Skip Headers
Oracle® Security Developer Tools Reference
10g Release 2 (10.1.2)
B15975-01
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

8 Oracle XML Security

Extensible Markup Language (XML) is an application of Standard Generalized Markup Language (SGML). XML is a meta-language that allows implementors to define their own self-describing markup. Implementors use XML to define their own set of custom tags. The tags are similar to those found in an HTML document; like XML, HTML is also an application of SGML.

For a document to be valid, it must conform to all the constraints imposed by a given Document Type Definition (DTD) or schema. A valid XML document is said to be semantically correct.

XML security refers to standard security requirements of XML documents such as confidentiality, integrity, message authentication, and non-repudiation. The need for digital signature and encryption standards for XML documents prompted the World Wide Web Consortium (W3C) to put forth an XML Signature standard and an XML Encryption standard. The XML Signature standard is the product of a joint working group that also includes the Internet Engineering Task Force (IETF). In addition, the W3C and IETF have also jointly proposed an XML Key Management Specification (XKMS) that defines protocols for distributing and registering public keys associated with XML signatures and XML encryption.

This chapter describes key features and benefits of Oracle XML Security, and explains how to set up your environment to use Oracle XML Security.

This chapter contains these topics:


See Also:

The following resources provide more information about XML and XML standards:
  • W3C's Recommendation for XML 1.0

  • JavaSoft's XML FAQ

  • O'Reilly's XML Web site

  • The Internet Engineering Task Force Web Site

  • W3C's Recommendation for XML Signatures

  • W3C's Recommendation for XML Encryption

  • The proposed XML Key Management specification

Links to these resources are available in Appendix A, "References".


8.1 Oracle XML Security Features and Benefits

The Oracle XML Security SDK is a pure Java solution which provides the following features:

Links to these standards are available in Appendix A, "References".

8.2 Setting Up Your Oracle XML Security Environment

The Oracle Security Developer Tools are installed with Oracle Application Server in ORACLE_HOME.

This section explains how to set up your environment for Oracle XML Security. It contains these topics:

8.2.1 System Requirements for Oracle XML Security

In order to use Oracle XML Security, your system must have the following components installed:

  • The Java Development Kit (JDK) version 1.2.2 or higher

  • A JAXP-compatible XML parser and XSLT processor

Oracle XML Security has been tested with the following implementations:

  • Apache Xalan-Java (with Xerces-J)

  • Oracle XDK for Java


Note:

If you have questions regarding compatibility with other parsers, see the Oracle Technology Network Web Site at http://www.oracle.com/technology/index.html.

Apache Libraries

Sun JDK 1.4.x distributions contain an embedded version of the Apache Crimson parser and an older version of the Apache Xalan XSLT engine. Oracle does not recommend using these versions, as they contain a number of bugs and incompatibilities that can result in signature and encryption failures. If you are using JDK 1.4.x with an Apache XML parser, the XSLT engine, or both, put the Apache library JAR files in your JRE's /lib/endorsed directory to override the JRE's built-in version of Apache.

8.2.2 Setting the CLASSPATH Environment Variable

Your CLASSPATH environment variable must contain the full path and file names to all of the required jar and class files. Make sure the following items are included in your CLASSPATH:

  • osdt_core.jar

  • osdt_cert.jar

  • osdt_xmlsec.jar

  • jaxen.jar, which is included in the $ORACLE_HOME/jlib directory of the security tools distribution. Oracle XML Security relies on the Jaxen XPath engine for XPath processing.

  • The appropriate XML parser and XSLT processor implementations, unless you have installed them in your JRE's /lib/ext or /lib/endorsed directory.


Note:

The Jaxen library included in the Oracle XML Security distribution is a modified version of the Jaxen 1.0 FCS release. If you also have an earlier Jaxen release in your CLASSPATH, you must ensure that the version from this distribution appears first.

8.2.2.1 Setting the CLASSPATH on Windows

If you are installing Oracle XML Security on Windows, set your CLASSPATH as follows:

  1. In your Windows Control Panel, select System.

  2. In the System Properties dialog, select the Advanced tab.

  3. Click Environment Variables.

  4. In the User Variables section, click New to add a CLASSPATH environment variable for your user profile. If a CLASSPATH environment variable already exists, select it and click Edit.

  5. Add the full path and file names for all the required jar and class files to the CLASSPATH.

    For example, your CLASSPATH might look like this:

    %CLASSPATH%;C:\ORACLE_HOME\jlib\osdt_core.jar;
    C:\ORACLE_HOME\jlib\osdt_cert.jar;
    C:\ORACLE_HOME\jlib\osdt_xmlsec.jar;
    C:\ORACLE_HOME\jlib\jaxen.jar;
    
    
  6. Click OK.

8.2.2.2 Setting the CLASSPATH on UNIX

On UNIX, set your CLASSPATH environment variable to include the full path and file name of all the required jar and class files. For example:

setenv CLASSPATH $CLASSPATH:$ORACLE_HOME/jlib/osdt_core.jar:\
$ORACLE_HOME/jlib/osdt_cert.jar:\
$ORACLE_HOME/jlib/osdt_xmlsec.jar:\
$ORACLE_HOME/jlib/jaxen.jar:

8.3 Classes and Interfaces

This section describes classes in the XML Security API. It includes:

8.3.1 Core Classes

This section describes core classes, illustrates how to create class instances, and uses code samples to illustrate the capabilities of each class.

8.3.1.1 The oracle.security.xmlsec.dsig.XSSignature Class

This class represents the top-level Signature element of the XML Signature schema. Creating an instance of this class is the first step in creating a new signature or in verifying an existing signature.

To create a new signature, you create a new instance of the XSSignature class by calling the static newInstance() method:

Example 8-1 Creating a Signature with XSSignature

XSSignature sig = XSSignature.newInstance("MySignatureID");

To obtain Signature elements from an XML document to verify a signature, you first obtain an org.w3c.dom.NodeList object that contains all the Signature elements as instances of org.w3c.dom.Node. You can then iterate through the NodeList and convert each node to an instance of XSSignature, as the following example illustrates:

Example 8-2 Verifying a Signature with XSSignature

Document doc = Instance of org.w3c.dom.Document;
// Get list of all XML Signatures in the document.
NodeList sigList = doc.getElementsByTagNameNS(XMLURI.ns_xmldsig, "Signature");
if (sigList.getLength() == 0)
    System.err.println("No XML-DSIG Signature elements found.");

// Convert each org.w3c.dom.Node object to a oracle.security.xmlsec.dsig.XSSignature
// object and perform verification
for (int s = 0, n = sigList.getLength(); s < n; ++s)
{
    XSSignature sig = new XSSignature((Element)sigList.item(s));
    //Perform signature verification for this signature
    ...
}

8.3.1.2 The oracle.security.xmlsec.dsig.XSSignedInfo Class

This class represents the SignedInfo element of the XML Signature schema. As with XSSignature, you must use this class to both create and verify signatures. In signature creation, you create an instance of this class with the following code:

Example 8-3 Creating a Signature with XSSignedInfo

XSignature sig = XSSignature.newInstance("MySignatureID");
XSSignedInfo si = sig.createSignedInfo("MySignedInfoID");

When performing verification, you first obtain an instance of XSSignature as shown in Example 8-2, then obtain the SignedInfo element from the top-level Signature with the following code:

Example 8-4 Verifying a Signature with XSSignedInfo

XSSignature sig;

//Instance of XSSignature is obtained (Example 8-2)

//Get SignedInfo
XSSignedInfo si = sig.getSignedInfo();

8.3.1.3 The oracle.security.xmlsec.dsig.XSReference class

This class represents the Reference element of the XML Signature schema. You must use this class when creating and verifying signatures. In signature creation, you create an instance of this class with the following code:

Example 8-5 Creating Signature Reference Elements with XSReference

XSignature sig = XSSignature.newInstance("MySignatureID");
String uri = "the URI of the data object you want to reference";
String type = "the type of the data object you want to reference (optional)";
XSAlgorithmIdentifier digestAlg = 
    the digest algorithm identifier (e.g., XMLURI.alg_sha1);
XSReference ref = 
    sig.createReference("MyReferenceID", uri, type, digestAlg);

When performing verification, you first obtain an instance of XSSignature as shown in Example 8-2, then obtain the Reference elements from the top-level Signature with the following code:

Example 8-6 Obtaining Reference Elements of XSSignature

XSSignature sig;

//Instance of XSSignature is obtained (Example 8-2)

//Get Vector of reference objects
Vector refs = sig.References();

8.3.1.4 The oracle.security.xmlsec.dsig.XSKeyInfo class

This class represents the KeyInfo element of the XML Signature schema. You may use this class for signature creation as well as signature verification.

In signature creation, you create an instance of this class with the following code:

Example 8-7 Creating Key Information Elements with XSKeyInfo

XSignature sig = XSSignature.newInstance("MySignatureID");
XSKeyInfo si = sig.createKeyInfo("MyKeyInfoID");

A KeyInfo element can have various child elements that contain the actual key data. The classes that support these KeyInfo children are found in the oracle.security.xmlsec.keys package.

For example, to create an RSAKeyValue element containing a signer's public key, you can use the following code:

Example 8-8 Creating an RSAKeyValue Element with the Signer's Public Key

X509 cert = An instance of the oracle.security.crypto.cert.X509 class;
XSKeyInfo ki = An instance of the XSKeyInfo class;
RSAKeyValue rsaKeyValue = ki.createKeyValue(cert.getPublicKey());
ki.addKeyInfoData(rsaKeyValue);

When performing verification, you first obtain an instance of XSSignature as shown in Example 8-2, then obtain the KeyInfo element from the top-level Signature with the following code:

Example 8-9 Obtaining KeyInfo Elements of XSSignature

XSSignature sig;

//Instance of XSSignature is obtained (Example 8-2)

//Get KeyInfo
XSSignedInfo si = sig.getKeyInfo();

8.3.1.5 The oracle.security.xmlsec.enc.XEEncryptedData class

This class represents the EncryptedData element of the XML encryption schema. You must create an instance of this class when encrypting or decrypting arbitrary data or an entire XML document.

When encrypting, you create an instance of this class with the following code:

Example 8-10 Using XEEncryptedData for Encryption

Document doc = Instance of org.w3c.dom.Document;
String dataType = Either XMLURI.obj_content (content only) or
    XMLURI.obj_Element (entire element);
XEEncryptedData encData = 
    XEEncryptedData.newInstance(doc, "MyEncryptedDataID", dataType);

When decrypting, you can obtain the EncryptedData elements from an XML document with the following code:

Example 8-11 Using XEEncryptedData for Decryption

Document doc = Instance of org.w3c.dom.Document;

// Get list of all XML EncryptedData elements in the document.
NodeList encDataList = 
    doc.getElementsByTagNameNS(XMLURI.ns_xmlenc, "EncryptedData");
if (encDataList.getLength() == 0)
    System.err.println("No XML-ENC EncryptedData elements found.");

// Convert each org.w3c.dom.Node object to a 
// oracle.security.xmlsec.enc.XEEncryptedData
// object and perform decryption
for (int s = 0, n = encDataList.getLength(); s < n; ++s)
{
    XEEncryptedData = new XEEncryptedData((Element)encDataList.item(s));

    //TODO: Perform decryption of the encrypted data 
    //contained in this element
}

8.3.1.6 The oracle.security.xmlsec.enc.XEEncryptedKey Class

This class represents the EncryptedKey element of the XML Encryption Schema. You can use an instance of this class to encrypt and decrypt cryptographic key material.

When encrypting a key, you create an instance of this class with the following code:

Example 8-12 Using XEEncryptedKey for Key Encryption

Document doc = Instance of org.w3c.dom.Document;
XEEncryptedKey encKey = XEEncryptedKey.newInstance(doc, "MyEncryptedKeyID");

When decrypting a key, you first obtain the XEEncryptedData from an XML document using the code in Example 8-11, then obtain the EncryptedKey elements with the following code:

Example 8-13 Using XEEncryptedKey for Key Decryption

XEEncryptedData encData;
//Instance of XEEncryptedData is obtained (See Example 8-11

//Get Vector of XEEncryptedKey objects
XEKeyInfo ki = encData.getKeyInfo();
Vector encKeys;
if (ki != null)
    Vector encKeys = encData.getEncryptedKeys();

8.3.1.7 The oracle.security.xmlsec.enc.XEEncryptionMethod Class

This class represents the EncryptionMethod element of the XML encryption schema. It contains the algorithm and parameters used in encrypting data or encrypting a key.

When encrypting, you create an instance of this class with the following code:

Example 8-14 Using XEEncryptionMethod for Encryption

String algURI = "String containing the URI of the encryption algorithm";
XEEncryptedObject encObj = Instance of XEEncryptedData or XEEncryptedKey;
XEEncryptionMethod em = encObj.createEncryptionMethod(algURI);

When decrypting, you first obtain an EncryptedData element using Example 8-11, or an EncryptedKey element using Example 8-13, then obtain an EncryptionMethod element with the following code:

Example 8-15 Using XEEncryptionMethod for Decryption

XEEncryptedObject encObj;

//Obtain instance of XEEncryptedData (see class example earlier) or
//XEEncryptedKey (see class example earlier)
XEEncryptionMethod em = encObj.getEncryptionMethod();

8.3.1.8 The oracle.security.xmlsec.enc.XECipherData Class

This class represents the CipherData element that provides the encrypted data. It either stores the encrypted data in the CipherValue element or refers to a source containing the data through the CipherReference element. When performing encryption, you create an instance of XEEncryptedData or XEEncryptedKey, then create an instance of XECipherData with the following code:

Example 8-16 Using XECipherData when Encrypting

XEEncryptedObject encObj;

//Create an instance of XEEncryptedData (see class example earlier)
//XEEncryptedKey (see example 8-12)
XECipherData cd = encObj.createCipherData();

When decrypting, you first obtain an EncryptedData element using Example 8-11, or an EncryptedKey element using Example 8-13, then obtain an instance of an XECipherData element with the following code:

Example 8-17 Using XECipherData when Decrypting

XEEncryptedObject encObj;

//Obtain an instance of XEEncryptedData (see example 8-11) or
//XEEncryptedKey (see example 8-13)
XECipherData cd = encObj.getCipherData();

8.3.2 Supporting Classes and Interfaces

This section describes additional classes and interfaces in the Oracle XML Security SDK.

8.3.2.1 The oracle.security.xmlsec.util.XMLURI Interface

This interface defines URI string constants for algorithms, namespaces, and objects. It uses the following naming convention:

  • Algorithm URIs begin with "alg_".

  • Namespace URIs begin with "ns_".

  • Object type URIs begin with "obj_".

8.3.2.2 The oracle.security.xmlsec.util.XMLUtils class

This class contains static utility methods for XML and XML-DSIG. Methods frequently used in applications include the createDocBuilder(), createDocument(), toBytesXML(), and toStringXML() methods.

8.4 Common XML Security Questions

This section answers frequently asked questions about XML security and about using Oracle XML Security. It addresses these areas:

8.4.1 Common Questions about Keys and Certificates

This section describes common issues related to keys and certificates.

What is the DER format? The PEM format? How are these formats used?

DER is an abbreviation for ASN.1 Distinguished Encoding Rules. DER is a binary format that is used to encode certificates and private keys. Oracle XML Security SDK uses DER as its native format, as do most commercial products that use certificates and private keys.

Many other formats used to encode certificates and private keys, including PEM, PKCS #7, and PKCS #12, are transformations of DER encoding. For example, PEM (Privacy Enhanced Mail) is a text format that is the Base 64 encoding of the DER binary format. The PEM format also specifies the use of text BEGIN and END lines that indicate the type of content that is being encoded.

I received a certificate in my email in a text format. It has several lines of text characters that don't seem to mean anything. How do I convert it into the format that Oracle XML Security uses?

If you received the certificate in your email, it is in PEM format. You need to convert the certificate from PEM (Privacy-Enhanced Mail) format to ASN.1 DER (Distinguished Encoding Rules) format.

How do I use a certificate that is exported from a browser?

If you have exported the certificate from a browser, it is most likely in PKCS #12 format (*.p12 or *.pfx). You must parse the PKCS #12 object into its component parts.

8.4.2 Common Questions about XML Signatures

This section describes common questions about keys and certificates.

What signature algorithms does Oracle XML Security support?

Oracle XML Security supports the following signature algorithms:

  • DSA with SHA1

  • RSA with SHA1


See Also:

For more information about these algorithms, refer to the links for DSA-SHA and RSA-SHA in Appendix A, "References".

8.4.3 Common Questions about XML Encryption

This section describes common issues related to keys and certificates.

What data encryption algorithms does Oracle XML Security support?

Oracle XML Security supports the following signature algorithms:

  • AES-128 in CBC mode

  • AES-192 in CBC mode

  • AES-256 in CBC mode

  • DES EDE in CBC mode

Links to these standards are available in Appendix A, "References".

What key wrapping algorithms does Oracle XML Security support?

Oracle XML Security supports the following key wrapping algorithms:

  • AES-128

  • AES-192

  • AES-256

  • DES-EDE

Links to these standards are available in Appendix A, "References".

What key transport algorithms does Oracle XML Security support?

Oracle XML Security supports the following key transport algorithms:

  • RSAES-OAEP-ENCRYPT with MGF1

  • RSAES-PKCS1-v1_5

Links to these standards are available in Appendix A, "References".

What key agreement algorithms does Oracle XML Security support?

Oracle XML Security supports the Diffie-Hellman key agreement algorithm.


See Also:

A link to this standard is available in Appendix A, "References".

8.5 The Oracle XML Security API

The Oracle XML Security API is available at:

Oracle XML Security Java API Reference