Oracle XML Security 8-11
The Oracle Security Developer Tools APIs internally maintain a table associating element names with wrapper class names. XMLUtils.getInstance() uses this table
to invoke the appropriate constructor and return an instance of that wrapper class.
8.7.2 Obtain the DOM Element from the Wrapper Object
The underlying DOM element is readily available: all wrapper classes extend XMLElement, which provides a method, XMLElement.getElement(), to get the
underlying DOM element.
8.7.3 Parse Complex Elements
Whenever there are complex elements containing a hierarchy of subelements, there will also be an equivalent hierarchy of wrapper objects. For example, suppose you
have an incoming document containing a signature:
    <dsig:Signature>
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod .../>
        ...
      </dsig:SignedInfo>
      <dsig:SignatureValue>..</dsig:SignatureValue>
      ...
    </dsig:Signature>
Most of these elements have a corresponding wrapper class, such as <dsig:Signature> - XSSignature, <dsig:SignedInfo> - XSSignedInfo,
<dsig:SignatureValue> - XSSignatureValue and so on.
But when you construct the XSSignature object from the <dsig:Signature> DOM element, it does not construct any of the child objects; in fact it does not even look at
any of the child elements. new XSSignature(sigElem) is a quick call which simply creates an object with a data member pointing to sigElem. The child
objects are created on demand, every time they are requested. So when you call XSSignature.getSignedInfo(), it searches the child elements of <dsig:Signature> to find the <dsig:SignedInfo>
element, constructs a wrapper object on that element, and returns it.
This wrapper object is not stored anywhere. So if you invoke XSSignature.getSignedInfo() again, it does the same thing, returning a
different instance of the SignedInfo object; however, both these objects point to the same DOM element, so they behave exactly the same way even though they are
different instances.
8.7.4 Construct Complex Elements
Consider the same example as before, but now, instead of the signature being present in an incoming document, you want to create a document containing a signature and send
this document to someone.

    <dsig:Signature>
      <dsig:SignedInfo>
        ...
      </dsig:SignedInfo>
      ...
    </dsig:Signature>

Note: Remember that the DOM is the source of truth, while the wrapper objects are throwaway objects. The get methods always create new wrapper objects, and if you modify the underlying DOM, the wrapper objects always see the most recent changes.

8-12 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
To construct this complex element, you need to create individual wrapper objects and assemble them using set methods.
For example:

    XSSignature sig = XSSignature.newInstance(doc, null);
    XSSignedInfo sigInfo = new XSSignedInfo(doc, null);
    sig.setSignedInfo(sigInfo);

Remember that the DOM is always the source of truth; the set methods do not store or copy the passed-in wrapper object, they just modify the underlying DOM.
So in this case setSignedInfo() gets the <dsig:SignedInfo> element and makes it a child of the <dsig:Signature> element. So after invoking
setSignedInfo(sigInfo), if you do sigInfo = null, it will not affect anything.
Finally you need to insert the top-level object somewhere into your DOM:

    elem.appendChild(sig.getElement());
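A small harness, added here and not part of the Oracle documentation, that exercises the wrapper semantics described in 8.7.3 and 8.7.4: the set method moves the element into the DOM, each get call returns a fresh wrapper over the same element, and direct DOM edits are what the wrappers see. It assumes the wrapper classes live in the package oracle.security.xmlsec.dsig and that XSSignature.getSignedInfo() and getElement() behave as the text describes.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import oracle.security.xmlsec.dsig.XSSignature;   // package name is an assumption
import oracle.security.xmlsec.dsig.XSSignedInfo;

public class WrapperSemanticsDemo {
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // dsig: elements are namespaced
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElement("myDoc");
        doc.appendChild(root);

        // Assemble <dsig:Signature><dsig:SignedInfo/></dsig:Signature> with the set method
        XSSignature sig = XSSignature.newInstance(doc, null);
        XSSignedInfo sigInfo = new XSSignedInfo(doc, null);
        sig.setSignedInfo(sigInfo);
        root.appendChild(sig.getElement());
        sigInfo = null;   // harmless: setSignedInfo moved the element into the DOM, nothing else is kept

        // Every get call builds a new wrapper, but both wrap the same DOM node
        XSSignedInfo a = sig.getSignedInfo();
        XSSignedInfo b = sig.getSignedInfo();
        System.out.println("distinct wrappers: " + (a != b));
        System.out.println("same DOM element:  " + a.getElement().isSameNode(b.getElement()));

        // Edit the DOM underneath the wrappers: the old wrapper still points at the element,
        // but the element is no longer part of the signature, which is what later get calls see
        sig.getElement().removeChild(a.getElement());
        System.out.println("SignedInfo detached: " + (a.getElement().getParentNode() == null));
        System.out.println("Signature children:  " + sig.getElement().getChildNodes().getLength());
    }
}
```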
8.8 How to Sign Data with the Oracle XML Security API
This section describes techniques for signing data with the Oracle XML Security APIs.
8.8.1 Basic Procedure to Create a Detached Signature
To create a detached signature like this:

    <myDoc>
      <importantInfo xml:id="foo1">
        ...
      </importantInfo>
      <dsig:Signature>
        ...
        <dsig:Reference URI="#foo1">
        ...
      </dsig:Signature>
    </myDoc>
You need to do this:

    // assume you have your data set up in doc
    Document doc = ...
    Element impElem = ...

    // Now put an ID on the importantInfo element
    impElem.setAttributeNS(XMLURI.ns_xml, "xml:id", "foo1");

    // Then get the signing key and certificate from somewhere, e.g. you can load them from a keystore
    PrivateKey signKey = ...
    X509Certificate signCert = ...

    // Create the Signature object
    XSSignature sig = XSSignature.newInstance(doc, null);

    // Create the SignedInfo object
    // Normally you should use exclusive canonicalization (alg_exclusiveC14N)
    // Depending on the type of your private key (DSA or RSA) use dsaWithSHA1 or rsaWithSHA1
    XSSignedInfo sigInfo = sig.createSignedInfo(XMLURI.alg_exclusiveC14N, XMLURI.alg_rsaWithSHA1, null);
    sig.setSignedInfo(sigInfo);

    // Create a Reference object to the importantInfo element
    // You need to specify the id which you set up earlier, and also a digestMethod
    XSReference ref = sig.createReference(null, "#foo1", null, XMLURI.alg_sha1);
    sigInfo.addReference(ref);

    // Create an exclusive c14n Transform object
    // If you do not add this transform object, it will use inclusive by default
    XSAlgorithmIdentifier transform = new XSAlgorithmIdentifier(doc, "Transform", XMLURI.alg_exclusiveC14N);
    ref.addTransform(transform);

    // Create a KeyInfo object
    XSKeyInfo keyInfo = sig.createKeyInfo();
    sig.setKeyInfo(keyInfo);

    // Create an X509Data element for your signCert, inside this keyInfo
    X509Data x509 = keyInfo.createX509Data(signCert);
    keyInfo.addKeyInfoData(x509);

    // Everything is set up, now do the actual signing
    // This will actually do all the canonicalization, digesting, signing etc.
    sig.sign(signKey, null);

    // Finally insert the signature somewhere in your document
    doc.getDocumentElement().appendChild(sig.getElement());
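The procedure above packaged as a reusable method, as an added example that is not part of the Oracle documentation: it loads the key and certificate from a keystore with the standard JDK KeyStore API, as the text suggests, and adds one check the page does not show, that the xml:id is unique in the document before the Reference URI "#id" is relied on to pick out the intended element. The package names oracle.security.xmlsec.dsig and oracle.security.xmlsec.util, and the keystore path, password and alias, are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import oracle.security.xmlsec.dsig.*;          // package names are assumptions
import oracle.security.xmlsec.util.XMLURI;

public class DetachedSigner {
    // Load the signing key and its certificate from a keystore (standard JDK API, not Oracle XML Security)
    static KeyStore.PrivateKeyEntry loadSigningEntry(String path, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return (KeyStore.PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(pw));
    }

    // A same-document Reference URI "#id" is resolved by xml:id; if two elements carry the id,
    // the digest may be computed over the wrong one, so refuse to sign in that case
    static void requireUniqueId(Document doc, String id) {
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        int hits = 0;
        for (int i = 0; i < all.getLength(); i++)
            if (id.equals(((Element) all.item(i)).getAttributeNS(XMLURI.ns_xml, "id"))) hits++;
        if (hits != 1) throw new IllegalStateException("xml:id must occur exactly once: " + id);
    }

    // Steps of 8.8.1, parameterised: tag the target with xml:id, build SignedInfo/Reference/KeyInfo,
    // sign with the private key, and append the detached signature to the document element
    static XSSignature signElement(Document doc, Element target, String id,
                                   PrivateKey signKey, X509Certificate signCert) throws Exception {
        target.setAttributeNS(XMLURI.ns_xml, "xml:id", id);
        requireUniqueId(doc, id);
        XSSignature sig = XSSignature.newInstance(doc, null);
        XSSignedInfo sigInfo = sig.createSignedInfo(XMLURI.alg_exclusiveC14N, XMLURI.alg_rsaWithSHA1, null);
        sig.setSignedInfo(sigInfo);
        XSReference ref = sig.createReference(null, "#" + id, null, XMLURI.alg_sha1);
        sigInfo.addReference(ref);
        ref.addTransform(new XSAlgorithmIdentifier(doc, "Transform", XMLURI.alg_exclusiveC14N));  // exclusive c14n, not the inclusive default
        XSKeyInfo keyInfo = sig.createKeyInfo();
        sig.setKeyInfo(keyInfo);
        keyInfo.addKeyInfoData(keyInfo.createX509Data(signCert));
        sig.sign(signKey, null);   // canonicalization, digesting and signing happen here
        doc.getDocumentElement().appendChild(sig.getElement());
        return sig;
    }
}
```

A caller obtains `entry = loadSigningEntry(path, pw, alias)` and then passes `entry.getPrivateKey()` and `(X509Certificate) entry.getCertificate()` to `signElement`; the document must have been parsed or built namespace-aware for the xml:id lookup to work.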
8.8.2 Variations on the Basic Signing Procedure