XMLSig is a sample application that illustrates how to process XML Signatures containing the Decryption Transform. It can generate or validate selected Signature elements in a document.
If you do not yet have a public/private key pair, create one with the keytool utility shipped with Java 2, for example:
>keytool -genkey -alias key -keyalg RSA -dname "CN=Takeshi Imamura, OU=TRL, O=IBM, C=JP" -keypass keypass -keystore keystore -storepass storepass
You also have to prepare a keyinfo document and a template document. The keyinfo document tells XMLSig which keystore to use and how to access the keys in it, e.g., key aliases and passwords; keyinfo2.xml is a sample keyinfo document. Because it holds the keystore and key passwords in clear text, keep it readable only by the user who runs XMLSig. The template document specifies the structure of a Signature element, which determines the algorithm and key to be used and the shape of the resulting Signature element; template4.xml is a sample template document.
Before running XMLSig, make sure that all required packages (including this one) have been installed correctly. Consult the Installation Guide for details.
The usage of XMLSig is as follows:
>java enc.XMLSig option [arg...]
where option is one of:
-g keyinfo source [path...]: generate the Signature elements located by the XPath expressions paths in source and print the resulting document to stdout. The keys are obtained from the keystore specified in keyinfo by treating the identifiers given in the KeyName elements within the Signature elements as key aliases.
-v keyinfo source [path...]: validate the Signature elements located by paths in source and print the result for each, i.e., "OK" if validation succeeds and "NG" otherwise. The keys are obtained from the keystore specified in keyinfo in the same way, by treating the identifiers given in the KeyName elements within the Signature elements as key aliases.
-h: print this usage message.

Suppose that you are in data\enc\ of this package. If you want to generate the Signature element in template4.xml with a key in the keystore specified in keyinfo2.xml, type:
>java enc.XMLSig -g keyinfo2.xml template4.xml "//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature']"
The resulting document is written to stdout. Note that the Signature element contains a Decryption Transform so that the signed parts of the document can be encrypted afterwards (for example with DOMCipher or XNICipher) without breaking the signature: at validation time the transform decrypts those parts before the reference digests are recomputed.
If you then want to validate the generated Signature element with the corresponding key in the keystore specified in keyinfo1.xml, type:
>java enc.XMLSig -v keyinfo1.xml foo.xml "//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature']"
where it is assumed that you stored the signed document in foo.xml. You will see that the Signature element validates properly ("OK") even after the document has been encrypted.
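As an added illustration of the key lookup that the -v option describes, the following standalone program (example code written for this page, not part of XMLSig or the package) validates the Signature elements selected by an XPath expression with the XML Signature API built into the JDK (javax.xml.crypto.dsig), treating each KeyName as the alias of a keystore entry, just as XMLSig does. It replaces the keyinfo document with command-line arguments (keystore path, store password, document, XPath); the class name KeyNameValidate and that argument layout are this example's own choices. The JDK API does not implement the Decryption Transform, so this program applies to signatures that do not use that transform.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Added example (not XMLSig code): validates every ds:Signature selected by an
 * XPath expression, resolving ds:KeyName to a keystore alias the way XMLSig -v does.
 * Uses only the JDK XML Signature API, which has no Decryption Transform.
 *
 * Usage: java KeyNameValidate keystore storepass foo.xml
 *        "//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature']"
 */
public class KeyNameValidate {

    /** Maps each ds:KeyName to a keystore alias and returns that entry's certificate key. */
    static final class AliasKeySelector extends KeySelector {
        private final KeyStore ks;
        AliasKeySelector(KeyStore ks) { this.ks = ks; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("Signature has no KeyInfo");
            for (Object item : keyInfo.getContent()) {
                if (!(item instanceof KeyName)) continue;   // ignore KeyValue/X509Data: never trust a key the signer embeds
                String alias = ((KeyName) item).getName();
                try {
                    Certificate cert = ks.getCertificate(alias);
                    if (cert == null) throw new KeySelectorException("no keystore entry for alias " + alias);
                    Key pub = cert.getPublicKey();
                    return () -> pub;
                } catch (KeyStoreException e) {
                    throw new KeySelectorException(e);
                }
            }
            throw new KeySelectorException("KeyInfo carries no KeyName");
        }
    }

    /** Parses the signed document with DTDs and external entities disabled. */
    static Document parse(String path) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required: the signature API matches elements by namespace
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        try (FileInputStream in = new FileInputStream(path)) {
            return dbf.newDocumentBuilder().parse(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java KeyNameValidate keystore storepass document xpath");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");   // the type the keytool command above produces
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Document doc = parse(args[2]);
        NodeList sigs = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(args[3], doc, XPathConstants.NODESET);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        boolean allOk = sigs.getLength() > 0;   // no Signature selected counts as failure
        for (int i = 0; i < sigs.getLength(); i++) {
            DOMValidateContext ctx = new DOMValidateContext(new AliasKeySelector(ks), sigs.item(i));
            // Rejects weak algorithms and unreasonable transform chains.
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            XMLSignature sig = fac.unmarshalXMLSignature(ctx);
            boolean ok = sig.validate(ctx);   // checks SignatureValue and every Reference digest
            System.out.println(ok ? "OK" : "NG");
            allOk &= ok;
        }
        System.exit(allOk ? 0 : 1);
    }
}
```

Two design points carry over to any validator of this kind: the verification key comes from a keystore the verifier controls, selected by alias, and never from key material embedded in the Signature itself; and the signed document is parsed with DTD processing disabled, since a Signature to be validated is by definition input from another party.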