Hi

We're using detached signatures to provide Digital Receipts for tax returns
sent to the Inland Revenue here in the UK. You can have a look at the
"techpack" that is published to allow 3rd party developers to produce
compliant applications here:
http://www.inlandrevenue.gov.uk/ebu/sa-techpack-04/ . I did supply them with
some sample code (using the Apache XML sig library) to generate the hash
(which is really the hardest part imo) under the Apache license although I'm
not sure where that is, so here's the important bit:

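// Imports used by the fragment below
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.transforms.Transforms;
import org.w3c.dom.Document;

// Hashing stuff
        private final static String HASH_ALGORITHM = "SHA";
        // Transform chain: an XPath filter that keeps only the GovTalkMessage Body
        // and drops any ir:IRmark element and its children, then C14N with comments.
        private final static String TRANSFORM_STRING =
            "<?xml version='1.0'?>\n"
            + "<dsig:Transforms xmlns:dsig='http://www.w3.org/2000/09/xmldsig#'"
            + " xmlns:gt='http://www.govtalk.gov.uk/CM/envelope'"
            + " xmlns:ir='http://www.govtalk.gov.uk/taxation/SA'>\n"
            + "<dsig:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'>\n"
            + "<dsig:XPath>\n"
            + "count(ancestor-or-self::node()|/gt:GovTalkMessage/gt:Body)=count(ancestor-or-self::node())\n"
            + " and count(self::ir:IRmark)=0 \n"
            + " and count(../self::ir:IRmark)=0 \n"
            + "</dsig:XPath>\n"
            + "</dsig:Transform>\n"
            + "<dsig:Transform Algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments'/>\n"
            + "</dsig:Transforms>\n";
        private final static ByteArrayInputStream __transformStringAsBytes =
            new ByteArrayInputStream(TRANSFORM_STRING.getBytes());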
.
.
.
if (__transforms == null)
{
        // Parse the transform chain once and cache the resulting Transforms object
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document transformDoc = db.parse(__transformStringAsBytes);
        __transforms = new Transforms(transformDoc.getDocumentElement(), null);
}
// Run the submission through the XPath filter and canonicalization
XMLSignatureInput input = new XMLSignatureInput(data);
XMLSignatureInput result = __transforms.performTransforms(input);
// Hash the canonical bytes that come out of the transform chain
MessageDigest md = MessageDigest.getInstance(HASH_ALGORITHM);
md.update(result.getBytes());
byte digest[] = md.digest();
fireSubmissionLoadedEvent(data, digest, file.getName());
setStatusBarText(STATUS_LOADED_SUB_KEY);

I know it's not exactly what you wanted but hopefully it will help!

Edward
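
An added example (not code from the original post or the techpack): it wraps the transform chain above in a small class and digests three constructed envelopes, to show that the result depends only on the canonical Body content outside ir:IRmark. It assumes an Apache XML Security release with the same Transforms and XMLSignatureInput(byte[]) API the post uses; the class name, the envelope helper and the ir:Return / ir:Amount elements are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.transforms.Transforms;

public class IRmarkDigestDemo {
    static { org.apache.xml.security.Init.init(); } // registers transform/c14n algorithms
    static final String GT = "http://www.govtalk.gov.uk/CM/envelope";
    static final String IR = "http://www.govtalk.gov.uk/taxation/SA";
    // Transform chain from the post: XPath filter (Body minus IRmark), then C14N with comments.
    static final String TRANSFORMS =
        "<dsig:Transforms xmlns:dsig='http://www.w3.org/2000/09/xmldsig#'"
      + " xmlns:gt='" + GT + "' xmlns:ir='" + IR + "'>"
      + "<dsig:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'><dsig:XPath>"
      + "count(ancestor-or-self::node()|/gt:GovTalkMessage/gt:Body)=count(ancestor-or-self::node())"
      + " and count(self::ir:IRmark)=0 and count(../self::ir:IRmark)=0"
      + "</dsig:XPath></dsig:Transform><dsig:Transform"
      + " Algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments'/>"
      + "</dsig:Transforms>";
    static String digest(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Transforms transforms = new Transforms(dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(TRANSFORMS.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement(), null);
        XMLSignatureInput out = transforms.performTransforms(
            new XMLSignatureInput(xml.getBytes(StandardCharsets.UTF_8)));
        // "SHA" is the JCA name used in the post; it selects SHA-1.
        byte[] d = MessageDigest.getInstance("SHA").digest(out.getBytes());
        return Base64.getEncoder().encodeToString(d);
    }
    // Constructed sample envelope; ir:Return and ir:Amount are hypothetical element names.
    static String envelope(String header, String returnAttrs, String irmark, String amount) {
        return "<gt:GovTalkMessage xmlns:gt='" + GT + "' xmlns:ir='" + IR + "'>"
            + "<gt:Header>" + header + "</gt:Header><gt:Body><ir:Return " + returnAttrs + ">"
            + irmark + "<ir:Amount>" + amount + "</ir:Amount></ir:Return></gt:Body>"
            + "</gt:GovTalkMessage>";
    }

    public static void main(String[] args) throws Exception {
        // Baseline; then a different header, attribute order/quoting and an IRmark; then an edited amount.
        String base = digest(envelope("h1", "a='1' b='2'", "", "100"));
        String same = digest(envelope("h2", "b=\"2\"   a=\"1\"", "<ir:IRmark>x</ir:IRmark>", "100"));
        String edited = digest(envelope("h1", "a='1' b='2'", "", "101"));
        System.out.println(base.equals(same) + " " + base.equals(edited));
    }
}
```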

-----Original Message-----
From: David Wall @ Yozons, Inc. [mailto:[EMAIL PROTECTED]
Sent: 29 March 2004 03:46
To: [EMAIL PROTECTED]
Subject: Good, real-world examples of detached signatures


Can anybody point to any significant use of detached signatures in any open
source or other example Java code?  I've looked at the samples that come
with the distro, and they mostly appear to be testing code rather than examples
that show anything that would be done in a typical application.

Like so much programming these days, there are no doubt many thousands of
users who have written code using XML DSigs, but seeing such examples is
really hard, and even books are hard to come by that show anything.  I mean,
it's so easy to take a chunk of XML and digitally sign it -- and it's
extremely fast because there's no canonicalization or issues with where the
XML was rooted, namespace, etc.  But then we have a worldwide standard for
doing this and there's almost nothing that I've found that gives clean,
crisp examples of using these capabilities.  I know they are out there, I'm
just having trouble finding them.

Thanks,
David
