Creating an enveloping XML signature
Your application should perform the following steps to create an enveloping XML signature using the toolkit. In an enveloping signature the signed data is carried inside the <Signature> element itself, in an <Object> element that a <Reference> in <SignedInfo> points to by its Id.
Logging in the user
Log in the user with the selected credentials.
    user.login(credReader, <password>);
Instantiate a source for the keys and certificates using a com.entrust.toolkit.KeyAndCertificateSource object; the steps below refer to it as keySource.
Obtain the user's signing key and verification certificate.
    PrivateKey pk = user.getSigningKey();
    X509Certificate cert = user.getVerificationCertificate();
Set the signing key and the verification certificate on the key source.
    keySource.setSigningInfo(pk, cert);
Initializing the IXSIL library
Retrieve the init.properties file and initialize the IXSIL library.
    iaik.ixsil.util.URI initProps = new URI(<init_properties_file_URI>);
    IXSILInit.init(initProps);
Refer to the readme file for more information on editing the init.properties file:
    etjava\examples\source\com\entrust\toolkit\examples\xml\xml_readme.html
Refer also to the Javadoc documentation of the following class:
    iaik.ixsil.init.IXSILInit
Creating the signer
Create a Signer object to represent the XML document that will hold the signature.
    Signer signer = new Signer(<absolute_URI_of_data_to_sign>);
Create a SignerSignature object to represent the <Signature> element of the XML document.
    SignerSignature signature = signer.getSignature();
Set the Id attribute of the <Signature> element.
    signature.setId("Signature001");
Create an object to represent the <SignedInfo> element of the XML signature.
    SignerSignedInfo signedInfo = signature.getSignerSignedInfo();
Selecting the canonicalization algorithm
Use the following class to specify the canonicalization algorithm for the signature:
    iaik.ixsil.algorithms.CanonicalizationAlgorithmImplCanonicalXML
Create a new instance.
    CanonicalizationAlgorithmImplCanonicalXML c14nAlg = new CanonicalizationAlgorithmImplCanonicalXML();
Set the algorithm URI.
    c14nAlg.setURI(new URI("http://www.w3.org/TR/2000/WD-xml-c14n-20000907"));
Set the canonicalization algorithm on the <SignedInfo> element.
    signedInfo.setCanonicalizationAlgorithm(c14nAlg);
Note that this URI identifies the September 2000 working draft of Canonical XML. The XML Signature Recommendation identifies Canonical XML 1.0 as http://www.w3.org/TR/2001/REC-xml-c14n-20010315, and verifiers written against the Recommendation do not recognize the draft identifier, so use the draft URI only when both the signer and the verifier are configured for it.
Selecting the signature algorithm
Specify and set the signature algorithm using the following classes:
    iaik.ixsil.algorithms.SignatureAlgorithmImplDSA
    iaik.ixsil.algorithms.SignatureAlgorithmImplRSA
    iaik.ixsil.algorithms.SignatureAlgorithm
Instantiate a signature algorithm matching the type of the signing key and set the corresponding URI.
    SignatureAlgorithm signatureAlg = null;
    PrivateKey privatekey = keySource.getSigningKey();
    if (privatekey.getAlgorithm().equals("DSA")) {
        signatureAlg = new SignatureAlgorithmImplDSA();
        signatureAlg.setURI(new URI("http://www.w3.org/2000/09/xmldsig#dsa-sha1"));
    } else {
        signatureAlg = new SignatureAlgorithmImplRSA();
        signatureAlg.setURI(new URI("http://www.w3.org/2000/09/xmldsig#rsa-sha1"));
    }
Set the private key.
    signatureAlg.setSignerKey(privatekey);
Set the algorithm on the <SignedInfo> element.
    signedInfo.setSignatureAlgorithm(signatureAlg);
Both identifiers use SHA-1. They are the algorithms this procedure supports, but SHA-1 is no longer considered collision resistant, and recent XML Signature implementations (for example the JDK's built-in XML Signature API in its default secure-validation mode) reject SHA-1 signatures; plan for this when the signatures must be verified outside the toolkit.
Referencing the signed data
Create a reference to the resource you want to sign.
    SignerReference firstRef = signedInfo.createReference();
Configure the reference for the enveloping signature: an internal (same-document) reference to an XML Signature <Object> element that embeds the document. Start by resolving the data to be signed.
    URI baseURI = new URI(uriTobeSigned);
    ExternalReferenceResolverImpl res = new ExternalReferenceResolverImpl(baseURI);
    InputStream istrURI = res.resolve(baseURI);
Embedding the document
Retrieve a DOM representation of the document to be signed.
    Document doc = DOMUtils.createDocumentFromXMLInstance(istrURI, baseURI, DOMUtils.VALIDATION_NO_);
    Element elemObject = doc.getDocumentElement();
Import the DOM representation into the document whose root element is the <Signature> element (the document specified in the Signer instance).
    DOMUtilsImpl utils = new DOMUtilsImpl();
    utils.serializeElement(elemObject, new java.io.ByteArrayOutputStream());
    ((DocumentImpl) signer.toDocument()).adoptNode(elemObject);
Create a signature <Object> element to contain the imported document, give it an Id, add it to the signature, and point the reference created above at it with a same-document URI.
    iaik.ixsil.core.Object objectURI = signature.createObject(elemObject);
    objectURI.setId("Resource1");
    signature.addObject(objectURI);
    firstRef.setURI(new URI("#Resource1"));
Selecting the digest algorithm
Create a new instance of the digest algorithm.
    DigestAlgorithmImplSHA1 digestAlg1 = new DigestAlgorithmImplSHA1();
Set the URI of the digest algorithm.
    digestAlg1.setURI(new URI("http://www.w3.org/2000/09/xmldsig#sha1"));
Set the digest algorithm on the reference.
    firstRef.setDigestAlgorithm(digestAlg1);
Add the resource reference to the signature.
    signedInfo.addReference(firstRef);
Adding key information
Instantiate a key manager for the signature document.
    Document signatureDOMDoc = signer.toDocument();
    KeyManagerImpl keyManager = new KeyManagerImpl(signatureDOMDoc);
Create and configure a KeyInfo provider for the <X509Data> clause.
    KeyProviderImplX509Data keyProviderX509Data = new KeyProviderImplX509Data(signatureDOMDoc);
Include the user's verification certificate in the <KeyInfo> element.
    X509Certificate certificate = keySource.getVerificationCertificate();
    X509Data x509 = new X509Data();
    x509.insertHintAt(certificate, 0);
Include the user's distinguished name in the <KeyInfo> element.
    X509SubjectName x509Name = new X509SubjectName((Name) certificate.getSubjectDN());
    x509.insertHintAt(x509Name, 0);
    keyProviderX509Data.insertX509DataAt(x509, 0);
Create and configure a KeyInfo provider for the <KeyValue> clause.
    KeyProviderImplKeyValue keyProviderKeyValue = new KeyProviderImplKeyValue(signatureDOMDoc);
    keyProviderKeyValue.setVerifierKey(certificate.getPublicKey());
Add the KeyInfo providers you want to use (either or both).
    keyManager.addKeyProvider(keyProviderKeyValue);
    keyManager.addKeyProvider(keyProviderX509Data);
Set the signature's key manager.
    signer.getSignature().setKeyManager((SignerKeyManager) keyManager);
Signing the KeyInfo element
If your application requires non-repudiation of XML digital signatures, create a reference for the <KeyInfo> element so that it is covered by the signature. Without this reference the <KeyInfo> element lies outside the signed content: the certificate, name and public key it carries can be altered after signing without affecting the SignatureValue, so the signature does not itself attest which key material the signer presented. Covering <KeyInfo> binds that key material to the signed content. The verifier must still establish trust in the certificate independently; a signed <KeyInfo> ties it to the signature but does not make it trustworthy. As with the data reference, every <Reference> carries a <DigestMethod>, so set a digest algorithm on this reference as well.
    SignerReference ref = signedInfo.createReference();
Identify the <KeyInfo> element by a same-document URI built from its Id.
    String keyInfoId = keyManager.getId();
    ref.setURI(new URI(null, null, null, null, keyInfoId));
Add the <KeyInfo> element reference to the resources to be signed.
    signedInfo.addReference(ref);
Generating the signature
Calculate the signature value.
    signer.getSignature().sign();
Return the signed document to complete the procedure.
    return signer.toDocument();
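The steps above, assembled into a single method as an added example; this is not code from the toolkit's own samples. It uses only the calls shown on this page, taking the already configured KeyAndCertificateSource as a parameter instead of repeating the login step. The following are assumptions: the package names of the key-info classes (iaik.ixsil.keyinfo), of the reference resolver and DOM utilities (iaik.ixsil.util), the Xerces DocumentImpl import, the class and method names EnvelopingSignatureExample and createEnvelopingSignature and their parameters. A digest algorithm is also set on the <KeyInfo> reference, which the page does not show, and the page's serialization of the embedded element to a discarded stream is omitted.

```java
import java.io.InputStream;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.apache.xerces.dom.DocumentImpl;   // assumed: IXSIL ships with Xerces

import com.entrust.toolkit.KeyAndCertificateSource;
import iaik.asn1.structures.Name;
import iaik.ixsil.algorithms.*;
import iaik.ixsil.core.*;
import iaik.ixsil.init.IXSILInit;
import iaik.ixsil.keyinfo.*;                 // assumed package for KeyManagerImpl, KeyProviderImpl*, X509Data
import iaik.ixsil.util.*;                    // assumed package for DOMUtils, ExternalReferenceResolverImpl
import iaik.ixsil.util.URI;                  // IXSIL's own URI class, not java.net.URI

/** Assembled example (hypothetical class name): the page's steps in one method. */
public class EnvelopingSignatureExample {

    public static Document createEnvelopingSignature(KeyAndCertificateSource keySource,
                                                     String uriToBeSigned,
                                                     String initPropertiesUri) throws Exception {
        // Initialize IXSIL from init.properties.
        IXSILInit.init(new URI(initPropertiesUri));

        // The signature document; its root element is <Signature>.
        Signer signer = new Signer(new URI(uriToBeSigned));
        SignerSignature signature = signer.getSignature();
        signature.setId("Signature001");
        SignerSignedInfo signedInfo = signature.getSignerSignedInfo();

        // Canonicalization (the page uses the September 2000 working-draft identifier).
        CanonicalizationAlgorithmImplCanonicalXML c14nAlg = new CanonicalizationAlgorithmImplCanonicalXML();
        c14nAlg.setURI(new URI("http://www.w3.org/TR/2000/WD-xml-c14n-20000907"));
        signedInfo.setCanonicalizationAlgorithm(c14nAlg);

        // Signature algorithm chosen from the key type (SHA-1 identifiers, as on the page).
        PrivateKey privateKey = keySource.getSigningKey();
        SignatureAlgorithm signatureAlg;
        if ("DSA".equals(privateKey.getAlgorithm())) {
            signatureAlg = new SignatureAlgorithmImplDSA();
            signatureAlg.setURI(new URI("http://www.w3.org/2000/09/xmldsig#dsa-sha1"));
        } else {
            signatureAlg = new SignatureAlgorithmImplRSA();
            signatureAlg.setURI(new URI("http://www.w3.org/2000/09/xmldsig#rsa-sha1"));
        }
        signatureAlg.setSignerKey(privateKey);
        signedInfo.setSignatureAlgorithm(signatureAlg);

        // Resolve the data to sign, move its root element into the signature document,
        // and wrap it in an <Object Id="Resource1"> (this is what makes the signature enveloping).
        URI baseURI = new URI(uriToBeSigned);
        ExternalReferenceResolverImpl resolver = new ExternalReferenceResolverImpl(baseURI);
        InputStream in = resolver.resolve(baseURI);
        Document data = DOMUtils.createDocumentFromXMLInstance(in, baseURI, DOMUtils.VALIDATION_NO_);
        Element dataRoot = data.getDocumentElement();
        ((DocumentImpl) signer.toDocument()).adoptNode(dataRoot);
        iaik.ixsil.core.Object embedded = signature.createObject(dataRoot);
        embedded.setId("Resource1");
        signature.addObject(embedded);

        // Same-document reference to the embedded object, digested with SHA-1.
        SignerReference dataRef = signedInfo.createReference();
        dataRef.setURI(new URI("#Resource1"));
        DigestAlgorithmImplSHA1 dataDigest = new DigestAlgorithmImplSHA1();
        dataDigest.setURI(new URI("http://www.w3.org/2000/09/xmldsig#sha1"));
        dataRef.setDigestAlgorithm(dataDigest);
        signedInfo.addReference(dataRef);

        // <KeyInfo>: certificate and subject name in <X509Data>, raw public key in <KeyValue>.
        Document signatureDoc = signer.toDocument();
        KeyManagerImpl keyManager = new KeyManagerImpl(signatureDoc);
        X509Certificate certificate = keySource.getVerificationCertificate();
        KeyProviderImplX509Data x509Provider = new KeyProviderImplX509Data(signatureDoc);
        X509Data x509Data = new X509Data();
        x509Data.insertHintAt(certificate, 0);
        x509Data.insertHintAt(new X509SubjectName((Name) certificate.getSubjectDN()), 0);
        x509Provider.insertX509DataAt(x509Data, 0);
        KeyProviderImplKeyValue keyValueProvider = new KeyProviderImplKeyValue(signatureDoc);
        keyValueProvider.setVerifierKey(certificate.getPublicKey());
        keyManager.addKeyProvider(keyValueProvider);
        keyManager.addKeyProvider(x509Provider);
        signature.setKeyManager((SignerKeyManager) keyManager);

        // Cover <KeyInfo> with the signature too, so the presented key material is bound
        // to the signed content. The digest algorithm here is added; the page does not show it.
        SignerReference keyInfoRef = signedInfo.createReference();
        keyInfoRef.setURI(new URI(null, null, null, null, keyManager.getId()));
        DigestAlgorithmImplSHA1 keyInfoDigest = new DigestAlgorithmImplSHA1();
        keyInfoDigest.setURI(new URI("http://www.w3.org/2000/09/xmldsig#sha1"));
        keyInfoRef.setDigestAlgorithm(keyInfoDigest);
        signedInfo.addReference(keyInfoRef);

        // Compute SignatureValue and hand back the document rooted at <Signature>.
        signature.sign();
        return signer.toDocument();
    }
}
```

The returned document has <Signature> as its root with two <Reference> elements in <SignedInfo>: "#Resource1" for the embedded data and a same-document URI for <KeyInfo>. A verifier that dereferences both and checks both digests, then validates SignatureValue with a key it trusts on its own grounds, has checked everything this procedure signs.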