JSR 105, v1.0 (Final Draft)
JSR 105 Packages | |
---|---|
javax.xml.crypto | Common classes for XML cryptography. |
javax.xml.crypto.dom | DOM-specific classes for the javax.xml.crypto package. |
javax.xml.crypto.dsig | Classes for generating and validating XML digital signatures. |
javax.xml.crypto.dsig.dom | DOM-specific classes for the javax.xml.crypto.dsig package. |
javax.xml.crypto.dsig.keyinfo | Classes for parsing and processing KeyInfo elements and structures. |
javax.xml.crypto.dsig.spec | Parameter classes for XML digital signatures. |
Please send all comments to: jsr-105-comments@sun.com. We appreciate your comments and the time taken to review the API.
When this specification is final, there will be a Reference Implementation which will demonstrate the capabilities of this API and will provide an operational definition of this specification. A Technology Compatibility Kit (TCK) will also be available that will verify whether an implementation of the specification is compliant. These are required as per the Java Community Process(SM) 2.1.
The JSR 105 API is intended to target the following two types of users:
javax.xml.crypto.dom and javax.xml.crypto.dsig.dom packages.
TransformService class):
Allowing developers to plug in their own implementations of XML Signature
algorithms without requiring them to create a complete JSR 105
implementation seems like a worthy goal but SHALL NOT be REQUIRED for this
release of JSR 105. A solution we are investigating for a subsequent
release of J2SE is to enhance the underlying JCA/JCE to add better support
for registering, parsing and processing XML security algorithms,
parameters, and key information.
javax.xml.crypto
javax.xml.crypto.dom
javax.xml.crypto.dsig
javax.xml.crypto.dsig.dom
javax.xml.crypto.dsig.keyinfo
javax.xml.crypto.dsig.spec
The javax.xml.crypto package contains common classes that are used to perform XML cryptographic operations, such as generating an XML signature or encrypting XML data. Two notable classes in this package are the KeySelector class, the purpose of which is to allow developers to supply implementations which locate and optionally validate keys using the information contained in a KeyInfo object, and the URIDereferencer class, which allows developers to create and specify their own URI dereferencing implementations.
The javax.xml.crypto.dsig package includes interfaces that represent the core elements defined in the W3C XML digital signature specification. Of primary significance is the XMLSignature class, which allows you to sign and validate an XML digital signature. Most of the XML signature structures or elements are represented by a corresponding interface (except for the KeyInfo structures, which are included in their own package, and discussed in the next paragraph). These interfaces include: SignedInfo, CanonicalizationMethod, SignatureMethod, Reference, Transform, DigestMethod, XMLObject, Manifest, SignatureProperty, and SignatureProperties. The XMLSignatureFactory class is an abstract factory that is used to create objects that implement these interfaces.
The javax.xml.crypto.dsig.keyinfo package contains interfaces that represent most of the KeyInfo structures defined in the W3C XML digital signature recommendation, including KeyInfo, KeyName, KeyValue, X509Data, X509IssuerSerial, RetrievalMethod, and PGPData. The KeyInfoFactory class is an abstract factory that is used to create objects that implement these interfaces.
The javax.xml.crypto.dsig.spec package contains interfaces and classes representing input parameters for the digest, signature, transform, or canonicalization algorithms used in the processing of XML signatures.
Finally, the javax.xml.crypto.dom and javax.xml.crypto.dsig.dom packages contain DOM-specific classes for the javax.xml.crypto and javax.xml.crypto.dsig packages, respectively. Only developers and users who are creating or using a DOM-based XMLSignatureFactory or KeyInfoFactory implementation should need to make direct use of these packages.
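The packages described above, used together to sign and then validate an enveloped signature. This is an added example, not code from the specification or its reference implementation. The class name EnvelopedSignatureDemo, the sample document, the throwaway RSA key pair and the choice of RSA-SHA256 are assumptions made for the illustration.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

// Hypothetical demo class; the document and key pair are constructed for the example.
public class EnvelopedSignatureDemo {
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature processing needs a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder().parse(
            new InputSource(new StringReader("<order><item>widget</item></order>")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // "DOM" is the one standard XML mechanism type.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",  // "" = the whole enclosing document
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        // No KeyInfo is embedded (null): the verifier must already know the key.
        fac.newXMLSignature(si, null)
           .sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        // Validate against a key the verifier pins itself through a KeySelector.
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(
            KeySelector.singletonKeySelector(kp.getPublic()), sigNode);
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        System.out.println("core validation: " + sig.validate(vc));
        System.out.println("signature value: " + sig.getSignatureValue().validate(vc));
        for (Object r : sig.getSignedInfo().getReferences())
            System.out.println("reference: " + ((Reference) r).validate(vc));
    }
}
```

When core validation fails, the separate SignatureValue and Reference results show whether the signature itself or a referenced digest is the part that did not verify.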
XMLSignatureFactory and KeyInfoFactory classes and is responsible for creating objects and algorithms that parse, generate and validate XML Signatures and KeyInfo structures. A concrete implementation of XMLSignatureFactory MUST provide support for each of the REQUIRED algorithms as specified by the W3C recommendation for XML Signatures. It MAY support other algorithms as defined by the W3C recommendation or other specifications.
JSR 105 leverages the JCA provider model for registering and loading XMLSignatureFactory and KeyInfoFactory implementations.
Each concrete XMLSignatureFactory or KeyInfoFactory implementation supports a specific XML mechanism type that identifies the XML processing mechanism that an implementation uses internally to parse and generate XML signature and KeyInfo structures. This JSR supports one standard type: DOM. Support for new standard types (such as JDOM) MAY be added in the future.
A JSR 105 implementation SHOULD use underlying JCA engine classes, such as java.security.Signature and java.security.MessageDigest to perform cryptographic operations.
In addition to the XMLSignatureFactory and KeyInfoFactory classes, JSR 105 supports a service provider interface for transform and canonicalization algorithms. The TransformService class allows you to develop and plug in an implementation of a specific transform or canonicalization algorithm for a particular XML mechanism type. The TransformService class uses the standard JCA provider model for registering and loading implementations. Each JSR 105 implementation SHOULD use the TransformService class to find a provider that supports transform and canonicalization algorithms in XML Signatures that it is generating or validating.
XMLSignatureFactory, KeyInfoFactory or TransformService in order to minimize interoperability problems:
The unmarshalXMLSignature method of XMLSignatureFactory MUST support DOMValidateContext types. If the type is DOMValidateContext, it SHOULD contain an Element of type Signature. Additionally, the unmarshalXMLSignature method MAY populate the Id/Element mappings of the passed-in DOMValidateContext.
The sign method of XMLSignatures produced by XMLSignatureFactory MUST support DOMSignContext types and the validate method MUST support DOMValidateContext types. This requirement also applies to the validate method of SignatureValue and the validate method of Reference.
DOMStructures as the mechanism for the application to specify extensible content (any elements or mixed content).
If the dereference method of user-specified URIDereferencers returns NodeSetData objects, the iterator method MUST return an iteration over objects of type org.w3c.dom.Node.
URIReference objects passed to the dereference method of user-specified URIDereferencers MUST be of type DOMURIReference and XMLCryptoContext objects MUST implement DOMCryptoContext.
URIDereferencers returned by the getURIDereferencer method of XMLSignatureFactory and KeyInfoFactory.
The unmarshalKeyInfo method of KeyInfoFactory MUST support DOMStructure types. If the type is DOMStructure, it SHOULD contain an Element of type KeyInfo.
The transform method of Transform MUST support DOMCryptoContext context parameter types.
The newTransform and newCanonicalizationMethod methods of XMLSignatureFactory MUST support DOMStructure parameter types.
The init and marshalParams methods of TransformService MUST support DOMStructure and DOMCryptoContext types.
The unmarshalXMLSignature method of XMLSignatureFactory MUST support DOMStructure types. If the type is DOMStructure, it SHOULD contain an Element of type Signature.
The marshal method of KeyInfo MUST support DOMStructure and DOMCryptoContext parameter types.
XMLSignatureFactory might use a SAX parser internally to canonicalize data.
<Reference URI="document.xml">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<XPath>id("foo")</XPath>
</Transform>
</Transforms>
</Reference>
Dereferencing the external document results in an octet stream which is subsequently converted to a NodeSet by the JSR 105 implementation. But the API does not provide a mechanism for registering ID attributes of external documents and therefore the XPath Transform implementation may be unable to identify the "foo" ID.
XMLStructure, AlgorithmMethod to a new package (ex: javax.xml.security) for use by other XML security JSRs such as JSR 106, JSR 104, & JSR 183.
javax.xml.crypto and moving existing packages to the new hierarchy.
String to avoid API dependencies on java.net.URI class introduced in J2SE 1.4 (see API dependency requirements).
DOMIdMap to register ID/Element pairs in v0.8.
XMLCryptoContext.setURIDereferencer method for overriding provider's default URIDereferencer implementation.
URIDereferencer overrides default. Added methods to XMLSignatureFactory and KeyInfoFactory that return a reference to the default URIDereferencer.
Signature elements with empty DigestValue and SignatureValue elements).
XMLSignature and re-signing it. If new key info needs to be inserted, it can be specified by constructing a new XMLSignature with the signed info & embedded objects of an unmarshaled signature, along with the new key info structure.
KeyInfo types or XMLObjects of an existing XMLSignature.
DOMKeyValue & RSAKeyValue so that keys of these types can be unmarshalled and processed by a KeySelector that supports resolving RetrievalMethod structures.
java.security.KeyFactory class to decode XML key values.
XMLSignContext property that allows the user to specify a source of randomness for signing (i.e., a SecureRandom object).
Resolution: no changes made
DOMNodeSetData a class to make it easier to implement DOM-based URIDereferencers.
Resolution: fixed in v0.10
KeySelector.Purpose class.
Resolution: no changes made
KeySelector that finds a trusted key from X.509 content contained in X509Data KeyInfo types.
Example 6 demonstrates how to construct, sign and validate a SOAP message
using the SAAJ and JSR 105 APIs.