


Sean Mullan

Sean Mullan's Blog

Extending JSR 105 to support more URI reference types

Posted by mullan on June 28, 2006 at 10:24 AM | Comments (4)

In XML Signatures, Reference elements use URIs to describe the data that is to be digested and signed. Adding support for your own URI dereferencing implementation is pretty straightforward in JSR 105. First you need to create a concrete implementation of the javax.xml.crypto.URIDereferencer interface, for example:

public class MyURIDereferencer implements URIDereferencer {
...

There is only one method in URIDereferencer that you need to provide an implementation for: the dereference method:

Data dereference(URIReference uriReference,
                 XMLCryptoContext context)
    throws URIReferenceException

This method takes a URIReference object describing the URI to be dereferenced and an XMLCryptoContext object that may contain additional information (such as the base URI) that is helpful in dereferencing the URI. The method returns a Data object containing the dereferenced data. The API defines two subclasses of Data: OctetStreamData for holding byte streams, and NodeSetData for holding node-sets.

Once you have implemented your URIDereferencer, it can be set as the default URIDereferencer by invoking the XMLCryptoContext.setURIDereferencer method (which takes a URIDereferencer argument), for example:


context.setURIDereferencer(new MyURIDereferencer());

Does this mean MyURIDereferencer is responsible for dereferencing all URI types? Yes. But what if I want to continue to use the built-in support and only add support for new types? Well, you can do that too. In your URIDereferencer implementation, add some code to fall back to the built-in URIDereferencer for URI types that you do not support. You can do this by calling the XMLSignatureFactory.getURIDereferencer method, which returns a reference to the XMLSignatureFactory's built-in implementation of URIDereferencer.
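A dereferencer with the fallback described above, as an added example (not code from the original post or from the JSR 105 reference implementation). The classpath: scheme and the resource-name check are assumptions made for illustration; the factory passed to the constructor is the same XMLSignatureFactory used to build or validate the signature.

```java
import java.io.InputStream;
import javax.xml.crypto.Data;
import javax.xml.crypto.OctetStreamData;
import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.URIReference;
import javax.xml.crypto.URIReferenceException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignatureFactory;

// Usage: context.setURIDereferencer(new MyURIDereferencer(factory));
public class MyURIDereferencer implements URIDereferencer {
    // Hypothetical scheme, chosen only for this example.
    private static final String SCHEME = "classpath:";

    // Built-in dereferencer, used for every URI type not handled here.
    private final URIDereferencer builtIn;

    public MyURIDereferencer(XMLSignatureFactory factory) {
        this.builtIn = factory.getURIDereferencer();
    }

    @Override
    public Data dereference(URIReference uriReference, XMLCryptoContext context)
            throws URIReferenceException {
        // getURI() returns null when the Reference has no URI attribute.
        String uri = uriReference.getURI();
        if (uri == null || !uri.startsWith(SCHEME)) {
            // Not our scheme: fall back to the built-in implementation.
            return builtIn.dereference(uriReference, context);
        }
        String resource = uri.substring(SCHEME.length());
        // The URI comes from the Reference element, so check the name
        // before opening anything (assumed policy for this example).
        if (resource.isEmpty() || resource.contains("..")) {
            throw new URIReferenceException("Refusing to dereference " + uri);
        }
        InputStream in =
            MyURIDereferencer.class.getClassLoader().getResourceAsStream(resource);
        if (in == null) {
            throw new URIReferenceException("Resource not found: " + uri);
        }
        // Byte-stream result; a node-set result would use NodeSetData instead.
        return new OctetStreamData(in, uri, null);
    }
}
```

The same dereferencer is called when a signature is validated, where the Reference URIs come from the document being checked, which is why the example checks the resource name before opening it.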

You can get the reference implementation of JSR 105 from the Java Web Service Developer's Pack v2.0, the beta 2 release or latest snapshot of JDK 6 (Mustang), or GlassFish.


Comments

  • Dear Sean,

    I only have a URIReferenceException while using URI type of "file:/...", not with "http://..". I'm not sure if your solution answers to my problem.

    I've got a
    "Exception in thread "main" javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: java.lang.NullPointerException"
    which occurs at the line below.
    -------
    signature.sign(dsc);
    -------

    The cause of the problem is the use of a URI-type reference: if I use a "file:/..." one, Exception occurs, if I use a "http://..." one, then there is no Exception
    --------
    Reference ref_1 = xsfac.newReference("file:/C:/temp/myPix.jpg",xsfac.newDigestMethod(DigestMethod.SHA1, null));
    Reference ref_2 = xsfac.newReference("file:///C:/temp/myPix.jpg",xsfac.newDigestMethod(DigestMethod.SHA1, null));
    Reference ref_3 = xsfac.newReference("http://www.mycompany.com/data/myPix.jpg", xsfac.newDigestMethod(DigestMethod.SHA1,null));
    --------

    Below is the full code

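    import java.io.FileOutputStream;
    import java.io.OutputStream;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.util.Collections;
    import javax.xml.crypto.dsig.*;
    import javax.xml.crypto.dsig.dom.DOMSignContext;
    import javax.xml.crypto.dsig.keyinfo.*;
    import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;
    import org.w3c.dom.Document;

    public class GenSig {
        public static void main(String[] args) throws Exception {
            XMLSignatureFactory xsfac = XMLSignatureFactory.getInstance("DOM");
            // Three detached references; only ref_1 is signed below.
            Reference ref_1 = xsfac.newReference("file:/C:/temp/myPix.jpg", xsfac.newDigestMethod(DigestMethod.SHA1, null));
            Reference ref_2 = xsfac.newReference("file:///C:/temp/myPix.jpg", xsfac.newDigestMethod(DigestMethod.SHA1, null));
            Reference ref_3 = xsfac.newReference("http://www.mycompany.com/data/myPix.jpg", xsfac.newDigestMethod(DigestMethod.SHA1, null));

            // Empty document that will hold the Signature element.
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            Document doc = dbf.newDocumentBuilder().newDocument();

            SignedInfo si = xsfac.newSignedInfo(
                xsfac.newCanonicalizationMethod(
                    CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
                    (C14NMethodParameterSpec) null),
                xsfac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
                Collections.singletonList(ref_1));

            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
            kpg.initialize(512);

            KeyPair kp = kpg.generateKeyPair();
            KeyInfoFactory kif = xsfac.getKeyInfoFactory();
            KeyValue kv = kif.newKeyValue(kp.getPublic());

            KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));

            XMLSignature signature = xsfac.newXMLSignature(si, ki);

            DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc);

            // The reference is dereferenced and digested here.
            signature.sign(dsc);

            // Write to the file named by the first argument, else to stdout.
            OutputStream os;
            if (args.length > 0) {
                os = new FileOutputStream(args[0]);
            } else {
                os = System.out;
            }

            TransformerFactory tf = TransformerFactory.newInstance();
            Transformer trans = tf.newTransformer();
            trans.transform(new DOMSource(doc), new StreamResult(os));
        }
    }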

    The full error message is as below:

    -------------------
    [java] Exception in thread "main" javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: java.lang.NullPointerException
    [java] at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(Unknown Source)
    [java] at org.jcp.xml.dsig.internal.dom.DOMReference.digest(Unknown Source)
    [java] at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(Unknown Source)
    [java] at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(Unknown Source)
    [java] at dsig.detached.GenSig.main(GenSig.java:90)
    [java] Caused by: javax.xml.crypto.URIReferenceException: java.lang.NullPointerException
    [java] at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(Unknown Source)
    [java] ... 5 more
    [java] Caused by: java.lang.NullPointerException
    [java] at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverDirectHTTP.engineCanResolve(Unknown Source)
    [java] at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.canResolve(Unknown Source)
    [java] at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.getInstance(Unknown Source)
    [java] ... 6 more
    [java] javax.xml.crypto.URIReferenceException: java.lang.NullPointerException
    [java] at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(Unknown Source)
    [java] at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(Unknown Source)
    [java] at org.jcp.xml.dsig.internal.dom.DOMReference.digest(Unknown Source)
    [java] at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(Unknown Source)
    [java] at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(Unknown Source)
    [java] at dsig.detached.GenSig.main(GenSig.java:90)
    [java] Caused by: java.lang.NullPointerException
    [java] at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverDirectHTTP.engineCanResolve(Unknown Source)
    [java] at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.canResolve(Unknown Source)
    [java] at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.getInstance(Unknown Source)
    [java] ... 6 more
    [java] Java Result: 1
    -------------------

    Thank you

    Posted by: segnilape on June 05, 2007 at 08:03 AM

  • Oops, sorry, I didn't know that the comment box has no document format.

    I've posted my question here:
    http://72.5.124.111/thread.jspa?threadID=745105&tstart=316

    Thanks

    Posted by: segnilape on June 05, 2007 at 08:05 AM

  • See my reply to your forum posting at http://forum.java.sun.com/thread.jspa?threadID=745105

    Posted by: mullan on June 05, 2007 at 11:04 AM

  • Thank you Sean
    I also see that the DSigResolver.java in the package xwss-3.0.zip provided by the GlassFish project implements your idea about implementing a new URIDereferencer class. I am still having a problem in trying to use that new DSigResolver (Don't know how to use it).

    I will read your pointing to an apache remedy
    Segnilape

    Posted by: segnilape on June 06, 2007 at 06:32 AM


