You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by Alex O'Ree <sp...@gmail.com> on 2013/03/30 14:57:10 UTC
Is still example still valid?
I was looking at the sample signature validation code from the
distribution xml-security-1_5_3\samples\javax\xml\crypto\dsig\samples\Validate.java
I've seen other signature validation code that looks nearly identical,
except for the following snippet:
String providerName = System.getProperty
("jsr105Provider",
"org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
(Provider) Class.forName(providerName).newInstance());
I have a few questions.
1) Is that class still the correct one to use? The use of the
"internal" package name is what's throwing me off. In other examples
(outside of Santuario) it's just:
XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
2) Using this snippet, will Santuario resolve automatically resolve
transforms included with the signature? (assuming that the signature
originated from somewhere else and that we don't know ahead of time
what type of transform will used)
3) From the samples in
xml-security-1_5_3\samples\org\apache\xml\security\samples\transforms,
is there a complete example of signing and validating a signature
using some kind of xpath or xslt transformation?
4) Last one, does Santuario provide of any kind certificate trust
chain building, or OCSP/CRL validation options?
Fwd: Is still example still valid?
Posted by Alex O'Ree <sp...@gmail.com>.
FYI, see below regarding using santuario as a digital signature library.
---------- Forwarded message ----------
From: Sean Mullan <se...@oracle.com>
Date: Mon, Apr 1, 2013 at 9:53 AM
Subject: Re: Is still example still valid?
To: dev@santuario.apache.org
Cc: Alex O'Ree <sp...@gmail.com>
On 03/30/2013 09:57 AM, Alex O'Ree wrote:
>
> I was looking at the sample signature validation code from the
> distribution xml-security-1_5_3\samples\javax\xml\crypto\dsig\samples\Validate.java
>
> I've seen other signature validation code that looks nearly identical,
> except for the following snippet:
>
> String providerName = System.getProperty
> ("jsr105Provider",
> "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
> XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
> (Provider) Class.forName(providerName).newInstance());
>
> I have a few questions.
> 1) Is that class still the correct one to use? The use of the
> "internal" package name is what's throwing me off. In other examples
> (outside of Santuario) it's just:
> XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
Yes, it is still correct, if you want to be sure you are using the JSR
105 provider that is included with Santuario. The code above will use
the first provider it finds.
> 2) Using this snippet, will Santuario resolve automatically resolve
> transforms included with the signature? (assuming that the signature
> originated from somewhere else and that we don't know ahead of time
> what type of transform will used)
Yes, but keep in mind that this is sample code. The code does not
verify the key used to sign the signature, which should ideally be
done before you validate the signature and process the transforms. See
http://www.w3.org/TR/xmldsig-bestpractices/#denial-of-service
> 3) From the samples in
> xml-security-1_5_3\samples\org\apache\xml\security\samples\transforms,
> is there a complete example of signing and validating a signature
> using some kind of xpath or xslt transformation?
Look at the tests in src/test/java. There are several examples.
> 4) Last one, does Santuario provide of any kind certificate trust
> chain building, or OCSP/CRL validation options?
No, you need to implement your own, or you can use the
java.security.cert.CertPathValidator APIs in the JDK.
--Sean
Re: Is still example still valid?
Posted by Sean Mullan <se...@oracle.com>.
On 03/30/2013 09:57 AM, Alex O'Ree wrote:
> I was looking at the sample signature validation code from the
> distribution xml-security-1_5_3\samples\javax\xml\crypto\dsig\samples\Validate.java
>
> I've seen other signature validation code that looks nearly identical,
> except for the following snippet:
>
> String providerName = System.getProperty
> ("jsr105Provider",
> "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
> XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
> (Provider) Class.forName(providerName).newInstance());
>
> I have a few questions.
> 1) Is that class still the correct one to use? The use of the
> "internal" package name is what's throwing me off. In other examples
> (outside of Santuario) it's just:
> XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
Yes, it is still correct, if you want to be sure you are using the JSR
105 provider that is included with Santuario. The code above will use
the first provider it finds.
> 2) Using this snippet, will Santuario resolve automatically resolve
> transforms included with the signature? (assuming that the signature
> originated from somewhere else and that we don't know ahead of time
> what type of transform will used)
Yes, but keep in mind that this is sample code. The code does not verify
the key used to sign the signature, which should ideally be done before
you validate the signature and process the transforms. See
http://www.w3.org/TR/xmldsig-bestpractices/#denial-of-service
> 3) From the samples in
> xml-security-1_5_3\samples\org\apache\xml\security\samples\transforms,
> is there a complete example of signing and validating a signature
> using some kind of xpath or xslt transformation?
Look at the tests in src/test/java. There are several examples.
> 4) Last one, does Santuario provide of any kind certificate trust
> chain building, or OCSP/CRL validation options?
No, you need to implement your own, or you can use the
java.security.cert.CertPathValidator APIs in the JDK.
--Sean