EldoS | Feel safer!

Signing XML error: can't load document

#13500
Posted: 05/29/2010 01:40:30
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Hi

I'm trying to load a string into TElXMLDOMDocument but get TEEIXMLEncodingError when using the document.loadStream function.

this is the code:

Code

TElXMLDOMDocument doc = new TElXMLDOMDocument();
TElXMLReference refer = new TElXMLReference();

MemoryStream stream = new MemoryStream();
StreamWriter writer = new StreamWriter(stream, Encoding.UTF8);

writer.Write(xml);
writer.Flush();

// note: the stream's Position is still at the end of the written data at this point
doc.LoadFromStream(stream, "utf-8", false);
refer.LoadFromXML(doc.DocumentElement);


the detail says:
Code
TElXMLCodec: unexpected end of file
#13501
Posted: 05/29/2010 01:46:17
by Eugene Mayevski (EldoS Corp.)

First of all you need to rewind the stream (reset its position to 0) between saving data and loading it back.

If this doesn't work, post the string that you want to load here or to HelpDesk. The best approach would be to put this string to the file, ZIP the file and attach the archive.


Sincerely yours
Eugene Mayevski
#13502
Posted: 05/29/2010 01:57:58
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
First of all you need to rewind the stream (reset its position to 0) between saving data and loading it back.

If this doesn't work, post the string that you want to load here or to HelpDesk (https://www.eldos.com/support/ticket_list.php). The best approach would be to put this string to the file, ZIP the file and attach the archive.


Hi...
I made that work, but when I use reference.LoadFromXML(doc.Document) I get an Invalid XML element exception.

XML:

Code
<?xml version="1.0"?>
<soap:Envelope
xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">

<soap:Body xmlns:m="http://www.example.org/stock">
  <m:GetStockPrice>
    <m:StockName>IBM</m:StockName>
  </m:GetStockPrice>
</soap:Body>

</soap:Envelope>


Basically, as you can see, I need to sign a SOAP message I capture.
#13511
Posted: 05/29/2010 04:45:03
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I made that work but when I use reference.LoadFromXMl(doc.Document) i get INvalid XML element exception

The LoadFromXML method loads a Reference object from an XML element; it should be in the following form:
Code
Schema definition:
   <element name="Reference" type="ds:ReferenceType"/>
   <complexType name="ReferenceType">
     <sequence>
       <element ref="ds:Transforms" minOccurs="0"/>
       <element ref="ds:DigestMethod"/>
       <element ref="ds:DigestValue"/>
     </sequence>
     <attribute name="Id" type="ID" use="optional"/>
     <attribute name="URI" type="anyURI" use="optional"/>
     <attribute name="Type" type="anyURI" use="optional"/>
   </complexType>

Maybe you want to reference the whole document?
Then you should set the URINode property:
reference.URI := '';
reference.URINode := doc.DocumentElement;
Quote
basically,as you can see I need to sign a soap message I capture

Please check the XMLBlackbox\Signer sample.
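What a ReferenceType loader such as LoadFromXML is checking for, as an added example that is not part of the original thread and is not SecureBlackbox code: a small Python loader (stdlib ElementTree only) that accepts an element only if it has the ds:Reference shape from the schema quoted above (optional Transforms, then DigestMethod, then DigestValue; optional Id, URI and Type attributes) and reports "Invalid XML element" for anything else, here the soap:Envelope root from the earlier post. Both sample documents are constructed for this page; the DigestValue is SHA-1 of the empty string, used only as a placeholder.

```python
"""Check that an element has the ds:Reference shape before treating it as one.

Added example; not EldoS/SecureBlackbox code.  It applies the ReferenceType
schema (optional Transforms, then DigestMethod, then DigestValue; optional
Id/URI/Type attributes) and rejects anything else, which is what happened
when the soap:Envelope root was handed to LoadFromXML.
"""
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"


def _q(local):
    """Clark-notation name for an element in the XML-DSig namespace."""
    return "{%s}%s" % (DS, local)


def parse_reference(elem):
    """Return a dict describing a ds:Reference element, or raise ValueError."""
    if elem.tag != _q("Reference"):
        raise ValueError("Invalid XML element: expected ds:Reference, got %s" % elem.tag)
    children = list(elem)                      # child elements in document order
    tags = [c.tag for c in children]
    expected = [_q("Transforms"), _q("DigestMethod"), _q("DigestValue")]
    if tags and tags[0] != _q("Transforms"):   # Transforms is optional (minOccurs="0")
        expected = expected[1:]
    if tags != expected:
        raise ValueError("Invalid XML element: ds:Reference children are %r" % tags)
    ref = {"Id": elem.get("Id"), "URI": elem.get("URI"),
           "Type": elem.get("Type"), "Transforms": []}
    for child in children:
        if child.tag == _q("Transforms"):
            ref["Transforms"] = [t.get("Algorithm") for t in child.findall(_q("Transform"))]
        elif child.tag == _q("DigestMethod"):
            ref["DigestMethod"] = child.get("Algorithm")
        else:
            # DigestValue is base64; validate=True rejects characters outside the alphabet
            ref["DigestValue"] = base64.b64decode((child.text or "").strip(), validate=True)
    if not ref["DigestMethod"]:
        raise ValueError("Invalid XML element: ds:DigestMethod has no Algorithm attribute")
    return ref


def try_load(xml_text):
    """Parse xml_text and load its root as a Reference; return the dict or the error text."""
    try:
        return parse_reference(ET.fromstring(xml_text))
    except ValueError as exc:                  # binascii.Error is a ValueError subclass
        return str(exc)


# Constructed ds:Reference; the digest is SHA-1 of the empty string, a placeholder.
REFERENCE_XML = (
    '<ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#Body">'
    '<ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '</ds:Transforms>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>'
    '</ds:Reference>'
)

# The SOAP message from the post, whitespace removed: its root is not a Reference.
SOAP_XML = (
    '<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope" '
    'soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">'
    '<soap:Body xmlns:m="http://www.example.org/stock">'
    '<m:GetStockPrice><m:StockName>IBM</m:StockName></m:GetStockPrice>'
    '</soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    print(try_load(REFERENCE_XML))
    print(try_load(SOAP_XML))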
#13513
Posted: 05/29/2010 05:40:12
by Eugene Mayevski (EldoS Corp.)

I guess Tomislav just needs to use TElXMLDOMDocument.Load... method instead.


Sincerely yours
Eugene Mayevski
#15110
Posted: 11/23/2010 09:41:35
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

Quote
Please, check a XMLBlackbox\Signer sample.
I have tested and run the Signer example for a couple of days. I have learned how to use it to, for instance, add <X509Certificate> to XML etc.

I should further put that XML file into a SOAP envelope, and have the envelope signed with a detached-type signature. The SOAP starts something like this:
Code
<soapenv:Envelope xmlns:cor="http://bxd.fse/CorporateFileService" ...
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401
</wsse:Security>
...

Now my silly question. Should the Signer example or some functionality in XMLBlackbox be able to create and add all this SOAP envelope header part into my existing XML file?

Will the XMLBlackbox package do that for me, or do I myself always have to write all those SOAP nodes? Then I would only get the "detached type signature" string from XMLBlackbox and put it into the SOAP?

Against the recommendation (RemObjects..) I am hoping I could use THTTPRio anyway and get my SOAP traffic to work. What I now need is a signed SOAP Header part.

I have noticed that the word "SOAP" is not listed anywhere in the \BlackBox folder. (I myself also hate SOAP things as much as anyone else. <g>)

So I understand there probably will not be very keen or specific SOAP comments available from this newsgroup. Yet I would be interested to at least hear if any of this SOAP signing is possible to do with BlackBox tools.
If it would in theory, and XMLBlackbox will do some parts of this for me, then what would those parts be?

By the way, the Signer example in general would be much easier to understand if there were a few XML sample files showing the state before and after the different XMLBlackbox signings and other tricks done to them.

Thanks.
SP
#15116
Posted: 11/24/2010 05:22:11
by Dmytro Bogatskyy (EldoS Corp.)

Please don't post your new questions as replies to other people's posts. Create a new post instead.
Quote
Will XMLBlackbox package do that for me, or do I myself always have to write all those SOAP nodes? Then I would only get the "detached type signature" string from XMLBlackbox and put it to SOAP?

XMLBlackbox doesn't have special classes for a SOAP envelope.
For example, if you have an XML document that you want placed in a SOAP envelope, you will need to create a new document; create the Envelope, Header, Body and Security elements using the ElXMLDOMDocument.CreateElementNS and ElXMLDOMNode.AppendChild methods; copy your XML document's nodes into the new document using the ElXMLDOMNode.CloneNode method; and then create an XML digital signature using the enveloped signature type. If you create a detached signature for your XML document and then copy it as a child of the Security element, you can make it invalid, as canonicalization depends on the namespaces of the parent elements (however, you can use inclusive canonicalization).
For example:
Code
{ Assumed declarations for this fragment (not shown in the original):
  NewDocument, YourDocument: TElXMLDOMDocument;
  HeaderElement, BodyElement, SecurityElement: TElXMLDOMElement;
  SigNode: TElXMLDOMNode;  Signer: TElXMLSigner;
  Refs: TElXMLReferenceList;  Ref: TElXMLReference;
  X509KeyData: TElXMLKeyInfoX509Data (your certificate and private key) }

// SOAP 1.1 envelope: Envelope, Header and Body, all in the SOAP envelope namespace
NewDocument.AppendChild(NewDocument.CreateElementNS('http://schemas.xmlsoap.org/soap/envelope/', 'Envelope'));
HeaderElement := NewDocument.CreateElementNS('http://schemas.xmlsoap.org/soap/envelope/', 'Header');
NewDocument.DocumentElement.AppendChild(HeaderElement);
BodyElement := NewDocument.CreateElementNS('http://schemas.xmlsoap.org/soap/envelope/', 'Body');
NewDocument.DocumentElement.AppendChild(BodyElement);
// deep-clone the payload into the new document under Body and give Body an Id to reference
BodyElement.AppendChild(YourDocument.DocumentElement.CloneNode(true, NewDocument));
BodyElement.AttribStrings['Id'] := 'Body';
// WS-Security header element that will receive the Signature
SecurityElement := NewDocument.CreateElementNS('http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd', 'Security');
HeaderElement.AppendChild(SecurityElement);

// filling signature: enveloped signature with a single reference to #Body
Signer.SignatureType := xstEnveloped;
Signer.SignatureMethodType := xmtSig;
Signer.SignatureMethod := xsmRSA_SHA1;
Signer.IncludeKey := True;            // emit a KeyInfo element with the signing key
Signer.References := Refs;
Ref := TElXMLReference.Create;
Ref.DigestMethod := xdmSHA1;
Ref.URINode := BodyElement;           // the node the digest is computed over
Ref.URI := '#Body';                   // matches the Id attribute set above
Signer.References.Add(Ref);

Signer.KeyData := X509KeyData; // your key

Signer.UpdateReferencesDigest;        // compute DigestValue for every reference

// the Signature element is written as a child of the node passed to Save (wsse:Security)
SigNode := SecurityElement;
Signer.Save(SigNode);


Quote
By the way, the Signer example in general would be much easier to understand if there were a few XML sample files before and after doing different XMLBlackbox signings and other tricks for them.

Thank you for the suggestion.
#15131
Posted: 11/25/2010 13:45:15
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

Quote
Dmytro Bogatskyy wrote:
Please, don't post your new questions as replies to other people posts.
Sorry, I was just trying to be kind of polite: not to start a whole new SOAP thread, but to continue an existing short thread.
Quote
If you would create a detached signature for your xml document and then copy it as a child of a Security element you can make it invalid, as canonicalization depends on of namespaces of the parent elements (however you can use inclusive canonicalization).
Errr... I hope this does not bring up a chance that the created signature could possibly fail anyway? I have to ask while SOAP and all the signings etc. in there are still a big mystery to me. Every part and version etc. in there is so fragile.

Does this line in your code refer to that canonicalization part,
Code
Signer.IncludeKey
and everything will be handled with that?

Or does canonicalization have something to do with TElXMLCanonicalizationMethod in the SaveToStream function?

Currently I can get your sample to work, and I can see that it does create that whole SOAP header I asked about earlier. Then the sample halts with the error message "Your SecureBlackBox licence key doesn't enable the requested functionality" on this line:
Code
Signer.Save(SigNode);

That probably is because of my XMLBlackbox trial version? Now I can at least see that I am able to get something done with XMLBlackbox.

But will this then bring a solution to these damn two-phase signed XML and SOAP problems anyway? When I have got to that point, could it be some kind of indication of success already?
Now just to buy the licensed version, get Signer.Save alive, and maybe I could get over this slippery soap?
Thanks for the sample,
SP
#15132
Posted: 11/25/2010 18:28:33
by Dmytro Bogatskyy (EldoS Corp.)

Quote

Errr..I hope this does not bring up a chance that the created signature possibly could fail anyway? I have to ask while SOAP and all signings etc in there are still a big mystery to me. Every part and version etc. in there is so fragile.

If you create a detached signature in terms of the XML-DSig standard, the XML document will contain the Signature element as the document element. Like this:
Code
<ds:Signature xmlns:ds="...">
  <ds:SignedInfo>...</ds:SignedInfo>
  ...
</ds:Signature>


So, if you then copy the Signature element as a child of the Security element, like this:
Code
<soapenv:Envelope xmlns:soapenv="...">
  <wsse:Security xmlns:wsse="...">
    <ds:Signature xmlns:ds="...">
     <ds:SignedInfo>...</ds:SignedInfo>
      ...
    </ds:Signature>
  </wsse:Security>
  ...
</soapenv:Envelope>

Then it will break the existing signature for standard canonicalization, as the SignedInfo element will now be canonicalized as:
Code
<ds:SignedInfo xmlns:ds="..." xmlns:soapenv="..." xmlns:wsse="...">...</ds:SignedInfo>
// parent namespaces included

On signing, after canonicalization it was:
Code
<ds:SignedInfo xmlns:ds="...">...</ds:SignedInfo>


That's why I pointed this out. But it is possible that in terms of SOAP a detached signature means that an Envelope element is created with all the necessary information in a separate XML document. Then the code above that I wrote should be OK.

Quote

Does this line in your code refer to that canonicalization part, Code
Signer.IncludeKey

No. Canonicalization for the SignedInfo element is set using the Signer.CanonicalizationMethod property.
IncludeKey controls whether the signing key should be included in the signature (KeyInfo element). See: http://www.eldos.com/documentation/sb...dekey.html

Quote
Currently I can get your sample to work, and I can see that does create that whole SOAP header I asked earlier. Then the sample halts with error message Your SecureBlackBox licence key doesn't enable the requested functionality on this line:

Are you using a trial key from a sample, or another license key (for a specific package)?
You can request the time-limited key, which removes time delays and the nag screen, using the web form on http://www.eldos.com/sbbdev/keyreq/
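The namespace effect Dmytro describes above (first in #15116, then with the two SignedInfo forms in #15132), as an added example that is not part of the original thread and is not SecureBlackbox code. It is Python using only the stdlib xml.dom.minidom plus a deliberately reduced canonicalizer written for this page (elements, attributes, text and namespace declarations; no comments, processing instructions or xml:* attribute inheritance). The Signature and Envelope documents are constructed, with placeholder digest and signature values. Inclusive C14N 1.0 renders every in-scope namespace on the apex element, so the soapenv and wsse declarations inherited from the new parents appear on SignedInfo and the signed bytes change; Exclusive XML Canonicalization (xml-exc-c14n#) renders only the namespaces an element actually uses, so the same SignedInfo canonicalizes identically in both positions, which is why WS-Security signatures specify it.

```python
"""Inclusive vs exclusive canonicalization of ds:SignedInfo after the Signature
is copied under wsse:Security.  Added example, not EldoS code: a reduced
canonicalizer (elements, attributes, text, namespace declarations only)."""
from xml.dom import minidom

DS = "http://www.w3.org/2000/09/xmldsig#"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

def _escape_text(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\r", "&#xD;")

def _escape_attr(s):
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
            .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))

def _declared(elem):
    """Namespace declarations written on elem itself: prefix -> URI ('' = default ns)."""
    decl = {}
    for name, value in elem.attributes.items():
        if name == "xmlns":
            decl[""] = value
        elif name.startswith("xmlns:"):
            decl[name[6:]] = value
    return decl

def _in_scope(elem):
    """All namespaces in scope at elem, inherited from the document root down."""
    chain, node = [], elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for e in reversed(chain):
        scope.update(_declared(e))
    return scope

def _visibly_utilized(elem):
    """Prefixes used by the element name or by its ordinary (non-xmlns) attributes."""
    prefixes = {elem.prefix or ""}
    for name, _ in elem.attributes.items():
        if ":" in name and not name.startswith("xmlns:"):
            prefixes.add(name.split(":", 1)[0])
    return prefixes

def canonicalize(elem, exclusive, _rendered=None):
    """Canonical form (str) of the subtree at elem.  exclusive=False follows C14N
    1.0: the apex emits every in-scope namespace, so soapenv/wsse declarations
    inherited from the Envelope land on SignedInfo.  exclusive=True follows
    exc-c14n: only visibly utilized namespaces not already rendered by an
    ancestor inside the subtree are emitted, so the parent context stays out."""
    rendered = _rendered or {}
    scope = _in_scope(elem)
    wanted = ({p: scope[p] for p in _visibly_utilized(elem) if p in scope}
              if exclusive else scope)
    ns_out = {p: u for p, u in wanted.items() if rendered.get(p) != u}
    out = ["<", elem.tagName]
    for p in sorted(ns_out):                       # default ns first, then by prefix
        out.append(' xmlns%s="%s"' % (":" + p if p else "", _escape_attr(ns_out[p])))
    attrs = [(n, v) for n, v in elem.attributes.items()
             if n != "xmlns" and not n.startswith("xmlns:")]
    def attr_key(item):                            # unprefixed first, then (URI, local)
        name = item[0]
        if ":" in name:
            prefix, local = name.split(":", 1)
            return (scope.get(prefix, ""), local)
        return ("", name)
    for n, v in sorted(attrs, key=attr_key):
        out.append(' %s="%s"' % (n, _escape_attr(v)))
    out.append(">")                                # empty elements become <a></a> in C14N
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out.append(canonicalize(child, exclusive, {**rendered, **ns_out}))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_escape_text(child.data))
    out.append("</%s>" % elem.tagName)
    return "".join(out)

def signed_info_c14n(document_xml, exclusive):
    """Canonical bytes of the ds:SignedInfo inside document_xml (the bytes that get signed)."""
    doc = minidom.parseString(document_xml)
    return canonicalize(doc.getElementsByTagNameNS(DS, "SignedInfo")[0], exclusive).encode("utf-8")

# Constructed detached signature; DigestValue and SignatureValue are placeholders.
STANDALONE = (
    '<ds:Signature xmlns:ds="' + DS + '"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue></ds:Reference>'
    '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
)

# The same Signature copied as a child of wsse:Security inside a SOAP Envelope.
ENVELOPED = (
    '<soapenv:Envelope xmlns:soapenv="' + SOAPENV + '"><soapenv:Header>'
    '<wsse:Security xmlns:wsse="' + WSSE + '">' + STANDALONE + '</wsse:Security>'
    '</soapenv:Header><soapenv:Body Id="Body"/></soapenv:Envelope>'
)
```

signed_info_c14n(STANDALONE, False) and signed_info_c14n(ENVELOPED, False) differ exactly in the extra xmlns:soapenv and xmlns:wsse declarations on the SignedInfo start tag, so a signature over the first will not verify against the second; with exclusive=True both produce the same bytes as the standalone inclusive form. The same reasoning applies to the Body reference: a Transform of xml-exc-c14n# keeps the Body digest independent of whatever ancestors the Body ends up under.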
#15272
Posted: 12/11/2010 09:36:35
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

I am still fighting with this detached-type SOAP signing. Now I ought to create output like this:

Code
<ds:Signature Id="Signature-6435309" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
  <ds:KeyInfo Id="KeyId-12319308">
    <wsse:SecurityTokenReference wsu:Id="STRId-19776029" ...>
    <wsse:Reference URI="#CertId-9502902" ValueType="http://...>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>
I cannot seem to find any means of adding those two wsse elements inside the KeyInfo element.

The SecurityTokenReference token has something to do with OASIS SOAP security aspects. http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

The word "Oasis" seems not to appear anywhere on the SBB site or in the documents. Yet I am still in good hope that in this particular case there is no big magic involved in that, and I probably could get over this problem with XmlBlackbox, if I just find a proper way to write those two nodes in.

Thanks.
SP