All,

When using the DOM implementation you can request which elements of the X509 
data you want to appear in the signature.

      // add x509 data
      X509Data x509data = new X509Data(document);
      x509data.add(new XMLX509SubjectName(document, certificate));
      x509data.add(new XMLX509IssuerSerial(document, certificate));

In the StAX implementation, we appear to be limited to the following

    public static final KeyIdentifier KeyIdentifier_KeyValue = new KeyIdentifier("KeyValue");
    public static final KeyIdentifier KeyIdentifier_KeyName = new KeyIdentifier("KeyName");
    public static final KeyIdentifier KeyIdentifier_IssuerSerial = new KeyIdentifier("IssuerSerial");
    public static final KeyIdentifier KeyIdentifier_SkiKeyIdentifier = new KeyIdentifier("SkiKeyIdentifier");
    public static final KeyIdentifier KeyIdentifier_X509KeyIdentifier = new KeyIdentifier("X509KeyIdentifier");
    public static final KeyIdentifier KeyIdentifier_X509SubjectName = new KeyIdentifier("X509SubjectName");
    public static final KeyIdentifier KeyIdentifier_NoKeyInfo = new KeyIdentifier("NoKeyInfo");
    public static final KeyIdentifier KeyIdentifier_EncryptedKey = new KeyIdentifier("EncryptedKey");

In the StAX implementation, I can either choose KeyIdentifier_IssuerSerial or 
KeyIdentifier_X509SubjectName, but not both as we could with the DOM code 
fragment above.

The reason I ask is that we have a service provider who has stipulated a strict 
format for the signature to be used when signing and sending data to them:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>xe/kONljHYOi5X1sw8AmgIjbHw/SX8zjAT98zpJahhI=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>7vdS9h04J/slnfUO1aoQ/RvbvWE=</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509SubjectName>CN=rsa0,OU=rtp,O=org,L=location,ST=Unknown,C=</X509SubjectName>
      <X509IssuerSerial>
        <X509IssuerName>CN=sign0, OU=rtp, O=org, L=location, ST=Unknown,C=</X509IssuerName>
        <X509SerialNumber>1328092436</X509SerialNumber>
      </X509IssuerSerial>
    </X509Data>
  </KeyInfo>
</Signature>

Regards
Tony
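For reference, this is how the stipulated layout (C14N 1.0 for SignedInfo, RSA-SHA256, an enveloped-signature transform followed by C14N 1.1, a SHA-256 digest, and an X509Data carrying both X509SubjectName and X509IssuerSerial) can be produced with the Santuario DOM API. It is an added example, not code from the original post or from the Santuario project, and it assumes the caller already has the parsed Document, the signing PrivateKey and the matching X509Certificate.

```java
import java.io.OutputStream;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509IssuerSerial;
import org.apache.xml.security.keys.content.x509.XMLX509SubjectName;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class EnvelopedSignatureExample {

    // Signs 'document' in place with an enveloped signature in the provider's layout.
    // The document, key and certificate are supplied by the caller (assumption).
    public static void sign(Document document, PrivateKey key,
                            X509Certificate certificate, OutputStream out) throws Exception {
        Init.init();  // registers the Santuario algorithm providers; once per JVM

        // SignedInfo: C14N 1.0 (omit comments) canonicalisation and RSA-SHA256
        XMLSignature signature = new XMLSignature(document, "",
                XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,
                Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
        Element root = document.getDocumentElement();
        root.appendChild(signature.getElement());  // enveloped: Signature lives inside the root

        // Reference URI="": enveloped-signature transform, then C14N 1.1, SHA-256 digest
        Transforms transforms = new Transforms(document);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N11_OMIT_COMMENTS);
        signature.addDocument("", transforms, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);

        // KeyInfo/X509Data with BOTH children, which is the part the StAX
        // KeyIdentifier constants cannot express in one signature
        X509Data x509data = new X509Data(document);
        x509data.add(new XMLX509SubjectName(document, certificate));
        x509data.add(new XMLX509IssuerSerial(document, certificate));
        KeyInfo keyInfo = signature.getKeyInfo();  // created on first access
        keyInfo.add(x509data);

        signature.sign(key);  // computes DigestValue and SignatureValue
        XMLUtils.outputDOM(document, out);
    }
}
```

Note that X509SubjectName and X509IssuerSerial only name the signer's certificate; the receiving side still has to resolve that name against its own trust store, since no key material is carried in the KeyInfo.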