
How to tell XMLDSIG API to put X.509 certificate in a digital signature

2 replies
franknatoli
Joined: 2007-04-13

The digital signature generated by XMLDSIG API includes element path Signature, KeyInfo, KeyValue, DSAKeyValue and P, Q, G and Y. I believe the standard allows element X509Data at the same level as KeyValue, but I don't know how to tell XMLDSIG to insert the X.509 certificate that encapsulates the public key into the digital signature at element path Signature, KeyInfo, X509Data. Can it be done? Thanks.

My fundamental intent is to validate the certificate path along with the digital signature, but I don't know how to do that with only the public key data. Thanks again.

joehw
Joined: 2004-12-15

Hi Frank,

This is the JAXP forum. Unfortunately I don't have a good answer to your question. You may want to try the XWSS mailing list. I don't know what forum they are using.

Thanks.

franknatoli
Joined: 2007-04-13

The sample code provided by Sun, which only handles embedding a public key and nothing else in a digital signature, is as follows:

import java.security.Provider;
import java.util.Collections;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());
KeyInfoFactory kif = fac.getKeyInfoFactory();
// Create a KeyValue containing the DSA PublicKey that was generated
KeyValue kv = kif.newKeyValue(publicKey);
// Create a KeyInfo and add the KeyValue to it (this yields ds:KeyInfo/ds:KeyValue/ds:DSAKeyValue only)
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));

In order to embed both a public key and the public key's X.509 certificate in a digital signature, do as follows:

import java.security.Provider;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", (Provider) Class.forName(providerName).newInstance());
KeyInfoFactory kif = fac.getKeyInfoFactory();
// Create a KeyValue containing the DSA PublicKey that was generated
KeyValue kv = kif.newKeyValue(publicKey);
// Create an X509Data containing the X.509 certificate (an X509Certificate object is accepted directly)
X509Data x509d = kif.newX509Data(Collections.singletonList(cert));
// Create a KeyInfo holding both the KeyValue and the X509Data, in that order
List<XMLStructure> keyInfoItems = new ArrayList<XMLStructure>();
keyInfoItems.add(kv);
keyInfoItems.add(x509d);
KeyInfo ki = kif.newKeyInfo(keyInfoItems);
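The verifying side of what the original poster asked for, as an added example that is not part of this thread or of Sun's sample: a KeySelector that ignores the bare KeyValue, takes the certificate out of X509Data, validates its path with PKIX against a KeyStore of trust anchors, and only then releases the public key for signature validation. The class name CertPathKeySelector, the trust-store argument and the disabled revocation check are assumptions.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;

// Accepts only a key carried in ds:X509Data whose certificate chains to a trust anchor. The
// ds:KeyValue beside it is ignored on purpose: verifying against a bare key proves integrity only.
public class CertPathKeySelector extends KeySelector {
    private final PKIXParameters params;
    public CertPathKeySelector(KeyStore trustStore) throws Exception {
        params = new PKIXParameters(trustStore); // trusted entries become the PKIX anchors
        params.setRevocationEnabled(false);      // assumption: revocation is checked elsewhere
    }
    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                    AlgorithmMethod method, XMLCryptoContext ctx)
            throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("signature carries no KeyInfo");
        for (Object item : keyInfo.getContent()) {
            if (!(item instanceof X509Data)) continue;          // skip KeyValue etc.
            for (Object c : ((X509Data) item).getContent()) {
                if (!(c instanceof X509Certificate)) continue; // skip SKI/SubjectName/CRL entries
                final X509Certificate cert = (X509Certificate) c;
                try {
                    // Single-cert path: the signer's cert must be issued directly by an anchor.
                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
                    CertPathValidator.getInstance("PKIX").validate(
                            cf.generateCertPath(Collections.singletonList(cert)), params);
                } catch (Exception e) {
                    throw new KeySelectorException("certificate path invalid: " + e, e);
                }
                return new KeySelectorResult() {
                    public Key getKey() { return cert.getPublicKey(); }
                };
            }
        }
        throw new KeySelectorException("no X509Certificate inside KeyInfo/X509Data");
    }
}
```

Pass it to the validation context with new DOMValidateContext(new CertPathKeySelector(trustStore), signatureNode) and then call XMLSignature.validate; if the signer's certificate is issued by an intermediate, that intermediate has to be embedded in X509Data and added to the path as well.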