Posted to dev@santuario.apache.org by def abc <an...@yahoo.fr> on 2005/02/01 10:16:49 UTC

URI + enveloping signature

Hi all,

Those are beginner questions, but I'd like to be sure
I get things straight...
I'm simply trying to sign an XML document I've loaded.

- is there an easy way to provide a URI for a given
document ? I build a File object from the file's name,
and then call .toURL().toString(). Isn't there
anything simpler, once I have a Document object ?
Also, how would I retrieve the URI for only a given
element in the document ? I mean, suppose I have a big
XML document, but I want only to sign the <foo> </foo>
tag. How am I going to provide a URI for that element
? 

- how can I build an enveloping signature ? (not an
enveloped one). 

Regards
Axelle.




	

	
		

Re: enveloping signature

Posted by Heiner Westphal <He...@verit.de>.
Axelle,

see my comments below.

Axelle wrote:
> Thanks very much for your reply. It actually answers
> my next post too :-)
> 
> So, the way to do it is to use importNode() ?
> However, I'm not really sure I understand the way it
> works:
> 
> 
>>        Document signedDoc = documentBuilder.newDocument();
> 
> 
> Okay, we create the Document object for the signed
> document.
> 
> 
>>        XMLSignature sig = new XMLSignature(signedDoc, baseUri, signatureMethod);
> 
> 
> We initialize the ds:Signature object.
> 
> 
>>        signedDoc.appendChild(sig.getElement());
> 
> 
> We add this so that the signed document includes the
> ds:Signature.
> 
> 
>>        ObjectContainer obj = new ObjectContainer(signedDoc);
> 
> 
> We build a ds:Object object on the signed doc ?? there
> I don't get it... shouldn't the object container
> contain the document to sign (and not the signed
> document).
The <ds:SignedInfo> is signed as well, so this constructor puts
a reference on the enclosing document somewhere to get there later.
This is what I understood when scanning the code. Raul or Berin will
know for sure I guess.
> 
> 
>>        signedDoc.importNode(doc.getDocumentElement(), deepCopy);
> 
> 
> Not so sure about this either: we add the document to
> sign in the signed document. Why do we do this ? I
> would have expected to import the ds:Object (which
> contains the document to sign) but not the document to
> sign directly.
The importNode(...) just changes the document a node belongs to.
That is, make a copy of doc's root element belong to signedDoc.
Javadoc of importNode(...) says:
  "Imports a node from another document to this document. The returned
  node has no parent; (parentNode is null). The source node is not altered
  or removed from the original document; this method creates a new copy
  of the source node."

In safe distance of xmlsec, I use dom4j to handle XML, because that is
less surprising than the org.w3c.dom stuff.
But xmlsecurity has to use the org.w3c interfaces IIRC.
> 
> 
> 
>>        sig.appendObject(obj);
> 
> 
> We make sure the signature will sign the ds:Object.
> 
> 
>>        sig.sign(privateKey);
> 
> 
> At last, we sign.
> 
> Best regards,
> Axelle.
> 
BTW, my starting point was the examples and test harness classes of
xmlsecurity. There is an
org...samples.signature.CreateEnvelopingSignature.java.

Regards,

Heiner

Re: enveloping signature

Posted by def abc <an...@yahoo.fr>.
Thanks very much for your reply. It actually answers
my next post too :-)

So, the way to do it is to use importNode() ?
However, I'm not really sure I understand the way it
works:

>         Document signedDoc = documentBuilder.newDocument();

Okay, we create the Document object for the signed
document.

>         XMLSignature sig = new XMLSignature(signedDoc, baseUri, signatureMethod);

We initialize the ds:Signature object.

>         signedDoc.appendChild(sig.getElement());

We add this so that the signed document includes the
ds:Signature.

>         ObjectContainer obj = new ObjectContainer(signedDoc);

We build a ds:Object object on the signed doc ?? there
I don't get it... shouldn't the object container
contain the document to sign (and not the signed
document).

>         signedDoc.importNode(doc.getDocumentElement(), deepCopy);

Not so sure about this either: we add the document to
sign in the signed document. Why do we do this ? I
would have expected to import the ds:Object (which
contains the document to sign) but not the document to
sign directly.


>         sig.appendObject(obj);

We make sure the signature will sign the ds:Object.

>         sig.sign(privateKey);

At last, we sign.

Best regards,
Axelle.



	

	
		

Re: enveloping signature

Posted by Heiner Westphal <He...@verit.de>.
Axelle wrote:
[ snip ]
> - how can I build an enveloping signature ? (not an
> enveloped one). 
I once used enveloping sigs in a project. I pulled the
essential code into a testcase and attached it.
The exception handling is left to junit in this case.

The build.xml simply creates a keystore
with private key and corresponding certificate.
The java-file thinks it's in package test.

Put junit.jar and xmlsec.jar on your classpath, compile and run
the example.

To look at the XML documents use toString(). My guess was it would
give me a Document@23456..., but it actually prints out element and
attribute names and values.

HTH,

Heiner
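
An added example, not part of the original thread and not Heiner's attached testcase: an enveloping signature over only the <foo> element, built with the Apache XML Security (xmlsec) classes named in the thread. It assumes a current xmlsec jar on the classpath; the sample document, the throwaway RSA key pair and the Id value "signed-foo" are constructed for illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.ObjectContainer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class EnvelopingFooExample {
    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();

        // Constructed sample input: <root><foo>payload</foo><bar/></root>
        Document doc = db.newDocument();
        Element root = (Element) doc.appendChild(doc.createElementNS(null, "root"));
        Element foo = (Element) root.appendChild(doc.createElementNS(null, "foo"));
        foo.setTextContent("payload");
        root.appendChild(doc.createElementNS(null, "bar"));

        // Throwaway key pair (assumption); real code loads the key from a keystore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document signedDoc = db.newDocument();
        XMLSignature sig = new XMLSignature(signedDoc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        signedDoc.appendChild(sig.getElement());

        // ds:Object lives in signedDoc. importNode() returns a parentless copy
        // of <foo>, so the copy must be attached to the ds:Object explicitly.
        ObjectContainer obj = new ObjectContainer(signedDoc);
        obj.appendChild(signedDoc.importNode(foo, true));
        obj.setId("signed-foo"); // hypothetical Id value
        sig.appendObject(obj);

        // Same-document reference: only the ds:Object holding <foo> is digested.
        sig.addDocument("#signed-foo", null, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());
        XMLUtils.outputDOM(signedDoc, System.out);
        System.out.println("\nvalid: " + sig.checkSignatureValue(kp.getPublic()));
    }
}
```

A verifier should take the data it acts on from the ds:Object that the validated Reference points to, not from a separate copy of <foo>.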