0

I am trying to sign an XML document using Java and I'm following along with this tutorial. I was trying to sign the document using my private key, but when I looked at the API it says KeyValue only takes a PublicKey as the parameter. Also in the tutorial it has me sign a DOMSignContext with the private key and then the XMLSignature with the public key. 

DOMSignContext dsc = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()); 
KeyValue kv = kif.newKeyValue(kp.getPublic());
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv)); 
XMLSignature signature = fac.newXMLSignature(si, ki);

I thought the whole point of a private key was so that people would trust you? Why would you need a public key for anything here? Can somebody explain the details here a little bit better for me?

snowe
  • 1,312
  • 1
  • 20
  • 41

1 Answers1

1

In general, when someone wants to verify/decrypt something encrypted with a private key, the associated public key must be known (which is the whole point of public-key/asymmetric cryptography).

In the XMLSignature context, someone wanting to verify a document with a XMLSignature will need to know what public key to use; thus the public key can be included in a XMLSignature structure for convenience.

Successful verification of the XMLSignature means one can trust that the data signed has not been modified since the signature was created. If the public key is known to be associated with a particular party, then one can trust that party created the signature.

As noted in the tutorial, you still have to "sign" the signature with:

signature.sign(dsc);
djungelorm
  • 51
  • 3