Verifying an XML digital signature

Your application should perform the following steps to verify an XML digital signature stored as an XML instance.

Initializing the certificate verifier

Create a CertVerifier instance to validate X.509 certificates.

CertVerifier certverifier = new CertVerifier(rootOfTrustX509Certificate, jndidirectory, null);
// Alternatively, reuse the verifier of an already initialized User object:
// CertVerifier certverifier = (CertVerifier) user.getCertVerifier();
KeyAndCertificateSource keySource = new KeyAndCertificateSource(certverifier);

Initializing the IXSIL library

Initialize the IXSIL library using the init methods of the following class.

iaik.ixsil.init.IXSILInit

For example:

URI initProps = new URI("<init.properties_file_URL>");
IXSILInit.init(initProps);

Referencing the signature

Specify a URI that points to the XML document containing the XML signature.

URI baseURI = new URI("<URL>");

where <URL> is the URL of the resource containing the XML signature, in any of the following forms:

"file:/c:/etjava/examples/data/signedData.xml"
"file:signedData.xml"
"http://host/signedData.xml"

Open an input stream to the XML document containing the signature.

ExternalReferenceResolverImpl res = new ExternalReferenceResolverImpl(baseURI);
InputStream istream = res.resolve(baseURI);

Specify where in the XML document to find the <Signature> element using an XPath expression.

String signatureSelector = "<XPath_expression>";

Setting additional namespaces

Specify any additional namespace prefixes that can be used in the XPath expression.

String additionalNSPrefixes = null;

This is an optional parameter; if no additional namespaces exist, set this argument to null.

Provide a schema for elements without a namespace prefix if a validating parser should create the DOM document.

String noNamespaceSchemaLocation = null;

This argument is required if the XML source does not declare it in a schema instance declaration; otherwise, set it to null.

Provide schemas for various namespaces if a validating parser should create the DOM document.

String m_schemaLocations = null;

This parameter must either be null or conform to the following rules:

additionalSchemas ::= additionalSchema (space additionalSchema)*
additionalSchema ::= schemaNamespaceURI space schemaLocationURI

Verifying the certificates

Create an instance of iaik.ixsil.core.Verifier from the input stream.

Verifier verifier = new Verifier(istream, baseURI, signatureSelector, additionalNSPrefixes, noNamespaceSchemaLocation, m_schemaLocations);

There is no base URI if your application reads the XML document directly from an InputStream. In this case, set the baseURI argument to null.

Set a com.entrust.toolkit.TrustManager object to validate the X.509 certificates contained in the <dsig:X509Data> elements, if these are part of the signature.

X509TrustManagerInterface trustManager = new TrustManager(keySource);
KeyProviderInterface[] providers = ((KeyManagerImpl) verifier.getSignature().getKeyManager()).getKeyProviders();
for (int i = 0; i < providers.length; i++)
{
    // Only certificate-based key providers consult the trust manager
    if (providers[i] instanceof KeyProviderImplX509Data)
    {
        ((KeyProviderImplX509Data) providers[i]).setTrustManager(trustManager);
    }
    else if (providers[i] instanceof KeyProviderImplSecurityTokenRef)
    {
        ((KeyProviderImplSecurityTokenRef) providers[i]).setTrustManager(trustManager);
    }
}

Validating the signature

Validate the XML signature.

VerifierSignature signature = verifier.getSignature();
signature.verify();

If this does not throw an exception, the signature has been verified. Still, the verification public key might have come from an explicit <KeyValue> XML signature element rather than from a validated certificate. Verification alone would then not detect an attack in which someone modified the signed XML document and replaced the <KeyValue> and <SignatureValue> elements with their own public key and a signature computed with the matching private key.
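The following class is an added example, not code from the original page or from the Entrust or IAIK libraries. It assembles the steps above into one method and adds the acceptance rule the last paragraph calls for: a signature is reported as trusted only when `verify()` succeeds and the `<KeyInfo>` supplied at least one certificate-based key provider, so that the trust manager actually took part. That rule, the `buildSchemaLocations` helper, and every import path other than `iaik.ixsil.init.IXSILInit`, `iaik.ixsil.core.Verifier` and `com.entrust.toolkit.TrustManager` are assumptions and must be checked against the toolkit's documentation.

```java
import iaik.ixsil.init.IXSILInit;
import iaik.ixsil.core.Verifier;
import iaik.ixsil.core.VerifierSignature;             // assumed package
import iaik.ixsil.keyinfo.KeyManagerImpl;             // assumed package
import iaik.ixsil.keyinfo.KeyProviderInterface;       // assumed package
import iaik.ixsil.keyinfo.KeyProviderImplX509Data;    // assumed package
import iaik.ixsil.util.URI;                           // assumed package
import iaik.ixsil.util.ExternalReferenceResolverImpl; // assumed package
import com.entrust.toolkit.TrustManager;
// KeyAndCertificateSource, X509TrustManagerInterface and
// KeyProviderImplSecurityTokenRef are Entrust toolkit classes whose
// packages are not given on the page; add their imports from the Javadoc.
import java.io.InputStream;
import java.util.Map;

public final class XmlSignatureCheck {

    /**
     * Formats schema pairs according to the grammar on the page:
     * namespaceURI SP locationURI, pairs separated by a single space.
     * Returns null for an empty map, which is the "no schemas" value.
     * Use a LinkedHashMap if the order of pairs matters to you.
     */
    static String buildSchemaLocations(Map<String, String> schemas) {
        if (schemas == null || schemas.isEmpty()) return null;
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : schemas.entrySet()) {
            if (sb.length() > 0) sb.append(' ');
            sb.append(e.getKey()).append(' ').append(e.getValue());
        }
        return sb.toString();
    }

    /**
     * Returns true only if the signature selected by signatureSelector in the
     * document at documentURI verifies AND its KeyInfo carried at least one
     * certificate-based provider that was bound to the trust manager.
     * Assumption (not stated on the page): a KeyInfo without X509Data or
     * SecurityTokenReference providers means the key came from a bare
     * KeyValue, so such a signature is rejected as unattributable.
     */
    static boolean verifyDocument(URI initProps, URI documentURI, String signatureSelector,
                                  KeyAndCertificateSource keySource,
                                  Map<String, String> schemas) {
        try {
            IXSILInit.init(initProps);

            ExternalReferenceResolverImpl res = new ExternalReferenceResolverImpl(documentURI);
            InputStream istream = res.resolve(documentURI);
            try {
                // No additional namespace prefixes, no no-namespace schema
                Verifier verifier = new Verifier(istream, documentURI, signatureSelector,
                                                 null, null, buildSchemaLocations(schemas));
                VerifierSignature signature = verifier.getSignature();

                X509TrustManagerInterface trustManager = new TrustManager(keySource);
                KeyProviderInterface[] providers =
                        ((KeyManagerImpl) signature.getKeyManager()).getKeyProviders();
                boolean certificateBased = false;
                for (KeyProviderInterface p : providers) {
                    if (p instanceof KeyProviderImplX509Data) {
                        ((KeyProviderImplX509Data) p).setTrustManager(trustManager);
                        certificateBased = true;
                    } else if (p instanceof KeyProviderImplSecurityTokenRef) {
                        ((KeyProviderImplSecurityTokenRef) p).setTrustManager(trustManager);
                        certificateBased = true;
                    }
                }
                if (!certificateBased) {
                    System.err.println("rejected: KeyInfo carries no certificate-based key provider");
                    return false;
                }

                signature.verify(); // throws if the signature or the certificate path is invalid
                return true;
            } finally {
                istream.close();
            }
        } catch (Exception e) { // the page does not name the IXSIL/toolkit exception types
            System.err.println("rejected: " + e);
            return false;
        }
    }
}
```

If the document is read directly from an `InputStream` rather than resolved from a URL, pass `null` as the second `Verifier` argument, as the page notes; the provider check and the `verify()` call are unchanged. The boolean return deliberately collapses every failure, including an exception from `verify()`, into "not trusted", so a caller cannot accidentally treat a thrown verification as success.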