Posted to security-users@xml.apache.org by Anderson Jonathan <an...@bah.com> on 2004/02/27 01:42:27 UTC

Verify signature references against a set of required elements?

Greetings,
	I'm curious - is there an efficient way to verify signature references
against a set of required elements?  I'm trying to write some code that
enforces signature "coverage," and I'm struggling to find an elegant way to
do it.  Here's what I've got so far:

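// Collect every element node covered by any Reference in the signature.
List coveredElementNodes = new ArrayList();
for (int i=0; i < sig.getSignedInfo().getLength(); i++)
{
    Reference ref = sig.getSignedInfo().item(i);
    // Contents the Reference dereferences to, before its transforms are applied.
    XMLSignatureInput input = ref.getContentsBeforeTransformation();
    Set nodes = input.getNodeSet();
    for (Iterator iterator = nodes.iterator(); iterator.hasNext();)
    {
        Node node = (Node) iterator.next();
        // The node set also holds text and other child nodes; keep elements only.
        if (node.getNodeType() == Node.ELEMENT_NODE)
        {
            coveredElementNodes.add(node);
        }
    }
}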

And then I simply do a coveredElementNodes.contains() for every Element in the
DOM that I want to ensure has been signed.  It's ugly, it's inefficient, and
I'm curious - is there a better way?

Any and all feedback would be appreciated (including "wow, that is some ugly
code you've got there" comments).  :)  Thanks in advance.

	-Jon



RE: Verify signature references against a set of required elements?

Posted by Anderson Jonathan <an...@bah.com>.
Thanks for the response Berin.  :)

To answer your question: I've got anywhere between 4-8 Reference elements,
the NodeSets of which usually contain 50-100 Nodes.  Of course the Nodes are
not just Element nodes, but rather all of the child nodes of the original
elements that were referenced, and they are in no particular order in the
Set.

So, if I've got 4-8 required Elements and 4-8 References, I thought it would
be even uglier to do something like:

foreach (NodeSet)
{
	foreach (ElementToCheck)
	{
		NodeSet.contains(ElementToCheck)
	}
}

due to the efficiency of ArrayList.contains().  My biggest problem is that
(to my current knowledge and understanding) I cannot determine the top level
Node that the Reference actually referenced from the current XML-Security
APIs.  Hence the ugly 2 dimensional loop.

If you've got any helpful hints, they would be greatly appreciated.  :)

	-Jon



-----Original Message-----
From: Berin Lautenbach [mailto:berin@wingsofhermes.org]
Sent: Friday, February 27, 2004 6:10 AM
To: security-users@xml.apache.org
Subject: Re: Verify signature references against a set of required
elements?


Jon,

Wow, that is some ugly code you have there!

<GRIN>.

There is no "nice" way I know of to do what you want - but one question
- why do you first extract everything from the set and put into a list?
  Can't you call nodes.contains() for each node you are interested in?

Cheers,
	Berin

Anderson Jonathan wrote:

> Greetings,
> 	I'm curious - is there an efficient way to verify signature references
> against a set of required elements?  I'm trying to write some code that
> enforces signature "coverage," and I'm struggling to find an elegant way to
> do it.  Here's what I've got so far:
>
> List coveredElementNodes = new ArrayList();
> for (int i=0; i < sig.getSignedInfo().getLength(); i++)
> {
>     Reference ref = sig.getSignedInfo().item(i);
>     XMLSignatureInput input = ref.getContentsBeforeTransformation();
>     Set nodes = input.getNodeSet();
>     for (Iterator iterator = nodes.iterator(); iterator.hasNext();)
>     {
>         Node node = (Node) iterator.next();
>         if (node.getNodeType() == Node.ELEMENT_NODE)
>         {
>             coveredElementNodes.add(node);
>         }
>     }
> }
>
> And then I simply do a coveredElementNodes.contains() for every Element in the
> DOM that I want to ensure has been signed.  It's ugly, it's inefficient, and
> I'm curious - is there a better way?
>
> Any and all feedback would be appreciated (including "wow, that is some ugly
> code you've got there" comments).  :)  Thanks in advance.
>
> 	-Jon
>
>
>
>



Re: Verify signature references against a set of required elements?

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Jon,

Wow, that is some ugly code you have there!

<GRIN>.

There is no "nice" way I know of to do what you want - but one question 
- why do you first extract everything from the set and put into a list? 
  Can't you call nodes.contains() for each node you are interested in?

Cheers,
	Berin

Anderson Jonathan wrote:

> Greetings,
> 	I'm curious - is there an efficient way to verify signature references
> against a set of required elements?  I'm trying to write some code that
> enforces signature "coverage," and I'm struggling to find an elegant way to
> do it.  Here's what I've got so far:
> 
> List coveredElementNodes = new ArrayList();
> for (int i=0; i < sig.getSignedInfo().getLength(); i++)
> {
>     Reference ref = sig.getSignedInfo().item(i);
>     XMLSignatureInput input = ref.getContentsBeforeTransformation();
>     Set nodes = input.getNodeSet();
>     for (Iterator iterator = nodes.iterator(); iterator.hasNext();)
>     {
>         Node node = (Node) iterator.next();
>         if (node.getNodeType() == Node.ELEMENT_NODE)
>         {
>             coveredElementNodes.add(node);
>         }
>     }
> }
> 
> And then I simply do a coveredElementNodes.contains() for every Element in the
> DOM that I want to ensure has been signed.  It's ugly, it's inefficient, and
> I'm curious - is there a better way?
> 
> Any and all feedback would be appreciated (including "wow, that is some ugly
> code you've got there" comments).  :)  Thanks in advance.
> 
> 	-Jon
> 
> 
> 
>
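
One way to do the coverage check discussed in this thread without a nested loop, given as an added example that is not code from either poster or from the Apache XML Security project: union the per-Reference node sets once into a set keyed on node identity, then test each required element with a single lookup. The class and method names are hypothetical, and subtree() is a stand-in for the Set that ref.getContentsBeforeTransformation().getNodeSet() returns in Jon's snippet.

```java
import java.io.ByteArrayInputStream;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class CoverageCheck {
    // Returns the required elements that no Reference node set contains.
    // An empty result means every required element is covered.
    static List<Element> uncovered(List<Set<Node>> referenceNodeSets, List<Element> required) {
        // Identity-based set: membership means "this exact DOM node", not an equal-looking one.
        Set<Node> covered = Collections.newSetFromMap(new IdentityHashMap<>());
        for (Set<Node> nodes : referenceNodeSets) covered.addAll(nodes);
        List<Element> missing = new ArrayList<>();
        for (Element e : required) if (!covered.contains(e)) missing.add(e);
        return missing;
    }

    // Stand-in for a dereferenced same-document Reference: the element plus all
    // of its descendant nodes (attribute nodes are left out for brevity).
    static Set<Node> subtree(Node root) {
        Set<Node> out = new HashSet<>();
        Deque<Node> todo = new ArrayDeque<>();
        todo.push(root);
        while (!todo.isEmpty()) {
            Node n = todo.pop();
            out.add(n);
            for (Node c = n.getFirstChild(); c != null; c = c.getNextSibling()) todo.push(c);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document; only the Header subtree is treated as referenced.
        String xml = "<Envelope><Header><Timestamp/></Header><Body><Order/></Body></Envelope>";
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Element header = (Element) doc.getElementsByTagName("Header").item(0);
        Element timestamp = (Element) doc.getElementsByTagName("Timestamp").item(0);
        Element body = (Element) doc.getElementsByTagName("Body").item(0);

        List<Set<Node>> refs = Arrays.asList(subtree(header));
        List<Element> required = Arrays.asList(timestamp, body);
        for (Element e : uncovered(refs, required)) {
            System.out.println("not covered by any Reference: " + e.getTagName());
        }
    }
}
```

With 4-8 References of 50-100 nodes each, this is one pass over a few hundred nodes plus one hash lookup per required element, and a non-empty result names exactly which required elements to reject on.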