I was looking at the sample signature validation code from the
distribution
xml-security-1_5_3\samples\javax\xml\crypto\dsig\samples\Validate.java
I've seen other signature validation code that looks nearly identical,
except for the following snippet:
String providerName = System.getProperty
("jsr105Provider",
"org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
(Provider) Class.forName(providerName).newInstance());
I have a few questions.
1) Is that class still the correct one to use? The use of the
"internal" package name is what's throwing me off. In other examples
(outside of Santuario) it's just:
XMLSignatureFactory fac = XMLSignatureFactory.getInstance();
2) Using this snippet, will Santuario resolve automatically resolve
transforms included with the signature? (assuming that the signature
originated from somewhere else and that we don't know ahead of time
what type of transform will used)
3) From the samples in
xml-security-1_5_3\samples\org\apache\xml\security\samples\transforms,
is there a complete example of signing and validating a signature
using some kind of xpath or xslt transformation?
4) Last one, does Santuario provide of any kind certificate trust
chain building, or OCSP/CRL validation options?
