I am Computer Engineering student and I'm working in my final project
XML digital signatures.
I am using your Java XML Digital Signature API and I have a problem to
want to sign a detached file. I tried to use your sample code. It
The problem is that I don't want the signature to be dependent on the
of the detached document. So, what I would like to do was to have an
on the reference so that the user could tell the signer/verifier
where the file is located at that time.
If you look at the w3c signature spec it says
URI="" Identifies the node-set (minus any comment nodes) of the XML
resource containing the signature
so having "" in the uri value is not the right solution you are looking
You could try setting your own URI resolver (look at URIDereferencer in
JSR 105 apis) which could retrieve the information from the user that
needs to be signed for given URI value.
Yes, I agree with Venu that using the empty String URI is not the
correct approach. However, you probably want to omit the URI attribute
altogether, as I believe this meets your use case. See section 220.127.116.11
of , specifically the following paragraph:
"If the URI attribute is omitted altogether, the receiving application
is expected to know the identity of the object. For example, a
lightweight data protocol might omit this attribute given the identity
of the object is part of the application context. This attribute may be
omitted from at most one Reference in any particular SignedInfo, or
Just pass a null URI to the XMLSignatureFactory.newReference method.
And as Venu also mentions, you'll need to create a URIDereferencer which
knows how to get the contents and set this before generating or
validating the signature using the XMLCryptoContext.setURIDereferencer