[Fwd: [jdom-interest] Signing a JDOM Document]

New, Cecil (GE Trans) cecil.new at ae.ge.com
Thu Dec 2 04:01:09 PST 2004

As Elliotte Harold is fond of pointing out, the proper wire format for an
XML document is, <<drum roll>>, the document itself.  By trying to use a
Java serialization format you would automatically exclude anything other
than java trying to use it on the other end.  And it probably must the same
version of Java...  so just serialize to a StringWriter and send it as a


-----Original Message-----
From: Alistair Young [mailto:alistair at smo.uhi.ac.uk]
Sent: Wednesday, December 01, 2004 6:00 PM
To: Per Norrman
Cc: Alan Deikman; jdom-interest at jdom.org
Subject: Re: [Fwd: [jdom-interest] Signing a JDOM Document]

You're a nice person Per :) I certainly have a business case for signing
JDOM docs. Interesting point arises though - the whole point of signing is
to transmit on the wire to something else. Something that probably doesn't
speak JDOM. So you still have to convert to w3c to be interoperable.
I'm in the same boat as you Per, learning about Java security.
It would certainly be nice to be JDOM on either side, with w3c between, on
the wire.
Are there any benchmark comparisons between the memory footprints of JDOM
vs w3c Documents?
If I can help with your project, just dump the code on me :)

Alistair Young
Senior Software Engineer
UHI at Sabhal Mòr Ostaig
Isle of Skye

> Alistair Young wrote:
>> short of writing a JDOM version of XMLSignature, I can't think of any
>> other way to do it.
>> Alistair
> Ahem,
> I have a half-baked, probably-will-not-ever-finish project, that
> I called jdom-dsig. I started it mainly because I wanted to learn
> more about the Java security API; I really never had any 'business'
> use case for it.
> However, pieces of it actually works, such that you can easily sign
> and verify the basic-basic stuff. Short, concise code was a primary
> design objective:
> Verifying:
>     Document doc = new SAXBuilder().build(...);
>     XMLSignature sig = XMLSignature.buildFrom(doc);
>     boolean result = sig.verify();
> Enveloped signature with defaults:
>     Document doc = new Document(...);
>     PublicKey publicKey = ...
>     PrivateKey privateKey = ...
>     KeyPair keyPair = new KeyPair(publicKey, privateKey);
>     XMLSignature.signEnveloped(doc, keyPair);
> A detached signature:
>     Document doc = ...
>     Element e = new Element("xyzzy");
>     Attribute a = new Attribute("id", "dent", Attribute.ID_TYPE);
>     e.setAttribute(a);
>     ...
>     XMLSignature sig = new XMLSignature();
>     Reference ref = Reference.createFor(e, Identifier.DIGEST_SHA1);
>     ref.addTransform(Transform.newInstance(Transform.C14N_EXC));
>     sig.addReference(ref);
>     sig.addPublicKey(publicKey);
>     doc.getRootElement().addContent(sig.getElement());
>     sig.sign(privateKey);
> Lots and lots of stuff is missing in order to comply to the entire
> spec. If anyone is interested in the code, I'll give it away free to use
> for
> anything, anywhere by anyone.
> /pmn

To control your jdom-interest membership:

More information about the jdom-interest mailing list