Programming With the Java XML Digital Signature API
4/8/12
The resulting enveloped XML signature, indented and formatted for readability, appears in XML Sample 2.

XML Sample 2

<?xml version="1.0" encoding="UTF-8"?>
<PurchaseOrder>
  <Item number="130046593231">
    <Description>Video Game</Description>
    <Price>10.29</Price>
  </Item>
  <Buyer id="8492340">
    <Name>My Name</Name>
    <Address>
      <Street>One Network Drive</Street>
      <Town>Burlington</Town>
      <State>MA</State>
      <Country>United States</Country>
      <PostalCode>01803</PostalCode>
    </Address>
  </Buyer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>tVicGh6V+8cHbY1Oo3+hcDYy+Uk=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
      dJDHiGQMaKN8iPuWApAL57eVnxz2BQtyujwfPSgE7HyKoxYtoRB97ocxZ
      8ZU440wHtE39ZwRGIjvwor3WfURxnIgnI1CChMXXwoGpHH//Zc0z4ejaz
      DuCNEq4Mm4OUVTiEVucWAOMkfDHaM82awYQiOGcwMbZe38UX0oPJ2DOE=
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName>CN=My Name,O=Test Certificates Inc.,C=US</X509SubjectName>
        <X509Certificate>
          MIIB9zCCAWCgAwIBAgIERZwdkzANBgkqhkiG9w0BAQUFADBAMQswCQYD
          VQQGEwJVUzEfMB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgSW5jLjEQ
          MA4GA1UEAxMHTXkgTmFtZTAeFw0wNzAxMDMyMTE4MTFaFw0zMTA4MjUy
          ...
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</PurchaseOrder>
Note that the Signature element has been inserted inside the content that it is signing, thereby making it an enveloped signature. XML Sample 3 shows the SignedInfo element that contains the information that is actually signed.

XML Sample 3

<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>tVicGh6V+8cHbY1Oo3+hcDYy+Uk=</DigestValue>
  </Reference>
</SignedInfo>
The CanonicalizationMethod element defines as a URI the algorithm used to canonicalize the SignedInfo element before it is signed or validated. Canonicalization is the process of converting XML content to a physical representation, called the canonical form, in order to eliminate subtle changes that can invalidate a signature over that data. Canonicalization is necessary due to the nature of XML and the way it is parsed by different processors and intermediaries, which can change the data in such a way that the signature is no longer valid but the signed data is still logically equivalent. Canonicalization eliminates these permissible syntactic variances by converting the XML to a canonical form before generating or validating the signature.

The SignatureMethod element defines as a URI the digital signature algorithm used to generate the signature, in this case the PKCS#1 RSA-SHA1 algorithm as described in RFC 2437.

One or more Reference elements identify the data that is signed. Each Reference element identifies the data by way of a URI. The example in XML Sample 3 contains a single Reference element, and the URI is the empty String, "", which indicates the root of the document -- in other words, the whole document. The Reference URIs could also point to external data, such as "http://java.sun.com", or to references within the same document, such as "#purchaseOrder".

The optional Transforms element contains a list of one or more Transform elements, each of which describes a transformation algorithm used to transform the data before it is digested and signed, or validated. This example contains one Transform element for the enveloped transform algorithm. The enveloped transform is required for enveloped signatures so that the Signature element itself is removed before calculating the signature value. Otherwise, the signature would include itself in the data to be signed, which is not correct. Another example of a useful transform algorithm is the XPath Filter transform, which allows you to specify an XPath expression that selects a subset of nodes to be signed.

The DigestMethod element defines as a URI the algorithm used to digest the data, in this case, SHA1. The DigestValue element contains the actual base64-encoded digest value.

The SignatureValue element contains the base64-encoded signature value of the signature over the SignedInfo element, as XML Sample 4 shows.

XML Sample 4

<SignatureValue>
  dJDHiGQMaKN8iPuWApAL57eVnxz2BQtyujwfPSgE7HyKoxYtoRB97ocxZ
  8ZU440wHtE39ZwRGIjvwor3WfURxnIgnI1CChMXXwoGpHH//Zc0z4ejaz
  DuCNEq4Mm4OUVTiEVucWAOMkfDHaM82awYQiOGcwMbZe38UX0oPJ2DOE=
</SignatureValue>
The optional KeyInfo element contains information about the key that is needed to validate the signature, as in XML Sample 5.
XML Sample 5

<KeyInfo>
  <X509Data>
    <X509SubjectName>CN=My Name,O=Test Certificates Inc.,C=US</X509SubjectName>
    <X509Certificate>
      MIIB9zCCAWCgAwIBAgIERZwdkzANBgkqhkiG9w0BAQUFADBAMQswCQYD
      VQQGEwJVUzEfMB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgSW5jLjEQ
      MA4GA1UEAxMHTXkgTmFtZTAeFw0wNzAxMDMyMTE4MTFaFw0zMTA4MjUy
      ...
    </X509Certificate>
  </X509Data>
</KeyInfo>
The KeyInfo element can contain various kinds of content, such as X.509 certificates and Pretty Good Privacy (PGP) key identifiers. See the KeyInfo section of the XML Signature standard for more information on KeyInfo and the types of information it may contain. In this example, KeyInfo contains an X509Data element that contains an X509SubjectName element identifying the subject Distinguished Name of the signer's X.509 certificate and an X509Certificate element containing the signer's base64-encoded certificate. This certificate contains the public key needed to validate the signature. The KeyInfo section of the XML Signature Recommendation provides more information on the different KeyInfo types.

It is important to note that the XML signature standard does not define how the recipient establishes trust in the key that is needed to validate the signature. The KeyInfo element is merely a collection of information that the recipient can use to help find and subsequently establish trust in that key.

API Architecture

The Java XML Digital Signature API was defined under the Java Community Process program as JSR 105. The API is designed to support all of the required or recommended features of the W3C Recommendation for XML-Signature Syntax and Processing. The API is based on the Java Cryptography Service Provider Architecture. This allows you to develop a service provider implementation of the API. Service providers implement a specific XML mechanism that identifies the XML-parsing mechanism that the implementation uses. The service provider in Sun's implementation of Java SE 6 supports the Document Object Model (DOM) mechanism. See the XML Digital Signature API overview for more information on service providers. The API contains six new packages, as Table 1 indicates.

Table 1. New Packages in the Java XML Digital Signature API

Package: javax.xml.crypto
Contents: Contains common classes that are used to perform XML cryptographic operations.

Package: javax.xml.crypto.dom
Contents: Contains DOM-specific classes for the javax.xml.crypto package.

Package: javax.xml.crypto.dsig
Contents: Contains classes that represent the core elements defined in the XML digital signature specification. Of primary significance is the XMLSignature class, which allows you to sign and validate an XML digital signature. The XMLSignatureFactory class is an abstract factory that is used to create objects that implement these interfaces.

Package: javax.xml.crypto.dsig.dom
Contents: Contains DOM-specific classes for the javax.xml.crypto.dsig package.

Package: javax.xml.crypto.dsig.keyinfo
Contents: Contains classes that represent the KeyInfo structures defined in the XML digital signature recommendation. The KeyInfoFactory class is an abstract factory that is used to create objects that implement these interfaces.

Package: javax.xml.crypto.dsig.spec
Contents: Contains classes representing input parameters for the digest, signature, transform, or canonicalization algorithms used in the processing of XML signatures.

Generating an XML Signature

This section will show you how to use the API to generate an XML signature over the contents of the PurchaseOrder element that the article introduced earlier.
For this example, you will use DOM to parse the XML data that you will be signing. Code Sample 1 shows a few of the key steps in generating an XML signature:

Code Sample 1

// Create a DOM XMLSignatureFactory that will be used to
// generate the enveloped signature.
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

// Create a Reference to the enveloped document (in this case,
// you are signing the whole document, so a URI of "" signifies
// that, and also specify the SHA1 digest algorithm and
// the ENVELOPED Transform.
Reference ref = fac.newReference
    ("", fac.newDigestMethod(DigestMethod.SHA1, null),
     Collections.singletonList
      (fac.newTransform
        (Transform.ENVELOPED, (TransformParameterSpec) null)),
     null, null);

// Create the SignedInfo.
SignedInfo si = fac.newSignedInfo
    (fac.newCanonicalizationMethod
      (CanonicalizationMethod.INCLUSIVE,
       (C14NMethodParameterSpec) null),
     fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
     Collections.singletonList(ref));
The first step in the generation of an XML signature is to instantiate an XMLSignatureFactory mechanism. The getInstance method of the XMLSignatureFactory class looks for a service provider that supports DOM and returns an XMLSignatureFactory implementation from the provider with the highest preference. The XMLSignatureFactory is a key class in the API and, as shown in Code Sample 1, is used to assemble the different components of the XMLSignature.

The second block of code in Code Sample 1 creates the Reference object, which identifies the data that will be digested and signed. The Reference object is assembled by creating and passing as parameters each of its components: the URI, the DigestMethod, and a list of Transforms.

The third block of code in Code Sample 1 creates the SignedInfo object that the signature is calculated over. Like the Reference object, the SignedInfo object is assembled by creating and passing as parameters each of its components: the CanonicalizationMethod, the SignatureMethod, and a list of References.

Code Sample 2 shows the steps involved in constructing the KeyInfo object.

Code Sample 2

// Load the KeyStore and get the signing key and certificate.
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("mykeystore.jks"), "changeit".toCharArray());
KeyStore.PrivateKeyEntry keyEntry =
    (KeyStore.PrivateKeyEntry) ks.getEntry
        ("mykey", new KeyStore.PasswordProtection("changeit".toCharArray()));
X509Certificate cert = (X509Certificate) keyEntry.getCertificate();

// Create the KeyInfo containing the X509Data.
KeyInfoFactory kif = fac.getKeyInfoFactory();
List x509Content = new ArrayList();
x509Content.add(cert.getSubjectX500Principal().getName());
x509Content.add(cert);
X509Data xd = kif.newX509Data(x509Content);
KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
For this example, the signing key and certificate are stored in a KeyStore file. The first block of code retrieves the signer's X.509 certificate from the keystore. The second block of code creates the KeyInfo object, using a KeyInfoFactory, which is a factory for assembling KeyInfo objects. The KeyInfo object consists of an X509Data object containing the certificate and the subject Distinguished Name.

Now you instantiate the document to be signed, create the XMLSignature object, and generate the signature, as Code Sample 3 shows.

Code Sample 3

// Instantiate the document to be signed.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Document doc = dbf.newDocumentBuilder().parse
    (new FileInputStream("purchaseOrder.xml"));

// Create a DOMSignContext and specify the RSA PrivateKey and
// location of the resulting XMLSignature's parent element.
DOMSignContext dsc = new DOMSignContext
    (keyEntry.getPrivateKey(), doc.getDocumentElement());

// Create the XMLSignature, but don't sign it yet.
XMLSignature signature = fac.newXMLSignature(si, ki);

// Marshal, generate, and sign the enveloped signature.
signature.sign(dsc);
The Document now contains the Signature element. You can verify this by using the JAXP Transformer API to dump the contents of the document to a file, as Code Sample 4 shows.

Code Sample 4

// Output the resulting document.
OutputStream os = new FileOutputStream("signedPurchaseOrder.xml");
TransformerFactory tf = TransformerFactory.newInstance();
Transformer trans = tf.newTransformer();
trans.transform(new DOMSource(doc), new StreamResult(os));
Validating an XML Signature

You will now learn to use the API to validate an XML signature over the contents of the PurchaseOrder element that you just signed. Code Sample 5 shows the key steps in validating an XML signature.

Code Sample 5

// Find Signature element.
NodeList nl =
    doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nl.getLength() == 0) {
    throw new Exception("Cannot find Signature element");
}

// Create a DOMValidateContext and specify a KeySelector
// and document context.
DOMValidateContext valContext = new DOMValidateContext
    (new X509KeySelector(), nl.item(0));

// Unmarshal the XMLSignature.
XMLSignature signature = fac.unmarshalXMLSignature(valContext);

// Validate the XMLSignature.
boolean coreValidity = signature.validate(valContext);
First, you must find the location of the Signature element that you wish to validate. One way to do this is to use the DOM getElementsByTagNameNS method as shown in Code Sample 5. The second block of code creates a DOMValidateContext object containing a KeySelector object and a reference to the Signature element. The purpose of the KeySelector object is to obtain the public key using the information in the KeyInfo element and hand it back to be used as the validation key. The next section will discuss KeySelectors in more detail. The last two lines of code unmarshal and validate the signature. The validate method returns true if the signature is valid and false if it is invalid.

If the signature is invalid, some additional code is necessary to determine the cause of the failure, as Code Sample 6 shows.

Code Sample 6

// Check core validation status.
if (coreValidity == false) {
    System.err.println("Signature failed core validation");
    boolean sv = signature.getSignatureValue().validate(valContext);
    System.out.println("signature validation status: " + sv);
    if (sv == false) {
        // Check the validation status of each Reference.
        Iterator i = signature.getSignedInfo().getReferences().iterator();
        for (int j = 0; i.hasNext(); j++) {
            boolean refValid = ((Reference) i.next()).validate(valContext);
            System.out.println("ref[" + j + "] validity status: " + refValid);
        }
    }
} else {
    System.out.println("Signature passed core validation");
}
The code in Code Sample 6 determines the cause of an invalid signature as one of two possibilities:

An invalid signature. The cryptographic verification of the signature failed. This can be caused by an incorrect validation key or a change to the SignedInfo contents since the signature was generated.

An invalid reference or references. The verification of the digest of a reference failed. This can be caused by a change to the referenced data since the signature was generated.

Before moving on to the next section, it is important to note that transforms can change the contents of the data that is referenced before it is signed. Therefore, it may be important to show the contents of exactly what has been signed to the validating user. You can do this by enabling reference caching in the DOMValidateContext object before validating the signature and invoking the getDigestInputStream method of the Reference objects contained in the signature, as Code Sample 7 shows.

Code Sample 7

valContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);

// Unmarshal the XMLSignature.
XMLSignature signature = fac.unmarshalXMLSignature(valContext);

// Validate the XMLSignature.
boolean coreValidity = signature.validate(valContext);

Iterator i = signature.getSignedInfo().getReferences().iterator();
for (int j = 0; i.hasNext(); j++) {
    InputStream is = ((Reference) i.next()).getDigestInputStream();
    // Display the data.
}
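The following program is an added, self-contained example and is not code from the article or from Sun's JDK samples. It ties Code Samples 1 through 6 together into one run that needs no keystore or input file: it generates an RSA key pair in memory, signs a constructed PurchaseOrder-shaped document with an enveloped signature, and then validates three variants of the serialized result. The second variant rewrites the signed content in a logically equivalent way (single-quoted attribute, an added comment) to show the canonicalization point made in the SignedInfo discussion; the third changes a signed value to show the Reference-level diagnosis of Code Sample 6. Assumptions not taken from the article: the sample document, the class and method names, a KeyValue in KeyInfo instead of an X.509 certificate, KeySelector.singletonKeySelector because the verifier already knows the public key, and SHA-256 (RFC 4051 URI) instead of the article's SHA-1.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class EnvelopedRoundTrip {
    // Constructed sample input, same shape as the article's PurchaseOrder (not its file).
    static final String PO = "<PurchaseOrder><Item number=\"130046593231\" currency=\"USD\">"
        + "<Description>Video Game</Description><Price>10.29</Price></Item></PurchaseOrder>";
    // RFC 4051 URI for RSA with SHA-256 (the SignatureMethod.RSA_SHA256 constant exists only on newer JDKs).
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // the Signature element lives in the xmldsig namespace
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter sw = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();
    }

    // Enveloped signature over the whole document (URI ""), as in Code Samples 1 to 3,
    // but carrying a KeyValue in KeyInfo instead of an X.509 certificate.
    static String sign(String xml, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        Document doc = parse(xml);
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return serialize(doc);
    }

    // Core validation plus the per-part diagnosis of Code Sample 6, returned as one string.
    static String validate(String signedXml, KeySelector ks) throws Exception {
        Document doc = parse(signedXml);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new Exception("Cannot find Signature element");
        DOMValidateContext valContext = new DOMValidateContext(ks, nl.item(0));
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(valContext);
        if (signature.validate(valContext)) return "valid";
        StringBuilder why = new StringBuilder("invalid: SignatureValue=")
            .append(signature.getSignatureValue().validate(valContext));
        Iterator<?> i = signature.getSignedInfo().getReferences().iterator();
        for (int j = 0; i.hasNext(); j++) {
            why.append(" Reference[").append(j).append("]=").append(((Reference) i.next()).validate(valContext));
        }
        return why.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // The verifier already holds the public key, so nothing in KeyInfo is trusted for key selection.
        KeySelector ks = KeySelector.singletonKeySelector(kp.getPublic());

        String signed = sign(PO, kp);
        System.out.println("as signed:  " + validate(signed, ks));

        // Logically equivalent rewrite: canonicalization normalises attribute quoting and
        // omits comments, so the Reference digest computed over the canonical form is unchanged.
        String equivalent = signed.replace("currency=\"USD\"", "currency='USD'")
                                  .replace("<Price>", "<!-- reviewed --><Price>");
        System.out.println("equivalent: " + validate(equivalent, ks));

        // A real change to signed content: SignedInfo still verifies, the Reference digest does not.
        String tampered = signed.replace("<Price>10.29</Price>", "<Price>0.01</Price>");
        System.out.println("tampered:   " + validate(tampered, ks));
    }
}
```

The first two documents validate, because the digest is taken over the canonical form of the enveloped-transform output rather than over the bytes as serialized; the third fails core validation with SignatureValue still valid and Reference[0] invalid, which is exactly the "invalid reference" case the article distinguishes from a bad key or an altered SignedInfo. SHA-256 is used rather than the article's SHA-1 because JDK 17 and later reject SHA-1 based XML signatures under their default secure validation policy.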
The transform issue just described, along with other security concerns, is discussed in more detail in the security considerations section of the XML Signature Recommendation.

The KeySelector Class
A KeySelector is an abstract class that is responsible for finding and returning a key using the data contained in a KeyInfo object. In Code Sample 5, you passed an X509KeySelector object, which is a very simple implementation of KeySelector that looks for and returns a public key of an X.509 certificate, as Code Sample 8 shows.

Code Sample 8

public class X509KeySelector extends KeySelector {
    public KeySelectorResult select(KeyInfo keyInfo,
                                    KeySelector.Purpose purpose,
                                    AlgorithmMethod method,
                                    XMLCryptoContext context)
        throws KeySelectorException {
        Iterator ki = keyInfo.getContent().iterator();
        while (ki.hasNext()) {
            XMLStructure info = (XMLStructure) ki.next();
            if (!(info instanceof X509Data))
                continue;
            X509Data x509Data = (X509Data) info;
            Iterator xi = x509Data.getContent().iterator();
            while (xi.hasNext()) {
                Object o = xi.next();
                if (!(o instanceof X509Certificate))
                    continue;
                final PublicKey key = ((X509Certificate)o).getPublicKey();
                // Make sure the algorithm is compatible
                // with the method.
                if (algEquals(method.getAlgorithm(), key.getAlgorithm())) {
                    return new KeySelectorResult() {
                        public Key getKey() { return key; }
                    };
                }
            }
        }
        throw new KeySelectorException("No key found!");
    }

    static boolean algEquals(String algURI, String algName) {
        if ((algName.equalsIgnoreCase("DSA") &&
            algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) ||
            (algName.equalsIgnoreCase("RSA") &&
            algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
            return true;
        } else {
            return false;
        }
    }
}
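The class below is an added example, not the article's code, showing the "keystore of trusted keys" approach that the article recommends over Code Sample 8: the certificate carried in X509Data is accepted only if it is byte-for-byte one of the certificates loaded from a truststore, is within its validity period, and (if a KeyUsage extension is present) permits digital signatures. The class name, the fromKeyStore helper, the algCompatible URI matching and the command-line arguments (truststore path and password) are assumptions for this example; building and validating a certificate chain to a trust anchor, the other option the article names, is not implemented here.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;

/** Hands back a validation key only when the KeyInfo certificate is one the verifier already trusts. */
public class TrustedCertKeySelector extends KeySelector {
    private final Set<X509Certificate> trusted;

    public TrustedCertKeySelector(Set<X509Certificate> trusted) {
        this.trusted = Collections.unmodifiableSet(new HashSet<X509Certificate>(trusted));
    }

    /** Collects every trusted-certificate entry of a keystore (private-key entries are ignored). */
    public static TrustedCertKeySelector fromKeyStore(KeyStore ks) throws Exception {
        Set<X509Certificate> certs = new HashSet<X509Certificate>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        return new TrustedCertKeySelector(certs);
    }

    public int anchorCount() { return trusted.size(); }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                    AlgorithmMethod method, XMLCryptoContext context)
            throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("Null KeyInfo");
        for (Object o : keyInfo.getContent()) {
            if (!(o instanceof X509Data)) continue;      // KeyValue, KeyName etc. are not trusted sources here
            for (Object c : ((X509Data) o).getContent()) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate cert = (X509Certificate) c;
                if (!trusted.contains(cert)) continue;   // X509Certificate.equals compares the DER encoding
                try {
                    cert.checkValidity();                 // rejects expired or not-yet-valid certificates
                } catch (CertificateException ex) {
                    continue;
                }
                boolean[] ku = cert.getKeyUsage();
                if (ku != null && !ku[0]) continue;      // KeyUsage present but digitalSignature bit not set
                final PublicKey key = cert.getPublicKey();
                if (!algCompatible(method.getAlgorithm(), key.getAlgorithm())) continue;
                return new KeySelectorResult() {
                    public Key getKey() { return key; }
                };
            }
        }
        throw new KeySelectorException("No trusted certificate found in KeyInfo");
    }

    /** Matches the SignatureMethod URI family to the key type, whatever digest the URI names. */
    static boolean algCompatible(String algURI, String keyAlg) {
        String u = algURI.toLowerCase();
        if (keyAlg.equalsIgnoreCase("RSA")) return u.contains("#rsa-");
        if (keyAlg.equalsIgnoreCase("DSA")) return u.contains("#dsa-");
        if (keyAlg.equalsIgnoreCase("EC"))  return u.contains("#ecdsa-");
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: args[0] is a truststore holding the signers' certificates, args[1] its password.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(args[0]);
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
        TrustedCertKeySelector selector = fromKeyStore(ks);
        System.out.println("trust anchors loaded: " + selector.anchorCount());
        // Pass 'selector' to new DOMValidateContext(selector, signatureNode) as in Code Sample 5.
    }
}
```

Because the key is taken from a certificate that the verifier already holds, a signature whose KeyInfo carries an attacker-chosen certificate is rejected with a KeySelectorException before any cryptographic check runs; the KeyInfo then serves only as a hint for which trusted key to use, which is the role the article assigns to it.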
Code Sample 8 is a very simple implementation of a KeySelector that returns the public key from the first X.509 certificate it finds in the X509Data. It is for demonstration purposes only and should not be used in real-world applications. A more complete X.509 key selector implementation would check other types of X509Data and establish trust in the validation key by using a keystore of trusted keys, or by finding and validating a certificate chain from a trust anchor to the certificate containing the public key. See the Java PKI Programmer's Guide for more information about trust anchors and Java APIs that you can use to establish trust in keys.

Logging and Debugging

The Java SE 6 implementation of the XML Signature API has extensive logging support that, when enabled, will provide you with additional information to help you debug validation failures. The log messages use the JDK logging facility, java.util.logging. To enable XML signature logging, you must first configure the logging facility so that the XML signature-logging messages are emitted. You can do this by editing the JRE's default logging.properties file directly, or by creating your own file and setting it with the java.util.logging.config.file property, for example:
java -Djava.util.logging.config.file=logging.properties ...

where logging.properties contains the following code:

handlers = java.util.logging.ConsoleHandler
.level = INFO
java.util.logging.ConsoleHandler.level = FINER
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
org.jcp.xml.dsig.internal.level = FINER
com.sun.org.apache.xml.internal.security.level = FINER

This will emit log messages of level FINER and higher to the console. All other components will emit log messages of level INFO and higher. This article will not describe every log message in detail, but Table 2 lists some of the most helpful messages.

Table 2: Some Useful Log Messages

Log Message: [java] FINER: Pre-digested input: ...
Explanation: This message displays the content of the referenced data just before it was digested. This is useful for debugging reference validation failures.

Log Message: [java] FINE: Expected digest: ... and [java] FINE: Actual digest: ...
Explanation: These messages display the expected and actual base64-encoded digest values of a Reference element. This is also useful for debugging reference validation failures.

Log Message: [java] FINE: Canonicalized SignedInfo: ...
Explanation: This message displays the canonicalized SignedInfo element before it is signed. This is useful for debugging canonicalization and signature verification failures.