Is there a possibility to sign an XML document with attachments without a baseURI?
Code:
SignedDataObjects signedDataObjects = new SignedDataObjects();
DataObjectReference dataObjectReference = new DataObjectReference("");
dataObjectReference.withTransform(new DataObjectTransform("http://www.w3.org/2000/09/xmldsig#enveloped-signature"));
signedDataObjects.withSignedDataObject(dataObjectReference);
signedDataObjects.withBaseUri(baseUri + File.separator);
attachments.forEach(attachment -> {
    DataObjectDesc dataObjectReferenceForAttachment = new DataObjectReference(attachment.getName());
    signedDataObjects.withSignedDataObject(dataObjectReferenceForAttachment);
});
XadesSigner signer = profile.newSigner();
signer.sign(signedDataObjects, xmlDocument.getDocumentElement());
I'd like to skip the line:
signedDataObjects.withBaseUri(baseUri + File.separator);
Is it possible to send attachments in the form of byte[]? There can be many such attachments. Unfortunately I am not able to save files to disk.
One important question to ask is: how is this signature going to be verified? If there's flexibility for some custom resource resolution at verification, I suggest using a custom URI scheme and a custom resource resolver.
The custom resolver checks if the URI is attachment: and gets the contents for the given name from the attachments collection.
Example: https://github.com/luisgoncalves/xades4j/blob/master/src/test/java/xades4j/production/SignedDataObjectsProcessorTest.java
Reference: http://luisgoncalves.github.io/xades4j/javadocs/1.6.0/reference/xades4j/production/SignedDataObjects.html#withResourceResolver(org.apache.xml.security.utils.resolver.ResourceResolverSpi)
If the verification end can't have logic to handle custom URIs, then I suggest embedding the attachments in the XML using EnvelopedXmlObject.
Side-notes:
There's an EnvelopedSignatureTransform class that you can use.
The withNNN methods allow you to write stuff fluently.
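The custom-scheme resolver suggested in the answer above, sketched as an added example that is not part of the original thread or of xades4j itself. The class name `InMemoryAttachmentResolver` and the `Map<String, byte[]>` holder are hypothetical, and the overridden methods assume the Apache Santuario 2.x `ResourceResolverSpi` API; other Santuario versions declare different methods.

```java
import java.util.Map;

import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.resolver.ResourceResolverContext;
import org.apache.xml.security.utils.resolver.ResourceResolverException;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;

// Added example (hypothetical class). Assumes the Santuario 2.x resolver API.
// Usage with the question's code, replacing the withBaseUri(...) call:
//   signedDataObjects.withResourceResolver(new InMemoryAttachmentResolver(byName));
//   new DataObjectReference("attachment:" + attachment.getName());
public class InMemoryAttachmentResolver extends ResourceResolverSpi {

    private static final String SCHEME = "attachment:"; // custom scheme from the answer

    private final Map<String, byte[]> attachments;      // attachment name -> content in memory

    public InMemoryAttachmentResolver(Map<String, byte[]> attachments) {
        this.attachments = attachments;
    }

    @Override
    public boolean engineCanResolveURI(ResourceResolverContext context) {
        // Claim only references that use the custom scheme; everything else
        // (such as the "" reference to the document itself) is left to other resolvers.
        return context.uriToResolve != null && context.uriToResolve.startsWith(SCHEME);
    }

    @Override
    public XMLSignatureInput engineResolveURI(ResourceResolverContext context)
            throws ResourceResolverException {
        String name = context.uriToResolve.substring(SCHEME.length());
        byte[] content = attachments.get(name);
        if (content == null) {
            // Fail closed: an unknown name is an error, never empty content to digest.
            throw new ResourceResolverException("generic.EmptyMessage",
                    new Object[] { "No attachment named " + name },
                    context.uriToResolve, context.baseUri);
        }
        // The raw bytes are what gets digested for this reference.
        return new XMLSignatureInput(content);
    }
}
```

The verifying side has to register an equivalent resolver backed by the attachments it actually received, otherwise the `attachment:` references cannot be dereferenced and validation fails.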