Using stronger XML Signature Algorithms in JDK 7

One of the new features of the XML Signature 1.1 specification, which is currently in draft review, is the addition of stronger cryptographic algorithms to the set of REQUIRED algorithms, such as the RSAwithSHA256 SignatureMethod algorithm. Additional RECOMMENDED and OPTIONAL algorithms have also been added. See section 6.1 of the specification for the complete list of algorithm requirements.

In JDK 7, you can already use many of these stronger XML Signature algorithms in your Java applications. The following algorithms are newly supported: the RSAwithSHA256, RSAwithSHA384, and RSAwithSHA512 signature algorithms, and the HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 MAC algorithms.

To take advantage of these stronger algorithms when generating XML Signatures, you may have to specify the URI of the algorithm yourself (if there isn't already a String constant defined for it in the API). For example:

import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;

// The no-argument getInstance() returns a factory for the default ("DOM") mechanism
XMLSignatureFactory factory = XMLSignatureFactory.getInstance();
// No String constant exists yet for RSAwithSHA256, so the algorithm URI is passed directly;
// the second argument is the algorithm parameter specification, which this algorithm does not need
SignatureMethod sm =
    factory.newSignatureMethod
        ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
         (SignatureMethodParameterSpec) null);

No special code is required when validating XML Signatures with these algorithms, as the implementation automatically recognizes the algorithm URIs.

We plan to add String constants for these URIs in a future revision of the JSR 105 API, but for now you must specify the URIs when generating signatures.

Last, but not least, we are planning to backport support for these stronger signature and mac algorithms to JDK 6.


Comments:

Sean,
I'm trying to create a simple XML signature using SHA-512 with JDK 6u18 (which I think includes these changes). The SignatureMethod instantiates without problems, but when I try to use it with XMLSignature I get a "javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Invalid algorithm specified.".

My code works fine with SHA-1... Any clues? Here's a simplified copy of the code:

SignatureMethod sm = fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", null);
SignedInfo si = fac.newSignedInfo(cm, sm, documentReferences);
signature = fac.newXMLSignature(
    si,
    keyInfo,
    xmlObjects,
    signatureId,
    signatureValueId
);
signContext = new DOMSignContext(privateKey, baseElement);
signContext.putNamespacePrefix(XMLSignature.XMLNS, signaturePrefix);
signContext.putNamespacePrefix(XMLNS, xadesPrefix());
signature.sign(signContext);

Thanks in advance!!!

Also, if you need help testing new features of Java XML Signatures, I'll be pleased to help. I'm currently working on a big project for the Spanish government, developing a centralized signing platform for Spanish public administrations.

Best regards: Tomas

Posted by Tomas Garcia-Meras on April 05, 2010 at 10:10 AM EDT #

Ahhhh! Sorry, forget the previous post, it was a problem with SunMSCAPI (I thought it supported SHA-512 on 6u18); the XMLDSig implementation works nicely with the new signature methods... Thanks a lot for all your hard work on XMLDSig!!!

Regards: Tomás

Posted by Tomas Garcia-Meras on April 05, 2010 at 06:27 PM EDT #

Hello,
I have exactly the same problem.
It's not a problem of the type of signature (simple, XML) but of the provider. Java version 1.6.0_18 should improve the SunMSCAPI provider, but didn't at all. This problem starts with the algorithm SHA256withRSA and higher. According to the stack trace that I always get, the error occurs in the native library, which is called by the sun.security.mscapi.RSASignature class. Do you think this native library could contain an error? Is there another way to sign with RSA-SHA256 using a certificate obtained from the Windows store?

Thank you

Posted by Lukas Pavlusek on April 20, 2010 at 03:05 AM EDT #

Great post, I often feel like many of the tasks
I do online are like grunt work, and like you I agree
it was not the way I wanted to run an online business,
I wanted everything more easy and automated.
The 2 out 3 rule sounds good to me, I will be implementing that now,
I was never sure what ratio to use for mailings.
I have tried, failed and gave up, but now I am back to try again,
with a new passion so hopefully I can find the way that works for me this time,
thanks for this post, it really helped me

Posted by suvie on August 11, 2010 at 02:39 AM EDT #

Hi Sean,

Just wondering how to implement a KeyIdentifier token with the XML Digital Signature APIs. I want to create something like the following for a signature in a SOAP message:

<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsu="...." wsu:Id="......">
<wsse:KeyIdentifier EncodingType="..." ValueType="....">
eG9ius9YwR
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>

Is it supported in JDK 6?

Thanks.

Posted by Raymond on September 15, 2011 at 11:31 AM EDT #

About

Sean Mullan