• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Using Java XML Digital Signature

 
Henrik Engert
Ranch Hand
Posts: 70
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

We have xml that a client will send to us via a REST service. We would like to digitally sign this xml so we can be certain that it has not been tampered with during transmission. This is what we would like:

1. Client will generate it's own keystore
2. This keystore will then be used in the digital signature of the xml
3. The server side will then validate the signature to make sure no data has been altered.

The question is, is this possible to to it this way?

Any tips on what libraries etc. to use?

Thanks!
 
Ulf Dittmer
Rancher
Posts: 42968
73
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The library you're looking for is Apache Santuario, the de facto standard implementation of XML-Sig and XML-Enc.
 
Henrik Engert
Ranch Hand
Posts: 70
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks!

So it is something that can be done right? Just wanted to post the question so we don't pursue something that is not possible to do.

Again Thanks!
 
Rob Spoor
Sheriff
Pie
Posts: 20546
57
Chrome Eclipse IDE Java Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
For your server to be able to validate the signature, it needs information about the client's key store. Usually you use an asymmetric key pair, where the server has the private key and the client has the public key.
If the server doesn't know anything about how the signature was generated, it cannot validate it.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic