| From | Sent On | Attachments |
|---|---|---|
| tf...@mega.ist.utl.pt | Jul 11, 2005 7:25 am | |
| Sean Mullan | Jul 18, 2005 1:40 pm | |

| Subject: | Re: XML Digital Signature | |
|---|---|---|
| From: | Sean Mullan (Sean...@Sun.COM) | |
| Date: | Jul 18, 2005 1:40:35 pm | |
| List: | net.java.dev.jwsdp.users | |

Venu Gopal wrote:

> tf...@mega.ist.utl.pt wrote:
>
> > Hello.
> >
> > I am a Computer Engineering student and I'm working on my final project, which uses XML digital signatures.
> >
> > I am using your Java XML Digital Signature API and I have a problem to solve: I want to sign a detached file. I tried to use your sample code. It works fine. The problem is that I don't want the signature to be dependent on the location of the detached document. So, what I would like to do is to have an empty URI on the reference so that the user could tell the signer/verifier application where the file is located at that time.
>
> If you look at the W3C signature spec [1] it says
>
> URI="" Identifies the node-set (minus any comment nodes) of the XML resource containing the signature
>
> so having "" in the URI value is not the right solution you are looking for.
>
> You could try setting your own URI resolver (look at URIDereferencer in the JSR 105 APIs) which could retrieve the information from the user that needs to be signed for a given URI value.

Yes, I agree with Venu that using the empty String URI is not the correct approach. However, you probably want to omit the URI attribute altogether, as I believe this meets your use case. See section 4.3.3.1 of [1], specifically the following paragraph:

"If the URI attribute is omitted altogether, the receiving application is expected to know the identity of the object. For example, a lightweight data protocol might omit this attribute given the identity of the object is part of the application context. This attribute may be omitted from at most one Reference in any particular SignedInfo, or Manifest."

Just pass a null URI to the XMLSignatureFactory.newReference method.

And as Venu also mentions, you'll need to create a URIDereferencer which knows how to get the contents and set this before generating or validating the signature using the XMLCryptoContext.setURIDereferencer method.

[1] http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-URI
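
The approach described in the reply above (a null Reference URI plus an application-supplied URIDereferencer), as an added example that is not part of the original message or of the JSR 105 sample code. The class name, helper names, throwaway key and sample bytes are constructed for illustration, and `SignatureMethod.RSA_SHA256` assumes Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class OmittedUriSignature { // hypothetical class name
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    // A Reference with no URI attribute is resolved to bytes the application supplies;
    // a Reference that carries a URI still goes to the default dereferencer.
    static URIDereferencer contentFromCaller(byte[] content) {
        return (ref, ctx) -> ref.getURI() == null
                ? new OctetStreamData(new ByteArrayInputStream(content))
                : FAC.getURIDereferencer().dereference(ref, ctx);
    }
    static Document sign(PrivateKey key, byte[] content) throws Exception {
        // null URI: the attribute is omitted from the marshalled <Reference>
        Reference ref = FAC.newReference(null, FAC.newDigestMethod(DigestMethod.SHA256, null));
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                        (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod(SignatureMethod.RSA_SHA256, null), // Java 11+ constant
                Collections.singletonList(ref));
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        DOMSignContext ctx = new DOMSignContext(key, doc);
        ctx.setURIDereferencer(contentFromCaller(content)); // set before sign()
        FAC.newXMLSignature(si, null).sign(ctx);
        return doc; // <Signature> is the document element
    }
    static boolean verify(PublicKey key, Document sig, byte[] content) throws Exception {
        DOMValidateContext ctx = new DOMValidateContext(key, sig.getDocumentElement());
        ctx.setURIDereferencer(contentFromCaller(content)); // set before validate()
        return FAC.unmarshalXMLSignature(ctx).validate(ctx);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway demo key
        byte[] file = "detached file contents".getBytes("UTF-8"); // constructed sample
        Document sig = sign(kp.getPrivate(), file);
        System.out.println("original bytes: " + verify(kp.getPublic(), sig, file));
        System.out.println("changed bytes:  " + verify(kp.getPublic(), sig, new byte[] {1, 2, 3}));
    }
}
```

Because the signature no longer names the object, the verifying application has to decide from its own context which bytes to hand to the dereferencer, as the quoted spec paragraph states.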





