Hi, I want to sign an MTOM attachment only, not the soap message. I am aware
that the WSS4J-interceptor doesn't sign the attachment, so I'm trying to do
it in plain java instead.
Please note that the soap message should be unsigned, only the attachment
should be signed.
So far I have managed to sign an attachment and save it to disk, then read
it and send with cxf. No problem, but I would like to get rid of the "save
to disk" part since it seems unnecessary.
Unfortunately though, I don't know how to. I have no idea how a Datahandler
can handle a DeferredDocumentImpl. Any help is appreciated!
This is the code that signs, saves to disk, reads from disk and prepares the
request:
/**
* @param fileInputStream The data to sign
* @return A signed document
*/
DeferredDocumentImpl createSignedDocument(FileInputStream fileInputStream){
// Create a DOM XMLSignatureFactory that will be used to
generate the
// enveloped signature
XMLSignatureFactory fac =
XMLSignatureFactory.getInstance("DOM");
// Create a Reference to the enveloped document (in this case
we are
// signing the whole document, so a URI of "" signifies that)
and
// also specify the SHA1 digest algorithm and the ENVELOPED
Transform.
Reference ref = fac.newReference("", fac.newDigestMethod(
DigestMethod.SHA1, null),
Collections.singletonList(fac
.newTransform(Transform.ENVELOPED,
(TransformParameterSpec) null)), null, null);
// Create the SignedInfo
SignedInfo si = fac
.newSignedInfo(fac.newCanonicalizationMethod(
CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
(C14NMethodParameterSpec) null), fac
.newSignatureMethod(SignatureMethod.RSA_SHA1,
null),
Collections.singletonList(ref));
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("myKeystore.jks"),
"aPassword".toCharArray());
PrivateKey privateKey = (PrivateKey)keystore.getKey( "MyAlias",
"aPassword".toCharArray());
KeyStore.PasswordProtection password = new
KeyStore.PasswordProtection("aPassword".toCharArray());
KeyStore.PrivateKeyEntry thePrivKeyEntry =
(KeyStore.PrivateKeyEntry)
keystore.getEntry("myAlias", password);
X509Certificate cert = (X509Certificate)
thePrivKeyEntry.getCertificate();
// Create the KeyInfo containing the X509Data.
KeyInfoFactory kif = fac.getKeyInfoFactory();
List x509Content = new ArrayList();
x509Content.add(cert.getSubjectX500Principal().getName());
x509Content.add(cert);
X509Data xd = kif.newX509Data(x509Content);
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
// Instantiate the document to be signed
DocumentBuilderFactory dbf =
DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document doc = dbf.newDocumentBuilder().parse(fileInputStream);
// Create a DOMSignContext and specify the DSA PrivateKey and
// location of the resulting XMLSignature's parent element
DOMSignContext dsc = new DOMSignContext(privateKey, doc
.getDocumentElement());
// Create the XMLSignature (but don't sign it yet)
XMLSignature signature = fac.newXMLSignature(si, ki);
// Marshal, generate (and sign) the enveloped signature
signature.sign(dsc);
return doc;
}
public void sendAnAttachmentWithSignature(){
// Sign the dokument
DeferredDocumentImpl signedDoc = new XmlSign().createSignedDocument( new
FileInputStream("a_file.xml") );
// Save it to disk
OutputStream os = new FileOutputStream( "a_signed_file.xml" );
TransformerFactory tf =
TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.transform(new DOMSource(signedDoc ), new
StreamResult(os));
// Create a DataHandler to attach to the web service klient
DataHandler dh = new DataHandler(
new FileDataSource(
new File("a_signed_file.xml" )) );
// Add the datahandler to the request object
WebServiceRequest req = new WebServiceRequest();
req.setData( dh );
// Then send the request...
}
--
View this message in context:
http://old.nabble.com/Signing-an-MTOM-attachment-only%2C-not-the-entire-message-tp26528881p26528881.html
Sent from the cxf-user mailing list archive at Nabble.com.
