I had to use digital signatures recently to sign XML files. What can I say, java 6 certainly makes it easy. Signature is embedded in your XML and is XML istself. Kudos :)
It is described nicely here:
http://java.sun.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html
And here:
http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/
You can even include a public key as a part of a signature - but that basically decreases the protection level from authenticated message to "unchanged" message, i.e., undamaged during transfer because you will not be able to verify who created that public key. Seems not very useful to me.
Beware of one really painful caveat: you cannot format a "signature" part of message. Obviously, you cannot touch the signed content, but why you cannot touch the signature part of XML, that's beyond me. Was just adding whitespace to it to make it look nice. Spent quite some time debugging this (no source code).
This is is part of JCP, but source code is not available. It is available "under java research license", but how to get that license? And with the demise of Sun Microsystems, we may never see that source code again. Oh, well...
So if anyone knows how to get source code for JSR-105, please let me know.
Thursday, May 14, 2009
Subscribe to:
Posts (Atom)