Using Java XML Digital Signature

 
Ranch Hand
Posts: 70
Hi,

We have xml that a client will send to us via a REST service. We would like to digitally sign this xml so we can be certain that it has not been tampered with during transmission. This is what we would like:

1. Client will generate its own keystore
2. This keystore will then be used in the digital signature of the xml
3. The server side will then validate the signature to make sure no data has been altered.

The question is, is it possible to do it this way?

Any tips on what libraries etc. to use?

Thanks!
 
Rancher
Posts: 43028
76
The library you're looking for is Apache Santuario, the de facto standard implementation of XML-Sig and XML-Enc.
 
Henrik Engert
Ranch Hand
Posts: 70
Thanks!

So it is something that can be done, right? Just wanted to post the question so we don't pursue something that is not possible to do.

Again Thanks!
 
Sheriff
Posts: 22701
129
For your server to be able to validate the signature, it needs information about the client's key store. Usually you use an asymmetric key pair, where the server has the private key and the client has the public key.
If the server doesn't know anything about how the signature was generated, it cannot validate it.
 