On Thursday, 4 November 2004 16:53, Jose M. Selman wrote:
> Folks:
>
> It seems that I'm a bit confused with what XML Signature signs and
> how to check its validity. According to what I have read, the canonicalized
> SignedInfo element is the one signed. Is this true? So then, if I do:
>
>     XMLSignature signature = new XMLSignature(sigElement, _BASE_URI);
>     org.apache.xml.security.signature.SignedInfo si = signature.getSignedInfo();
>     byte[] canonicalized_signedinfo_octet = si.getCanonicalizedOctetStream();
>     byte[] signature_octet = signature.getSignatureValue();
>
>     boolean valid = checkValidity(canonicalized_signedinfo_octet,
>                                   signature_octet,
>                                   previously_stored_public_key);
>
> where the method checkValidity will sign the first parameter with RSA and
> compare it with the signature octet.

A validation never needs to sign anything.
Maybe you can get some hints from the following snippet:

import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

    private static boolean debug = true;

    // namespace-aware builder used to re-parse the referenced octets
    private static final DocumentBuilder db;
    static {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            db = dbf.newDocumentBuilder();
        } catch (Exception e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /**
     * Checks the signature and returns all signed parts.
     * @param doc
     *            document with signature
     * @param context
     *            contains the test key (Context is our own class holding the partner's certificate)
     * @return array containing all valid signed parts; empty if the signature is missing or invalid
     */
    public static Document[] verifyDocument(Document doc, Context context) {
        Document[] result = new Document[0];
        try {
            // locate the first ds:Signature element
            Element nscontext = XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
            Element sigElement = (Element) XPathAPI.selectSingleNode(doc, "//ds:Signature[1]", nscontext);
            if (sigElement == null) {
                // throw exception?
                return result;
            }
            XMLSignature sig = new XMLSignature(sigElement, "file://");

            // test signature: the public key is taken from the certificate we already hold
            // in our context, not from the document's KeyInfo
            X509Certificate cert = context.getPartnerTestCertificate();
            if (cert == null) {
                // throw exception?
                return result;
            }
            PublicKey pubk = cert.getPublicKey();
            // checkSignatureValue verifies SignatureValue over the canonicalized SignedInfo
            // and recomputes the digest of every Reference; nothing is signed here
            boolean valid = sig.checkSignatureValue(pubk);
            if (debug) {
                System.out.println("The XML Signature is " + (valid ? "valid (good)" : "invalid!!! (bad)"));
            }
            if (!valid) {
                // throw exception?
                return result;
            }

            // get references: re-parse the octets each Reference was digested over and
            // lift the first element child of each into a document of its own
            SignedInfo si = sig.getSignedInfo();
            List<Document> tmp = new ArrayList<Document>();
            for (int i = 0; i < si.getLength(); i++) {
                Reference ref = si.item(i);
                byte[] refarr = ref.getReferencedBytes();
                Document d0 = db.parse(new ByteArrayInputStream(refarr));
                Element e0 = d0.getDocumentElement();
                NodeList l0 = e0.getChildNodes();
                Node n0 = null;
                for (int j = 0; j < l0.getLength(); j++) {
                    if (l0.item(j).getNodeType() == Node.ELEMENT_NODE) {
                        n0 = l0.item(j);
                        break;
                    }
                }
                if (n0 == null) {
                    continue; // no element child: skip instead of importing a text node or null
                }
                Document d1 = db.newDocument();
                d1.appendChild(d1.importNode(n0, true));
                tmp.add(d1);
            }
            result = tmp.toArray(new Document[tmp.size()]);
        } catch (Exception e) {
            // XMLSecurityException, XMLSignatureException, TransformerException, SAXException, IOException, ...
            System.err.println("Exception in verifyDocument.");
            e.printStackTrace();
        }
        return result;
    }

Best regards,
Thomas

-- 
Dipl.-Inf.
Thomas Kriegelstein            [EMAIL PROTECTED]
Institut für Systemarchitektur   Tel.: +49 351 463 38448
Technische Universität Dresden
Hans Grundig Straße 25, Room 115