Scott Cantor wrote:
You can also do this with JSR 105 - you can optionally specify whether
you want to be able to get the referenced data before it is transformed
and digested. I believe there is also a way to do that in the Apache
XMLSec APIs (don't have time to check right now).
It has to be *after* the transforms, or you still don't know what's been
signed.
Right, that's what I meant; it was a typo on my part.
Ok, that's probably a starting point then. I don't believe xmlsec has any
way to do this with its own APIs other than running the processes twice,
which isn't really ideal.
I believe you are right.
Here's how it works in JSR 105. It is off by default, so you need to
enable it first before you validate:

    valContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
    boolean isValid = signature.validate(valContext);
    Iterator i = signature.getSignedInfo().getReferences().iterator();
    for (int j = 0; i.hasNext(); j++) {
        // Post-transform bytes that were fed to the digest; null if caching is off.
        InputStream is = ((Reference) i.next()).getDigestInputStream();
        // Display the data.
    }

You can also get the dereferenced data (before it is transformed) by
calling reference.getDereferencedData().
--Sean