Spec-Zone .ru
спецификации, руководства, описания, API
|
When this specification is final, there will be a Reference Implementation
which will demonstrate the capabilities of this API and will provide an
operational definition of this specification. A Technology Compatibility
Kit (TCK) will also be available that will verify whether an implementation
of the specification is compliant. These are required as per the
The JSR 105 API is intended to target the following two types of users:
javax.xml.crypto.dom
and javax.xml.crypto.dsig.dom
packages.
KeyInfo
object, and the URIDereferencer
class which allows developers to create and specify their
own URI dereferencing implementations.
The javax.xml.crypto.dsig package includes interfaces that represent
the core elements defined in the W3C XML digital signature specification. Of
primary significance is the
XMLSignature class, which allows
you to sign and validate an XML digital signature. Most of the XML signature
structures or elements are represented by a corresponding interface
(except for the KeyInfo
structures, which are included in their
own package, and discussed in the next paragraph). These interfaces include:
SignedInfo,
CanonicalizationMethod,
SignatureMethod,
Reference,
Transform,
DigestMethod,
XMLObject,
Manifest,
SignatureProperty, and
SignatureProperties. The
XMLSignatureFactory class is
an abstract factory that is used to create objects that implement these
interfaces.
The javax.xml.crypto.dsig.keyinfo package contains interfaces
that represent most of the KeyInfo
structures defined in the W3C
XML digital signature recommendation, including
KeyInfo,
KeyName,
KeyValue,
X509Data,
X509IssuerSerial,
RetrievalMethod,
and PGPData. The
KeyInfoFactory class is an
abstract factory that is used to create objects that implement these
interfaces.
The javax.xml.crypto.dsig.spec package contains interfaces and classes representing input parameters for the digest, signature, transform, or canonicalization algorithms used in the processing of XML signatures.
Finally, the javax.xml.crypto.dom and javax.xml.crypto.dsig.dom packages contains DOM-specific classes for the javax.xml.crypto and javax.xml.crypto.dsig packages, respectively. Only developers and users who are creating or using a DOM-based XMLSignatureFactory or KeyInfoFactory implementation should need to make direct use of these packages.
XMLSignatureFactory
MUST provide support for each of the
REQUIRED algorithms as specified by the W3C recommendation for XML Signatures.
It MAY support other algorithms as defined by the W3C recommendation or
other specifications.
JSR 105 leverages the
JCA provider model for registering and loading
XMLSignatureFactory
and KeyInfoFactory
implementations.
Each concrete XMLSignatureFactory
or KeyInfoFactory
implementation supports a specific XML mechanism type that identifies
the XML processing mechanism that an implementation uses internally to parse
and generate XML signature and KeyInfo structures. This JSR supports one
standard type: DOM.
Support for new standard types (such as JDOM) MAY be added in the future.
A JSR 105 implementation SHOULD use underlying JCA engine classes, such as java.security.Signature and java.security.MessageDigest to perform cryptographic operations.
In addition to the XMLSignatureFactory
and
KeyInfoFactory
classes, JSR 105 supports a service provider
interface for transform and canonicalization algorithms. The
TransformService class allows you to develop and
plug in an implementation of a specific transform or canonicalization
algorithm for a particular XML mechanism type. The TransformService
class uses the standard JCA provider model for registering and loading
implementations. Each JSR 105 implementation SHOULD use the
TransformService
class to find a provider that supports
transform and canonicalization algorithms in XML Signatures that it
is generating or validating.
XMLSignatureFactory
, KeyInfoFactory
or
TransformService
in order to minimize interoperability problems:
XMLSignatureFactory
MUST support DOMValidateContext types. If the type is DOMValidateContext
,
it SHOULD contain an Element of type
Signature
. Additionally, the
unmarshalXMLSignature
method MAY populate the
Id/Element mappings of the passed-in DOMValidateContext
.
XMLSignatureFactory
MUST support
DOMSignContext types and
the validate method
MUST support DOMValidateContext types. This requirement also applies to the validate
method of SignatureValue and the validate method of Reference.
iterator
method MUST return an iteration over objects of type
org.w3c.dom.Node
.
URIReference
objects passed to the dereference
method of user-specified URIDereferencer
s MUST be
of type DOMURIReference
and XMLCryptoContext
objects MUST implement
DOMCryptoContext.
URIDereferencer
s
returned by the getURIDereferencer
method of
XMLSignatureFactory
and KeyInfoFactory
.
KeyInfoFactory
MUST support DOMStructure types. If the type is DOMStructure
,
it SHOULD contain an Element of type
KeyInfo
.
Transform
MUST support
DOMCryptoContext context parameter types.
XMLSignatureFactory
MUST support
DOMStructure parameter types.
TransformService
MUST support
DOMStructure and
DOMCryptoContext types.
XMLSignatureFactory
MUST support DOMStructure types. If the type is DOMStructure
,
it SHOULD contain an Element of type
Signature
.
KeyInfo
MUST support
DOMStructure and
DOMCryptoContext
parameter types.
XMLSignatureFactory
might use
a SAX parser internally to canonicalize data.
<Reference URI="document.xml">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<XPath>id("foo")</XPath>
</Transform>
</Transforms>
</Reference>
Dereferencing the external document results in an octet stream which
is subsequently converted to a NodeSet by the JSR 105 implementation.
But the API does not provide a mechanism for registering ID attributes
of external documents and therefore the XPath Transform implementation
may be unable to identify the "foo" ID.
Copyright © 2005, Sun Microsystems, Inc. 4150 Network Circle Santa Clara, California 95054 All Rights Reserved. Please send comments to: java-security@sun.com. This is not a subscription list. |