We have xml that a client will send to us via a REST service. We would like to digitally sign this xml so we can be certain that it has not been tampered with during transmission. This is what we would like:
1. Client will generate its own keystore
2. This keystore will then be used in the digital signature of the xml
3. The server side will then validate the signature to make sure no data has been altered.
The question is, is it possible to do it this way?
For your server to be able to validate the signature, it needs information about the client's key store. Usually you use an asymmetric key pair, where the server has the private key and the client has the public key.
If the server doesn't know anything about how the signature was generated, it cannot validate it.