Generating an Enveloped XML Signature
In this section, you'll be using an X509 certificate to generate an enveloped XML signature. To do this, follow these steps (many steps are identical to those in the previous section):
- Create an XMLSignatureFactory Object: You'll use the getInstance method. This method searches for a DOM-supporting provider and returns its XMLSignatureFactory implementation.
- Create a Reference Object: You'll specify the URI ("" represents the whole document) and create a DigestMethod object and a Transform object. The Reference object identifies the data that will be signed. All of these objects are created using the XMLSignatureFactory from Step 1.
- Create a SignedInfo Object: This object is created from the CanonicalizationMethod object, a SignatureMethod object, and a list of References.
- Load the Certificate: Use the KeyStore class in the usual manner. The public/private keys will come from this KeyStore.
- Create the KeyInfo Object.
- Prepare the Document to be Signed: This is a simple DOM routine for obtaining the Document object.
- Sign the Document: First, create an instance of DOMSignContext using the private key and the Document root. This object will be passed to the sign method later. Next, create an XMLSignature object (using the SignedInfo and KeyInfo objects) and call its sign method.
- Write the Signed Document to a File: This can be accomplished in various ways (for example, using a Transformer).
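The eight steps above as one complete program, added here as an example; it is not Listing 3 or the article's own code. It assumes a Java 11 or later runtime and a JKS keystore named keystore.jks holding a key entry under alias localhost with password changeit (all three are placeholders), and it embeds a constructed copy of in.xml instead of reading it from disk. It departs from the article's output in two respects: it uses RSA with SHA-256 for the signature and digest rather than dsa-sha1 and sha1, which are deprecated for new signatures, and it adds a verification step against a certificate the caller already trusts rather than whatever key the KeyInfo element happens to carry.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class EnvelopedSigner {
    // Assumed keystore file, alias and password: placeholders, replace with your own.
    static final String KEYSTORE = "keystore.jks";
    static final String ALIAS = "localhost";
    static final char[] PASSWORD = "changeit".toCharArray();

    // Constructed sample input with the same shape as the article's in.xml.
    static final String SAMPLE_XML =
        "<math><simple-equations><first_degree_equation>First-degree equation:"
      + "<terms_first_degree a=\"0.0\" b=\"0.0\"/><solution>\"-b/a\"</solution>"
      + "</first_degree_equation></simple-equations></math>";

    public static Document sign(Document doc, PrivateKey key, X509Certificate cert) throws Exception {
        // Step 1: factory backed by the DOM mechanism.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Step 2: URI "" covers the whole document; the enveloped-signature transform excludes
        // the <Signature> element itself from the digest so that signing does not change the hash.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        // Step 3: SignedInfo = canonicalization method + signature method + references.
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        // Step 5: KeyInfo carrying the subject name and the certificate, as in the article's output.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        X509Data x509 = kif.newX509Data(List.of(cert.getSubjectX500Principal().getName(), cert));
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(x509));
        // Step 7: the sign context names the private key and the parent of the new <Signature>.
        DOMSignContext dsc = new DOMSignContext(key, doc.getDocumentElement());
        fac.newXMLSignature(si, ki).sign(dsc);
        return doc;
    }

    // Verify with a key the caller already trusts; the certificate inside KeyInfo is not consulted.
    public static boolean verify(Document signedDoc, X509Certificate trustedCert) throws Exception {
        NodeList nl = signedDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) throw new IllegalStateException("expected exactly one Signature element");
        DOMValidateContext vc = new DOMValidateContext(
            KeySelector.singletonKeySelector(trustedCert.getPublicKey()), nl.item(0));
        // JDK secure validation mode: rejects weak algorithms and dangerous transforms.
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc);
        return sig.validate(vc);
    }

    public static void main(String[] args) throws Exception {
        // Step 4: load the private key and certificate from the keystore.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PASSWORD);
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        // Step 6: build the Document; namespace awareness is required for the dsig namespace.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // no external entities
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE_XML.getBytes(StandardCharsets.UTF_8)));
        sign(doc, key, cert);
        // Step 8: serialize the signed document with a Transformer.
        try (FileOutputStream out = new FileOutputStream("outCertEnveloped.xml")) {
            TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(doc), new StreamResult(out));
        }
        System.out.println("signature valid: " + verify(doc, cert));
    }
}
```

The verification half is the part practitioners most often get wrong: a signature whose KeyInfo is trusted as-is proves only that someone signed the document with some key, so the key used for validation must come from the verifier's own trust store, as it does here.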
The document to be signed is called in.xml and the output will be saved into a file named outCertEnveloped.xml, shown in Listing 3.
The output of this code is shown below:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<math>
<simple-equations>
<first_degree_equation>
First-degree equation:
<terms_first_degree a="0.0" b="0.0"/>
<solution>"-b/a"</solution>
</first_degree_equation>
</simple-equations>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>PlQASEXK+FR8BAhzfgtKfh79LmM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>ZCyu/5dfCcfQYYQxlKGzCDUq8DRVOMwF08PGgt3UNCLBZxQss5Q+KQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=localhost,OU=none,O=none,L=Bucharest,ST=Bucharest,C=RO</X509SubjectName>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</math>
Generate a Detached XML Signature
A detached XML signature is a signature that signs data external to the <Signature> element. That data may lie outside the document (for example, a page fetched over HTTP) or inside the same document (for example, a sibling of the <Signature> element).
Generally, you can follow the same steps from Page 2 to generate a detached XML signature. The key difference is that the URI passed to the Reference object must point at data external to the <Signature> element. For example, in the application in Listing 4, the data is a web page that can be accessed via the link http://www.w3.org/TR/xml-stylesheet.
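An added example (not Listing 4 or the article's code) of the same-document variant mentioned above: the Reference URI "#body" points at a sibling element of <Signature>, so the signature is detached from its data even though both live in one file. The element names, the Id attribute and the sample order document are constructed for the example; the RSA key pair is generated in-process and carried as a KeyValue, matching the article's output. It goes one step beyond the article by validating the result through a URIDereferencer that refuses anything other than same-document fragments, so a verifier never fetches a remote URI named by a signature it has not yet checked, and by re-validating after the signed element is altered.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.URIReference;
import javax.xml.crypto.URIReferenceException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class DetachedSigner {
    // Constructed sample: <payload> is the data to sign; <Signature> will become its sibling.
    static final String SAMPLE_XML =
        "<order><payload Id=\"body\"><item sku=\"A-1\" qty=\"2\"/></payload></order>";

    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // no external entities
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Sign only <payload>, referenced as "#body"; <Signature> is appended to <order> beside it.
    public static void signSibling(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element payload = (Element) doc.getElementsByTagName("payload").item(0);
        DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        // Register "Id" as an ID-typed attribute so the fragment URI "#body" resolves.
        dsc.setIdAttributeNS(payload, null, "Id");
        Reference ref = fac.newReference("#body", fac.newDigestMethod(DigestMethod.SHA256, null));
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        fac.newXMLSignature(si, kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic()))))
           .sign(dsc);
    }

    // Validation that never touches the network: only same-document fragments are dereferenced.
    public static boolean verifyLocalOnly(Document doc, PublicKey trusted) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        Element payload = (Element) doc.getElementsByTagName("payload").item(0);
        DOMValidateContext vc = new DOMValidateContext(KeySelector.singletonKeySelector(trusted), sigEl);
        vc.setIdAttributeNS(payload, null, "Id");
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        URIDereferencer dflt = fac.getURIDereferencer();
        vc.setURIDereferencer((URIReference r, XMLCryptoContext c) -> {
            String uri = r.getURI();
            if (uri == null || !uri.startsWith("#")) {
                throw new URIReferenceException("refusing to dereference non-local URI: " + uri);
            }
            return dflt.dereference(r, c); // delegate same-document lookups to the JDK
        });
        return fac.unmarshalXMLSignature(vc).validate(vc);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = parse(SAMPLE_XML);
        signSibling(doc, kp);
        System.out.println("valid: " + verifyLocalOnly(doc, kp.getPublic()));
        // Alter the signed sibling: the digest over #body no longer matches, so validation fails.
        ((Element) doc.getElementsByTagName("item").item(0)).setAttribute("qty", "200");
        System.out.println("valid after tampering: " + verifyLocalOnly(doc, kp.getPublic()));
    }
}
```

Two details matter when the reference is a fragment rather than a remote URL: the ID attribute has to be registered on both the sign and the validate context (a DOM parsed without a schema does not know that "Id" is an ID), and the dereferencer restriction means a signature over an external URL such as the article's http://www.w3.org/TR/xml-stylesheet is rejected outright by this verifier instead of triggering an outbound request.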
The output looks like this:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="http://www.w3.org/TR/xml-stylesheet">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>HZVMG4lz28cmffaTJBDOqCr5fpG7EAG8QPvvMYsmcVrVrbheCppLA66yXFnikno5Ltbo+PmyKzLNC7TuOJyQuQ==</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>lsWqIY2EDNKqnFmxB0ODCC5mlL3bXZSiDo91oMZrAzKcrk0fhARIpj58oFMqpu3epVquT9KQ3kSGEtP+MVQKEw==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>