XML-Signature Implementation

This package is an implementation of XML-Signature Core Syntax and Processing [W3C REC 12-February-2002]. This package requires Java2 SDK v1.2 or later.

Status

Supported Features:

• SHA1
• Base64
• HMAC-SHA1, DSS, RSA-SHA1 (requires Java2 SDK 1.3)
• W3C Canonical XML (20000119), W3C Canonical XML with/without comments (20010315)
• XSLT, XPath, Enveloped Signature
• Manifest generation/verification
• RetrievalMethod
• Exclusive XML Canonicalization (20020212)

Not supported Features:

• Some KeyInfo features are incomplete.

Run Sample Programs

Preparation

1. Please confirm Xerces-J (v1.4.3 or later), Xalan-J v2.3, xss4j.jar and the sample directory of this package are set to CLASSPATH.

   E:\xss4j> set CLASSPATH="E:\xerces-1_4_3\xerces.jar;E:\xalan-j_2_3_0\xalan.jar;E:\xss4j\xss4j.jar;E:\xss4j\samples;"

2. If you want to sign, generate a key pair using keytool command. This operation is not needed for verification of signatures. For example:

   E:\xss4j> keytool -genkey -dname "CN=John Smith, OU=Java Technology Center, O=IBM, L=Cupertino, S=California, C=US" -alias john₍₁₎ -storepass your-storepassword₍₂₎ -keypass your-keypassword₍₃₎

   The command generates a key pair for DSA. If you want to generate a key pair for RSA signing, add `-keyalg RSA' to the command line.

Signing

SampleSign2

SampleSign2 is a sample application to create an XML-Signature. With this application, you can create:

• detached signature for external resources without transformations, and
• enveloping signature for XML resources, which are embeded by Object elements.

Use this program as follows:

E:\xss4j> java dsig.SampleSign2 your-alias₍₁₎ your-storepassword₍₂₎ your-keypassword₍₃₎ <resource> <resource> .... > signature.xml

You can specify <resource> as follows:

• -ext URL for an external resource
• -embxml URL for an embeded XML resource (Content of specified URL is embeded in the signature.)

This program always uses DSS for signing, SHA1 for digesting, `Canonical XML' Recommendation for canonicalizing SignedInfo.

TemplateSign

With TemplateSign, you can create detached, enveloping, or enveloped signature. You must prepare a template, which is an incomplete signature document. It has no KeyInfo element and no content of the SignatureValue element and DigestValue elements. We provide three sample templates in the xss4j/data/dsig/ directory, detached-dsa.templ, detached-rsa.templ, enveloped-dsa.templ, enveloping-dsa.templ, enveloping-rsa.templ.

Use this program as follows:

E:\xss4j> java dsig.TemplateSign your-alias₍₁₎ your-storepassword₍₂₎ your-keypassword₍₃₎ <template-url> > signature.xml

Verifying a signature document

Input the following command:

E:\xss4j> java dsig.VerifyGUI < signature.xml

VerifyGUI reports validity of each resource and validity of the signature. If the signature and all of signed resources were not modified, VerifyGUI reports the result of verificaion as "Core Validity: Ok".

If a resource was modified, VerifyGUI reports as "Core Validity: NG".

dsig.VerifyCUI has the same function as dsig.VerifyGUI. dsig.VerifyCUI prints the result to the console.

Application Development

• Programming Guide
• Frequently Asked Questions
• API documents

Changes

Note: version numbers are only for XML-Signature implementation, not for whole of XML Security Suite.

2002.04.22 v0.9.7

We can specify prefix of DOM tree generated by KeyInfo and TemplateGenerator.

dsig.SampleSign2: Add -prefix option.

Add FAQ items:

• How to specify prefixes of elements in generated template?
• Does whitespace modification break signatures? Does prefix rewriting break signatures?
• How to sign/verify other parts of a MIME multipart message? How to sign/verify a URI of which protocol is not supported by Java2 Runtime?

2002.04.01 v0.9.6

W3CCanonicalizer: Does not call setEntityResolver() with null.

Fixed a bug that a registered EntityResolver is not called for a URI followed by "#id".

Switched to Xalan-J 2.3

Samples use XPathCanonicalizer instead of XMLSerializer of Xerces-J. XMLSerializer of Xerces-J 2.0.0 breaks namespace context.

Update for Exclusive XML Canonicalization Candidate Recommendation.

Fixed a bug of XPathCanonicalizer about xml:-prefix attributes.

Added -o option to dsig.TemplateSign, dsig.TemplateSignHMAC and dsig.TemplateManifest

Added -v option to dsig.TemplateSign

Added -keyfile option to dsig.TemplateSignHMAC

Added new samples: dsig.VerifyCUI, dsig.VerifyManifestCUI

2001.10.29 v0.9.5

Added XPath FAQ to dsig-howto.html

Change Alrorithm URI for Exclusive C14n: http://www.w3.org/Signature/Drafts/xml-exc-c14n to http://www.w3.org/TR/2001/xml-exc-c14n.html

Fixed a bug of EntityResolver calling.

Replaced remained setAttribute("xmlns:...", ns) with setAttributeNS(XMLNS_NS, "xmlns:...", ns).

Moved dsig.SimpleKey to dsig.util.SimpleKey

Moved dsig.Base64 to dsig.util.Base64

Renamed dsig.SignatureGenerator to dsig.TemplateGenerator

Deprecated dsig.KeyInfoGenerator and related methods. Use KeyInfo#insertTo()

Introduced new dsig.XSignatureException, which wraps various exceptions for some methods.

2001.8.31

Fixed a bug of comments handling in Canonical XML transformer. Thanks to Angela Shi.

Support for new DName encoding.

dsig.SampleSign2: Use REC-xml-c14n.

KeyInfo: Changed return type of X509Data.getCRL()

Removed DigestMethod class.

Removed obsolete functions of XSignature.

Experimental implementation of Exclusive C14n for CanonicalizationMethod/Transform.

2001.4.19

Switched to Xalan-J 2.0

Implemented RetrievalMethod.

KeyInfo: getKeyValues() -> getKeyValue().

Changed ResourceShower interface definition.

Updated algorithm URI for Canonical XML.

Some bug fixes.

2001.1.26

Some bug fixes.

New KeyInfo class, that realizes flexible KeyInfo handling.

2000.11.30

Conforming to CR-xmldsig-core-20001031

Introduced SignatureContext, NullURIHandler, KeyInfo and so on.

2000.10.18

Conforming to WD-xmldsig-core-20001012

2000.7.21

Conforming to WD-xmldsig-core-20000711

Added Manifest generation/verification

2000.6.27

Changed architecture of the library.

Conforming to WD-xmldsig-core-20000601

1999.12.7

Rewrote for WD-xmldsig-core-19991119

1999.4.27

Renamed class names.

Document: Added a remark for Linux.