I had a long think about this one. I can't think of a better way to achieve what you are trying to do, other than potentially using a manifest embedded in the body of your document.
However, a manifest is hashed and checked during signature verification, so if the file name changed, you would break the sig - and I think that breaks your intention?
If the document you are creating only ever has to be validated by your application (i.e. there are no interoperability issues), then using your own transformation shouldn't be a problem.
Not much help I fear.
Cheers,
Berin

Johan Vanbockryck (jvanbock) wrote:
Hi,
I'm trying to sign an XML file that requires external files (attachments) to be signed together with parts of the XML document itself. These attachment files, which can be of any type (plain text, binary, ...), are referenced from within the document by including them in the 'href' attribute of certain elements in the document. Currently, I'm signing them by using a custom Transformation (our own URI as transformation URI and a custom class that extends the TransformSpi class to provide the file contents to the XML Security signature classes) to sign these files.
The reason for using a custom transformation instead of including the filename of the external file directly in the signature XML (I guess as baseURI) is that the href value can change (if the filename of the external attachment changes) without the signature breaking, as long as the content of the file doesn't change. What I'm wondering is if there is a method to create a signature over external data by saying something like 'the contents of the file that is specified in the href attribute of the aml-block:Data tag'.
Example of XML file that will include signature:
<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope">
  <soap-env:Header>
    ...
  </soap-env:Header>
  <soap-env:Body>
    ...
    <aml-block:Attachment aml-block:id="3fe29258d1efb468:1da669c:faf61069c1:-7ffc" type="external">
      <aml-block:Data href="file:///d:/tmp/xyz.xml" />
    </aml-block:Attachment>
  </soap-env:Body>
</soap-env:Envelope>
So the transforms that I currently use:
<ds:Transforms xmlns:aml-block="...">
  <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
    <dsig-xpath:XPath Filter="intersect" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
      //aml-block:Attachment[@aml-block:id='3fe29258d1efb468:1da669c:faf61069c1:-7ffc']
    </dsig-xpath:XPath>
  </ds:Transform>
  <ds:Transform Algorithm="http://test_uri" />
</ds:Transforms>
Where the 'http://test_uri' transformation will parse the <aml-block:Attachment> that is passed to it as input and return the contents of the file in the <aml-block:Data> href attribute (in this case file:///d:/tmp/xyz.xml) as output.
Any hints will be greatly appreciated.
Regards,
Johan Vanbockryck
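As an added example (neither Berin's nor Johan's code), here is the logic of the 'http://test_uri' transform in Python: select the Attachment by id, read Data/@href, and digest the referenced bytes, so that renaming the attachment (and updating href) leaves the digest unchanged while editing its contents does not. The aml-block namespace URI, the SHA-256 digest and the restriction of href to a local attachment directory are assumptions; the envelope is constructed from the sample in the post.

```python
import hashlib, os, pathlib, tempfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse
from urllib.request import url2pathname

AML = "urn:example:aml-block"  # constructed placeholder; the real aml-block namespace is not in the post
NS = {"aml-block": AML}
ATT_ID = "3fe29258d1efb468:1da669c:faf61069c1:-7ffc"
ENVELOPE = """<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope"
  xmlns:aml-block="%s"><soap-env:Body>
  <aml-block:Attachment aml-block:id="%s" type="external"><aml-block:Data href="%s"/></aml-block:Attachment>
</soap-env:Body></soap-env:Envelope>"""  # constructed, modelled on the sample in the post

def attachment_href(envelope_xml, attachment_id):
    # Step 1, the job of the posted XPath filter: select the Attachment by id, read Data/@href.
    root = ET.fromstring(envelope_xml)
    for att in root.iter("{%s}Attachment" % AML):
        if att.get("{%s}id" % AML) == attachment_id:
            return att.find("aml-block:Data", NS).get("href")
    raise ValueError("attachment %s not found" % attachment_id)

def resolve_local(href, allowed_dir):
    # Step 2: map the file: URI to a path; the href is read from a not-yet-trusted document, so stay inside allowed_dir.
    u = urlparse(href)
    if u.scheme != "file":
        raise ValueError("only file: hrefs are accepted")
    base = os.path.realpath(allowed_dir)
    path = os.path.realpath(url2pathname(unquote(u.path)))
    if os.path.commonpath([path, base]) != base:
        raise ValueError("href escapes the attachment directory")
    return path

def transform_digest(envelope_xml, attachment_id, allowed_dir):
    # Step 3, the custom transform's output: the referenced bytes, digested (SHA-256 assumed).
    path = resolve_local(attachment_href(envelope_xml, attachment_id), allowed_dir)
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def rename_vs_modify():
    # Returns (digest same after renaming the file and updating href, digest same after editing bytes).
    with tempfile.TemporaryDirectory() as d:
        def env_for(name):
            return ENVELOPE % (AML, ATT_ID, pathlib.Path(d, name).resolve().as_uri())
        pathlib.Path(d, "xyz.xml").write_bytes(b"<doc>attachment payload</doc>")
        before = transform_digest(env_for("xyz.xml"), ATT_ID, d)
        os.rename(os.path.join(d, "xyz.xml"), os.path.join(d, "renamed.xml"))
        after_rename = transform_digest(env_for("renamed.xml"), ATT_ID, d)
        pathlib.Path(d, "renamed.xml").write_bytes(b"<doc>tampered payload</doc>")
        after_edit = transform_digest(env_for("renamed.xml"), ATT_ID, d)
    return before == after_rename, before == after_edit
```

Calling rename_vs_modify() returns (True, False): the signature survives a rename but not a content change, which is the property the custom transform is meant to give.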
