specifics of the service WSDL are problematic (probably not generated in a routine manner by a MS server; PHP NuSoap in my case). Assuming you have control over the server WSDL, the next section explains what to look for.
Removing Unnecessary URLs from the WSDL
The WSDL is a long document with overall structure shown next. If any of the phrases pointed to here by "<===" contains a URL (e.g., https://mysite.com/...), change its generation process so that this is no longer true.
<definitions ...
xmlns:tns="soap/MyWebServices" <===
...
targetNamespace="soap/MyWebServices"> <===
<types>
<xsd:schema elementFormDefault="qualified"
targetNamespace="soap/MyWebServices"> <===
...
</xsd:schema>
</types>
[multiple <message>...</message> sections, ones for each defined function.]
<portType name="myWebServicesPortType">...</portType>
<binding name="MyWebServicesBinding" type="tns:myWebServicesPortType">...</binding>
<service name="MyWebServices">...</service>
</definitions>
In addition, within the <binding>…</binding> section, the “soapAction” for each function should be only the function name. It should not include a URL prefix (followed by “#” and the function). Typical function:
<operation name="getMyData">
<soap:operation
soapAction="getMyData" <===
style="document"/>
<input><soap:body use="literal" namespace=""/></input>
<output><soap:body use="literal" namespace=""/></output>
</operation>
The ONLY place where a URL to the particular machine should appear is in the <service> section:
<service name="MyWebServices">
<port name="MyWebServicesPort" binding="tns:MyWebServicesBinding">
<soap:address location="https://mysite.com/?wsdl"/>
</port>
</service>
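The checks described in this section, as an added example that is not part of the original post: a small Python lint over a WSDL that flags hard-coded http(s) URLs in the places the text says they must not appear (the tns namespace declaration, the two targetNamespace attributes, and a soapAction that is anything other than the bare operation name) and reports the soap:address location, the one place a host URL belongs. The two WSDL documents are constructed here to mirror the skeleton above; the "bad" one shows NuSoap-style output with the site URL leaked into namespaces and soapAction, the "good" one the cleaned-up form. Only xmlns:tns is inspected among the namespace declarations, since the standard soap/xsd/wsdl namespaces are URLs by design.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "xsd": "http://www.w3.org/2001/XMLSchema",
}
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def make_wsdl(namespace, soap_action):
    """Constructed WSDL with the structure sketched above (not a real service)."""
    return f"""<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="{namespace}"
    targetNamespace="{namespace}">
  <types>
    <xsd:schema elementFormDefault="qualified" targetNamespace="{namespace}"/>
  </types>
  <message name="getMyDataRequest"/>
  <message name="getMyDataResponse"/>
  <portType name="myWebServicesPortType">
    <operation name="getMyData">
      <input message="tns:getMyDataRequest"/>
      <output message="tns:getMyDataResponse"/>
    </operation>
  </portType>
  <binding name="MyWebServicesBinding" type="tns:myWebServicesPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getMyData">
      <soap:operation soapAction="{soap_action}" style="document"/>
      <input><soap:body use="literal" namespace=""/></input>
      <output><soap:body use="literal" namespace=""/></output>
    </operation>
  </binding>
  <service name="MyWebServices">
    <port name="MyWebServicesPort" binding="tns:MyWebServicesBinding">
      <soap:address location="https://mysite.com/?wsdl"/>
    </port>
  </service>
</definitions>"""


# NuSoap-style output as described above: the site URL leaks into the
# namespaces and soapAction, so the client has the host baked in beyond
# soap:address and a runtime endpoint change can quietly fail.
BAD_WSDL = make_wsdl("https://mysite.com/soap/MyWebServices",
                     "https://mysite.com/soap/MyWebServices#getMyData")
# Cleaned-up form: URL only in soap:address/@location, bare soapAction.
GOOD_WSDL = make_wsdl("soap/MyWebServices", "getMyData")


def wsdl_url_findings(wsdl_text):
    """List (location, value) pairs for every place other than
    soap:address/@location where the WSDL hard-codes an http(s) URL, plus any
    soapAction that is not just the bare operation name."""
    root = ET.fromstring(wsdl_text)
    findings = []
    tns = root.get("targetNamespace", "")
    if URL_RE.match(tns):
        findings.append(("definitions/@targetNamespace", tns))
    # ElementTree does not expose xmlns declarations as attributes, so read
    # xmlns:tns from the raw text. Standard prefixes (soap, xsd, wsdl) are
    # URLs by design and are deliberately not flagged.
    m = re.search(r'xmlns:tns="([^"]*)"', wsdl_text)
    if m and URL_RE.match(m.group(1)):
        findings.append(("definitions/@xmlns:tns", m.group(1)))
    for schema in root.findall("wsdl:types/xsd:schema", NS):
        stns = schema.get("targetNamespace", "")
        if URL_RE.match(stns):
            findings.append(("types/schema/@targetNamespace", stns))
    for binding in root.findall("wsdl:binding", NS):
        for op in binding.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            if soap_op is None:
                continue
            action = soap_op.get("soapAction", "")
            if action != op.get("name"):
                where = f"binding/operation[@name={op.get('name')!r}]/soap:operation/@soapAction"
                findings.append((where, action))
    return findings


def endpoint_addresses(wsdl_text):
    """soap:address/@location values: the one place a host URL belongs."""
    root = ET.fromstring(wsdl_text)
    return [a.get("location")
            for a in root.findall("wsdl:service/wsdl:port/soap:address", NS)]


if __name__ == "__main__":
    for label, text in (("bad", BAD_WSDL), ("good", GOOD_WSDL)):
        print(label, "endpoints:", endpoint_addresses(text))
        for where, value in wsdl_url_findings(text):
            print("  ", where, "=", value)
```

Feed the generated WSDL to `wsdl_url_findings` as part of the server build; an empty list means the only machine-specific string left is the soap:address location that the client overrides at runtime.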

How to use Remember me in spring security for custom authentication

Can anyone give me an idea how to use the Remember me checkbox in Spring Security for custom authentication?
This is my remember me field in the login page
and this is the configuration in security.xml
thanks
As defined in Spring Docs, when one declares a "remember-me", the "user-service-ref" should be:
"The remember-me services implementations require access to a
UserDetailsService, so there has to be one defined in the application
context."
However, in your case, your user-service-ref is a ref to a bean of type MyCustomAuthentication. This is why you get the ClassCastException "MyCustomAuthentication cannot be cast to UserDetailsService".
You should define something like:
<security:user-service id="userDetailsService">
<security:user name="username" password="pass" authorities="ROLE_USER" />
</security:user-service>
and use this id in the "user-service-ref"
P.S. IMHO you will have to fix your authentication-provider as well
HTH
For your request, to be more precise:
<http auto-config="true" use-expressions="true">
    ...
    <remember-me user-service-ref="customUserDetailsManager"/>
</http>
<b:bean id="customUserDetailsManager"
        class="com.something.something.MyCustomUserDetailsManager" />
<authentication-manager>
    <authentication-provider user-service-ref="customUserDetailsManager">
    </authentication-provider>
</authentication-manager>
</b:beans>
Note that MyCustomUserDetailsManager should implement UserDetailsManager
Another important note (from the docs):
Note that both (Spring's) implementations require a
UserDetailsService. If you are using an authentication provider which
doesn't use a UserDetailsService (for example, the LDAP provider) then
it won't work unless you also have a UserDetailsService bean in your
application context.

Getting certificate chain to a private root

I'm trying to verify that the certificate from a signature chains back to a particular root certificate, which is not trusted by Windows (it's a private certificate for the app).
My current attempt to do this involves creating a chaining engine which only trusts the specific certificate I want as the root, so that no other chains can be generated.
HCERTSTORE hPrivateRootStore = CertOpenStore(CERT_STORE_PROV_FILENAME, dwEncoding,
    NULL, CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG,
    _T("C:\\Test\\PrivateRoot.cer"));

CERT_CHAIN_ENGINE_CONFIG config;
memset(&config, 0, sizeof(config));
config.cbSize = sizeof(config);
config.hRestrictedTrust = hPrivateRootStore;
config.dwFlags = CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL | CERT_CHAIN_ENABLE_SHARE_STORE;

HCERTCHAINENGINE hEngine;
CertCreateCertificateChainEngine(&config, &hEngine);

CERT_CHAIN_PARA params;
memset(&params, 0, sizeof(params));
params.cbSize = sizeof(params);

PCCERT_CHAIN_CONTEXT chains = NULL;
if (CertGetCertificateChain(hEngine, pCertContext, NULL, hStore, &params,
    0, NULL, &chains))
    ...
(error checking omitted for clarity; pCertContext and hStore came from CryptQueryObject extracting the signature and related certificates from a signed binary file.)
Unfortunately, this doesn't seem to work; despite using a custom chaining engine it still seems to be searching the OS store, and either doesn't find a chain or finds one to a different root (which is trusted by the OS). I can only get the chain I want by adding my private root certificate to the OS trusted store.
I've also tried setting config.hRestrictedOther to an empty memory store, since the docs suggest that having hRestrictedTrust non-NULL will bring in the system stores again, but that doesn't make any difference.
Is there something I'm missing, or a better way to do this?
Edit: just to give a bit more context, I'm trying to do something similar to the driver signing certificates, where the signing certificate chains back to two different roots: one standard CA root trusted by the OS and one internal root (which in drivers is also trusted by the OS but in my case will only be trusted by my app). The cross occurs somewhere mid-way up the "main" chain; there could potentially be a number of different files all signed with different "real" CAs but still chained back to my internal certificate.
I've found a half-baked workaround now; it's a little ugly but it does kinda work. I got the basic idea from Chromium's test suite; it involves installing a hook into Crypt32 such that when it tries to open the system stores to build the chain it gets my custom store instead, containing only my desired certificate.
The good is that this seems to force CertGetCertificateChain to go "past" the real CA certificate and chain all the way to my custom certificate, instead of stopping at the CA certificate (which is what it usually does when that is trusted).
The bad is that it doesn't seem to stop it from building chains to and trusting any other CA certificate. I can work around that by explicitly verifying that the root of the chain is the certificate I wanted, but it's less than ideal, and I'm not sure if there are situations which will trip it up.
Still looking for any better solutions; I'm definitely getting the impression that I'm taking the wrong path somewhere.
OK, new plan. I'm now just walking the chain manually (since I know that all of the certificates I care about will be in the hStore extracted from the signed .exe), with a basic structure like this:
1. Use WinVerifyTrust to do basic "is it not tampered" authentication.
2. Use CryptQueryObject to obtain the certificate store hStore from the .exe.
3. Use CryptMsgGetParam and CertFindCertificateInStore to find the signing certificate in hStore.
4. Starting from the signing certificate, use CertFindCertificateInStore with CERT_FIND_SUBJECT_NAME in a loop to find the potential issuer certificates; keep walking back until I hit a self-signed certificate or find my desired root (checking for a match via CertComparePublicKeyInfo).
5. Abandon a particular branch if CertVerifySubjectCertificateContext says that the signatures don't match.
Seems cleaner than the previous approaches I was trying. Thoughts/comments/alternatives?
(Something which in some ways does seem to make more sense would be to add an additional custom countersignature [similar to the timestamping] instead of trying to chain certificates like this, but I can't find any information on doing that, or what the pros/cons are.)

Complex Object in JAX-WS is created empty

I'm testing JAX-WS to access the Oracle IRM web services. I can get it to work just fine with AXIS, so this isn't an Oracle problem.
What's happening is that I'm getting the following error when making the call:
Expected xsd:anyType - unknown type provided
If I look at the SOAP packet is sent I see that the owner tag is blank under JAX-WS:
<ns1:browseAccounts>
<owner/>
<accountType>All</accountType>
</ns1:browseAccounts>
The same piece under AXIS is this:
<owner xsi:type="ns1:LicenseServer"
xmlns=""
xmlns:ns1="http://www.sealedmedia.com/ls/server/schema">
<serverKey>#############</serverKey>
</owner>
Obviously the owner tag is not getting properly created, this is what I'm using to create that:
AccountServicesPort AA = ORI.getAccountServices();
LicenseServer LicSer = new LicenseServer();
LicSer.setServerKey("#######################");
List<Account> Acts = AA.browseAccounts(LicSer,AccountAccountType.ALL);
Is there some other process that I need to go through to create the object properly?
EDIT
I thought maybe running the LicenseServer creation through ObjectFactory would help. Unfortunately, it doesn't.
Despite the Oracle IRM documentation stating that BrowseAccounts accepts either a LicenseServer object or a Context object for the owner parameter, it actually accepts a LicenseServer_ref.
EDIT
Further, I was running JAX-WS under JDK 1.6.0, which is a lower version than JDK 1.6.0_14. The newer version supports the XmlSeeAlso annotation, which allowed JAX-WS to use the proper class for serialization.