XML Security Using Apache

Very incomplete notes from the XML Security using Apache session. The slides cover things better than my notes do but I thought I should save what I wrote down anyway. I gave up taking notes halfway through once I realized I wasn’t really adding anything to the slides that should be available online anyway.

XML Security with Apache

Signature
JCP effort by Sun and IBM.
Goal is to create an extensible provider based API
DOM independent API

Non-Goals
Support for a higher level API
Support user pluggable algorithms - no standard way for users to plugin extra algorithms.

XML Specification
Signature
SignedInfo - all refs to data being signed.
References
Transforms
KeyInfo - clues for how to find the key that was used.
SignatureValue - the actual signature value.

Basics:
XMLSignatureFactory
The entry point for the API.
Has methods to create all elements required in the signature.
Standard singleton pattern.
Instantiated by:
getInstance();
getInstance("DOM", new ());

Can create a signature out of the factory. The XMLSignature class is the main class for interaction.
XMLSignatureFactory.newXMLSignature();

or
XMLSignatureFactory.unmarshalXMLSignature();

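XMLSignatureFactory fac = XMLSignatureFactory.getInstance();

// Reference: what is being signed and how it is digested.
Reference ref = fac.newReference("http://xml.apache.org/", fac.newDigestMethod(DigestMethod.SHA1, null));

// The cast is needed because newCanonicalizationMethod is overloaded and a bare null is ambiguous.
SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, (C14NMethodParameterSpec) null),
fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null),
Collections.singletonList(ref));

// No KeyInfo is included in this signature (second argument is null).
XMLSignature signature = fac.newXMLSignature(si, null);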

Use the sign and validate contexts to provide the URIDereferencer, KeySelector and base URI. They can also carry some generic properties, which can be provider specific.

Create a KeyPair kp
Document doc = dbf.newDocumentBuilder().newDocument();

// We use document but can use any element as the root element to be signed.
DOMSignContext signContext = new DOMSignContext(kp.getPrivate(), doc);
signature.sign(signContext);

Verifying
Create an XMLSignature from XML
Setup a KeySelector
Create an XMLValidateContext
Validate the Signature

Parse the document.
Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));

// Find signature element. This only checks for a Signature root element. Can contain multiple signatures.
Node signatureNode = doc.getElementsByTagN…..

KeyInfos are created from their own factory.
XMLSignatureFactory.getKeyInfoFactory();

Any XMLStructure is allowed inside a KeyInfo. You can put anything in your KeyInfos; it doesn’t have to be one of the predefined types in the spec.

The KeyInfo is passed to the KeySelector on validation.
When signing it is passed to the newXMLSignature method on XMLSignatureFactory for inclusion in the signature.

Encryption
Make sure you have a JCE provider.
Remember to initialize the XML security library
org.apache.xml.security.Init.init();
Not initializing will throw an Exception

Overview
Specify key algorithm - different than specifying an encryption algorithm
Initialize KeyCipher
Generate encryption keys
Specify encryption algo

All algorithms specified in XMLCipher.
