XML.com: XML From the Inside Out

Signing Messages with XSS4J
by Bilal Siddiqui | Pages: 1, 2

Step 7: Now we want to author a KeyInfo element. For this purpose, XSS4J provides a class named KeyInfo. The KeyInfo class offers functionality for easy authoring of a variety of KeyInfo elements (e.g. KeyInfo elements that wrap X.509 certificates or PGP data).

We are only concerned with how to author KeyInfo elements that wrap X.509 certificates. In order to wrap an X.509 certificate inside a KeyInfo element, XSS4J provides a class named KeyInfo.X509Data.

The KeyInfo.X509Data class can wrap certificates inside a KeyInfo element in a variety of ways. At the moment, we want to demonstrate the authoring of a KeyInfo element that wraps the actual binary content of a single certificate. We will shortly demonstrate how to author KeyInfo elements that wrap pointers to a certificate instead of the actual binary content of a certificate.

So our seventh step is to instantiate a KeyInfo.X509Data object and call its setCertificate() method, passing it the X509Certificate object from step 6. This stores the certificate's DER-encoded content in the KeyInfo.X509Data object; when the KeyInfo is written out, that content appears base64-encoded inside an X509Certificate element.

Step 8: Once you have the KeyInfo.X509Data object loaded with the correct certificate, you need to add it to the KeyInfo object. For this purpose, you instantiate a new KeyInfo object and call its setX509Data() method. The setX509Data() method takes an array of KeyInfo.X509Data objects and adds each of them to the KeyInfo object. Passing more than one is how you include a certificate chain: the signer's certificate plus the intermediate certificates the recipient may need in order to build a path from the signer's certificate to a root it trusts.

However, we have only one certificate to wrap in the KeyInfo element, so we form an array containing a single KeyInfo.X509Data object and pass that array to the KeyInfo.setX509Data() method.

Step 9: Now we have the KeyInfo element, which should be added to the signature template (the templateElement from step 4).

Step 10: After adding the KeyInfo to the signature template, we are ready to produce the XML digital signature. To do so, we need a SignatureContext object, so the next step is to instantiate one.

Step 11: Next, we instantiate an AdHocIDResolver object and pass it to the SignatureContext.setIDResolver() method. The SignatureContext will use the AdHocIDResolver to find the element to be signed.

Recall from step 5 that we set the URI attribute of the Reference element. Its value is a same-document reference: "#" followed by the Id attribute value of the element we are going to sign. Note that the Reference element is a child of the Signature element, which we stored in the templateElement node in step 4. In the next step (step 12) we will pass the templateElement node to the SignatureContext.sign() method. The sign() method internally resolves (dereferences) the URI attribute of the Reference element to find the element being signed, and the AdHocIDResolver is what maps the Id value to that element. Because the resolver determines which element gets digested, it must map each Id to exactly one element; on the verifying side, the application must likewise check that the element the signature actually covers is the one it goes on to process.

Step 12: Now we can produce the required signature by calling the SignatureContext.sign() method. The sign() method takes two parameters: the signature template element (the templateElement from step 4) and the signing key (the Key object from step 6). Recall from step 4 that we have already placed the template Signature element in its final position in the document. A call to SignatureContext.sign() simply fills in the signature data (digest values and the signature value) in that template.

Using XSS4J to sign with a pointer to a certificate

Have a look at the XMLDSigSampleWithCertificatePointer class of Listing 9, which is a very slightly modified form of the XMLDSigSampleWithCertificate class of Listing 7. The only difference between Listings 7 and 9 is in step 7.

Recall from the discussion on step 7 of Listing 7 that in order to set the binary content of a certificate into the KeyInfo.X509Data object, we called the setCertificate() method of the KeyInfo.X509Data class. The result was that the binary data representation of the certificate got wrapped inside the KeyInfo element.

But if, instead of the actual certificate, you wish to wrap a pointer to the certificate inside the KeyInfo element, the KeyInfo.X509Data class can still help you. A pointer refers to a certificate, and the recipient of the message must map the pointer to the actual certificate before verifying the signature. The recipient should resolve the pointer against certificates it already holds and trusts (a local key store, for example), rather than accepting whatever certificate the pointer appears to describe. The pointer-to-certificate mapping mechanism is not our concern here; we are only interested in demonstrating how to use XSS4J to author XML digital signature messages that wrap pointers to X.509 certificates. Please refer to the resources section to learn the details of X.509 certificates.

XSS4J supports the authoring of three types of certificate pointer: the issuer serial, the subject key identifier (which this column calls the subject ID), and the subject name. The issuer serial pairs the issuer's distinguished name with the certificate's serial number; a CA never reuses a serial number, so the pair identifies exactly one certificate from that issuer. The subject key identifier is the value of the certificate's SubjectKeyIdentifier extension, which identifies the subject's public key. The subject name is the subject's distinguished name; on its own it is the least precise of the three, since the same subject may hold several certificates.

If you want to include a pointer to a certificate in your XMLDS message, you will use the setParameters() method of the KeyInfo.X509Data class (instead of calling the setCertificate() method), as shown in step 7 of Listing 9.

The setParameters() method takes four parameters. The first is the certificate (the same X509Certificate object that we instantiated in step 6). The other three are booleans; you can pass true for any one or more of them, and each selected pointer form is written into the X509Data element.

If you pass true as the second parameter, the issuer name and serial number of the certificate are written into the X509Data element as an X509IssuerSerial element. If you pass true as the third parameter, the subject key identifier is written as an X509SKI element. If you pass true as the fourth parameter, the subject name is written as an X509SubjectName element.

Notice that we have passed "true" as value of the second parameter to the setParameters() method in step 7 of Listing 9. The third and fourth parameters are false. The resulting signed XML file is as shown in Listing 10.

If you want to include the subject identifier in the KeyInfo element, you will pass true as value of the third parameter to the setParameters() method as shown below:

      x5data.setParameters(cert, false, true, false);

The resulting XML file will be as shown in Listing 11.

If you want to include the subject name of the certificate in the KeyInfo element, you will pass "true" as value of the fourth parameter to the setParameters() method as shown below:

      x5data.setParameters(cert, false, false, true);

The resulting signed XML file will be as shown in Listing 12.

You can also include multiple pointers to the same certificate in your signed XML file. For example, if you pass true for all three boolean parameters (x5data.setParameters(cert, true, true, true)), the resulting XML file will appear as shown in Listing 13.
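The column leaves the recipient's pointer-to-certificate mapping out of scope. As an added example (the editor's code, using only standard JDK classes; it is not XSS4J code and not part of the column), here is how a recipient can resolve each of the three pointer forms against a KeyStore of certificates it already trusts. The certificate found this way is the one whose public key the recipient would hand to the verification call. The KeyStore and its contents are assumed to be loaded by the caller.

```java
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/** Resolves the three X509Data pointer forms against a store of trusted certificates. */
public final class CertificatePointerResolver {
    private final List<X509Certificate> trusted = new ArrayList<>();

    /** Assumed: the caller has already loaded the KeyStore (a JKS or PKCS12 trust store, say). */
    public CertificatePointerResolver(KeyStore store) throws Exception {
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            Certificate c = store.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) trusted.add((X509Certificate) c);
        }
    }

    /** X509IssuerSerial: issuer DN plus serial number; unique for a given CA. */
    public X509Certificate byIssuerSerial(String issuerName, BigInteger serial) {
        X500Principal issuer = new X500Principal(issuerName); // canonical DN comparison, not string equality
        for (X509Certificate c : trusted) {
            if (c.getIssuerX500Principal().equals(issuer) && c.getSerialNumber().equals(serial)) return c;
        }
        return null;
    }

    /** X509SKI: the SubjectKeyIdentifier extension value (OID 2.5.29.14). */
    public X509Certificate bySubjectKeyIdentifier(byte[] ski) {
        for (X509Certificate c : trusted) {
            byte[] ext = c.getExtensionValue("2.5.29.14");
            // getExtensionValue() returns the extension's DER OCTET STRING; SubjectKeyIdentifier
            // is itself an OCTET STRING inside it, so two layers are stripped before comparing.
            if (ext != null && Arrays.equals(octetStringContents(octetStringContents(ext)), ski)) return c;
        }
        return null;
    }

    /** X509SubjectName: may match several certificates (renewals, or the same name from two CAs). */
    public List<X509Certificate> bySubjectName(String subjectName) {
        X500Principal subject = new X500Principal(subjectName);
        List<X509Certificate> hits = new ArrayList<>();
        for (X509Certificate c : trusted) {
            if (c.getSubjectX500Principal().equals(subject)) hits.add(c);
        }
        return hits;
    }

    /** Minimal DER decoding: tag 0x04, short- or long-form length, then the contents. */
    private static byte[] octetStringContents(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) throw new IllegalArgumentException("not a DER OCTET STRING");
        int len = der[1] & 0xFF, offset = 2;
        if (len >= 0x80) {                       // long form: low 7 bits give the number of length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[offset++] & 0xFF);
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }
}
```

A subject-name lookup that returns more than one certificate should be treated as unresolved rather than picking the first hit. Whichever form resolved the certificate, it must still pass the usual checks (validity period, chain to a trusted anchor, revocation status) before its public key is used to verify the signature; the pointer only names the certificate, it proves nothing about it.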

Using XSS4J to sign with a key name

Now we will show how to author a KeyName element inside the KeyInfo to produce a signature.

The XMLDSigSampleWithKeyName class of Listing 14 shows how to sign using the KeyName element. Listing 14 is similar to Listing 7 except steps 7 and 8. This time we are not using the KeyInfo.X509Data class so we don't need to do anything in step 7. Therefore, step 7 is empty in Listing 14.

In step 8 we have used the setKeyNames() method of the KeyInfo class to author the KeyInfo element with a KeyName element.

The setKeyNames() method takes an array of strings, each of which is a key name. As we have just one key name to wrap inside the KeyInfo element, we form an array containing that single key name and pass it to the setKeyNames() method.

The result of running XMLDSigSampleWithKeyName is shown in Listing 15.
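Steps 7 through 12 above, together with the KeyInfo variants of the two preceding sections, assembled into one signing method. This is an added example written by the editor against the XSS4J API as this column describes it; it is not the column's Listing 7, 9 or 14. The XSS4J classes and methods named in the text (KeyInfo, KeyInfo.X509Data and its setCertificate()/setParameters() methods, KeyInfo.setX509Data(), KeyInfo.setKeyNames(), SignatureContext.setIDResolver() and sign(), AdHocIDResolver) are taken from the text; KeyInfo.insertTo(Element), SignatureContext.verify(Element, Key) and Validity.getCoreValidity() are assumed from the XSS4J API and are not named on this page. The document, the template element, the signing key and the certificate are assumed to come from steps 1 to 6.

```java
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import com.ibm.xml.dsig.KeyInfo;
import com.ibm.xml.dsig.SignatureContext;
import com.ibm.xml.dsig.Validity;
import com.ibm.xml.dsig.util.AdHocIDResolver;

public final class KeyInfoVariants {

    /** Which KeyInfo content to author into the Signature template. */
    public enum Mode { CERTIFICATE, ISSUER_SERIAL, SUBJECT_KEY_ID, SUBJECT_NAME, ALL_POINTERS, KEY_NAME }

    /**
     * Fills a Signature template already placed in doc (step 4: templateElement, whose
     * Reference URI matches the Id of the element being signed). signingKey is the private
     * key from step 6 and cert its matching certificate; keyName is used only in KEY_NAME mode.
     */
    public static void sign(Document doc, Element templateElement, PrivateKey signingKey,
                            X509Certificate cert, String keyName, Mode mode) throws Exception {
        KeyInfo keyInfo = new KeyInfo();                                   // step 8: the KeyInfo container

        if (mode == Mode.KEY_NAME) {
            // Listing 14: no X509Data at all, only a KeyName the recipient looks up locally
            keyInfo.setKeyNames(new String[] { keyName });
        } else {
            KeyInfo.X509Data x5data = new KeyInfo.X509Data();              // step 7
            switch (mode) {
                case CERTIFICATE:    x5data.setCertificate(cert); break;                       // Listing 7: full certificate
                case ISSUER_SERIAL:  x5data.setParameters(cert, true,  false, false); break;   // Listing 9/10: X509IssuerSerial
                case SUBJECT_KEY_ID: x5data.setParameters(cert, false, true,  false); break;   // Listing 11: X509SKI
                case SUBJECT_NAME:   x5data.setParameters(cert, false, false, true);  break;   // Listing 12: X509SubjectName
                case ALL_POINTERS:   x5data.setParameters(cert, true,  true,  true);  break;   // Listing 13: all three pointers
                default: throw new IllegalArgumentException(mode.toString());
            }
            // One X509Data per certificate; a chain would be several entries in this array.
            keyInfo.setX509Data(new KeyInfo.X509Data[] { x5data });
        }

        keyInfo.insertTo(templateElement);                                 // step 9 (method name assumed, see lead-in)

        SignatureContext ctx = new SignatureContext();                     // step 10
        ctx.setIDResolver(new AdHocIDResolver(doc));                       // step 11: maps the Reference URI "#id" to its element
        ctx.sign(templateElement, signingKey);                             // step 12: fills DigestValue and SignatureValue
    }

    /**
     * The receiving side. The public key is supplied by the caller on purpose: for a pointer-style
     * KeyInfo (issuer/serial, subject name, SKI or KeyName) the recipient resolves it against
     * certificates it already trusts, and even an embedded X509Certificate must be chain-validated
     * before its key is used. The signature only proves possession of the matching private key.
     * verify() and Validity.getCoreValidity() are assumed from the XSS4J API (see lead-in).
     */
    public static boolean verify(Document doc, Element signatureElement, PublicKey trustedKey) throws Exception {
        SignatureContext ctx = new SignatureContext();
        ctx.setIDResolver(new AdHocIDResolver(doc));                       // same resolver rule as when signing
        Validity v = ctx.verify(signatureElement, trustedKey);
        return v.getCoreValidity();                                        // true only if every digest and the signature check out
    }
}
```

The mode switch is the only place the three listings differ, which is the point the column makes: the signature itself is computed identically whichever KeyInfo form is authored, so the choice affects only how the recipient locates the key, not the strength of the signature.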

In this column we have learned how to use XSS4J to sign messages using certificates and keys. Next time, we will use these concepts to implement signature support in our WSS4J implementation.

Resources

  • Read the first, second, and third columns of this series.
  • Download the source code zip of this column. The zip contains two folders. The folder named WSS4J contains the complete WSS4J code (source as well as compiled form) that we have developed so far. The folder named SignatureSamples contains all the signature related samples that we developed in this column.
  • You can download the official specification of X.509 certificates from here.


Comments (3)

  1. Verifying (GraphicsSeries, 2004-12-27 09:45:59)
  2. Unable to download source code (NK, 2004-06-23 10:40:17)
  3. No relation with Apache WSS4J (Davanum Srinivas, 2004-06-03 07:55:47)