[CAP] OK, so let's just try dive in
matt hoffman
matthoffman at acm.org
Thu Mar 12 22:15:23 PDT 2009
I gave this a shot against the Sun Java digital signature API (which, for
all I know, could be directly derived from Apache's, I haven't looked into
the code). Oddly, it failed against the CAP message pasted below, but that
is probably because of something lost in the copy-and-paste. Locally, I can
sign a file using one toolkit and verify it in the other. I've uploaded
the signed CAP documents I came up with here:
http://www.mhoffman.org/capsignaturetest
I'm happy to upload my sample code as well, if anyone's curious.
Art, if you want to send me your signed XML file directly, as an attachment,
I can try it that way.
Obviously, an alternate language would be a better test than just a
different Java toolkit, but it's an interesting exercise.
On Thu, Mar 12, 2009 at 8:37 PM, Art Botterell <acb at incident.com> wrote:
> So... playing with the Apache XML Security API for Java, version 1.4.2 in
> Eclipse. Here's a public key:
>
> Sun DSA Public Key
> Parameters:
> p:
> fca682ce 8e12caba 26efccf7 110e526d b078b05e decbcd1e b4a208f3 ae1617ae
> 01f35b91 a47e6df6 3413c5e1 2ed0899b cd132acd 50d99151 bdc43ee7 37592e17
> q:
> 962eddcc 369cba8e bb260ee6 b6a126d9 346e38c5
> g:
> 678471b2 7a9cf44e e91a49c5 147db1a9 aaf244f0 5a434d64 86931d2d 14271b9e
> 35030b71 fd73da17 9069b32e 2935630e 1c206235 4d0da20a 6c416e50 be794ca4
>
> y:
> 073e9026 471560e1 f34a4527 5b27d8e5 48f5e3f8 a852f61a 3c7274a1 9d1a218c
> 02329e43 01e1a15d 23be11d2 ae54f7d1 62bc8176 80668112 8f1cd71d 09396483
>
>
> And here's a CAP message signed using one of the sample classes:
>
> <?xml version="1.0" encoding="UTF-8"?><alert
> xmlns="urn:oasis:names:tc:emergency:cap:1.1">
> <identifier>1236815505687</identifier>
> <sender>Unknown</sender>
> <sent>2009-03-11T16:51:45-07:00</sent>
> <status>Test</status>
> <msgType>Alert</msgType>
> <scope>Public</scope>
> <info>
> <event>Undefined event</event>
> <urgency>Unknown</urgency>
> <severity>Unknown</severity>
> <certainty>Unknown</certainty>
> <resource>
> <resourceDesc>Undefined resource</resourceDesc>
> </resource>
> <area>
> <areaDesc>Undefined area</areaDesc>
> <polygon>42,-124.2102 42,-120 39,-120 35.0,-114.6328 34.35,-114.1
> 33.108,-114.6259 33.0,-114.4 32.71,-114.4 32.7151,-114.7197
> 32.5338,-117.1247 34.28,-120.4418 38.9383,-123.817 40.4533,-124.4522
> 42,-124.2102</polygon>
> <geocode>
> <valueName>foo</valueName>
> <value>bar</value>
> </geocode>
> <geocode>
> <valueName>bas</valueName>
> <value>bah</value>
> </geocode>
> </area>
> </info>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/><Reference
> URI=""><Transforms><Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1
> "/><DigestValue>jwJbxDfLh5+qPxH6LlrUgQkH56g=</DigestValue></Reference></SignedInfo><SignatureValue>GGqZbJ9BLUpEGNgtKujcQmtrPENqwmZP/JStWuCfyRhgnCvJAfySIA==</SignatureValue><KeyInfo><KeyValue><DSAKeyValue><P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9
>
> xD7nN1kuFw==</P><Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q><G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0Nogps
>
> QW5QvnlMpA==</G><Y>Bz6QJkcVYOHzSkUnWyfY5Uj14/ioUvYaPHJ0oZ0aIYwCMp5DAeGhXSO+EdKuVPfRYryBdoBmgRKP
> HNcdCTlkgw==</Y></DSAKeyValue></KeyValue></KeyInfo></Signature></alert>
>
>
> Can anyone make that verify? Or if that's a really dumb first try, what
> would make a good simple demonstration?
>
> - Art
>
> _______________________________________________
> This list is for public discussion of the Common Alerting Protocol. This
> list is NOT part of the formal record of the OASIS Emergency Management TC.
> Comments for the OASIS record should be posted using the form at
> http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=emergency
> CAP-list mailing list
> CAP-list at lists.incident.com
> http://lists.incident.com/mailman/listinfo/cap-list
>
> This list is not for announcements, advertising or advocacy of any
> particular program or product other than the CAP itself.
>
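An added example, not code from the thread or from either toolkit: a Python check for the mail line-wrapping damage visible in the quoted message, where the `Algorithm` attribute values are split across lines while the base64 values are merely wrapped. The sample document and its digest and signature values are constructed placeholders, and `transport_damage` is a hypothetical helper name.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Decoded sizes implied by the algorithms in the quoted message:
# SHA-1 digest = 20 bytes, DSA signature (r || s) = 40 bytes.
EXPECTED_LEN = {"DigestValue": 20, "SignatureValue": 40}


def transport_damage(xml_text):
    """List problems in a pasted XML-DSig document that stop it verifying."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if not el.tag.startswith("{" + DS + "}"):
            continue
        name = el.tag.split("}", 1)[1]
        alg = el.get("Algorithm")
        # Algorithm values are compared as exact URIs and are also part of
        # the signed SignedInfo bytes, so a wrapped value breaks both.
        if alg is not None and any(c.isspace() for c in alg):
            findings.append(f"{name}: whitespace in Algorithm {alg!r}")
        if name in EXPECTED_LEN:
            # Line breaks inside base64 are legal, so strip them first.
            raw = base64.b64decode("".join((el.text or "").split()))
            if len(raw) != EXPECTED_LEN[name]:
                findings.append(f"{name}: {len(raw)} bytes, expected {EXPECTED_LEN[name]}")
    return findings


# Constructed sample (placeholder digest and signature, not the values from the thread).
DIGEST = base64.b64encode(bytes(20)).decode()
SIGVAL = base64.b64encode(bytes(40)).decode()
INTACT = (
    f'<alert xmlns="urn:oasis:names:tc:emergency:cap:1.1"><Signature xmlns="{DS}"><SignedInfo>'
    f'<SignatureMethod Algorithm="{DS}dsa-sha1"/><Reference URI=""><Transforms>'
    f'<Transform Algorithm="{DS}enveloped-signature"/></Transforms>'
    f'<DigestMethod Algorithm="{DS}sha1"/><DigestValue>{DIGEST}</DigestValue>'
    f'</Reference></SignedInfo><SignatureValue>{SIGVAL}</SignatureValue></Signature></alert>'
)
# Simulate a mail client wrapping long lines, as in the quoted message.
WRAPPED = (INTACT
           .replace(f'Algorithm="{DS}enveloped', f'Algorithm="\n{DS}enveloped')
           .replace(f'{DS}sha1"', f'{DS}sha1\n"')
           .replace(SIGVAL, SIGVAL[:20] + "\n" + SIGVAL[20:]))

if __name__ == "__main__":
    for label, doc in (("intact", INTACT), ("wrapped", WRAPPED)):
        print(label, transport_damage(doc) or "no transport damage found")
```

A clean result only rules out these two kinds of damage; re-wrapped text inside signed elements such as `<polygon>` also changes the digest and can only be detected against the original file.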