- XML Signature syntax, processing rules and representation are defined by the W3C XML Signature Working Group and the W3C XML Security Specifications Maintenance Working Group
- The Java XML Digital Signature API Specification (JSR 105) defines a standard Java API for generating and validating XML signatures. The API is located in the javax.xml.crypto package
- The purposes are to provide:
– XML Canonicalization
– Signature Generation
– Detached XML Digital Signature
– Enveloped XML Digital Signature
– Enveloping XML Digital Signature
– Signature Validation
Example: XML Digital Signature

Java XML Digital Signature (Cont’d)
XML Canonicalization
- A digital signature (PKCS#7) only works if the verification calculations are performed on exactly the same bits as the signing calculations, which is inappropriate for XML data
- XML data is subject to surface representation changes, so it needs to be canonicalized with respect to DOM level, character encoding and XML namespaces when the signature is calculated

Detached XML Digital Signature
- The signature is detached from the content it signs. It applies to separate data objects, and also to the case where the signature and data object reside within the same XML document as sibling elements


Enveloping XML Digital Signature
- The signature is over the content found within an object element of the signature itself


Enveloped XML Digital Signature
- The signature is over the XML content that contains the signature as an element. The content provides the root XML document element


Validate XML Digital Signature
- The validation process includes signature validation and validation of the references in SignedInfo

