[XML Security Suite]

XML-Signature Implementation

This package is an implementation of XML-Signature Core Syntax and Processing [W3C REC 12-February-2002]. This package requires Java2 SDK v1.2 or later.


Supported Features:
Not supported Features:

Run Sample Programs


  1. Please confirm Xerces-J (v1.4.3 or later), Xalan-J v2.3, xss4j.jar and the sample directory of this package are set to CLASSPATH.
    E:\xss4j> set CLASSPATH="E:\xerces-1_4_3\xerces.jar;E:\xalan-j_2_3_0\xalan.jar;E:\xss4j\xss4j.jar;E:\xss4j\samples;"
  2. If you want to sign, generate a key pair using keytool command. This operation is not needed for verification of signatures. For example:
    E:\xss4j> keytool -genkey -dname "CN=John Smith, OU=Java Technology Center, O=IBM, L=Cupertino, S=California, C=US" -alias john(1) -storepass your-storepassword(2) -keypass your-keypassword(3)

    The command generates a key pair for DSA. If you want to generate a key pair for RSA signing, add `-keyalg RSA' to the command line.



SampleSign2 is a sample application to create an XML-Signature. With this application, you can create:

Use this program as follows:

E:\xss4j> java dsig.SampleSign2 your-alias(1) your-storepassword(2) your-keypassword(3) <resource> <resource> .... > signature.xml

You can specify <resource> as follows:

This program always uses DSS for signing, SHA1 for digesting, `Canonical XML' Recommendation for canonicalizing SignedInfo.


With TemplateSign, you can create detached, enveloping, or enveloped signature. You must prepare a template, which is an incomplete signature document. It has no KeyInfo element and no content of the SignatureValue element and DigestValue elements. We provide three sample templates in the xss4j/data/dsig/ directory, detached-dsa.templ, detached-rsa.templ, enveloped-dsa.templ, enveloping-dsa.templ, enveloping-rsa.templ.

Use this program as follows:

E:\xss4j> java dsig.TemplateSign your-alias(1) your-storepassword(2) your-keypassword(3) <template-url> > signature.xml

Verifying a signature document

Input the following command:

E:\xss4j> java dsig.VerifyGUI < signature.xml

VerifyGUI reports validity of each resource and validity of the signature. If the signature and all of signed resources were not modified, VerifyGUI reports the result of verificaion as "Core Validity: Ok".

If a resource was modified, VerifyGUI reports as "Core Validity: NG".

dsig.VerifyCUI has the same function as dsig.VerifyGUI. dsig.VerifyCUI prints the result to the console.

Application Development


Note: version numbers are only for XML-Signature implementation, not for whole of XML Security Suite.

2002.04.22 v0.9.7
We can specify prefix of DOM tree generated by KeyInfo and TemplateGenerator.
dsig.SampleSign2: Add -prefix option.
Add FAQ items:
2002.04.01 v0.9.6
W3CCanonicalizer: Does not call setEntityResolver() with null.
Fixed a bug that a registered EntityResolver is not called for a URI followed by "#id".
Switched to Xalan-J 2.3
Samples use XPathCanonicalizer instead of XMLSerializer of Xerces-J. XMLSerializer of Xerces-J 2.0.0 breaks namespace context.
Update for Exclusive XML Canonicalization Candidate Recommendation.
Fixed a bug of XPathCanonicalizer about xml:-prefix attributes.
Added -o option to dsig.TemplateSign, dsig.TemplateSignHMAC and dsig.TemplateManifest
Added -v option to dsig.TemplateSign
Added -keyfile option to dsig.TemplateSignHMAC
Added new samples: dsig.VerifyCUI, dsig.VerifyManifestCUI
2001.10.29 v0.9.5
Added XPath FAQ to dsig-howto.html
Change Alrorithm URI for Exclusive C14n: http://www.w3.org/Signature/Drafts/xml-exc-c14n to http://www.w3.org/TR/2001/xml-exc-c14n.html
Fixed a bug of EntityResolver calling.
Replaced remained setAttribute("xmlns:...", ns) with setAttributeNS(XMLNS_NS, "xmlns:...", ns).
Moved dsig.SimpleKey to dsig.util.SimpleKey
Moved dsig.Base64 to dsig.util.Base64
Renamed dsig.SignatureGenerator to dsig.TemplateGenerator
Deprecated dsig.KeyInfoGenerator and related methods. Use KeyInfo#insertTo()
Introduced new dsig.XSignatureException, which wraps various exceptions for some methods.
Fixed a bug of comments handling in Canonical XML transformer. Thanks to Angela Shi.
Support for new DName encoding.
dsig.SampleSign2: Use REC-xml-c14n.
KeyInfo: Changed return type of X509Data.getCRL()
Removed DigestMethod class.
Removed obsolete functions of XSignature.
Experimental implementation of Exclusive C14n for CanonicalizationMethod/Transform.
Switched to Xalan-J 2.0
Implemented RetrievalMethod.
KeyInfo: getKeyValues() -> getKeyValue().
Changed ResourceShower interface definition.
Updated algorithm URI for Canonical XML.
Some bug fixes.
Some bug fixes.
New KeyInfo class, that realizes flexible KeyInfo handling.
Conforming to CR-xmldsig-core-20001031
Introduced SignatureContext, NullURIHandler, KeyInfo and so on.
Conforming to WD-xmldsig-core-20001012
Conforming to WD-xmldsig-core-20000711
Added Manifest generation/verification
Changed architecture of the library.
Conforming to WD-xmldsig-core-20000601
Rewrote for WD-xmldsig-core-19991119
Renamed class names.
Document: Added a remark for Linux.

$Id: dsig.html,v 1.17 2002/04/22 04:33:04 kent Exp $