jason marshall wrote:
> Okay. In the Apache XMLSec code, this happens more or less
> automatically (that is, you verify the signature with
> checkSignatureValue, which takes a key as an argument, and may or may
> not also check references depending on what other settings you've
> specified).
>
> I'm not really all that familiar with the JDK 1.6 API. In looking at
> it I see it changed quite considerably more than I expected, which
> probably explains most of my confusion. I assumed that the bug was
> against the Apache implementation (this is the Apache bug database,
> right?), not JDK code.

Well, I don't think it is a bug in either implementation, but it would
probably help to explain the difference in the Apache and JDK 6 (1.6)
XML Signature APIs/implementation.

The API included in JDK 6 is based on JSR 105, which was a standard XML
Signature API defined via the Java Community Process. The reference
implementation of JSR 105 that is included in JDK 6 is based on the
Apache Java XML Security implementation.

The JSR 105 API and code were contributed back to the Apache Software
Foundation. It will be included in the next Apache XML Security release
(1.4), which should be available soon. You can download the source and
build it yourself now if you choose.

Don't worry though - we plan to continue to include both the JSR 105 API
and the current Apache XML Security API, though I would encourage you to
transition over time to the standard JSR 105 API.

--Sean