santuario-dev mailing list archives

From Sean Mullan <sean.mul...@oracle.com>
Subject Re: Is still example still valid?
Date Mon, 01 Apr 2013 13:53:54 GMT
On 03/30/2013 09:57 AM, Alex O'Ree wrote:
> I was looking at the sample signature validation code from the
> distribution xml-security-1_5_3\samples\javax\xml\crypto\dsig\samples\Validate.java
>
> I've seen other signature validation code that looks nearly identical,
> except for the following snippet:
>
>   String providerName = System.getProperty("jsr105Provider",
>           "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
>   XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
>           (Provider) Class.forName(providerName).newInstance());
>
> I have a few questions.
> 1) Is that class still the correct one to use? The use of the
> "internal" package name is what's throwing me off. In other examples
> (outside of Santuario) it's just:
> XMLSignatureFactory fac = XMLSignatureFactory.getInstance();

Yes, it is still correct, if you want to be sure you are using the JSR 
105 provider that is included with Santuario. The code above will use 
the first provider it finds.

> 2) Using this snippet, will Santuario automatically resolve
> transforms included with the signature? (assuming that the signature
> originated from somewhere else and that we don't know ahead of time
> what type of transform will be used)

Yes, but keep in mind that this is sample code. The code does not verify 
the key used to sign the signature, which should ideally be done before 
you validate the signature and process the transforms. See 
http://www.w3.org/TR/xmldsig-bestpractices/#denial-of-service

> 3) From the samples in
> xml-security-1_5_3\samples\org\apache\xml\security\samples\transforms,
> is there a complete example of signing and validating a signature
> using some kind of xpath or xslt transformation?

Look at the tests in src/test/java. There are several examples.

> 4) Last one, does Santuario provide any kind of certificate trust
> chain building, or OCSP/CRL validation options?

No, you need to implement your own, or you can use the 
java.security.cert.CertPathValidator APIs in the JDK.

--Sean
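Putting the two points of the reply together (select Santuario's JSR 105 provider explicitly, and decide which key you trust before the signature and its transforms are processed), here is an added example that is not part of this thread or of the Santuario samples. It assumes the caller supplies the trusted PublicKey as a pinned trust anchor, and it assumes the provider in use honours the secureValidation context property.

```java
import java.security.Provider;
import java.security.PublicKey;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public final class PinnedKeyValidator {
    /** Hands back only the caller's trusted key; KeyInfo inside the document is never trusted. */
    static final class PinnedKeySelector extends KeySelector {
        private final PublicKey trusted;
        PinnedKeySelector(PublicKey trusted) { this.trusted = trusted; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
            // Fail early and loudly if the signer advertised a KeyValue other than the pinned key.
            if (keyInfo != null) {
                for (Object content : keyInfo.getContent()) {
                    if (content instanceof KeyValue) {
                        try {
                            if (!trusted.equals(((KeyValue) content).getPublicKey())) {
                                throw new KeySelectorException("KeyValue does not match the pinned key");
                            }
                        } catch (java.security.KeyException e) {
                            throw new KeySelectorException(e);
                        }
                    }
                }
            }
            return () -> trusted;
        }
    }

    /** True only if the first ds:Signature in doc verifies under the pinned key. */
    public static boolean validate(Document doc, PublicKey trusted) throws Exception {
        // Same provider selection as the quoted snippet: Santuario's JSR 105 provider, not the first found.
        String providerName = System.getProperty("jsr105Provider",
                "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM",
                (Provider) Class.forName(providerName).getDeclaredConstructor().newInstance());
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalArgumentException("no ds:Signature element");
        DOMValidateContext ctx = new DOMValidateContext(new PinnedKeySelector(trusted), nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // assumption: supported by provider
        // validate() checks the SignatureValue with the selected key first; references (and their
        // transforms) are only processed after that step succeeds.
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```

A returned false means core validation failed; inspect SignatureValue and each Reference via the XMLSignature object when you need to know which step rejected the document.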
