Tighten Data Security with the Java XML Digital Signature API

Looking Inside an XML Digital Signature

Suppose you're starting with an XML signature that looks like Listing 1.

Here's a description of these XML elements:

  • <Signature>: This is the root element of the XML signature. It encapsulates the whole signature and is the "flag" an application looks for to locate it.
  • <SignedInfo>: This element holds everything that is actually signed: the canonicalization method, the signature method and the list of references. The signature value is computed over the canonicalized <SignedInfo>, not directly over the data.
  • <CanonicalizationMethod>: Its Algorithm attribute (a URI) names the algorithm used to canonicalize <SignedInfo> before it is signed or validated. Canonicalization converts logically equivalent XML (different whitespace, attribute order or namespace declarations) into one physical byte form, so the signature survives re-serialization.
  • <SignatureMethod>: Its Algorithm attribute (a URI) names the algorithm used to generate and verify the signature value.
  • <Reference>: This element identifies the data that is signed. <SignedInfo> may contain more than one <Reference> child. An empty URI attribute ("") means the whole document in which the signature lives; the URI can also be an external link (http://...) or an internal link to an element with a given Id (using the "#" character). Because only the referenced data is covered, a validator must check that the references actually point at the data it is about to trust: a signature that validates over the wrong <Reference> proves nothing about the rest of the document.
  • <Transforms>: This element contains one or more <Transform> elements. Each <Transform> uses the Algorithm attribute (a URI) to name a transform applied to the referenced data before it is digested. The enveloped-signature transform removes the <Signature> element itself from the data, which is what makes an enveloped signature possible. The XPath Filter 2.0 transform (http://www.w3.org/TR/xmldsig-filter2/) instead selects a subset of nodes to be signed by using an XPath expression.
  • <DigestMethod>: Its Algorithm attribute (a URI) names the hash algorithm used to digest the (transformed) referenced data.
  • <DigestValue>: This element contains the digest of the referenced data, base64 encoded.
  • <SignatureValue>: This element contains the signature computed over the canonicalized <SignedInfo> element, base64 encoded.
  • <KeyInfo>: This element contains information about the key used to validate the signature. Its content depends on the signature type, as you will see in the coming examples. Note that <KeyInfo> is not itself signed unless a <Reference> covers it, and anyone can put a key there, so a validator must establish trust in that key (or use a key it already holds) rather than accept whatever the document supplies.

Generate an Enveloped XML Signature Using KeyPairGenerator Class

An XML signature is called an enveloped signature if it is computed over data that contains the <Signature> element itself: the signature is embedded in the signed document, and the enveloped-signature transform excludes it from the digest so that the signature does not have to cover its own value.

First things first. Suppose you have the following ordinary XML document:

<?xml version="1.0" encoding="UTF-8"?>

<math>
<simple-equations>
  <first_degree_equation>
      First-degree equation:
      <terms_first_degree a="0.0" b="0.0"></terms_first_degree>
      <solution>"-b/a"</solution>
  </first_degree_equation>
</simple-equations>
</math>
Next, follow these steps to sign this document with an enveloped XML signature using the KeyPairGenerator class:
  1. Create an XMLSignatureFactory Object: Call the static getInstance method with the mechanism type "DOM". It searches for a provider that supports the DOM mechanism and returns its XMLSignatureFactory implementation.
  2. Create a Reference Object: Specify the URI ("" represents the whole document), a DigestMethod object and a Transform object (the enveloped-signature transform). The Reference object identifies the data that will be signed. All these objects are created through the XMLSignatureFactory from Step 1.
  3. Create a SignedInfo Object: This object is created from a CanonicalizationMethod object, a SignatureMethod object and the list of References.
  4. Create the KeyInfo Object: First generate a key pair with KeyPairGenerator. Then obtain a KeyInfoFactory from the XMLSignatureFactory, create a KeyValue from the public key, and create the KeyInfo from the KeyValue. Only the public key goes into the document; the private key is used in Step 6 and never leaves the signer.
  5. Prepare the Document to be Signed: This is an easy job, based on a simple DOM routine that parses the file into a Document object. The DocumentBuilderFactory must be namespace aware, or the namespaced signature elements will not be handled correctly.
  6. Sign the Document: First create a DOMSignContext from the private key and the document's root element; this object is passed to the sign method. Then create an XMLSignature object from the SignedInfo and KeyInfo objects and call its sign method, which appends the <Signature> element as the last child of the root.
  7. Write the Signed Document into a File: This task can be accomplished in various ways (for example, using a Transformer).
Now that you know the theory, let's see a concrete example. The application shown in Listing 2 implements exactly these seven steps. The document to be signed is called in.xml and the output is saved into a file named outEnveloped.xml. Here is the output:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<math>
<simple-equations>
  <first_degree_equation>
      First-degree equation:
      <terms_first_degree a="0.0" b="0.0"/>
      <solution>"-b/a"</solution>
  </first_degree_equation>
</simple-equations>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>PlQASEXK+FR8BAhzfgtKfh79LmM=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>nA6rYiwQ0Bz4ec87zyVh5tLpT435zSVPX9VrDM+aOCUwMoYZObxpc1CvDEgorrtCAFbu2fIN+LYjxq8ZRshDPg==</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <RSAKeyValue>
        <Modulus>sUQKShQ/4yooq8PynHhT6IorNJ6mXr1sMLZvuDAqKPx3VEs74s0SelkF2G/dnz5Bn7OQmMEtiJgHBICTElsYgw==</Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
</math>
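Two things in that output deserve a closer look than the text gives them: the algorithm URIs are rsa-sha1 and sha1, and the <Modulus> decodes to 64 bytes, that is, a 512-bit RSA key. Both are far too weak for anything that matters today. The program below is an added example, not Listing 2 or any other code from the original article. It runs the same seven steps (XMLSignatureFactory, Reference, SignedInfo, KeyInfo, DOM parsing, DOMSignContext, serialization) with SHA-256 and a 2048-bit key, and then validates the result the way a relying party should: with a public key it already trusts instead of the <KeyValue> embedded in the document, and only after checking that the single <Reference> covers the whole document with the expected algorithms. The inline input is a copy of in.xml; the class name, method names, the pinned-algorithm constants and the tamper step at the end are this example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class EnvelopedSignatureDemo {

    // Constructed sample input: an inline copy of the in.xml document from the text.
    static final String IN_XML =
        "<math><simple-equations><first_degree_equation>First-degree equation:"
      + "<terms_first_degree a=\"0.0\" b=\"0.0\"/><solution>\"-b/a\"</solution>"
      + "</first_degree_equation></simple-equations></math>";

    // Algorithms this example pins (assumption of the example); rsa-sha1/sha1 are rejected.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String SHA256 = DigestMethod.SHA256;   // http://www.w3.org/2001/04/xmlenc#sha256

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // the dsig elements live in their own namespace
        // Refuse a DOCTYPE: rules out entity expansion and XXE when the input is untrusted.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    static byte[] serialize(Document doc) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    // Steps 1 to 7 from the text, with SHA-256 in place of SHA-1.
    static byte[] sign(byte[] xml, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");            // step 1
        Reference ref = fac.newReference("",                                          // step 2: "" = whole document
            fac.newDigestMethod(SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(                                            // step 3
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                                          (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();                                 // step 4
        KeyValue kv = kif.newKeyValue(kp.getPublic());   // only the public key is embedded
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));
        Document doc = parse(xml);                                                    // step 5
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()); // step 6
        fac.newXMLSignature(si, ki).sign(ctx);   // appends <Signature> as last child of <math>
        return serialize(doc);                                                        // step 7
    }

    // Relying-party check: the caller supplies the trusted key; <KeyValue> in the document is ignored.
    static boolean validate(byte[] signedXml, PublicKey trusted) throws Exception {
        Document doc = parse(signedXml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;   // exactly one signature, no wrapping games
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        // Pin the algorithms and the reference before doing any cryptography.
        if (!RSA_SHA256.equals(sig.getSignedInfo().getSignatureMethod().getAlgorithm())) return false;
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) return false;
        Reference ref = (Reference) refs.get(0);
        if (!"".equals(ref.getURI())) return false;   // must cover the whole document
        if (!SHA256.equals(ref.getDigestMethod().getAlgorithm())) return false;
        // Cryptographic check: signature over <SignedInfo>, then digest of the referenced data.
        return sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);   // the article's output carries a 512-bit modulus; never use that
        KeyPair kp = kpg.generateKeyPair();
        byte[] signed = sign(IN_XML.getBytes(StandardCharsets.UTF_8), kp);
        System.out.println(new String(signed, StandardCharsets.UTF_8));
        System.out.println("valid:    " + validate(signed, kp.getPublic()));
        // Change one signed attribute: the digest no longer matches and validate() returns false.
        String tampered = new String(signed, StandardCharsets.UTF_8).replace("b=\"0.0\"", "b=\"1.0\"");
        System.out.println("tampered: " + validate(tampered.getBytes(StandardCharsets.UTF_8), kp.getPublic()));
    }
}
```

The validate method deliberately does its structural checks before calling XMLSignature.validate: a document can carry a perfectly valid signature over some node the attacker chose, so the question "what does this signature cover, and with which algorithms?" has to be answered before "is the signature valid?" means anything. The secureValidation property turns on the JDK's built-in policy, which among other things enforces a minimum RSA key size of 1024 bits, so the 512-bit key from the article's output would be rejected there even before the digest comparison.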
