SANTUARIO-510 - Adding JSR-105 support.
git-svn-id: https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk@1875459 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRSAPSSSignatureMethod.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRSAPSSSignatureMethod.java
new file mode 100644
index 0000000..7764621
--- /dev/null
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMRSAPSSSignatureMethod.java
@@ -0,0 +1,312 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ */
+package org.apache.jcp.xml.dsig.internal.dom;
+
+import javax.xml.crypto.*;
+import javax.xml.crypto.dsig.*;
+import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
+
+import java.io.IOException;
+import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
+
+import org.w3c.dom.DOMException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Text;
+import org.apache.jcp.xml.dsig.internal.SignerOutputStream;
+import org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.SignatureRSASSAPSS.DigestAlgorithm;
+import org.apache.xml.security.utils.Constants;
+import org.apache.xml.security.utils.XMLUtils;
+
+/**
+ * DOM-based abstract implementation of SignatureMethod for RSA-PSS.
+ *
+ */
+public abstract class DOMRSAPSSSignatureMethod extends AbstractDOMSignatureMethod {
+
+ private static final String DOM_SIGNATURE_PROVIDER = "org.jcp.xml.dsig.internal.dom.SignatureProvider";
+
+ private static final org.slf4j.Logger LOG =
+ org.slf4j.LoggerFactory.getLogger(DOMRSAPSSSignatureMethod.class);
+
+ private final SignatureMethodParameterSpec params;
+ private Signature signature;
+
+ // see RFC 6931 for these algorithm definitions
+ static final String RSA_PSS =
+ "http://www.w3.org/2007/05/xmldsig-more#rsa-pss";
+
+ private int trailerField = 1;
+ private int saltLength = 32;
+ private String digestName = "SHA-256";
+
+ /**
+ * Creates a <code>DOMSignatureMethod</code>.
+ *
+ * @param params the algorithm-specific params (may be <code>null</code>)
+ * @throws InvalidAlgorithmParameterException if the parameters are not
+ * appropriate for this signature method
+ */
+ DOMRSAPSSSignatureMethod(AlgorithmParameterSpec params)
+ throws InvalidAlgorithmParameterException
+ {
+ if (params != null &&
+ !(params instanceof SignatureMethodParameterSpec)) {
+ throw new InvalidAlgorithmParameterException
+ ("params must be of type SignatureMethodParameterSpec");
+ }
+ if (params == null) {
+ params = getDefaultParameterSpec();
+ }
+ checkParams((SignatureMethodParameterSpec)params);
+ this.params = (SignatureMethodParameterSpec)params;
+ }
+
+ /**
+ * Creates a <code>DOMSignatureMethod</code> from an element. This ctor
+ * invokes the {@link #unmarshalParams unmarshalParams} method to
+ * unmarshal any algorithm-specific input parameters.
+ *
+ * @param smElem a SignatureMethod element
+ */
+ DOMRSAPSSSignatureMethod(Element smElem) throws MarshalException {
+ Element paramsElem = DOMUtils.getFirstChildElement(smElem);
+ if (paramsElem != null) {
+ params = unmarshalParams(paramsElem);
+ } else {
+ params = getDefaultParameterSpec();
+ }
+ try {
+ checkParams(params);
+ } catch (InvalidAlgorithmParameterException iape) {
+ throw new MarshalException(iape);
+ }
+ }
+
+ @Override
+ void checkParams(SignatureMethodParameterSpec params)
+ throws InvalidAlgorithmParameterException
+ {
+ if (params != null) {
+ if (!(params instanceof RSAPSSParameterSpec)) {
+ throw new InvalidAlgorithmParameterException
+ ("params must be of type RSAPSSParameterSpec");
+ }
+
+ if (((RSAPSSParameterSpec)params).getTrailerField() > 0) {
+ trailerField = ((RSAPSSParameterSpec)params).getTrailerField();
+ LOG.debug("Setting trailerField from RSAPSSParameterSpec to: {}", trailerField);
+ }
+ if (((RSAPSSParameterSpec)params).getSaltLength() > 0) {
+ saltLength = ((RSAPSSParameterSpec)params).getSaltLength();
+ LOG.debug("Setting saltLength from RSAPSSParameterSpec to: {}", saltLength);
+ }
+ if (((RSAPSSParameterSpec)params).getDigestName() != null) {
+ digestName = ((RSAPSSParameterSpec)params).getDigestName();
+ LOG.debug("Setting digestName from RSAPSSParameterSpec to: {}", digestName);
+ }
+ }
+ }
+
+ public final AlgorithmParameterSpec getParameterSpec() {
+ return params;
+ }
+
+ void marshalParams(Element parent, String prefix)
+ throws MarshalException
+ {
+ Document ownerDoc = DOMUtils.getOwnerDocument(parent);
+
+ Element rsaPssParamsElement = ownerDoc.createElementNS(Constants.XML_DSIG_NS_MORE_07_05, "pss" + ":" + Constants._TAG_RSAPSSPARAMS);
+ rsaPssParamsElement.setAttributeNS(Constants.NamespaceSpecNS, "xmlns:" + "pss", Constants.XML_DSIG_NS_MORE_07_05);
+
+ Element digestMethodElement = DOMUtils.createElement(rsaPssParamsElement.getOwnerDocument(), Constants._TAG_DIGESTMETHOD,
+ XMLSignature.XMLNS, prefix);
+ try {
+ digestMethodElement.setAttributeNS(null, Constants._ATT_ALGORITHM, DigestAlgorithm.fromDigestAlgorithm(digestName).getXmlDigestAlgorithm());
+ } catch (DOMException | org.apache.xml.security.signature.XMLSignatureException e) {
+ throw new MarshalException("Invalid digest name supplied: " + digestName);
+ }
+ rsaPssParamsElement.appendChild(digestMethodElement);
+
+ Element saltLengthElement = rsaPssParamsElement.getOwnerDocument().createElementNS(Constants.XML_DSIG_NS_MORE_07_05, "pss" + ":" + Constants._TAG_SALTLENGTH);
+ Text saltLengthText = rsaPssParamsElement.getOwnerDocument().createTextNode(String.valueOf(saltLength));
+ saltLengthElement.appendChild(saltLengthText);
+
+ rsaPssParamsElement.appendChild(saltLengthElement);
+
+ Element trailerFieldElement = rsaPssParamsElement.getOwnerDocument().createElementNS(Constants.XML_DSIG_NS_MORE_07_05, "pss" + ":" + Constants._TAG_TRAILERFIELD);
+ Text trailerFieldText = rsaPssParamsElement.getOwnerDocument().createTextNode(String.valueOf(trailerField));
+ trailerFieldElement.appendChild(trailerFieldText);
+
+ rsaPssParamsElement.appendChild(trailerFieldElement);
+
+ parent.appendChild(rsaPssParamsElement);
+ }
+
+ SignatureMethodParameterSpec unmarshalParams(Element paramsElem)
+ throws MarshalException
+ {
+ if (paramsElem != null) {
+ Element saltLengthNode = XMLUtils.selectNode(paramsElem.getFirstChild(), Constants.XML_DSIG_NS_MORE_07_05, Constants._TAG_SALTLENGTH, 0);
+ Element trailerFieldNode = XMLUtils.selectNode(paramsElem.getFirstChild(), Constants.XML_DSIG_NS_MORE_07_05, Constants._TAG_TRAILERFIELD, 0);
+ int trailerField = trailerFieldNode == null ? 1: Integer.parseInt(trailerFieldNode.getTextContent());
+ String xmlAlgorithm = XMLUtils.selectDsNode(paramsElem.getFirstChild(), Constants._TAG_DIGESTMETHOD, 0).getAttribute(Constants._ATT_ALGORITHM);
+ DigestAlgorithm digestAlgorithm;
+ try {
+ digestAlgorithm = DigestAlgorithm.fromXmlDigestAlgorithm(xmlAlgorithm);
+ } catch (org.apache.xml.security.signature.XMLSignatureException e) {
+ throw new MarshalException("Invalid digest algorithm supplied: " + xmlAlgorithm);
+ }
+ String digestName = digestAlgorithm.getDigestAlgorithm();
+ int saltLength = saltLengthNode == null ? digestAlgorithm.getSaltLength() : Integer.parseInt(saltLengthNode.getTextContent());
+
+ RSAPSSParameterSpec params = new RSAPSSParameterSpec();
+ params.setTrailerField(trailerField);
+ params.setSaltLength(saltLength);
+ params.setDigestName(digestName);
+ return params;
+ }
+ return getDefaultParameterSpec();
+ }
+
+ boolean verify(Key key, SignedInfo si, byte[] sig,
+ XMLValidateContext context)
+ throws InvalidKeyException, SignatureException, XMLSignatureException
+ {
+ if (key == null || si == null || sig == null) {
+ throw new NullPointerException();
+ }
+
+ if (!(key instanceof PublicKey)) {
+ throw new InvalidKeyException("key must be PublicKey");
+ }
+ if (signature == null) {
+ try {
+ Provider p = (Provider)context.getProperty(DOM_SIGNATURE_PROVIDER);
+ signature = (p == null)
+ ? Signature.getInstance(getJCAAlgorithm())
+ : Signature.getInstance(getJCAAlgorithm(), p);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new XMLSignatureException(nsae);
+ }
+ }
+ signature.initVerify((PublicKey)key);
+ try {
+ signature.setParameter(new PSSParameterSpec(digestName, "MGF1", new MGF1ParameterSpec(digestName), saltLength, trailerField));
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new XMLSignatureException(e);
+ }
+ LOG.debug("Signature provider: {}", signature.getProvider());
+ LOG.debug("Verifying with key: {}", key);
+ LOG.debug("JCA Algorithm: {}", getJCAAlgorithm());
+ LOG.debug("Signature Bytes length: {}", sig.length);
+
+ try (SignerOutputStream outputStream = new SignerOutputStream(signature)) {
+ ((DOMSignedInfo)si).canonicalize(context, outputStream);
+
+ return signature.verify(sig);
+ } catch (IOException ioe) {
+ throw new XMLSignatureException(ioe);
+ }
+ }
+
+ byte[] sign(Key key, SignedInfo si, XMLSignContext context)
+ throws InvalidKeyException, XMLSignatureException
+ {
+ if (key == null || si == null) {
+ throw new NullPointerException();
+ }
+
+ if (!(key instanceof PrivateKey)) {
+ throw new InvalidKeyException("key must be PrivateKey");
+ }
+ if (signature == null) {
+ try {
+ Provider p = (Provider)context.getProperty(DOM_SIGNATURE_PROVIDER);
+ signature = (p == null)
+ ? Signature.getInstance(getJCAAlgorithm())
+ : Signature.getInstance(getJCAAlgorithm(), p);
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new XMLSignatureException(nsae);
+ }
+ }
+ signature.initSign((PrivateKey)key);
+ try {
+ signature.setParameter(new PSSParameterSpec(digestName, "MGF1", new MGF1ParameterSpec(digestName), saltLength, trailerField));
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new XMLSignatureException(e);
+ }
+ LOG.debug("Signature provider: {}", signature.getProvider());
+ LOG.debug("Signing with key: {}", key);
+ LOG.debug("JCA Algorithm: {}", getJCAAlgorithm());
+
+ try (SignerOutputStream outputStream = new SignerOutputStream(signature)) {
+ ((DOMSignedInfo)si).canonicalize(context, outputStream);
+
+ return signature.sign();
+ } catch (SignatureException se) {
+ throw new XMLSignatureException(se);
+ } catch (IOException ioe) {
+ throw new XMLSignatureException(ioe);
+ }
+ }
+
+ @Override
+ boolean paramsEqual(AlgorithmParameterSpec spec) {
+ return getParameterSpec().equals(spec);
+ }
+
+ private SignatureMethodParameterSpec getDefaultParameterSpec() {
+ RSAPSSParameterSpec params = new RSAPSSParameterSpec();
+ params.setTrailerField(trailerField);
+ params.setSaltLength(saltLength);
+ params.setDigestName(digestName);
+ return params;
+ }
+
+ static final class RSAPSS extends DOMRSAPSSSignatureMethod {
+ RSAPSS(AlgorithmParameterSpec params)
+ throws InvalidAlgorithmParameterException {
+ super(params);
+ }
+ RSAPSS(Element dmElem) throws MarshalException {
+ super(dmElem);
+ }
+ @Override
+ public String getAlgorithm() {
+ return RSA_PSS;
+ }
+ @Override
+ String getJCAAlgorithm() {
+ return "RSASSA-PSS";
+ }
+ @Override
+ Type getAlgorithmType() {
+ return Type.RSA;
+ }
+ }
+
+}
diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
index 59083ac..f905559 100644
--- a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
@@ -86,8 +86,6 @@
"http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1";
static final String RSA_SHA512_MGF1 =
"http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1";
- static final String RSA_PSS =
- "http://www.w3.org/2007/05/xmldsig-more#rsa-pss";
static final String RSA_RIPEMD160_MGF1 =
"http://www.w3.org/2007/05/xmldsig-more#ripemd160-rsa-MGF1";
@@ -153,8 +151,8 @@
return new SHA384withRSAandMGF1(smElem);
} else if (alg.equals(RSA_SHA512_MGF1)) {
return new SHA512withRSAandMGF1(smElem);
- } else if (alg.equals(RSA_PSS)) {
- return new RSAPSS(smElem);
+ } else if (alg.equals(DOMRSAPSSSignatureMethod.RSA_PSS)) {
+ return new DOMRSAPSSSignatureMethod.RSAPSS(smElem);
} else if (alg.equals(RSA_RIPEMD160_MGF1)) {
return new RIPEMD160withRSAandMGF1(smElem);
} else if (alg.equals(SignatureMethod.DSA_SHA1)) {
@@ -515,28 +513,6 @@
}
}
- static final class RSAPSS extends DOMSignatureMethod {
- RSAPSS(AlgorithmParameterSpec params)
- throws InvalidAlgorithmParameterException {
- super(params);
- }
- RSAPSS(Element dmElem) throws MarshalException {
- super(dmElem);
- }
- @Override
- public String getAlgorithm() {
- return RSA_PSS;
- }
- @Override
- String getJCAAlgorithm() {
- return "RSASSA-PSS";
- }
- @Override
- Type getAlgorithmType() {
- return Type.RSA;
- }
- }
-
static final class RIPEMD160withRSAandMGF1 extends DOMSignatureMethod {
RIPEMD160withRSAandMGF1(AlgorithmParameterSpec params)
throws InvalidAlgorithmParameterException {
diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMXMLSignatureFactory.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMXMLSignatureFactory.java
index f803983..831ffed 100644
--- a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMXMLSignatureFactory.java
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMXMLSignatureFactory.java
@@ -260,8 +260,8 @@
return new DOMSignatureMethod.SHA384withRSAandMGF1(params);
} else if (algorithm.equals(DOMSignatureMethod.RSA_SHA512_MGF1)) {
return new DOMSignatureMethod.SHA512withRSAandMGF1(params);
- } else if (algorithm.equals(DOMSignatureMethod.RSA_PSS)) {
- return new DOMSignatureMethod.RSAPSS(params);
+ } else if (algorithm.equals(DOMRSAPSSSignatureMethod.RSA_PSS)) {
+ return new DOMRSAPSSSignatureMethod.RSAPSS(params);
} else if (algorithm.equals(DOMSignatureMethod.RSA_RIPEMD160_MGF1)) {
return new DOMSignatureMethod.RIPEMD160withRSAandMGF1(params);
} else if (algorithm.equals(SignatureMethod.DSA_SHA1)) {
diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/RSAPSSParameterSpec.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/RSAPSSParameterSpec.java
new file mode 100644
index 0000000..2e72908
--- /dev/null
+++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/RSAPSSParameterSpec.java
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.jcp.xml.dsig.internal.dom;
+
+import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
+
+public class RSAPSSParameterSpec implements SignatureMethodParameterSpec {
+
+ private int trailerField;
+ private int saltLength;
+ private String digestName;
+
+ public int getTrailerField() {
+ return trailerField;
+ }
+ public void setTrailerField(int trailerField) {
+ this.trailerField = trailerField;
+ }
+ public int getSaltLength() {
+ return saltLength;
+ }
+ public void setSaltLength(int saltLength) {
+ this.saltLength = saltLength;
+ }
+ public String getDigestName() {
+ return digestName;
+ }
+ public void setDigestName(String digestName) {
+ this.digestName = digestName;
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((digestName == null) ? 0 : digestName.hashCode());
+ result = prime * result + saltLength;
+ result = prime * result + trailerField;
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (obj == null)
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ RSAPSSParameterSpec other = (RSAPSSParameterSpec)obj;
+ if (digestName == null) {
+ if (other.digestName != null)
+ return false;
+ } else if (!digestName.equals(other.digestName))
+ return false;
+ if (saltLength != other.saltLength)
+ return false;
+ return trailerField == other.trailerField;
+ }
+
+}
\ No newline at end of file
diff --git a/src/test/java/javax/xml/crypto/test/dsig/PKSignatureAlgorithmTest.java b/src/test/java/javax/xml/crypto/test/dsig/PKSignatureAlgorithmTest.java
index 7fed7f6..640a626 100644
--- a/src/test/java/javax/xml/crypto/test/dsig/PKSignatureAlgorithmTest.java
+++ b/src/test/java/javax/xml/crypto/test/dsig/PKSignatureAlgorithmTest.java
@@ -45,6 +45,7 @@
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.test.KeySelectors;
+import org.apache.jcp.xml.dsig.internal.dom.RSAPSSParameterSpec;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.BeforeAll;
import org.w3c.dom.Document;
@@ -64,7 +65,7 @@
private CanonicalizationMethod withoutComments;
private DigestMethod sha1;
private SignatureMethod rsaSha1, rsaSha224, rsaSha256, rsaSha384, rsaSha512, rsaRipemd160;
- private SignatureMethod rsaSha1Mgf1, rsaSha224Mgf1, rsaSha256Mgf1, rsaSha384Mgf1, rsaSha512Mgf1, rsaPss;
+ private SignatureMethod rsaSha1Mgf1, rsaSha224Mgf1, rsaSha256Mgf1, rsaSha384Mgf1, rsaSha512Mgf1, rsaPss, rsaPssSha512;
private SignatureMethod ecdsaSha1, ecdsaSha224, ecdsaSha256, ecdsaSha384, ecdsaSha512, ecdsaRipemd160;
private XMLSignatureFactory fac;
private KeyPair rsaKeyPair, ecKeyPair;
@@ -130,6 +131,11 @@
rsaSha384Mgf1 = fac.newSignatureMethod("http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1", null);
rsaSha512Mgf1 = fac.newSignatureMethod("http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1", null);
rsaPss = fac.newSignatureMethod("http://www.w3.org/2007/05/xmldsig-more#rsa-pss", null);
+ RSAPSSParameterSpec params = new RSAPSSParameterSpec();
+ params.setTrailerField(1);
+ params.setSaltLength(64);
+ params.setDigestName("SHA-512");
+ rsaPssSha512 = fac.newSignatureMethod("http://www.w3.org/2007/05/xmldsig-more#rsa-pss", params);
ecdsaSha1 = fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1", null);
ecdsaSha224 = fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224", null);
@@ -238,11 +244,17 @@
@org.junit.jupiter.api.Test
public void testRSA_PSS() throws Exception {
- Assumptions.assumeTrue(bcInstalled);
+ Assumptions.assumeTrue(bcInstalled || org.apache.xml.security.test.dom.TestUtils.isJava11Compatible());
test_create_signature_enveloping(rsaPss, sha1, rsaki,
rsaKeyPair.getPrivate(), kvks);
}
+ @org.junit.jupiter.api.Test
+ public void testRSA_PSS_SHA512() throws Exception {
+ Assumptions.assumeTrue(bcInstalled || org.apache.xml.security.test.dom.TestUtils.isJava11Compatible());
+ test_create_signature_enveloping(rsaPssSha512, sha1, rsaki,
+ rsaKeyPair.getPrivate(), kvks);
+ }
@org.junit.jupiter.api.Test
public void testECDSA_SHA1() throws Exception {
@@ -319,8 +331,7 @@
// XMLUtils.outputDOM(doc.getDocumentElement(), System.out);
- DOMValidateContext dvc = new DOMValidateContext
- (ks, doc.getDocumentElement());
+ DOMValidateContext dvc = new DOMValidateContext(ks, doc.getDocumentElement());
XMLSignature sig2 = fac.unmarshalXMLSignature(dvc);
assertEquals(sig, sig2);
diff --git a/src/test/java/org/apache/xml/security/test/dom/algorithms/PKSignatureAlgorithmTest.java b/src/test/java/org/apache/xml/security/test/dom/algorithms/PKSignatureAlgorithmTest.java
index e4283ed..378d57f 100644
--- a/src/test/java/org/apache/xml/security/test/dom/algorithms/PKSignatureAlgorithmTest.java
+++ b/src/test/java/org/apache/xml/security/test/dom/algorithms/PKSignatureAlgorithmTest.java
@@ -384,7 +384,7 @@
localNames.add("PaymentInfo");
sign(XMLSignature.ALGO_ID_SIGNATURE_RSA_PSS, document, localNames, rsaKeyPair.getPrivate(),
- new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 64, 1));
+ new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1));
// XMLUtils.outputDOM(document, System.out);
verify(document, rsaKeyPair.getPublic(), localNames);
}