santuario-dev mailing list archives

From "Jesse Pelton" <...@PKC.com>
Subject RE: Document removes xml header
Date Thu, 23 Mar 2006 19:12:35 GMT
The signature has to be calculated on the canonical form of a document,
but I don't think there's any requirement that the signed document has
to be serialized in canonical form.  The point of requiring
canonicalization is that the document may be altered in insignificant
ways (such as attribute reordering) between signature generation and
verification.  As long as the verification operation puts the document
into canonical form before calculating the hash, the presence or absence
of an XML declaration in the input document should be immaterial,
because the declaration is removed during canonicalization.  It
therefore should not be harmful to include the declaration in a signed
document's serialized form.

On the other hand, the declaration is optional if the document is in
canonical form.  The only reason I can see to include it is to make it
clear that the document not only looks like XML, it's intended to
actually be XML.

Or am I missing something?

-----Original Message-----
From: raul.benito.garcia@gmail.com [mailto:raul.benito.garcia@gmail.com]
On Behalf Of Raul Benito
Sent: Thursday, March 23, 2006 1:39 PM
To: security-dev@xml.apache.org
Subject: Re: Document removes xml header

The <?xml ...> is removed by the Canonicalization method as it is
mandated by the c14n spec.

Regards,

Raul

On 3/23/06, Michael Kail <michael.kail@rl-ag.com> wrote:
> Morning everybody!
>
> Could it be, that the java class org.w3c.dom.Document removes my xml
> header information(<?xml version="1.0" encoding=...)???
> Before loading the xml file there is a header, after making an enveloped
> xml signature and writing it back into file there is none.
> Could it be that the Document class removes that information? Currently
> am adding the header after signing with JDOM.... But I have to open and
> parse the file again(ugly!).
>
> Thanxs!!!!!
>
> There's my source code, if there's any error... tell me:
>
> javax.xml.parsers.DocumentBuilderFactory dbf =
>     javax.xml.parsers.DocumentBuilderFactory.newInstance();
>
> //dbf.setNamespaceAware(true);
>
> javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
>
> org.w3c.dom.Document doc = db.parse(signatureFile);
>
> String BaseURI = signatureFile.toURL().toString();
>
> ElementProxy.setDefaultPrefix("http://www.w3.org/2000/09/xmldsig#","");
>
> XMLSignature sig = new XMLSignature(doc, BaseURI,
>     XMLSignature.ALGO_ID_SIGNATURE_DSA);
>
> //add signature information to document
> Node nl = doc.getFirstChild();
> nl.appendChild(sig.getElement());
>
> Transforms transforms = new Transforms(doc);
>
> transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
>
> //add document "archivdescriptor" to signed content
> sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);
>
> {
>    X509Certificate cert =
>       (X509Certificate) ks.getCertificate(certificateAlias);
>
>    sig.addKeyInfo(cert);
>    sig.addKeyInfo(cert.getPublicKey());
>    sig.sign(privateKey);
> }
>
> FileOutputStream f = new FileOutputStream(signatureFile);
>
> XMLUtils.outputDOMc14nWithComments(doc, f);
> f.close();
>
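
Added example (not part of the thread and not Santuario's own code): an enveloped signature written out with an ordinary serializer that keeps the XML declaration still verifies, because validation canonicalizes before hashing. Assumptions: it uses the JDK's javax.xml.crypto.dsig API (Java 11+) instead of the org.apache.xml.security classes in the quoted code, RSA-SHA256 with a throwaway key pair instead of the DSA keystore key, and a constructed sample document.

```java
import java.io.*;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
public class DeclarationSurvivesSigning {
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature processing needs a namespace-aware DOM
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Validation canonicalizes internally, so the serialized input need not be canonical.
    static boolean verify(byte[] xml, PublicKey pub) throws Exception {
        Node sig = parse(xml).getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(pub, sig);
        return FAC.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(("<?xml version=\"1.0\" encoding=\"UTF-8\"?>" // constructed sample
            + "<archive b=\"2\" a=\"1\"><item>x</item></archive>").getBytes("UTF-8"));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key, stands in for the keystore entry
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod(SignatureMethod.RSA_SHA256, null), Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        // Ordinary (non-canonical) serializer: the XML declaration is written out.
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new DOMSource(doc), new StreamResult(out));
        String text = out.toString("UTF-8");
        byte[] tampered = text.replace(">x<", ">y<").getBytes("UTF-8"); // change signed content
        System.out.printf("declaration kept=%b, verifies=%b, tampered verifies=%b%n",
            text.startsWith("<?xml"), verify(out.toByteArray(), kp.getPublic()), verify(tampered, kp.getPublic()));
    }
}
```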

