I am trying to digitally sign some XML and am having a hard time understanding the canonicalization options. The code I'm using is derived from the examples at the bottom of:
http://java.sun.com/javase/6/docs/technotes/guides/security/xmldsig/overview.html
I am creating an "enveloped" signature. Here is the relevant code from the GenEnveloped example:
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;

// Create a DOM XMLSignatureFactory that will be used to generate the
// enveloped signature
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

// Create a Reference to the enveloped document (in this case we are
// signing the whole document, so a URI of "" signifies that) and
// also specify the SHA1 digest algorithm and the ENVELOPED Transform.
// The Transforms listed here are what is applied to the referenced
// document before its digest is computed.
Reference ref = fac.newReference("",
    fac.newDigestMethod(DigestMethod.SHA1, null),
    Collections.singletonList(fac.newTransform(Transform.ENVELOPED,
        (TransformParameterSpec) null)),
    null, null);

// Create the SignedInfo. The CanonicalizationMethod given here governs how
// the SignedInfo element itself is serialized before it is signed.
SignedInfo si = fac.newSignedInfo(
    fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
        (C14NMethodParameterSpec) null),
    fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
    Collections.singletonList(ref));
I would like the canonicalization method to ignore whitespace outside of XML elements. Thus, the addition of a blank line wouldn't change the signature. None of the standard options to newCanonicalizationMethod() [INCLUSIVE, INCLUSIVE_WITH_COMMENTS, EXCLUSIVE, EXCLUSIVE_WITH_COMMENTS] do this. Is it possible? This seems like a reasonable thing to do so I'm surprised it is not more obvious.
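The following is an added example, not part of the question above and not code from the Java API it uses. It shows concretely why a blank line between elements changes the digest: every canonicalization algorithm the question lists (Inclusive C14N 1.0/1.1 and Exclusive C14N) keeps whitespace-only text nodes verbatim, so the canonical byte stream, and therefore the Reference digest, differs. It uses Python's standard-library canonicalize(), which implements C14N 2.0 rather than the algorithms named in the Java code, but C14N 2.0 treats whitespace-only text nodes the same way by default; its strip_text flag is the C14N 2.0 TrimTextNodes parameter, which is the behaviour the question is asking for. The two sample documents are constructed for the demo, and SHA-256 stands in for the Reference digest; whether the Java XMLSignatureFactory can be configured this way is not claimed here.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed sample documents: identical content, except that DOC_B has a
# blank line between the two child elements (whitespace outside elements).
DOC_A = "<root><a>1</a><b>2</b></root>"
DOC_B = "<root><a>1</a>\n\n<b>2</b></root>"


def c14n(xml_text, strip_text=False):
    """Return the canonical form of xml_text as a string.

    strip_text=False matches what Inclusive and Exclusive C14N also do with
    whitespace-only text nodes: they are emitted verbatim.  strip_text=True is
    C14N 2.0's TrimTextNodes option, which drops them (xml:space="preserve"
    subtrees excepted).
    """
    return canonicalize(xml_text, strip_text=strip_text)


def digest_hex(xml_text, strip_text=False):
    """SHA-256 of the canonical form (a stand-in for the Reference digest)."""
    canonical = c14n(xml_text, strip_text=strip_text).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def whitespace_changes_digest(strip_text=False):
    """True if the blank line in DOC_B changes the digest under this mode."""
    return digest_hex(DOC_A, strip_text) != digest_hex(DOC_B, strip_text)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strip_text={mode}: canonical DOC_B = {c14n(DOC_B, mode)!r}")
        print(f"  blank line changes digest: {whitespace_changes_digest(mode)}")
```

Running it shows the canonical form of DOC_B keeps the two newlines in the default mode, so the digests differ, while with strip_text=True both documents canonicalize to the same bytes. The practical caveat for XML-DSig is that this has to happen in the step that feeds the digest, i.e. as a Transform on the Reference, since the CanonicalizationMethod on SignedInfo only affects the SignedInfo element itself.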