Folks:
It seems that I'm a bit confused with what XML Signature signs and
how to check its validity. According to what I have read the canonicalized
SignedInfo element is the one signed. Is this true? So then, if I do:
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;

// sigElement is the ds:Signature element; _BASE_URI resolves relative Reference URIs
XMLSignature signature = new XMLSignature(sigElement, _BASE_URI);
SignedInfo si = signature.getSignedInfo();
// the byte stream that SignatureValue is computed over
byte[] canonicalized_signedinfo_octet = si.getCanonicalizedOctetStream();
// SignatureValue, already base64-decoded
byte[] signature_octet = signature.getSignatureValue();
boolean valid = checkValidity(canonicalized_signedinfo_octet,
                              signature_octet,
                              previously_stored_public_key);
where the method checkValidity will sign the first parameter with RSA and
compare it with the signature octet.
Is this the right approach?
Cheers,
Jose M. Selman
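As an added example (not code from the original post or from the Apache XML Security project), here is the check sketched above carried end to end with the Apache XML Security API and java.security.Signature, written from a verifier's point of view: the SignatureValue is checked over the canonicalized SignedInfo with Signature.verify(), the algorithm is pinned rather than read from the document, and the Reference digests are checked too. The class name, the method name verify and the pinned algorithm are my choices.

```java
import java.security.PublicKey;
import java.security.Signature;

import org.apache.xml.security.Init;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Element;

public class SignedInfoCheck {

    // Algorithm the verifier accepts; comes from our configuration, not from the document.
    private static final String EXPECTED_SIG_METHOD = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256;

    /**
     * Verifies a ds:Signature element against a key obtained out of band.
     * Returns true only if (1) the SignatureMethod is the pinned one,
     * (2) the RSA signature over the canonicalized SignedInfo verifies, and
     * (3) every Reference digest matches the data it points at.
     */
    public static boolean verify(Element sigElement, String baseUri, PublicKey trustedKey)
            throws Exception {
        Init.init();
        XMLSignature signature = new XMLSignature(sigElement, baseUri);
        SignedInfo si = signature.getSignedInfo();

        // 1. Do not let the document choose the algorithm.
        if (!EXPECTED_SIG_METHOD.equals(si.getSignatureMethodURI())) {
            return false;
        }

        // 2. SignatureValue covers the canonicalized SignedInfo, so that byte stream is
        //    what goes into Signature.verify(); the verifier never signs anything itself.
        byte[] canonicalizedSignedInfo = si.getCanonicalizedOctetStream();
        byte[] signatureValue = signature.getSignatureValue(); // already base64-decoded
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initVerify(trustedKey);
        rsa.update(canonicalizedSignedInfo);
        if (!rsa.verify(signatureValue)) {
            return false;
        }

        // 3. A good SignatureValue only proves SignedInfo is intact; the signed content
        //    is bound to it through the Reference digests, which must verify as well.
        return si.verify();
    }
}
```

Steps 2 and 3 are what the library's own signature.checkSignatureValue(trustedKey) performs in one call; the manual form above shows which bytes are actually covered by the signature.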