'add namespace to the SignedInfo node when signing an XML document
I am signing an XML document and everything works correctly, but they are rejecting the document because they tell me that the SignedInfo node does not contain namespaces as attributes this is the XML with the SignedInfo node that I am getting
<?xml version="1.0" encoding="UTF-8"?>
<Cancelacion xmlns="http://cancelacfd.sat.gob.mx" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Fecha="2018-10-23T17:35:34" RfcEmisor="UFR9909228Z9">
<Folios>
<UUID>6A060FA2-CB85-4AEA-A75A-278FFE50B090</UUID>
</Folios>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo >
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>nPQPle8XKLA88xuGNMsdWzTqFeE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gcqzyUnesstrdS96ch8+kbdt8W9k9N0krvMCe/zBPObAtEucd3Ry8trO39uMGhzHj3Vx4nZPmuazhrkVaEJ+0pcnl52WERSstszDGhTjXNDZHgZPLjCKyDxwdH4u3G1b8hHkD7LOlCfcdDveEFc0ChH473+pZE+YE6UMGOwi7KlozYTosKrMbg8QEZ7bB1J4tg8REg2Q0G2yY06MnpxvXlyZN4I1tStzUEE0VntszVq6z3mqRQsOGKbw6BKxeuLaXwl3u5QiDJMRiZXD2KLSbr7BitUXcnZofWHek9GhPmzClK9v8fpdlOI8pomYFHjcAqSniZlTH+iBb3xMdlWPsA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>OID.1.2.840.113549.1.9.2=Responsable: Administración Central de Servicios Tributarios al Contribuyente, OID.2.5.4.45=SAT970701NN3, L=Cuauhtémoc, ST=Distrito Federal, C=MX, OID.2.5.4.17=06300, STREET="Av. Hidalgo 77, Col. Guerrero", [email protected], OU=Administración de Seguridad de la Información, O=Servicio de Administración Tributaria, CN=A.C. del Servicio de Administración Tributaria</X509IssuerName>
<X509SerialNumber>275106190557734483187066766810932856999912748337</X509SerialNumber>
</X509IssuerSerial>
<X509Certificate>MIIGRjCCBC6gAwIBAgIUMDAwMDEwMDAwMDA0MDIxMzkxNTEwDQYJKoZIhvcNAQELBQAwggGyMTgwNgYDVQQDDC9BLkMuIGRlbCBTZXJ2aWNpbyBkZSBBZG1pbmlzdHJhY2nDs24gVHJpYnV0YXJpYTEvMC0GA1UECgwmU2VydmljaW8gZGUgQWRtaW5pc3RyYWNpw7NuIFRyaWJ1dGFyaWExODA2BgNVBAsML0FkbWluaXN0cmFjacOzbiBkZSBTZWd1cmlkYWQgZGUgbGEgSW5mb3JtYWNpw7NuMR8wHQYJKoZIhvcNAQkBFhBhY29kc0BzYXQuZ29iLm14MSYwJAYDVQQJDB1Bdi4gSGlkYWxnbyA3NywgQ29sLiBHdWVycmVybzEOMAwGA1UEEQwFMDYzMDAxCzAJBgNVBAYTAk1YMRkwFwYDVQQIDBBEaXN0cml0byBGZWRlcmFsMRQwEgYDVQQHDAtDdWF1aHTDqW1vYzEVMBMGA1UELRMMU0FUOTcwNzAxTk4zMV0wWwYJKoZIhvcNAQkCDE5SZXNwb25zYWJsZTogQWRtaW5pc3RyYWNpw7NuIENlbnRyYWwgZGUgU2VydmljaW9zIFRyaWJ1dGFyaW9zIGFsIENvbnRyaWJ1eWVudGUwHhcNMTYwNDIwMTUyMjQzWhcNMjAwNDIwMTUyMjQzWjCB5jEoMCYGA1UEAxMfVU5JVkVSU08gREUgRlJBR0FOQ0lBUyBTQSBERSBDVjEoMCYGA1UEKRMfVU5JVkVSU08gREUgRlJBR0FOQ0lBUyBTQSBERSBDVjEoMCYGA1UEChMfVU5JVkVSU08gREUgRlJBR0FOQ0lBUyBTQSBERSBDVjElMCMGA1UELRMcVUZSOTkwOTIyOFo5IC8gWUFQRTU0MDcxMlRMMDEeMBwGA1UEBRMVIC8gWUFQRTU0MDcxMk1ORUJSTTAzMR8wHQYDVQQLExZVTklWRVJTTyBERSBGUkFHQU5DSUFTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiTNpJ1jftQoWSnVS028DCny3uQyQqaLAm0cPHrM2plnAPHA+7LYBoig3+RyObjM0AM+CKJepqyJm03VsuwrrHVeFQox7P5A513124o+qWqeQFcftV31iHzzhloZoF4U8RSvt4yOc8W/RGsRQUdVN0h5Nd+bN4IOdY1vT6mQW7LoPPwuQGXwGtrqpwaHVvO//wimEjca0t9VYf5MrP21+P5iKLoxXxyKS2rsZMgyG1QBsW/Rr2IpwPtNsUfqb8atv8APeqsFPTHgsm31n+xiP+0P1s7dbSiboYW04ny9MzkeJSAz/4bpVrfPUrRoRTVXTJYb3mpsNy8LJcN//DvpmTQIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIGwDANBgkqhkiG9w0BAQsFAAOCAgEAJszSReWEYl/g97nMfbuBSG47yrX1QB+ddLm1s8NmxLvQYeI8jf+9AzJovJyMA3epc2CoJtmS88/9QVGqfpdSO27YG22N6tI51U70Nc7He3jk/dfXB5w0E/fu/9x4O26a4Nrbie0XWZj/XiWaOxBY+HmrKiaJnNdHtm7uCHtw1coRpYkOP/3mryIhMs+vEFGleGNnt1//SZ3iM125TmJO6lCCxjukfJBbwVSOhk8/TGOyBdBcSbBVht2axv1sHGDZ73SYj66tV3Nv1NSaMLLI368+6cYNpwWpWacGghGJfAV5G63jp1nXtwJAWnxwvlrBt0I8OMJz+uLOeeABI7M14a3sap02FKqdTV6hIQfzCBjn07o3qUO+DUhy3fZRRHribKcp5/p+vBn+6xyik0JBoowayLa2ZYI+7cgVu5SIWwj0S5R6SAUwrvKZHRIP7g2CYWLlgMVrOCilSNer+MK4VrGYPlplitJFW/bQJdzAIzfrPWCZroeDPC/362shOSJVIic0wEaeZaTDHnCl8UG2Z6Y3XkyKWu8ddKx4Nn/5o7Kn0o0g0xg7j1T03asbzOpyE0IkpIcS+Fd6t8eQXBMLGEBgZdG19BaDViQ3exuCd3Z1PziMlavzmphRwEsOmfvzi/4xkgjVBnxcZL/PmqGQpYK04o4VeEVsPPRMMxLsqmo=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</Cancelacion>
the example document that they provide me is the following
<?xml version="1.0" encoding="utf-8"?>
<Cancelacion xmlns="http://cancelacfd.sat.gob.mx" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Fecha="2017-06-28T18:49:15" RfcEmisor="XXXXXXXXXXXX">
<Folios>
<UUID>037A26FB-XXXX-4865-XXXX-4FCA9A051B38</UUID>
</Folios>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>uj49AdMRF4BGqGU/XVuE8eFn68w=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>m8I4zYXuHGV6H5Rw4qUSQXZk29jShpu1wn+0WBeFbwNDwMLBGedF/dfxQp6UrNeQIcmANAXH6OHeR52zBf6ymUo9fph6NCZzOlWYDyCUuhfprxq4A93XHHIOfbDbIeINGGFwyiCD/hsK5SRmy6xnPDjamPVao4y9DDK1XkeXylHPVUyrmFNiGTSpNr1M7EDTZNNZQktXduBoVTQaXTMGfoK3jksJc0awjiOrYLZrW8NNVeF97lqAWpQjQe4EM4jfGM8s9FF10mFU8i7GfWK8JSr5PZKCZDEl1n7zjH9JtgTVntZ41aJi+Y4iFCRggbACoPJjN+uixGSnHYVqKPNV+A==</SignatureValue>
<KeyInfo>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>C
</X509IssuerName>
<X509SerialNumber>286524172099382162235533054548081509963387843123</X509SerialNumber>
</X509IssuerSerial>
<X509Certificate>MIIF4jCCA8qgAwIBAgIUMjAwMDEwMDAwMDAzMDAwMjIzMjMwDQYJKoZIhvcNAQELBQAwggFmMSAwHgYDVQQDDBdBLkMuIDIgZGUgcHJ1ZWJhcyg0MDk2KTEvMC0GA1UECgwmU2VydmljaW8gZGUgQWRtaW5pc3RyYWNpw7NuIFRyaWJ1dGFyaWExODA2BgNVBAsML0FkbWluaXN0cmFjacOzbiBkZSBTZWd1cmlkYWQgZGUgbGEgSW5mb3JtYWNpw7NuMSkwJwYJKoZIhvcNAQkBFhphc2lzbmV0QHBydWViYXMuc2F0LmdvYi5teDEmMCQGA1UECQwdQXYuIEhpZGFsZ28gNzcsIENvbC4gR3VlcnJlcm8xDjAMBgNVBBEMBTA2MzAwMQswCQYDVQQGEwJNWDEZMBcGA1UECAwQRGlzdHJpdG8gRmVkZXJhbDESMBAGA1UEBwwJQ295b2Fjw6FuMRUwEwYDVQQtEwxTQVQ5NzA3MDFOTjMxITAfBgkqhkiG9w0BCQIMElJlc3BvbnNhYmxlOiBBQ0RNQTAeFw0xNjA3MjkyMzE1MzJaFw0yMDA3MjkyMzE1MzJaMIHOMSIwIAYDVQQDExlBWlVMIFNJTiBMSU1JVEVTIFNBIERFIENWMSIwIAYDVQQpExlBWlVMIFNJTiBMSU1JVEVTIFNBIERFIENWMSIwIAYDVQQKExlBWlVMIFNJTiBMSU1JVEVTIFNBIERFIENWMSUwIwYDVQQtExxEQUwwNTA2MDFMMzUgLyBGVUFCNzcwMTE3QlhBMR4wHAYDVQQFExUgLyBGVUFCNzcwMTE3TURGUk5OMDkxGTAXBgNVBAsUEFBBQyBDRkRJX1BSVUVCQVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuhhm16MtcFTmOaqVJiK4rb4Dyt+wTV23JCo5UcVmvUJnJlSaNWau7dbW4PQaBsxLLu2HDVCJ+X0GxsWo3Z+kJ/28yEu6k+WNGyYBFZy0APNzXkEH7fAKNKiInJ7gGyyWHHzeurUfP7XyTI9JOQoM+xXDxJu2LkIU/T8vaaXRlWzVQiMIT2Rx4CsZ5/lqsTZmvOq/QuDZo0KHj1jN66KC3AATF2Aq+Xnlswrkhtd7zt4fh/3wVS9NEYxeDtHtctwQTUeHwl7Ji3VA7qD/pPZ48Sb6QAun6HZTx4zX8s3t4j5yz/30t3mBsAX/CqbON5rhQs8nGVyRNjswVCM2Y7ILvAgMBAAGjHTAbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgbAMA0GCSqGSIb3DQEBCwUAA4ICAQADLbB3nGXh5g+vqDiuMtzay7MtOrquzr7S+tZbi0SleNx5yjnqBvZB+iQg4V67hsQG/SfOFuFW0of1tYSTztXQCJKcTqZgAsvX6JaPf3hcVfxgY1KMZYsP8siFkpL8RY0oBcEFKoOWpFH08xRO+mADl1xJV7t8E20+ytPvixK5vJqgoeN2gKYihsde7DD8imEU3M3IWbLqdqF9B1zZDFHcVyY86Db7D/HeTMF5RgC5waYLNk+ymD1z65M0SaRYTMUKbfiZq7SZ0gSILzuZd0jXdatT3lpoV+79VPmdlSnc/wZzArohoW07CkvpXM+reWdIDRSOGJU5AxlH+dO18z8dbTFvKJlHn4JEJwV3VP61gvn5bGpgf2njkM1TmJTibNOJHMq6bTnrKKhCXg9aetA78OgJeIzDtqTEhSNayMZL3ELRIJkuEOn+R3vu/3au0NpXz2RuOY2W8/7RAsR2seN6W+KAd2G3PscgtHMHURi8394CxlkJ4tThfq+NEVTwowmoSRMN4wsOeCQOize2Cj/nSyX3s++XcQ2pF41HJ2F8Ici4VBZBjpp7kvMdRpLvezpxXkIaYH8nr4Qqy6I4Hn2//xHlQGd3FrQ+8e4NYjCPF9y9ulIrmrLSmy4UCt/igZgg6nbvK2XiyIGegLDXJzpBHcfMGga4HtCGmWmpDh+HJg==</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</Cancelacion>
The difference they mention to me is:
bad node: <SignedInfo>
expected node (with namespaces): <SignedInfo xmlns = "http://www.w3.org/2000/09/xmldsig#" xmlns: xsd = "http://www.w3.org/2001/XMLSchema" xmlns: xsi = "http: // www.w3.org/2001/XMLSchema-instance ">
My signature procces:
private String sign(String xml, KeyStore.PrivateKeyEntry privateKeyEntry) {
String xmlCancelacion = null;
try {
Init.init();
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
// Create a Reference to an external URI that will be digested
// using the SHA1 digest algorithm
Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),
Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
null, null);
// Create the SignedInfo
SignedInfo si = fac.newSignedInfo(
fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
Collections.singletonList(ref));
X509Certificate cert = (X509Certificate) privateKeyEntry.getCertificate();
KeyInfoFactory kif = fac.getKeyInfoFactory();
X509IssuerSerial issuerSerial = kif.newX509IssuerSerial(cert.getIssuerDN().getName(), cert.getSerialNumber());
List<Object> x509DataContent = new ArrayList<>();
// if (ambiente().equalsIgnoreCase("P")) {
x509DataContent.add(issuerSerial);
//}
x509DataContent.add(cert);
X509Data x509data = kif.newX509Data(x509DataContent);
KeyValue keyValue = kif.newKeyValue(cert.getPublicKey());
List<Object> keyInfoContent = new ArrayList<>();
keyInfoContent.add(x509data);
//keyInfoContent.add(keyValue);
KeyInfo ki = kif.newKeyInfo(keyInfoContent);
// Create the XMLSignature (but don't sign it yet)
XMLSignature signature = fac.newXMLSignature(si, ki);
// Create the Document that will hold the resulting XMLSignature
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true); // must be set
org.w3c.dom.Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
DOMSignContext signContext = new DOMSignContext(privateKeyEntry.getPrivateKey(), doc.getDocumentElement());
signContext.setNextSibling(doc.getDocumentElement().getNextSibling());
signature.sign(signContext);
signature.getSignatureValue();
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
transformer.setOutputProperty(OutputKeys.METHOD, "xml");
StringWriter writer = new StringWriter();
transformer.transform(new DOMSource(doc), new StreamResult(writer));
xmlCancelacion = writer.getBuffer().toString().replaceAll("\n|\r", "");
} catch (ParserConfigurationException | SAXException | IOException | KeyException | NoSuchAlgorithmException | InvalidAlgorithmParameterException | MarshalException | XMLSignatureException ex) {
Logger.getLogger(TimbradoCFDICarvajal33.class.getName()).log(Level.SEVERE, null, ex);
} catch (TransformerConfigurationException ex) {
Logger.getLogger(TimbradoCFDICarvajal33.class.getName()).log(Level.SEVERE, null, ex);
} catch (TransformerException ex) {
Logger.getLogger(TimbradoCFDICarvajal33.class.getName()).log(Level.SEVERE, null, ex);
}
return xmlCancelacion;
}
in which part of the process I could add the code to show the namespaces as requested, because if I add them after the signature does not validate the signature correctly
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|