The signature has to be calculated on the canonical form of a document, but I don't think there's any requirement that the signed document has to be serialized in canonical form. The point of requiring canonicalization is that the document may be altered in insignificant ways (such as attribute reordering) between signature generation and verification. As long as the verification operation puts the document into canonical form before calculating the hash, the presence or absence of an XML declaration in the input document should be immaterial, because the declaration is removed during canonicalization. It therefore should not be harmful to include the declaration in a signed document's serialized form.
On the other hand, the declaration is optional if the document is in canonical form. The only reason I can see to include it is to make it clear that the document not only looks like XML, it's intended to actually be XML. Or am I missing something?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raul Benito
Sent: Thursday, March 23, 2006 1:39 PM
To: [email protected]
Subject: Re: Document removes xml header

The <?xml ...> is removed by the Canonicalization method as it is mandated by the c14n spec.

Regards,
Raul

On 3/23/06, Michael Kail <[EMAIL PROTECTED]> wrote:
> Morning everybody!
>
> Could it be that the Java class org.w3c.dom.Document removes my xml
> header information (<?xml version="1.0" encoding=...)???
> Before loading the xml file there is a header, after making an enveloped
> xml signature and writing it back into file there is none.
> Could it be that the Document class removes that information? Currently
> I am adding the header after signing with JDOM.... But I have to open and
> parse
> the file again (ugly!).
>
> Thanks!!!!!
>
> There's my source code, if there's any error... tell me:
>
> javax.xml.parsers.DocumentBuilderFactory dbf =
>     javax.xml.parsers.DocumentBuilderFactory.newInstance();
>
> //dbf.setNamespaceAware(true);
>
> javax.xml.parsers.DocumentBuilder db =
>     dbf.newDocumentBuilder();
>
> org.w3c.dom.Document doc = db.parse(signatureFile);
>
> String BaseURI = signatureFile.toURL().toString();
>
> ElementProxy.setDefaultPrefix("http://www.w3.org/2000/09/xmldsig#","");
>
> XMLSignature sig = new XMLSignature(doc, BaseURI,
>     XMLSignature.ALGO_ID_SIGNATURE_DSA);
>
> //add signature information to document
> Node nl = doc.getFirstChild();
> nl.appendChild(sig.getElement());
>
> Transforms transforms = new Transforms(doc);
>
> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>
> //add document "archivdescriptor" to signed content
> sig.addDocument("", transforms,
>     Constants.ALGO_ID_DIGEST_SHA1);
>
> {
>     X509Certificate cert =
>         (X509Certificate)
>         ks.getCertificate(certificateAlias);
>
>     sig.addKeyInfo(cert);
>     sig.addKeyInfo(cert.getPublicKey());
>     sig.sign(privateKey);
> }
>
> FileOutputStream f = new FileOutputStream(signatureFile);
>
> XMLUtils.outputDOMc14nWithComments(doc, f);
> f.close();
> --
