Oracle XML Security 8-13
// Normally you should use exclusive canonicalization (alg_exclusiveC14N).
// Depending on the type of your private key (DSA or RSA), use dsaWithSHA1 or rsaWithSHA1.
XSSignedInfo sigInfo = sig.createSignedInfo(XMLURI.alg_exclusiveC14N, XMLURI.alg_rsaWithSHA1, null);
sig.setSignedInfo(sigInfo);
// Create a Reference object to the importantInfo element.
// You need to specify the id which you set up earlier (as the same-document URI "#foo1"), and also a digestMethod.
XSReference ref = sig.createReference(null, "#foo1", null, XMLURI.alg_sha1);
sigInfo.addReference(ref);
// Create an exclusive c14n Transform object.
// If you do not add this transform object, it will use inclusive by default.
XSAlgorithmIdentifier transform = new XSAlgorithmIdentifier(doc, "Transform", XMLURI.alg_exclusiveC14N);
ref.addTransform(transform);
// Create a KeyInfo object.
XSKeyInfo keyInfo = sig.createKeyInfo();
sig.setKeyInfo(keyInfo);
// Create an X509Data element for your signingCert, inside this keyInfo.
X509Data x509 = keyInfo.createX509Data(signingCert);
keyInfo.addKeyInfoData(x509);
// Everything is set up, now do the actual signing.
// This will actually do all the canonicalization, digesting, signing etc.
sig.sign(signKey, null);
// Finally insert the signature somewhere in your document.
doc.getDocumentElement().appendChild(sig.getElement());
8.8.2 Variations on the Basic Signing Procedure
Variations on the basic signing procedure include multiple references, enveloped signatures, XPath expressions, certificate hints, and HMAC key signing.
8.8.2.1 Multiple References
To include multiple references in a signature, add further XSReference objects to the XSSignedInfo object. Each XSReference object needs its own list of transforms.
Note: After creating a child Wrapper object, you must call a set or add method to put it in its parent. Also remember to insert the top-level Signature object into your document.
8.8.2.2 Enveloped Signature
To use an enveloped signature, add the enveloped signature transform to the reference. This means inserting the following code just before the code that adds the exclusive transform:
XSAlgorithmIdentifier transform1 = new XSAlgorithmIdentifier(doc, "Transform", XMLURI.alg_envelopedSignature);
ref.addTransform(transform1);
8.8.2.3 XPath Expression
To use an XPath expression instead of an ID-based reference, pass in an empty string ("") instead of "#foo1" for the URI parameter of createReference, then add an XPath transform to the Reference as the first transform.
String xpathExpr = "ancestor-or-self::importantInfo";
Element xpathElem = doc.createElementNS(XMLURI.ns_dsig, "dsig:XPath");
xpathElem.appendChild(doc.createTextNode(xpathExpr));
XSAlgorithmIdentifier transform2 = new XSAlgorithmIdentifier(doc, "Transform", XMLURI.alg_xpath);
transform2.addParameter(xpathElem);
ref.addTransform(transform2);
8.8.2.4 Certificate Hint
If you do not want to include the entire certificate in the key info, but only a hint to the certificate, use the no-argument form of XSKeyInfo.createX509Data() and call one of the methods X509Data.addIssuerSerial, addSubjectName, or addSubjectKeyID.
8.8.2.5 Sign with HMAC Key
To sign with an HMAC key instead of an RSA or DSA private key, use the XSSignature.sign(byte[] secret, String sigValueId) method and pass your HMAC key as the first argument.
Also use a different kind of KeyInfo, such as a KeyName, by calling XSKeyInfo.createKeyName.
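The following is an added worked example, not code from the Oracle documentation, that assembles the basic procedure (8.8.1) together with three of the variations above: an enveloped signature (8.8.2.2), multiple references (8.8.2.1) and HMAC signing with a KeyName (8.8.2.5). Only calls shown on this page are used, with three assumptions: that XSSignature.newInstance(Document, String) creates the empty Signature wrapper (that step is on the previous page, not this one), that XSKeyInfo.createKeyName(String) is the KeyName factory, and that the package names in the imports match your release of the Oracle Security Developer Tools. Two points the example makes explicit that the text only implies: the enveloped transform must precede the canonicalization transform, and an HMAC key requires an HMAC SignatureMethod (XMLURI.alg_hmacSHA1) in the SignedInfo rather than rsaWithSHA1.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Package names assumed to match the Oracle Security Developer Tools release in use.
import oracle.security.xmlsec.dsig.XSAlgorithmIdentifier;
import oracle.security.xmlsec.dsig.XSKeyInfo;
import oracle.security.xmlsec.dsig.XSReference;
import oracle.security.xmlsec.dsig.XSSignature;
import oracle.security.xmlsec.dsig.XSSignedInfo;
import oracle.security.xmlsec.keys.X509Data;
import oracle.security.xmlsec.util.XMLURI;

/** Added examples of the signing procedure and its variations; not Oracle's own code. */
public class XmlSigningExamples {

    /**
     * Enveloped RSA signature over the element whose Id is "foo1" (8.8.2.2).
     * Returns the inserted dsig:Signature element.
     */
    public static Element signEnveloped(Document doc, PrivateKey signKey,
                                        X509Certificate signingCert) throws Exception {
        // Assumption: newInstance(Document, String) creates the empty Signature wrapper.
        XSSignature sig = XSSignature.newInstance(doc, null);

        XSSignedInfo sigInfo = sig.createSignedInfo(
                XMLURI.alg_exclusiveC14N, XMLURI.alg_rsaWithSHA1, null);
        sig.setSignedInfo(sigInfo);

        XSReference ref = sig.createReference(null, "#foo1", null, XMLURI.alg_sha1);
        sigInfo.addReference(ref);

        // Transform order matters: first strip the enveloping Signature element,
        // then canonicalize what is left. Reversing the order would digest the
        // signature itself, which can never verify.
        XSAlgorithmIdentifier enveloped = new XSAlgorithmIdentifier(
                doc, "Transform", XMLURI.alg_envelopedSignature);
        ref.addTransform(enveloped);
        XSAlgorithmIdentifier exc14n = new XSAlgorithmIdentifier(
                doc, "Transform", XMLURI.alg_exclusiveC14N);
        ref.addTransform(exc14n);

        XSKeyInfo keyInfo = sig.createKeyInfo();
        sig.setKeyInfo(keyInfo);
        X509Data x509 = keyInfo.createX509Data(signingCert);
        keyInfo.addKeyInfoData(x509);

        sig.sign(signKey, null);

        // Enveloped means the signature lives inside the document it signs.
        Element sigElem = sig.getElement();
        doc.getDocumentElement().appendChild(sigElem);
        return sigElem;
    }

    /**
     * HMAC-SHA1 signature covering several elements (8.8.2.1 and 8.8.2.5).
     * Each reference gets its own transform list; the KeyInfo carries only a
     * KeyName so the shared secret never appears in the document.
     */
    public static Element signWithHmac(Document doc, byte[] secret, String keyName,
                                       String[] elementIds) throws Exception {
        XSSignature sig = XSSignature.newInstance(doc, null);   // assumption, as above

        // The SignatureMethod must match the key type: an HMAC secret cannot be
        // used with rsaWithSHA1 or dsaWithSHA1.
        XSSignedInfo sigInfo = sig.createSignedInfo(
                XMLURI.alg_exclusiveC14N, XMLURI.alg_hmacSHA1, null);
        sig.setSignedInfo(sigInfo);

        for (String id : elementIds) {
            XSReference ref = sig.createReference(null, "#" + id, null, XMLURI.alg_sha1);
            sigInfo.addReference(ref);
            // A fresh transform per reference: transforms are not shared between references.
            XSAlgorithmIdentifier exc14n = new XSAlgorithmIdentifier(
                    doc, "Transform", XMLURI.alg_exclusiveC14N);
            ref.addTransform(exc14n);
        }

        XSKeyInfo keyInfo = sig.createKeyInfo();
        sig.setKeyInfo(keyInfo);
        // Assumption: createKeyName(String) builds the dsig:KeyName wrapper.
        keyInfo.addKeyInfoData(keyInfo.createKeyName(keyName));

        sig.sign(secret, null);   // byte[] overload: HMAC rather than a private key

        Element sigElem = sig.getElement();
        doc.getDocumentElement().appendChild(sigElem);
        return sigElem;
    }
}
```

Both methods return the inserted Signature element so the caller can serialize or inspect it. SHA-1 is used throughout to match the URIs on this page; if your release of XMLURI defines SHA-256 constants, prefer those for new deployments. For the HMAC variant, the verifier resolves the KeyName to the shared secret out of band, so the KeyName value should identify a key, not contain one.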
8.9 How to Verify Signatures with the Oracle XML Security API