thehespe

Reputation: 107

Xades4j signing xml files with attachments

Is there a possibility to sign an XML document with attachments without a baseURI?

Code:

        import java.io.File;

        import xades4j.production.DataObjectReference;
        import xades4j.production.DataObjectTransform;
        import xades4j.production.SignedDataObjects;
        import xades4j.production.XadesSigner;
        import xades4j.properties.DataObjectDesc;

        // Reference to the enclosing document itself (URI ""), with the
        // enveloped-signature transform so the Signature element is excluded
        SignedDataObjects signedDataObjects = new SignedDataObjects();
        DataObjectReference dataObjectReference = new DataObjectReference("");
        dataObjectReference.withTransform(new DataObjectTransform("http://www.w3.org/2000/09/xmldsig#enveloped-signature"));
        signedDataObjects.withSignedDataObject(dataObjectReference);
        // Attachment names below are resolved as files relative to this directory
        signedDataObjects.withBaseUri(baseUri + File.separator);

        // One Reference per attachment; each name is looked up under the base URI
        attachments.forEach(attachment -> {
            DataObjectDesc dataObjectReferenceForAttachment = new DataObjectReference(attachment.getName());
            signedDataObjects.withSignedDataObject(dataObjectReferenceForAttachment);
        });

        XadesSigner signer = profile.newSigner();
        signer.sign(signedDataObjects, xmlDocument.getDocumentElement());

I'd like to skip the line:

signedDataObjects.withBaseUri(baseUri + File.separator);

Is it possible to send attachments in the form of byte[]? There can be many such attachments. Unfortunately I am not able to save files to disk.

Upvotes: 0

Views: 439

Answers (1)

lgoncalves

Reputation: 2090

One important question to ask is: how is this signature going to be verified? If there's flexibility for some custom resource resolution at verification, I suggest using a custom URI scheme and a custom resource resolver.

// Only once
signedDataObjects.withResourceResolver(new AttachmentsResolver(attachments));
// In the loop
DataObjectDesc dataObjectReferenceForAttachment = new DataObjectReference("attachment:" + attachment.getName());

The custom resolver checks if the URI is attachment: and gets the contents for the given name from the attachments collection.

Example: https://github.com/luisgoncalves/xades4j/blob/master/src/test/java/xades4j/production/SignedDataObjectsProcessorTest.java

Reference: http://luisgoncalves.github.io/xades4j/javadocs/1.6.0/reference/xades4j/production/SignedDataObjects.html#withResourceResolver(org.apache.xml.security.utils.resolver.ResourceResolverSpi)

If the verification end can't have logic to handle custom URIs, then I suggest embedding the attachments in the XML using EnvelopedXmlObject.

Side-notes:

  • There's an EnvelopedSignatureTransform class that you can use.

  • The withNNN methods allow you to write stuff fluently.

    new DataObjectReference("").withTransform(new EnvelopedSignatureTransform());
    

Upvotes: 0
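
As an added example of the resolver the answer sketches (this is not code from the answer or from xades4j itself): a ResourceResolverSpi that serves "attachment:<name>" URIs from an in-memory Map<String, byte[]>, plus the SignedDataObjects wiring. It assumes the Apache Santuario (xmlsec) 2.x API that xades4j 1.x builds on, in particular ResourceResolverContext exposing public uriToResolve and baseUri fields and the XMLSignatureInput(byte[]) constructor; the class name AttachmentsResolver, the helper methods and the sample attachment bytes are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.resolver.ResourceResolverContext;
import org.apache.xml.security.utils.resolver.ResourceResolverException;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;

import xades4j.production.DataObjectReference;
import xades4j.production.EnvelopedSignatureTransform;
import xades4j.production.SignedDataObjects;

/**
 * Resolves "attachment:<name>" URIs against an in-memory map of attachment bytes,
 * so no attachment has to exist on disk and no base URI is needed.
 * (Illustrative class, not part of xades4j; assumes the Santuario 2.x resolver API.)
 */
public final class AttachmentsResolver extends ResourceResolverSpi {

    public static final String SCHEME = "attachment:";

    private final Map<String, byte[]> attachments;

    public AttachmentsResolver(Map<String, byte[]> attachments) {
        // Defensive copy: the signature must cover exactly the bytes handed over,
        // even if the caller mutates its arrays afterwards.
        Map<String, byte[]> copy = new HashMap<>();
        attachments.forEach((name, data) -> copy.put(name, data.clone()));
        this.attachments = Collections.unmodifiableMap(copy);
    }

    /** Returns the attachment name for an "attachment:" URI, or null for any other URI. */
    public static String attachmentName(String uri) {
        if (uri == null || !uri.startsWith(SCHEME)) {
            return null;
        }
        String name = uri.substring(SCHEME.length());
        return name.isEmpty() ? null : name;
    }

    @Override
    public boolean engineCanResolveURI(ResourceResolverContext context) {
        // Claim only our scheme; file:/http: references are left to other resolvers
        // (or fail outright when none is registered), which is the safer default.
        return attachmentName(context.uriToResolve) != null;
    }

    @Override
    public XMLSignatureInput engineResolveURI(ResourceResolverContext context)
            throws ResourceResolverException {
        String name = attachmentName(context.uriToResolve);
        byte[] data = name == null ? null : attachments.get(name);
        if (data == null) {
            // Unknown name: fail the Reference instead of signing or verifying nothing.
            throw new ResourceResolverException("generic.EmptyMessage",
                    context.uriToResolve, context.baseUri);
        }
        XMLSignatureInput input = new XMLSignatureInput(data);
        input.setSourceURI(context.uriToResolve);
        return input;
    }

    /** Builds the SignedDataObjects the answer describes: document + one Reference per attachment. */
    public static SignedDataObjects signedDataObjectsFor(Map<String, byte[]> attachments) {
        SignedDataObjects signedDataObjects = new SignedDataObjects()
                .withResourceResolver(new AttachmentsResolver(attachments))
                // The enclosing document itself (URI ""), minus the Signature element.
                .withSignedDataObject(new DataObjectReference("")
                        .withTransform(new EnvelopedSignatureTransform()));
        for (String name : attachments.keySet()) {
            signedDataObjects.withSignedDataObject(new DataObjectReference(SCHEME + name));
        }
        return signedDataObjects;
    }

    public static void main(String[] args) {
        // Constructed sample attachments, held only in memory.
        Map<String, byte[]> attachments = new HashMap<>();
        attachments.put("invoice.pdf", "%PDF-1.4 sample".getBytes(StandardCharsets.UTF_8));
        attachments.put("notes.txt", "hello".getBytes(StandardCharsets.UTF_8));

        SignedDataObjects objs = signedDataObjectsFor(attachments);
        // objs is now ready for profile.newSigner().sign(objs, xmlDocument.getDocumentElement())
        System.out.println(attachmentName("attachment:invoice.pdf"));
        System.out.println(attachmentName("file:///etc/passwd"));
    }
}
```

Two points worth checking before relying on this. First, the verifier must see the same attachment bytes under the same "attachment:" names and must run with an equivalent resolver, otherwise reference resolution fails and the signature cannot be validated; that is exactly the "how is this signature going to be verified?" question the answer opens with. Second, because the name is only a map key, there is no filesystem or network access and no path-traversal surface, and an unknown or empty name raises an exception rather than resolving to empty content.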
