Very incomplete notes from the XML Security using Apache session. The slides cover things better than my notes do but I thought I should save what I wrote down anyway. I gave up taking notes half way through once I realized I wasn’t really adding anything to the slides that should be available online anyway.

XML Security with Apache Signature JCP effort by Sun and IBM. Goal is to create an extensible provider based API DOM independent API Non-Goals Support for a higher level API Support user pluggable algorithms – no standard way for users to plugin extra algorithms. XML Specification Signature SignedInfo – all refs to data being signed. References Transforms KeyInfo – clues for how to find the key that was used. SignatureValue – the actual signature value. B asics: XMLSignatureFactory The entry point for the API. Has methods to create all elements requuired in the signature. Standard singleton pattern. Instantiated by: getInstance(); getInstance(“DOM”, new <placeholder_provider>()); Can create a signature out of the factory. The XMLSignature class is the main class for interaction. XMLSignatureFactory.newInstance(); or XMLSignatureFactory.unmarshalXMLSignature(); XMLSignatureFactory fac = XMLSignatureFactory.getInstance(); Reference ref= fac.newReference(“http://xml.apache.org/”, fac.newDigestMethod(DigestMethod.SHA1, null)); SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicaalizationMetho.INCLUSIVE_WITH_COMMENTS, null), fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null), Collections.signletonList(ref)); XMLSignature signature = fac.newXMLSignature(si, null); Use the Sign and ValidateContext to provide URIDerferencer, KeySelector and BaseURI. Also can set some generic properties – can be provider specific. Create a KeyPair kp Document do c= dbf.newDocumentBuilder().newDocument(); // We use document but can use any element as the root element to be signed. DOMSignContext signContext = new DOMSignContext(kp.getPrivate(), doc); signature.sign(signContext); Verifying Create an XMLSignature from XML Setup a KeySelector Create a XMLValidateContext Validate the Signature Parse the document. Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0])); // Find signature element. This only checks for a Signature root element. Can contain multiple signatures. Node signatureNode = doc.getElementsByTagN….. KeyInfos are created from their own factory. XMLSignatureFactory.getKeyInfoFactory(); Any XMLStructure is allowed inside a KeyInfo You can put anything in your key infos it doesn’ thave to be one of the predefined types in the spec. The KeyInfo is passed to the KeySelector on validation. When signing it is passed to the newXMLSignature method on XMLSignatureFactory for inclusion in the signature. Encryption Make sure you have a JCE provider. Remember to initialize the XML security library org.apache.xml.security.Init.init(); Not initializing will thow an Exception Overview Specify key algorithm – different than specifying an encryption algorithm Initialize KeyCipher Generate encryption keys Specify encryption algo … All algorithms specified in XMLCipher.