Question

I am using XML signatures in my program to check if the message has been tampered with and to check if it has been signed by a valid person. The second part I understood. The problem is with the first part, i.e. checking the reference validity. Here is the code that I am using. xmldoc is a document object containing the XML enveloped signature.

    import javax.xml.crypto.dsig.*;
    import javax.xml.crypto.dsig.dom.DOMValidateContext;
    import org.w3c.dom.NodeList;

    // Find the enveloped <Signature> element inside xmldoc.
    NodeList nl = xmldoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    // The context holds only the verification key (pbk1) and the Signature node.
    DOMValidateContext valContext = new DOMValidateContext(pbk1, nl.item(0));
    // Unmarshal the signature from the context; this is the signature1 used below.
    XMLSignature signature1 = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(valContext);

As you can see, the valContext contains only the signature element and the public key (this will be needed to verify the signature). But in the code below you can see that only by using the valContext object, the reference is validated. How is this possible? To validate the reference, it needs to have access to the actual xmldoc from where it can extract the elements referenced in <Reference> and then find the hash/digest of its values and compare them with the <DigestValue>.
But somehow the code below works. I don't know how. Someone please explain.

    import java.util.Iterator;
    import javax.xml.crypto.dsig.Reference;

    // Validate each <Reference>: recompute the digest of the referenced data and compare it.
    Iterator i = signature1.getSignedInfo().getReferences().iterator();
    for (int j = 0; i.hasNext(); j++) {
        boolean refValid = ((Reference) i.next()).validate(valContext);
        System.out.println("ref[" + j + "] validity status: " + refValid);
    }

Solution

A DOM Node object for an element is not just the element, it is the element as contained in the whole XML document. If you look at the Node interface documentation, you'll notice a method called getOwnerDocument(). So from the Node that you passed to your DOMValidateContext object, it is possible to access the whole XML document, and thus any content in that document that is referred to inside your Signature element.
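The following is an added, self-contained example (not code from the question or the answer) that makes the point concrete. It builds a small constructed document, signs it with an enveloped signature whose single Reference has URI="" (the whole document), and then validates the references using a DOMValidateContext built from nothing but the Signature node and the public key, exactly as in the question. It checks explicitly that the Signature node's getOwnerDocument() is the original document, which is what lets the reference resolver reach the signed content. The class name, the sample XML and the RSA key pair are all constructed for the example; the RSA-SHA256 algorithm URI is spelled out as a string so the code also compiles on JDKs that predate the SignatureMethod.RSA_SHA256 constant.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical demo class, constructed for this example.
public class EnvelopedReferenceDemo {

    // Constructed sample document; not taken from the question.
    static final String SAMPLE_XML =
        "<Order><Item>widget</Item><Amount>10</Amount></Order>";

    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required: the ds:Signature element is namespaced
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Adds an enveloped signature over the whole document (Reference URI=""). */
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        // The Signature element is appended as a child of the root element.
        DOMSignContext signCtx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        fac.newXMLSignature(si, null).sign(signCtx);
    }

    /** Validates every Reference using only the Signature node plus the public key, as in the question. */
    static boolean validateReferences(Document doc, PublicKey pub) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            throw new IllegalStateException("no Signature element found");
        }
        Node sigNode = nl.item(0);

        // The Node is still attached to the document it was parsed into. This is
        // the link the reference resolver follows to reach the signed content.
        if (sigNode.getOwnerDocument() != doc) {
            throw new IllegalStateException("Signature node is detached from the document");
        }

        DOMValidateContext valContext = new DOMValidateContext(pub, sigNode);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(valContext);

        boolean allValid = true;
        Iterator<?> i = signature.getSignedInfo().getReferences().iterator();
        while (i.hasNext()) {
            Reference ref = (Reference) i.next();
            // Dereferences the URI against the owner document, applies the transforms,
            // recomputes the digest and compares it with the stored DigestValue.
            boolean refValid = ref.validate(valContext);
            System.out.println("ref[" + ref.getURI() + "] validity status: " + refValid);
            allValid &= refValid;
        }
        return allValid;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed throwaway key pair

        Document doc = parse(SAMPLE_XML);
        sign(doc, kp);
        System.out.println("untouched document: " + validateReferences(doc, kp.getPublic()));

        // Modify signed content after signing: the digest comparison must now fail.
        Element amount = (Element) doc.getElementsByTagName("Amount").item(0);
        amount.setTextContent("9999");
        System.out.println("tampered document: " + validateReferences(doc, kp.getPublic()));
    }
}
```

Two practical notes. First, reference validation alone only proves the digests match the content; to also check that the SignatureValue was produced by the holder of the key, call signature.validate(valContext), which verifies the signature and all references together. Second, when a Reference uses a fragment URI such as "#order1" rather than "", the resolver still looks in the owner document, but it can only find the target if the attribute is known to be an ID attribute; with a plain parsed DOM that means registering it via valContext.setIdAttributeNS(element, null, "Id") before validating, otherwise the reference fails to dereference even though the element is present.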

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow