
Android - Verify The Signature Of Xml

I have signed XML document (by pure Java with RSA and X509 tags) on the web and I have implemented XML pull parser - before I parse some information from my XML document to specifi

Solution 1:

In J2EE Java you would use javax.xml.crypto as detailed here

http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/

However these are not part of the standard Android package.

It may be a manageable amount of work to make your own package of the bits of the source you need.

http://google.com/codesearch/p?hl=en#-WpwJU0UKqQ/src/share/classes/javax/xml/crypto/dom/DOMCryptoContext.java&d=5

Solution 2:

You can use Apache Santuario but you need to strip it down. Look at https://web.archive.org/web/20140902223147/http://www.xinotes.net/notes/note/1302/ for more details.

Solution 3:

You can add the following stripped version of Apache Santuario with the XML security features: http://mvnrepository.com/artifact/org.apache.santuario/xmlsec/2.0.2

Then you just need to create some verifier class, for example:

import java.io.*;
import javax.xml.parsers.*;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

import org.w3c.dom.*;

import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;

public class Whatever {
    boolean verifySignature() {
        boolean valid = false;
        try {
            // parse the XML
            // (obtainInputStreamToXMLSomehow() is a placeholder: supply your own stream)
            InputStream in = obtainInputStreamToXMLSomehow();
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            Document doc = f.newDocumentBuilder().parse(in);
            in.close();

            // verify signature
            NodeList nodes = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
            if (nodes.getLength() == 0) {
                throw new Exception("Signature NOT found!");
            }

            Element sigElement = (Element) nodes.item(0);
            XMLSignature signature = new XMLSignature(sigElement, "");

            KeyInfo ki = signature.getKeyInfo();
            if (ki == null) {
                throw new Exception("Did not find KeyInfo");
            }

            // The certificate or key is read from the document's own KeyInfo, so a
            // true result means the XML matches that embedded key; whether the key
            // belongs to a trusted signer is not checked here.
            X509Certificate cert = signature.getKeyInfo().getX509Certificate();
            if (cert == null) {
                PublicKey pk = signature.getKeyInfo().getPublicKey();
                if (pk == null) {
                    throw new Exception("Did not find Certificate or Public Key");
                }
                valid = signature.checkSignatureValue(pk);
            }
            else {
                valid = signature.checkSignatureValue(cert);
            }
        }
        catch (Exception e) {
            // any parsing or verification error leaves valid == false
            e.printStackTrace();
        }

        return valid;
    }

    // This is important!
    static {
        org.apache.xml.security.Init.init();
    }
}

Edit: Seems like including XML parsing libraries in Android is trickier than expected. First you need to generate the jar file and then modify some of the library namespaces (using JarJar tool). After that, add it to the project's library directory (/lib or /libs). Source

I switched from signed XML to Signed JSON (RFC 7515)
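The verifier in Solution 3 takes the certificate or public key from the document's own KeyInfo, so it accepts a document signed with any key. The following is an added example, not code from the original answers: it checks the signature against a certificate shipped with the app instead. The class name PinnedXmlVerifier, its method names, and the assumption that the signer produces one enveloped signature with a single URI="" Reference are illustrative.

```java
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;

// Added example (hypothetical class): verify against a pinned certificate, not the embedded KeyInfo.
public class PinnedXmlVerifier {
    static { org.apache.xml.security.Init.init(); }

    /** Loads the signer certificate bundled with the app (assumption: an X.509 file, DER or PEM). */
    public static X509Certificate loadPinned(InputStream certStream) throws Exception {
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certStream);
    }

    /** Returns the parsed document only if the pinned certificate's key verifies its signature. */
    public static Document parseVerified(InputStream xml, X509Certificate pinned) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(xml);

        // Exactly one Signature, placed directly under the root element (enveloped signature).
        NodeList nodes = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (nodes.getLength() != 1) {
            throw new SecurityException("Expected exactly one Signature, found " + nodes.getLength());
        }
        Element sigElement = (Element) nodes.item(0);
        if (!doc.getDocumentElement().isSameNode(sigElement.getParentNode())) {
            throw new SecurityException("Signature is not a child of the document root");
        }
        // Third argument enables Santuario's secure-validation restrictions.
        XMLSignature signature = new XMLSignature(sigElement, "", true);
        // Assumption: a single Reference with URI="" (the whole document). A Reference to another
        // element would leave the rest of the document unsigned. Transforms are not inspected here.
        if (signature.getSignedInfo().getLength() != 1
                || !"".equals(signature.getSignedInfo().item(0).getURI())) {
            throw new SecurityException("Signature reference does not target the whole document");
        }
        // The embedded KeyInfo is ignored; only the pinned certificate's key is accepted.
        if (!signature.checkSignatureValue(pinned)) {
            throw new SecurityException("Signature check failed for the pinned certificate");
        }
        return doc;
    }
}
```

Read application data only from the Document this method returns, so that nothing is parsed from XML that failed verification.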

Solution 4:

Maybe you can use Apache Santuario. http://santuario.apache.org/
