> I create and sign a Document that does not have a URI: I intend to send it > over the net as a Java-serialised object (because I use a P2P net for > sending). So the XML does not really exist as a file anywhere and I would > like to set the BaseURI to "" (empty). Signing with this works, but the > verification gives me: WARNING: Verification failed for URI "".
You're confusing some terminology. A Base URI is not the URI of a document being signed, it's used to resolve relative URIs during various stages of work, and is irrelevant if you're trying to sign a complete document. Put another way, "" is sort of a degenerate absolute URI, so a Base URI isn't involved. > As I understand http://www.w3.org/TR/xmldsig-core/#sec-URI, the Reference > URI is allowed be empty: > > "If the URI attribute is omitted altogether, the receiving application is > expected to know the identity of the object." That's not the same thing as URI="". Omitting is not the same as setting to an empty string. > Source: > BaseURI = file.toURL().toString(); > XMLSignature sig = new XMLSignature(document, BaseURI, > XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1); That would mean you're signing the file itself. Possibly resulting in nothing signed if your transforms end up producing no data for digest. -- Scott
