xsign
Security
Release Notes
attachGoldenThread
cast
copy
cutGoldenThread
cwu
delete
dpml
dump
entrypoint
exists
expire
fls
guid
hotRestart
HTTPCookie
HTTPRedirect
isUnix
locationToXPath
lock/unlock
log
loglevel
luceneIndex
luceneSearch
mapper
mapper-export
md5
mls
netkernel:*
new
Orchextra
org.ten60.util.aspell
org.ten60.util.image.SVG2PNG
org.ten60.util.image.Text2PNG
org.ten60.util.image.xchart
plainTextToXHTML
regex
relativizeURI
requestWithArgs
resolveURI
serialize
sleep
sqlBatch
sqlBooleanQuery
SQLEncodeElement
SQLEscapeXML
sqlQuery
sqlUpdate
stm
stopWatch
StringToCanonicalString
throw
toRelaxNG
trace
validateDTD
validateRNG
validateSchematron
validateXSD
xacml
xform
XHREFlinker
XHTMLredirect
XHTMLTidy
xinclude
xmltidy
xpatheval
xpur
xquery
xrl
xsign
xslfo-fop
xslfo-fop
xslt
xverify
License
Change History
NetKernel History
Acknowledgements
URA Reference

xsign

Used to sign an xml document

Definition

Format

<instr>
  <type>xsign</type>
  <operand>foo.xml</operand>
  <operator>sig_settings.xml</operator>
  <target>this:response</target>
</instr>

Syntax

ElementRulesDescription
typeMandatory xsign
operandMandatory the resource to be signed
operatorMandatory the signature properties document
targetMandatory Fragment OKthe target resource

The xsign accessor generates a standard XML signature consisting of a DSA signature and SHA1 digest of a part of an xml document located by an xpath expression. The signature is attached to the root element of the signed document together with an X509 certificate for validation.

The xsign accessor requires a private key together with other properties. The properties for the PKI keystore, PKI private key password, xpath location and certificate alias are passed in the operator document - see description below.

It is important to provide an xpath location that does not include the ds:signature element which will be attached to the root document element as the signature.

This implementation uses the Apache XML Security package. The xsign accessor uses the DSA algorithm to generate the XML signature. It uses the SHA1 algorithm to create a hash of the document fragment given by the xpath target. This accessor provides a general purpose xml sig but it is not as comprehensive as the full features offered by xmlsec. If XML Sig is important for your application we recommend you customize this accessor to suit your requirements.

Security

In the demonstration, the xmlsig properties are hard coded into the demonstration idoc. This is highly undesirable in a real implementation. It is recommended that the xmlsig properties document be placed in a trusted location with suitable access control. Preferrably the application should be written to request the passwords dynamically at runtime.

Keystore

The default PKI keystore is located in <dexter_install_directory>/security/demo_keystore. The java keytool application, shipped with most JDK's, can be used to register and administer PKI keys and certificates. Do not use the demo keystore or any keys it contains in a real application. It is for illustration only! Create your own keystore using keytool and obtain a certified private key from a reputable Certification Authority.

Operator Syntax

The xsign accessor requires a set of configurable properties in order to sign a document. These are passed in by the operator in an <xmlsig> document. The element names and properties are illustrated below.

<xmlsig>
  <keystore>
    <password>demo123</password>
    <uri>security/demo_keystore</uri>
<!--Resolved relative to Install directory-->
  </keystore>
  <privateKey>
    <privateKeyAlias>DexterDemonstrationKey_INSECURE_FOR_EXAMPLE_ONLY</privateKeyAlias>
    <privateKeyPassword>demo_only_do_not_use</privateKeyPassword>
    <certificateAlias>DexterDemonstrationKey_INSECURE_FOR_EXAMPLE_ONLY</certificateAlias>
  </privateKey>
  <algorithm />
  <targetXpath>/signaturetest/name[4] and not(ancestor-or-self::ds:Signature)</targetXpath>
  <publicURI>file:/1060.org/test/signaturetest.xml</publicURI>
</xmlsig>

<keystore> contains the <uri> element which holds the uri to a java keystore located relative to the install directory of the dexter kernel. In the default demonstrations this is security/demo_keystore. The <password> element contains the password to the keystore.

<privateKey> contains the properties necessary to specify and access the PKI private key with which the signature will be made. <privateKeyAlias> is the alias name with which the key is registered in the java keystore. <privateKeyPassword> is the password used to secure the key within java keystore. <certificateAlias> is alias name for the X509 certificate corresponding to the associated public key registered in the java keystore.

<algorithm> is not currently used. xmlsig defaults to the DSA algorithm.

<targetXpath> is xpath location for the xml-fragment that is actually signed. Repeated xmlsig operations with the same document and different values for targetXPath will generate multiple signatures of the document. It is important not to include either the signature <ds:Signature> element or unwanted parts of the document in this xpath or the generated signature may be unverifiable.

<publicURI> is the uri expressed in the signature as the public URI of the document. See xmlsig specification for details

Example

TBD

References

Apache XML Security
W3C XML Signature

(C) 2003, 1060 Research Limited
© 2003,2004, 1060® Research Limited
1060 registered trademark, NetKernel trademark of 1060 Research Limited