[Fwd: [jdom-interest] Signing a JDOM Document]

Alistair Young alistair at smo.uhi.ac.uk
Wed Dec 1 15:00:05 PST 2004


You're a nice person Per :) I certainly have a business case for signing
JDOM docs. Interesting point arises though - the whole point of signing is
to transmit on the wire to something else. Something that probably doesn't
speak JDOM. So you still have to convert to w3c to be interoperable.
I'm in the same boat as you Per, learning about Java security.
It would certainly be nice to be JDOM on either side, with w3c between, on
the wire.
Are there any benchmark comparisons between the memory footprints of JDOM
vs w3c Documents?
If I can help with your project, just dump the code on me :)
cheers,
Alistair


-- 
Alistair Young
Senior Software Engineer
UHI at Sabhal Mòr Ostaig
Isle of Skye
Scotland

> Alistair Young wrote:
>> short of writing a JDOM version of XMLSignature, I can't think of any
>> other way to do it.
>> Alistair
>>
>
> Ahem,
>
> I have a half-baked, probably-will-not-ever-finish project, that
> I called jdom-dsig. I started it mainly because I wanted to learn
> more about the Java security API; I really never had any 'business'
> use case for it.
>
> However, pieces of it actually work, such that you can easily sign
> and verify the basic-basic stuff. Short, concise code was a primary
> design objective:
>
> Verifying:
>     Document doc = new SAXBuilder().build(...);
>     XMLSignature sig = XMLSignature.buildFrom(doc);
>     boolean result = sig.verify();
>
> Enveloped signature with defaults:
>     Document doc = new Document(...);
>     PublicKey publicKey = ...;
>     PrivateKey privateKey = ...;
>     KeyPair keyPair = new KeyPair(publicKey, privateKey);
>     XMLSignature.signEnveloped(doc, keyPair);
>
> A detached signature:
>     Document doc = ...;
>     Element e = new Element("xyzzy");
>     Attribute a = new Attribute("id", "dent", Attribute.ID_TYPE);
>     e.setAttribute(a);
>     ...
>
>     XMLSignature sig = new XMLSignature();
>     Reference ref = Reference.createFor(e, Identifier.DIGEST_SHA1);
>     ref.addTransform(Transform.newInstance(Transform.C14N_EXC));
>     sig.addReference(ref);
>
>     sig.addPublicKey(publicKey);
>     doc.getRootElement().addContent(sig.getElement());
>     sig.sign(privateKey);
>
> Lots and lots of stuff is missing in order to comply with the entire
> spec. If anyone is interested in the code, I'll give it away free to use
> for anything, anywhere by anyone.
>
> /pmn
>
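
Added example, not code from this thread or from jdom-dsig: the round trip discussed above (JDOM on either side, W3C DOM for the signature), using JDOM's DOMOutputter/DOMBuilder and the JDK's javax.xml.crypto.dsig API. It assumes JDOM 2 (org.jdom2) and Java 11+, a constructed sample document and a throwaway RSA key; SHA-256 is used in place of the SHA-1 digest in the quoted snippet.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import org.jdom2.Document;
import org.jdom2.Element;
import org.jdom2.input.DOMBuilder;
import org.jdom2.output.DOMOutputter;

public class SignJdomViaW3c {
    public static void main(String[] args) throws Exception {
        // Constructed sample document and throwaway key pair (assumptions for the demo).
        Document jdomDoc = new Document(
            new Element("order").addContent(new Element("item").setText("widget")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keyPair = kpg.generateKeyPair();

        // JDOM -> W3C DOM: the JDK signature API only operates on org.w3c.dom nodes.
        org.w3c.dom.Document w3cDoc = new DOMOutputter().output(jdomDoc);

        // Enveloped signature over the whole document (URI ""), exclusive C14N.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(
                CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        fac.newXMLSignature(si, null)   // no KeyInfo: verifier uses a key it already trusts
           .sign(new DOMSignContext(keyPair.getPrivate(), w3cDoc.getDocumentElement()));

        // Receiving side: validate against the trusted public key, not one from the message.
        org.w3c.dom.Node sigNode =
            w3cDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vctx = new DOMValidateContext(keyPair.getPublic(), sigNode);
        boolean valid = fac.unmarshalXMLSignature(vctx).validate(vctx);

        // W3C DOM -> JDOM: convert the same tree that was validated, never a re-parsed copy.
        Document back = new DOMBuilder().build(w3cDoc);
        System.out.println("valid=" + valid + " root=" + back.getRootElement().getName());
    }
}
```

Any change made to the JDOM tree after the conversion back invalidates the signature, so the application should only trust content read from the validated tree.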


