- Bibliographic Information
- Related Security Specifications
- About the Java Community Process (JCP)
- Principal References
Developers from Sun, IBM, and other companies have announced the final release of Java XML Digital Signature API Specification (JSR 105) Version 1.0, produced under the Java Community Process (JCP). The purpose of this Java Specification Request is "to define a standard Java API for generating and validating XML signatures. The APIs for XML digital signatures services of JSR 105 implement the W3C XML-Signature Syntax and Processing Recommendation, and provide for support of the W3C XML-Signature XPath Filter 2.0 and Exclusive XML Canonicalization Version 1.0 Recommendations.
JSR 105 was developed by members of the JSR 105 Expert Group under the direction of Specification Leads Anthony Nadalin (IBM) and Sean Mullan (Sun Microsystems), who continue jointly in the role of JSR 105 Maintenance Lead.
The Java Community Process under which which JSR 105 was developed is a standards framework which "produces high-quality specifications in 'Internet time' using an inclusive, consensus building approach that produces a specification, a reference implementation (to prove the specification can be implemented), and a technology compatibility kit (a suite of tests, tools, and documentation that is used to test implementations for compliance with the specification). JCP participants include the international Java community, working to develop and evolve Java technology specifications."
JSR 105 has been approved in a Final Approval Ballot with votes from by Apache Software Foundation, Apple Computer, Inc., BEA Systems, Fujitsu Limited, Hewlett-Packard, IBM Corp., Intel Corp., IONA Technologies PLC, JBoss, Inc., Nortel Networks, SAP AG, and Sun Microsystems, Inc.
The Java XML Digital Signature API Specification supports software development projects that need to use the JSR 105 API to generate and validate XML signatures. It is also designed for use by Java programmers "who want to create a concrete implementation of the JSR 105 API and register it as a cryptographic service of a JCA provider. A cryptographic service provider is a package or set of packages that supply a concrete implementation of a subset of the Java 2 SDK Security API cryptography features."
The JSR proposal was to define and incorporate the high level implementation independent Java APIs for the XML Digital Signature specification as defined by the W3C. The W3C/IETF XML DSig Recommendation "specifies XML syntax and processing rules for creating and representing digital signatures. XML Signatures can be applied to any digital content (data object), including XML. An XML Signature may be applied to the content of one or more resources. Enveloped or enveloping signatures are over data within the same XML document as the signature; detached signatures are over data external to the signature element. More specifically, the specification defines an XML signature element type and an XML signature application; conformance requirements for each are specified by way of schema definitions and prose respectively. The XML DSig specification also includes other useful types that identify methods for referencing collections of resources, algorithms, and keying and management information."
The JSR 105 API specification contains six packages. Common classes for XML cryptography are included in the javax.xml.crypto package, which defines classes "used to perform XML cryptographic operations such as generating an XML signature or encrypting XML data; it allows developers to supply implementations which locate and optionally validate keys using the information contained in a KeyInfo object, and provided a URIDereferencer class which allows developers to create and specify their own URI dereferencing implementations." Classes for generating and validating XML digital signatures are defined in the javax.xml.crypto.dsig package, includes interfaces that represent the core elements defined in the W3C XML digital signature specification. A javax.xml.crypto.dsig.spec package "contains interfaces and classes representing input parameters for the digest, signature, transform, or canonicalization algorithms used in the processing of XML signatures." Two packages contain (W3C) DOM-specific classes, and a 'keyinfo' package provides classes for parsing and processing KeyInfo elements and structures.
API dependencies for JSR 105 include J2SE (JDK) 1.2 or higher, and the W3C DOM Level 2 API (required by classes of the javax.xml.crypto.dom and javax.xml.crypto.dsig.dom packages). Required support is specified for DOM as a default XML mechanism type, and the API SHOULD ensure that applications using a DOM implementation are portable and interoperable. On the other hand, the requirements provide for a DOM-independent API in the sense that it must be possible to create implementations of the API for different XML processing and mechanism representations, such as DOM, JDOM or dom4j. Further, it must be possible for a third-party to create and plug in an implementation responsible for managing and creating cryptographic and transform algorithms, dereferencing URIs, and marshalling objects to/from XML."
A Reference Implementation for JSR 105 is available as part of the Java Web Services Developer Pack 1.6. In the JCP, a reference implementation (RI) is a prototype or proof-of-concept implementation of a specification which accompanies the required Technology Compatibility Kit (TCK). The Java Web Services Developer Pack (Java WSDP) is "a free integrated toolkit you can use to build, test and deploy XML applications, Web services, and Web applications with the latest Web service technologies and standards implementations. It contains Fast Infoset technology that can increase Web services performance 2-4x by using ANS.1-based binary encodings that decrease transmission and processing times for messages compared to times for XML (ASCII) messages. The Pack also includes a preview of the next generation of XML Web Services Security, a preview of the Service Registry for SOA (service-oriented architecture) applications." The source code for the JSR 105 reference implementation is available through the Java Research License (JRL).
As required as by the Java Community Process version 2.1, a Technology Compatibility Kit (TCK) for JSR 105 is also available to (help) "verify whether an implementation of the specification is compliant. This TCK, along with source code for the reference implementation, are available for licensing through the Java Distribution License (JDL). The TCK is also separately available for licensing. The TCK is available to Qualified Not-for-Profits and Qualified Individuals for no charge, as per Section F.III of the Java Specification Participation Agreement," explained in connection with the Compatibility Testing Scholarship Program.
Three examples in the JSR 105 final release demonstrate how to generate different types of simple XML Digital Signature using the API (generating a detached XML Digital Signature; generating an enveloped XML Digital Signature; generating an enveloping XML Digital Signature). Other prepared examples show how to generate an enveloping signature, how to validate an XML Signature. One of the six examples demonstrates how to construct, sign and validate a SOAP message using the SAAJ and JSR 105 APIs; another provides a sample implementation of a KeySelector that finds a trusted key from X.509 content contained in X509Data KeyInfo types. A hyperlinked Index document contains an alphabetic list of all classes, interfaces, constructors, methods, and fields.