santuario-dev mailing list archives

From Arshad Noor <arshad.n...@strongauth.com>
Subject Re: how to build a valid XML Signature when the signature already exists
Date Thu, 28 Jul 2005 17:37:52 GMT
Applications that create XMLSignatures work no differently from any
other application that digitally signs content.  The only difference is
that, in the past, the output used to be a PKCS7 object, whereas for XML-based
applications the XMLSignature object is more appropriate.  A private
key is absolutely essential to the signature creation process.

What business purpose is the digital signature serving you?  Is it for
data integrity, i.e. did your company sign the documents originally so
that it could always verify that the document had not been modified and
that its integrity is intact?  Or, is it for non-repudiation, i.e. do
you need to prove that someone (or some company) that had the original
digital certificate signed the document?  Or is it both?

If all you're focused on is data-integrity, and your company originally
signed the document, then you can go out and get yourself another
digital certificate (after generating the key-pair) from the same (or
another) Certification Authority (CA), and build the XMLSignatures on
the source documents using the software listed below.

If you need non-repudiation, do you need this signed by someone from
your company, or from someone in another company?  If it is the former,
(and if the person still works there), you can get them a new digital
certificate and build the XMLSignatures.  If the signatures need to be
from another company, then you need to ask them to get a new digital
certificate (if they don't have one already) and then build the software
they will use to generate the XMLSignatures.

If these are text, spreadsheet or presentation type documents, consider
using OpenOffice 1.9x (http://download.openoffice.org/680/index.html),
a free software product that generates XMLSignature objects once you've
configured the digital certificates into the product (as simple as
configuring digital certificates for your browser).  You won't need to
write the XMLSignature software - just read the document into
OpenOffice and save it with a digital signature.  While OpenOffice will
always verify the signature when you re-open the document, if you need
to verify the signature with some other software, you can always unzip
the OO document and verify the XMLSignature that is buried inside the
zipped file.

You're welcome, Philippe :-)

Arshad Noor
StrongAuth, Inc.
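
The procedure the reply above describes (generate a key pair, sign the original source document, then verify) with the JSR-105 API that the thread points to, as an added example that is not part of the original message, of Sun's reference toolkit or of Apache Santuario. The class name, the sample Invoice document and the KeyValue-based key selector are assumptions made for illustration; the RSA-SHA256 algorithm URI is the standard one from RFC 4051, spelled out so the code compiles on JDKs that predate the SignatureMethod.RSA_SHA256 constant. The demo signs, validates, then modifies signed content and validates again, showing how a failed core validation is broken down into SignatureValue and per-Reference results.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class EnvelopedSignatureDemo {

    // Constructed sample input standing in for the "original source document".
    static final String SOURCE_XML =
        "<Invoice id=\"inv-1\"><Amount>100.00</Amount><Payee>Example Co</Payee></Invoice>";

    // RSA-SHA256 URI from RFC 4051, written out because JDKs before 11 have no
    // SignatureMethod.RSA_SHA256 constant even though their provider supports it.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static void main(String[] args) throws Exception {
        // Step 1: a fresh key pair. A CA would certify the public half; the signature
        // itself needs only the private half, which is why a lost key cannot be replaced.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Step 2: sign the source document with an enveloped ds:Signature.
        Document doc = parse(SOURCE_XML);
        sign(doc, kp.getPrivate(), kp.getPublic());

        // Step 3: validate, then tamper with signed content and validate again.
        System.out.println("fresh signature valid: " + verify(doc));
        doc.getElementsByTagName("Amount").item(0).setTextContent("999.00");
        System.out.println("after tampering valid: " + verify(doc));
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // ds:Signature is namespaced; a non-aware DOM will not validate
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / XXE
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static void sign(Document doc, PrivateKey priv, PublicKey pub) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" covers the whole document; the enveloped transform strips the
        // ds:Signature element before digesting so the signature can live inside it.
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        // Carry the public key in ds:KeyInfo. With a CA-issued certificate you would
        // place an X509Data element here instead (kif.newX509Data(...)).
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(pub)));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(priv, doc.getDocumentElement()));
    }

    static boolean verify(Document doc) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) throw new IllegalStateException("expected exactly one ds:Signature");
        DOMValidateContext ctx = new DOMValidateContext(new KeyValueSelector(), nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // rejects weak algorithms, XSLT, etc.
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean coreValid = sig.validate(ctx);
        if (!coreValid) {
            // Tell a bad SignatureValue apart from a modified document: SignedInfo is
            // checked against the key, each Reference is re-digested separately.
            System.out.println("  SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object r : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) r;
                System.out.println("  Reference '" + ref.getURI() + "' valid: " + ref.validate(ctx));
            }
        }
        return coreValid;
    }

    // Assumed selector: trusts whatever public key the signer embedded in ds:KeyValue.
    // That proves integrity against that key only (the data-integrity case above);
    // for non-repudiation, take the key from a certificate chained to a CA you trust.
    static final class KeyValueSelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("ds:KeyInfo is missing");
            for (Object o : keyInfo.getContent()) {
                if (o instanceof KeyValue) {
                    try {
                        final PublicKey pk = ((KeyValue) o).getPublicKey();
                        return new KeySelectorResult() { public Key getKey() { return pk; } };
                    } catch (KeyException e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            throw new KeySelectorException("no ds:KeyValue in ds:KeyInfo");
        }
    }
}
```

Compile and run with a plain JDK (no extra jars: javax.xml.crypto ships with the platform). The first validation prints true; after the Amount element is changed, core validation fails, the SignatureValue still validates (SignedInfo was not touched) and the Reference with URI "" reports false, which is the pattern of a modified document rather than a forged signature. The same unmarshal-and-validate path applies to a ds:Signature pulled out of a zipped OpenOffice document, except that its References name other archive entries, so the DOMValidateContext needs a URIDereferencer (ctx.setURIDereferencer) that resolves those names against the zip.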

Frankinet Philippe wrote:

> Perhaps I don't understand how XMLDSig works, but we don't have the private key and I think
> this object is required to proceed with the XML Signature.
> How do you proceed if the private key was lost or if the signature is computed by another
> computer/application (not a hardware crypto system)?
> 
> We have the original source document, the certificate and the signature. I will check
> your links to see if I can build an XML Signature based on these components (and without using
> the Pk).
> 
> Feel free to give other advice ;-)
> 
> 
> Philippe.
> 
> -----Original Message-----
> From: Arshad Noor [mailto:arshad.noor@strongauth.com] 
> Sent: Wednesday, 27 July 2005 19:36
> To: security-dev@xml.apache.org
> Subject: Re: how to build a valid XML Signature when the signature already exists
> 
> I'm not certain why you would want to take a PKCS7-based signature and convert it to
> an XMLSignature document, Philippe - unless, of course, your application that used to deal
> with PKCS7 objects, now wants XMLSignature documents and you're trying to get the existing
> signatures into this new format.
> 
> If that is the case, you'll probably find it easier to create new XMLSignatures using
> the original source document for which the PKCS7 exists, rather than trying to build
> XMLSignature documents from PKCS7 components.
> 
> http://www.w3.org/Signature/#Code provides many toolkits to do this.
> Sun recently released a JSR-105 compliant reference toolkit to do this too, which you
> can download at:
> http://jcp.org/aboutJava/communityprocess/final/jsr105/index.html
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> 
> Frankinet Philippe wrote:
> 
>>Dear,
>>What should we do if the signature already exists (e.g. stored in PKCS7 format 
>>on a backup system)? How do we give the existing signature bytes, 
>>certificate, ... to the XML signature process?
>>
>>We have all the elements in hand but we don't know how to proceed.
>>Sample code would be appreciated.
>>
