I currently am using the JWSDP's XML-signature library to sign and validate XML documents. I am able to successfully do this if I build a DOM document object from an InputStream. However, I also need to support receiving JDOM documents and converting those to DOM to sign and validate, as this is what the signature library supports.
The problem is that anytime I convert from JDOM to DOM, my signatures do not validate. However, when the same signed XML is loaded directly from an InputStream to DOM it validates. This leads me to believe that the problem is being caused by the way I am converting from JDOM to DOM:
This code is usually the standard example of how to perform the conversion and relies on the 3rd party APIs, no custom converter, etc.
Has anyone else run into this problem or have other suggestions?
There is no such thing as a JDOM document; JDOM parses and writes XML. As you have discovered, XML signatures are very sensitive to the exact format. If you want to treat the XML document with both DOM and JDOM, why not read the entire document into a String and parse it twice?
Bill
Yes, that is a possible approach. However, the problem is more that the rest of my application works in JDOM, so it will be modifying other parts of that XML document and then writing it back to a file eventually. So I can write it back to a file; however, I'm worried that it's making enough changes then that it will invalidate the signature.
In my brief testing so far, I can read in a document, parse it with JDOM, and output it, with no formatting, and read it back into a DOM object and successfully validate it. However, it's interesting that if I apply the pretty printing formatter to that JDOM output, it caused invalidation of the signature later. This confused me because I am using the XML-C14 canonicalization method to create and validate the signature. I'm under the impression that this standard creates logically equivalent docs. If all the pretty print formatter does is indent the text nicely, why is it affecting the signature? Shouldn't the canonicalization take care of this?
Perhaps my only course of action will be to keep the static, signed portion of my XML in its own file and the dynamic portion elsewhere. However, this seems to partially defeat the whole purpose of the W3C standard.
My larger concern here is that if I can't even work between XML libraries in Java and get this to work, what's happening to others who are working with web services across languages and libraries?
Thanks for the help,
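Both posts above turn on the same question: what canonicalisation does and does not normalise. The JDOM-to-DOM round trip in the first post and the pretty printer in the second can both change the serialised bytes, but only some of those changes are erased by C14N. The following is an added example, not code from this thread, from JWSDP or from JDOM. It uses Python's standard-library xml.etree.ElementTree.canonicalize(), which implements Canonical XML 2.0; the behaviour it shows (attribute order, quoting and empty-element syntax normalised, whitespace-only text nodes kept verbatim) is the same under the C14N 1.0 algorithm named in the thread. The XML documents and the digest comparison are constructed for the example; the digest stands in for the <ds:Reference> digest a verifier recomputes.

```python
"""Why "logically equivalent" XML can still fail an XML-Signature digest check.

Added example, not code from the thread. It uses the standard library's
xml.etree.ElementTree.canonicalize() (Canonical XML 2.0). The property shown,
that C14N normalises syntax but keeps whitespace text nodes as content, holds
for the C14N 1.0 algorithm used in the thread as well.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the signed element exactly as it was first serialised.
ORIGINAL = (
    '<doc xmlns="urn:example"><item id="1" type="a">value</item><empty/></doc>'
)

# Same infoset written by a different serialiser (e.g. after a DOM/JDOM round
# trip): attribute order, quote style and the empty-element form differ.
# C14N erases all of these differences, so the digest is unchanged.
RESERIALISED = (
    "<doc xmlns='urn:example'><item type='a' id='1'>value</item>"
    "<empty></empty></doc>"
)

# Same document after a pretty printer. The indentation is new whitespace-only
# TEXT NODES between the elements, and C14N treats text as significant content,
# so the canonical form and therefore the digest change.
PRETTY = """<doc xmlns="urn:example">
  <item id="1" type="a">value</item>
  <empty/>
</doc>
"""


def canonical_form(xml_text: str) -> str:
    """Return the Canonical XML serialisation of the document."""
    return ET.canonicalize(xml_text)


def reference_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form: what a Reference digest covers when
    C14N is the transform (hex string for readability)."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def digest_matches(signed_xml: str, received_xml: str) -> bool:
    """The check a verifier performs: does the received document still
    canonicalise to the same bytes that were digested at signing time?"""
    return reference_digest(signed_xml) == reference_digest(received_xml)


def whitespace_insensitive_digest(xml_text: str) -> str:
    """Digest with inter-element whitespace stripped before canonicalisation.

    This is NOT a transform a standard XML-Signature verifier applies; it only
    demonstrates that the compact and pretty-printed documents agree once the
    added whitespace text nodes are gone. The practical remedy is on the
    producing side: serialise the signed subtree without a formatter, or sign
    the compact form and never pretty-print it afterwards.
    """
    canon = ET.canonicalize(xml_text, strip_text=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("reserialised still verifies:", digest_matches(ORIGINAL, RESERIALISED))  # True
    print("pretty-printed still verifies:", digest_matches(ORIGINAL, PRETTY))      # False
    print("canonical form of the pretty-printed document:")
    print(canonical_form(PRETTY))
```

The lesson for the thread's situation: a library-to-library conversion that preserves the infoset (element order, text content, attribute values) is harmless, because C14N produces identical bytes for any syntactic variant of that infoset; a formatter is not harmless, because it inserts new text nodes into the signed subtree. Keeping the signed portion compact, or applying the formatter only to parts outside the signed subtree, is what keeps the signature valid.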
Author and all-around good cowpoke
what's happening to others who are working with web services across languages and libraries?