Hi, I create and sign a Document that does not have a URI: I intend to send it over the net as a Java-serialised object (because I use a P2P net for sending). So the XML does not really exist as a file anywhere and I would like to set the BaseURI to "" (empty). Signing with this works, but the verification gives me: WARNING: Verification failed for URI "".
If I create a file and use that as a BaseURI, it works, but I never write to that file or read from it, so what's the point?

As I understand http://www.w3.org/TR/xmldsig-core/#sec-URI, the Reference URI is allowed to be empty: "If the URI attribute is omitted altogether, the receiving application is expected to know the identity of the object." Obviously, I do know the identity, but how do I enable the verification with empty BaseURI? I have attached the source.

Source:

    BaseURI = file.toURL().toString();
    XMLSignature sig = new XMLSignature(document, BaseURI,
            XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
    Transforms transforms = new Transforms(document);
    String filter[][] = { { XPath2FilterContainer.INTERSECT, "//Body/message" } };
    transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER,
            XPath2FilterContainer.newInstances(document, filter));
    transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
    sig.addDocument(BaseURI, transforms, Constants.ALGO_ID_DIGEST_SHA1);
    sig.addKeyInfo(publicKey);
    sig.sign(privateKey);

    Element sigElement = ParserHelper.uniqueElementExctractorNS(
            document.getDocumentElement(), "ds",
            "http://www.w3.org/2000/09/xmldsig#", "Signature");
    XMLSignature signature = new XMLSignature(sigElement, BaseURI);
    PublicKey pkembed = signature.getKeyInfo().getPublicKey();
    if (signature.checkSignatureValue(pk))
        System.out.println("hooray");
    else
        System.out.println("dump");

Thanks,
Ralph

--
For contact details, please see www.ralphholz.de.
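An added example, not part of the original post or of the library's own samples: a same-document Reference (URI="") created with Apache XML Security for Java, where the Signature element is attached to the document before signing, the document is round-tripped through a byte array as a stand-in for the network transfer, and the receiver verifies against a key it already holds rather than the one embedded in KeyInfo. The class name, sample XML, generated key pair, the SHA-256 algorithms and the enveloped-signature transform (used here in place of the XPath2 filter from the post) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Hypothetical class; the XML and the key pair are constructed sample data.
public class EmptyUriSignature {
    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature needs namespace-aware DOM
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(
            "<Envelope><Body><message>hello</message></Body></Envelope>".getBytes("UTF-8")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Sender: base URI is "" because no external resource is dereferenced.
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        doc.getDocumentElement().appendChild(sig.getElement()); // attach before sign()
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("", transforms, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.sign(kp.getPrivate());

        // Transport: serialise to bytes, standing in for the P2P transfer.
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(wire));

        // Receiver: re-parse, locate ds:Signature, verify with the trusted key.
        Document received = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(wire.toByteArray()));
        Element sigElement = (Element) received
            .getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        XMLSignature check = new XMLSignature(sigElement, "");
        System.out.println("valid: " + check.checkSignatureValue(kp.getPublic()));
    }
}
```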