Hi.
If I have an XML signature (perhaps that was generated
by some toolkit != xmlsec) and that sig contains a
retrieval method and I want to actually get the key info
this retrieval method points to, do I do something
like this?
// 1. Let's assume that I get the actual XML signature object OK -- that's pretty clear
// 2. get the KeyInfo from that sig
org.apache.xml.security.keys.KeyInfo ki = signature.getKeyInfo();
org.apache.xml.security.keys.content.RetrievalMethod retMeth = null;
// 3. Let's assume this "if" evaluates true
// Will the below return the first RetrievalMethod in this sig?
if (ki.containsRetrievalMethod())
    retMeth = ki.itemRetrievalMethod(0);
String uri = retMeth.getURI();
java.security.PublicKey pk = null;
java.security.cert.X509Certificate retCert = null;
org.w3c.dom.Document keyDoc = dBuilder.parse(new java.io.FileInputStream(uri));
org.apache.xml.security.keys.KeyInfo keyInfo =
    new org.apache.xml.security.keys.KeyInfo(keyDoc);
if (keyInfo.containsKeyValue()) {
    pk = keyInfo.getPublicKey();
    if (signature.checkSignatureValue((java.security.Key) pk))
        returnInfo += "-- the signature is valid";
    else
        // the "+" joining the two string literals was missing
        throw new Exception("Error:XMLTestUtil.verifyApache:"
            + "The XML signature is invalid.");
}
// So is this series of steps the closest I can get to approximating
// a ki.getRetrievalMethod() method?
// (i.e. in the spirit of the ki.getPublicKey() and ki.getX509Certificate())?
Thanks in advance.
Liz
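
The snippet above passes the RetrievalMethod URI, which comes from the signature itself, straight to FileInputStream. The following is an added example, not part of the original post and not xmlsec code: it uses only JDK classes to confine that URI to a directory of trusted key files and to parse the target with DOCTYPE declarations disabled. The class name RetrievalMethodLoader, the method loadKeyInfo and the trustedDir parameter are hypothetical, and it assumes the referenced file contains exactly one ds:KeyInfo element.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example; class, method and parameter names are hypothetical.
public final class RetrievalMethodLoader {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    public static Element loadKeyInfo(String uri, Path trustedDir) throws Exception {
        URI parsed = URI.create(uri);
        String scheme = parsed.getScheme();
        // Only local files are accepted; remote schemes are refused outright.
        if (scheme != null && !"file".equalsIgnoreCase(scheme)) {
            throw new SecurityException("Refusing non-file RetrievalMethod URI: " + uri);
        }
        String path = parsed.getPath();
        if (path == null || path.isEmpty()) {
            throw new SecurityException("RetrievalMethod URI names no file: " + uri);
        }
        // Resolve symlinks and ".." first, then check containment.
        Path base = trustedDir.toRealPath();
        Path target = (scheme == null ? base.resolve(path) : Paths.get(parsed)).toRealPath();
        if (!target.startsWith(base) || !Files.isRegularFile(target)) {
            throw new SecurityException("RetrievalMethod URI is outside " + base + ": " + uri);
        }
        // Namespace-aware parser with DOCTYPE and entity expansion switched off.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        try (InputStream in = Files.newInputStream(target)) {
            Document doc = dbf.newDocumentBuilder().parse(in);
            NodeList found = doc.getElementsByTagNameNS(DSIG_NS, "KeyInfo");
            if (found.getLength() != 1) {
                throw new IllegalStateException("Expected exactly one ds:KeyInfo in " + target);
            }
            return (Element) found.item(0);
        }
    }
}
```

The returned element can be handed to the KeyInfo(Element, String) constructor. A key obtained this way only shows that the signature is internally consistent; deciding whether the signer is trusted still requires comparing the key or certificate against one you already trust.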