javax.xml.crypto.dsig validation using the public key in the xml

Using javax.xml.crypto.dsig, how do I unmarshal and validate an XMLSignature without specifying the public key? The public key appears to be in the signed xml, but I can't figure out a way to get it.

// key: the validating PublicKey; signatureNode: the ds:Signature DOM node;
// fac: an XMLSignatureFactory obtained with XMLSignatureFactory.getInstance("DOM")
DOMValidateContext valContext = new DOMValidateContext(key, signatureNode);
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
boolean coreValidity = signature.validate(valContext);

As far as I can tell it's necessary to pass a KeySelector instead of a Key to the DOMValidateContext. However, I can't figure out how to implement a KeySelector.

Here is the only example I've found about how to implement a KeySelector: http://download.oracle.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html

Unfortunately it doesn't work. In that implementation it does the following but always fails because there are no KeyValue elements (it appears that instead of KeyValue elements they are org.jcp.xml.dsig.internal.dom.DOMX509Data elements which don't have a way to get the key from them).

// keyInfo: the KeyInfo passed to KeySelector.select(); sm: the SignatureMethod
// cast from the AlgorithmMethod parameter; algEquals() and SimpleKeySelectorResult
// are helpers defined elsewhere in the Oracle example
List list = keyInfo.getContent();

for (int i = 0; i < list.size(); i++) {
    XMLStructure xs = (XMLStructure) list.get(i);
    // only bare <ds:KeyValue> elements are handled here
    if (xs instanceof KeyValue) {
        PublicKey pk = null;
        try {
            pk = ((KeyValue) xs).getPublicKey();
        } catch (KeyException ke) {
            throw new KeySelectorException(ke);
        }
        // make sure algorithm is compatible with method
        if (algEquals(sm.getAlgorithm(), pk.getAlgorithm())) {
            return new SimpleKeySelectorResult(pk);
        }
    }
}
throw new KeySelectorException("No KeyValue element found!");

So, is there a way to do this? I want to be able to validate the signature of an xml file without having to have the public key. I just want to get the public key from the xml.


Extend the if () condition that checks whether xs is an instance of KeyValue to also check for an instance of X509Data, as follows:

// pk must be declared before the if/else chain; X509Data.getContent() is a mixed
// list (certificates, issuer/serial, subject names, SKIs), so only the
// java.security.cert.X509Certificate entries carry a public key
else if (xs instanceof X509Data) {
    for (Object data : ((X509Data) xs).getContent()) {
        if (data instanceof X509Certificate) {
            pk = ((X509Certificate) data).getPublicKey();
        }
    }
}
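The following is an added example (not code from the question, the answer, or the Oracle article) that puts the two branches together into a complete KeySelector and a validation driver. It assumes the class name EmbeddedKeySelector, the nested Result class and the algorithmMatches() helper; all three are names chosen here, not part of javax.xml.crypto.

```java
import java.io.File;
import java.security.KeyException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Added example: KeySelector that takes the verification key from the ds:KeyInfo in the document. */
public class EmbeddedKeySelector extends KeySelector {

    /** Result that also carries the certificate so the caller can check it against a trust anchor. */
    public static final class Result implements KeySelectorResult {
        private final PublicKey key;
        private final X509Certificate cert; // null when the key came from a bare KeyValue
        Result(PublicKey key, X509Certificate cert) { this.key = key; this.cert = cert; }
        public java.security.Key getKey() { return key; }
        public X509Certificate getCertificate() { return cert; }
    }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                    AlgorithmMethod method, XMLCryptoContext context)
            throws KeySelectorException {
        if (keyInfo == null) {
            throw new KeySelectorException("Signature has no KeyInfo element");
        }
        for (Object item : keyInfo.getContent()) {
            XMLStructure xs = (XMLStructure) item;
            if (xs instanceof KeyValue) {
                // <ds:KeyValue> (RSAKeyValue / DSAKeyValue): a raw key, nothing to chain to
                PublicKey pk;
                try {
                    pk = ((KeyValue) xs).getPublicKey();
                } catch (KeyException ke) {
                    throw new KeySelectorException(ke);
                }
                if (algorithmMatches(method.getAlgorithm(), pk.getAlgorithm())) {
                    return new Result(pk, null);
                }
            } else if (xs instanceof X509Data) {
                // <ds:X509Data> content is mixed: X509Certificate, X509IssuerSerial,
                // String (subject name) or byte[] (SKI); only certificates carry a key
                for (Object data : ((X509Data) xs).getContent()) {
                    if (data instanceof X509Certificate) {
                        X509Certificate cert = (X509Certificate) data;
                        PublicKey pk = cert.getPublicKey();
                        if (algorithmMatches(method.getAlgorithm(), pk.getAlgorithm())) {
                            return new Result(pk, cert);
                        }
                    }
                }
            }
        }
        throw new KeySelectorException("No usable KeyValue or X509Certificate in KeyInfo");
    }

    /** Assumed helper: matches a SignatureMethod URI fragment (rsa-sha256, dsa-sha1, ecdsa-sha256)
     *  against the key algorithm name reported by the JCA (RSA, DSA, EC). */
    static boolean algorithmMatches(String signatureMethodUri, String keyAlgorithm) {
        String fragment = signatureMethodUri.substring(signatureMethodUri.indexOf('#') + 1).toLowerCase();
        String key = keyAlgorithm.toLowerCase();
        return key.equals("ec") ? fragment.startsWith("ecdsa-") : fragment.startsWith(key + "-");
    }

    /** Unmarshals the first ds:Signature in the file and validates it with the embedded key. */
    public static boolean validate(File signedXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required: ds:* elements are located by namespace
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = dbf.newDocumentBuilder().parse(signedXml);

        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            throw new IllegalArgumentException("Cannot find Signature element");
        }
        DOMValidateContext valContext = new DOMValidateContext(new EmbeddedKeySelector(), nl.item(0));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(valContext);

        boolean coreValidity = signature.validate(valContext);
        if (!coreValidity) {
            // distinguish a bad SignatureValue from a failed Reference digest
            System.out.println("SignatureValue valid: " + signature.getSignatureValue().validate(valContext));
            return false;
        }
        // The signature matched the key the document itself supplied; which certificate that was
        // is available here so the caller can check it against a trust anchor (not done here).
        KeySelectorResult chosen = signature.getKeySelectorResult();
        if (chosen instanceof Result && ((Result) chosen).getCertificate() != null) {
            System.out.println("Signed by: " + ((Result) chosen).getCertificate().getSubjectX500Principal());
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Signature is valid: " + validate(new File(args[0])));
    }
}
```

Run it as java EmbeddedKeySelector signed.xml. Note what core validation proves here: the document was signed by whoever holds the private key matching the key embedded in that same document. Anyone who can alter the XML can also swap in their own certificate and re-sign, so a valid result is only meaningful once the certificate returned through getKeySelectorResult() has been checked against a trust anchor you control, for example with CertPathValidator or by comparing it to a pinned certificate.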


Just include xmldsig.jar in your build path, and check your JDK version: for 1.5 you have to add it to your build path; for 1.6 it is built in, so there is no need to add it. For reference: http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/
