A Public Review Draft was issued for JSR 105 Java XML Digital Signature API Specification on May 29, 2003 under the Java Community Process. The Public Review period closes on June 29, 2003. The purpose of this Java Specification Request is "to define a standard Java API for parsing, generating, and validating XML signatures." The API consists of five packages that support a DOM-independent implementation of XML-Signature Syntax and Processing and related W3C Recommendations. The W3C XML Digital Signature specification defines "XML syntax and processing rules for creating and representing digital signatures. The XML Signature is a method of associating a key with referenced data; it does not normatively specify how keys are associated with persons or institutions, nor the meaning of the data being referenced and signed. While the W3C specification is an important component of secure XML applications, it [of itself] is not sufficient to address all application security/trust concerns, particularly with respect to using signed XML (or other data formats) as a basis of human-to-human communication and agreement. Such an application must specify additional key, algorithm, processing and rendering requirements and developers must give consideration to their application threat models."
Java XML Digital Signature API Specification. JSR 105 Public Review Draft. Version 0.9. May 29, 2003. Release: May 29, 2003. Status: Pre-FCS, Public Review Draft. Download file: xml_digital_signature-0_9-prd-spec-apidocs.zip, 340,286 bytes. See the file listing for the distribution. Specification Leads: Sean Mullan (Sun Microsystems, Inc.) and Anthony Nadalin (IBM). JSR 105 Expert Group Contributors include: Nicolas Catania (Hewlett-Packard), Donald E. Eastlake 3rd (Motorola), Christian Geuer-Pollmann (Apache Software Foundation), Hans Granqvist (VeriSign), Kazuyuki Harada (Fujitsu), Anthony Ho (DSTC), Merlin Hughes (Baltimore Technologies), Joyce Leung (IBM), Gregor Karlinger (IAIK), Serge Mister (Entrust Technologies), Takuya Mori (NEC Corporation), Sean Mullan (Sun Microsystems, co-specification lead), Anthony Nadalin (IBM, co-specification lead), Valerie Peng (Sun Microsystems), Erwin van der Koogh (Apache Software Foundation), and Chris Yeung (XML Asia).
Excerpts from XML Digital Signature APIs Public Review Draft
"The purpose of this JSR is to define a standard Java API for parsing, generating, and validating XML signatures. When this specification is final, there will be a Reference Implementation which will demonstrate the capabilities of this API and will provide an operational definition of this specification. A Technology Compatibility Kit (TCK) will also be available that will verify whether an implementation of the specification is compliant."
Package Overview. The JSR 105 API consists of 5 packages:
- The javax.xml.crypto package contains common classes that are used to perform XML cryptographic operations, such as generating an XML signature or encrypting XML data. Two notable classes in this package are the KeySelector class, the purpose of which is to allow developers to supply implementations which locate and optionally validate keys using the information contained in a KeyInfo object, and the URIDereferencer class which allows developers to create and specify their own URI dereferencing implementations.
- The javax.xml.crypto.dom package contains DOM-specific classes for the javax.xml.crypto package. Only developers and users who are creating or using a DOM-based XMLSignatureFactory or KeyInfoFactory implementation should need to make direct use of this package.
- The javax.xml.crypto.dsig package includes interfaces that represent the core elements defined in the W3C XML digital signature specification. Of primary significance is the XMLSignature class, which allows you to sign and validate XML digital signatures. Most of the XML signature structures or elements are represented by a corresponding interface (except for the KeyInfo structures, which are included in their own package, and discussed in the next paragraph). These interfaces include: SignedInfo, CanonicalizationMethod, SignatureMethod, Reference, Transform, DigestMethod, XMLObject, Manifest, SignatureProperty, and SignatureProperties. The XMLSignatureFactory class is an abstract factory that is used to create objects that implement these interfaces.
- The javax.xml.crypto.dsig.keyinfo package contains interfaces that represent most of the KeyInfo structures defined in the W3C XML digital signature recommendation, including KeyInfo, KeyName, KeyValue, X509Data, X509IssuerSerial, RetrievalMethod, and PGPData. The KeyInfoFactory class is an abstract factory that is used to create objects that implement these interfaces.
- The javax.xml.crypto.dsig.spec package contains interfaces and classes representing input parameters for the digest, signature, transform, or canonicalization algorithms used in the processing of XML signatures.
Programming Examples: Examples 1-3 demonstrate how to generate and validate a simple XML Digital Signature using the JSR 105 API. Example 1 describes how to generate and validate a detached signature using the DSA signature algorithm. This example also shows how to marshal an XMLSignature object to or from an XML representation. Example 2 describes how to generate and validate an enveloped signature. Example 3 describes how to generate and validate an enveloping signature. Example 4 is a sample implementation of a KeySelector that finds a trusted key from X.509 content contained in X509Data KeyInfo types. Example 5 demonstrates how to construct, sign and validate a SOAP message using the SAAJ and JSR 105 APIs. Examples include: (1) Detached XML Digital Signature; (2) Enveloped XML Digital Signature; (3) Enveloping XML Digital Signature; (4) X.509 KeySelector implementation; (5) Signed SOAP message.
About XML Signatures
"XML Signatures can be applied to any digital content (data object), including XML. An XML Signature may be applied to the content of one or more resources. Enveloped or enveloping signatures are over data within the same XML document as the signature; detached signatures are over data external to the signature element. More specifically, the XML Digital Signature specification defines an XML signature element type and an XML signature application; conformance requirements for each are specified by way of schema definitions and prose respectively. The XML Digital Signature specification also includes other useful types that identify methods for referencing collections of resources, algorithms, and keying and management information." [from the overview]
- XML Digital Signature APIs. Public Review Draft.
- Download page - JSR-000105 XML Digital Signature APIs.
- Feedback: send email to email@example.com.
- JCP Public Review of Draft Specifications
- [JCP] Community Process Main Page
- XML-Signature Syntax and Processing. W3C Recommendation 12-February-2002.
- "XML Digital Signature (Signed XML - IETF/W3C)" - Main reference page.
- "Security, Privacy, and Personalization." General references.