Onk!
 
The signature is part of the XML while your payload is not; nevertheless, the signature-relevant digest on this payload was/is part of the signature you generated (in the "Reference" elements). The signature is generated over any "Reference" content you add and is then validated (on receipt) the same way. How you provide the XML signature input is up to you. XMLDS allows registering "external" resource resolvers on references.
 
Therefore both questions should be answered by creating your own (clever but simple) resource resolver class (org.apache.xml.security.utils.resolver.ResourceResolverSpi) and using org.apache.xml.security.signature.XMLSignature.addResourceResolver(new YourResolverclass()) to let it be used. Once you have created a resource resolver, you need to add it to the list of resource resolvers and you need to register on which references this resource resolver should be invoked. Once the reference matches, your class's "engineCanResolve" is called, and if you return true, your "engineResolve" is called. If you only need to add a file's content, your engineResolve would look like this (despite the issue of identifying the file which is actually to link here :-):
 

// requires java.io.FileInputStream and java.io.FileNotFoundException
/* (non-Javadoc)
 * @see org.apache.xml.security.utils.resolver.ResourceResolverSpi#engineResolve(org.w3c.dom.Attr, java.lang.String)
 */
public XMLSignatureInput engineResolve(Attr uri, String sBaseURI) throws ResourceResolverException
{
    try {
        //else (how easy this could be), set the file source:
        FileInputStream inputStream = new FileInputStream("/data/myfiles/thetestsource.txt");
        XMLSignatureInput result = new XMLSignatureInput(inputStream);
        result.setSourceURI("/data/myfiles/thetestsource.txt");
        //that's it:
        return result;
    } catch (FileNotFoundException e) {
        // map the checked I/O exception to the exception type this method declares
        throw new ResourceResolverException("generic.EmptyMessage", e, uri, sBaseURI);
    }
}//engineResolve

I did something similar to what you describe to include attachments in an XMLDS signature. To solve that I created a "LocalFileLinkResolver" extending ResourceResolverSpi finding the local copy of the signed file and returning a FileInputStream on it.

e.g.

aXMLSignature.addDocument(sURI, transforms, Constants.ALGO_ID_DIGEST_SHA1);
LocalFileLinkResolver lfResolver = new LocalFileLinkResolver();
// map each Reference URI to the local copy of the signed file
lfResolver.register("myPrivateURL", "e:\\_test\\ebxml\\payload\\example_00_product.xml1");
lfResolver.register("blubberBla", "somewhere");
// aXMLSignature.addResourceResolver(new ResolverLocalFilesystem());
aXMLSignature.addResourceResolver(new MIMEAttachmentResolver());
aXMLSignature.addResourceResolver(lfResolver);

 
hth
 
Goodbye
Atlana
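
Added example (not from the original post or from the Apache XML Security project): one way the LocalFileLinkResolver mentioned above could be written against the same ResourceResolverSpi API used in this message. The class body and the meaning of register(uri, path) are assumptions; the resolver answers only for Reference URIs that were registered explicitly, so a Reference in a received signature cannot point it at an arbitrary local file.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.util.HashMap;
import java.util.Map;

import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.resolver.ResourceResolverException;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
import org.w3c.dom.Attr;

/** Hypothetical implementation: maps registered Reference URIs to local files. */
public class LocalFileLinkResolver extends ResourceResolverSpi {

    // Reference URI -> local file path; anything not in this map is refused.
    private final Map<String, String> registered = new HashMap<String, String>();

    /** Assumed semantics: bind one Reference URI to one local copy of the payload. */
    public void register(String referenceUri, String localPath) {
        registered.put(referenceUri, localPath);
    }

    /** Claim a Reference only when its URI was registered; others fall through. */
    public boolean engineCanResolve(Attr uri, String baseURI) {
        return uri != null && registered.containsKey(uri.getNodeValue());
    }

    /** Hand the library a stream over the registered file so it can digest it. */
    public XMLSignatureInput engineResolve(Attr uri, String baseURI)
            throws ResourceResolverException {
        String localPath = (uri == null) ? null : registered.get(uri.getNodeValue());
        if (localPath == null) {
            // Never derive a file path from the URI text itself.
            throw new ResourceResolverException("generic.EmptyMessage", uri, baseURI);
        }
        try {
            XMLSignatureInput input =
                new XMLSignatureInput(new FileInputStream(localPath));
            input.setSourceURI(localPath);
            return input;
        } catch (FileNotFoundException e) {
            throw new ResourceResolverException("generic.EmptyMessage", e, uri, baseURI);
        }
    }
}
```

The verifying side registers its own URI-to-file mapping on the received XMLSignature with addResourceResolver before validating, so the digest is recomputed over the file that application has chosen.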
 
 
-----Original Message-----
From: Stephen Chell (DSL AK) [mailto:[EMAIL PROTECTED]
Sent: Friday, 13 February 2004 02:18
To: '[EMAIL PROTECTED]'
Subject: Detached Signature questions

Hi all,

 

I want to create a detached XML signature over the contents of an arbitrary file.  (The file could be XML or binary.)  

 

Because the file will not be in a fixed location and will be moved around, I presume I should omit the URI attribute from the SignedInfo/Reference element.  It will be up to the receiving application to know which signature relates to which file via other means.

 

Am I making sense so far?

 

Is there some example Java code that illustrates how to a) create a signature in the above manner using the XML Security library, and b) how to verify a signature so created.  At the time of verification the app would need to indicate which object the signature relates to, as the signature would not contain a reference to the object itself.

 

Any help would be much appreciated.

 

Thanks in advance ...

 

Stephen Chell

 
