Hi Jesse,
You are completely right, the C14n is only needed to calculate the digest value.

But the post above was using the c14n methods to serialize the
document (using the XMLUtils.outputDOMc14nWithComments(doc, f);
expression).
So he sees no XML declaration in his output result.
But if he uses another kind of serialization, or wants to write it himself
to the output stream, he can write it, and the signature will be completely
valid, as there is nothing in the spec against it.


On 3/23/06, Jesse Pelton <[EMAIL PROTECTED]> wrote:
> The signature has to be calculated on the canonical form of a document,
> but I don't think there's any requirement that the signed document has
> to be serialized in canonical form.  The point of requiring
> canonicalization is that the document may be altered in insignificant
> ways (such as attribute reordering) between signature generation and
> verification.  As long as the verification operation puts the document
> into canonical form before calculating the hash, the presence or absence
> of an XML declaration in the input document should be immaterial,
> because the declaration is removed during canonicalization.  It
> therefore should not be harmful to include the declaration in a signed
> document's serialized form.
>
> On the other hand, the declaration is optional if the document is in
> canonical form.  The only reason I can see to include it is to make it
> clear that the document not only looks like XML, it's intended to
> actually be XML.
>
> Or am I missing something?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Raul Benito
> Sent: Thursday, March 23, 2006 1:39 PM
> To: security-dev@xml.apache.org
> Subject: Re: Document removes xml header
>
> The <?xml ...> is removed by the canonicalization method, as it is
> mandated by the c14n spec.
>
> Regards,
>
> Raul
>
> On 3/23/06, Michael Kail <[EMAIL PROTECTED]> wrote:
> > Morning everybody!
> >
> > Could it be that the Java class org.w3c.dom.Document removes my XML
> > header information (<?xml version="1.0" encoding=...)???
> > Before loading the XML file there is a header; after making an enveloped
> > XML signature and writing it back into the file there is none.
> > Could it be that the Document class removes that information? Currently
> > I am adding the header after signing with JDOM.... But I have to open and
> > parse the file again (ugly!).
> >
> > Thanxs!!!!!
> >
> > There's my source code, if there's any error... tell me:
> >
> > javax.xml.parsers.DocumentBuilderFactory dbf =
> >     javax.xml.parsers.DocumentBuilderFactory.newInstance();
> >
> > //dbf.setNamespaceAware(true);
> >
> > javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
> > org.w3c.dom.Document doc = db.parse(signatureFile);
> > String BaseURI = signatureFile.toURL().toString();
> >
> > ElementProxy.setDefaultPrefix("http://www.w3.org/2000/09/xmldsig#", "");
> >
> > XMLSignature sig = new XMLSignature(doc, BaseURI,
> >     XMLSignature.ALGO_ID_SIGNATURE_DSA);
> >
> > //add signature information to document
> > Node nl = doc.getFirstChild();
> > nl.appendChild(sig.getElement());
> >
> > Transforms transforms = new Transforms(doc);
> > transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
> >
> > //add document "archivdescriptor" to signed content
> > sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);
> >
> > {
> >    X509Certificate cert =
> >       (X509Certificate) ks.getCertificate(certificateAlias);
> >
> >    sig.addKeyInfo(cert);
> >    sig.addKeyInfo(cert.getPublicKey());
> >    sig.sign(privateKey);
> > }
> >
> > FileOutputStream f = new FileOutputStream(signatureFile);
> >
> > XMLUtils.outputDOMc14nWithComments(doc, f);
> > f.close();
> >
>
>
> --
>


--
http://r-bg.com
