Using stronger XML Signature Algorithms in JDK 7
By Sean Mullan on Jul 24, 2009
One of the new features of the XML Signature 1.1 specification, which is currently in draft review, is the addition of stronger cryptographic algorithms to the REQUIRED algorithms, such as the RSAwithSHA256 SignatureMethod algorithm. Additional RECOMMENDED and OPTIONAL algorithms have also been added. See section 6.1 for a complete list of algorithm requirements.
In JDK 7, you can already use many of these stronger XML Signature algorithms in your Java applications. The following algorithms are newly supported: the RSAwithSHA256, RSAwithSHA384, RSAwithSHA512 signature algorithms and the HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 mac algorithms.
To take advantage of these stronger algorithms when generating XML Signatures, you may have to specify the URI of the algorithm (if there isn't a String constant already defined in the API). For example:
// Types used: javax.xml.crypto.dsig.XMLSignatureFactory, javax.xml.crypto.dsig.SignatureMethod, javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec
XMLSignatureFactory factory = XMLSignatureFactory.getInstance();
// There is no String constant for RSA-SHA256 yet, so pass the algorithm URI; the algorithm takes no parameters, hence the null spec.
SignatureMethod sm = factory.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", (SignatureMethodParameterSpec) null);
No special code is required when validating XML Signatures that use these algorithms, because the implementation recognizes the algorithm URIs in the SignedInfo element automatically.
We plan to add String constants for these URIs in a future revision of the JSR 105 API, but for now you must specify the URIs when generating signatures.
Last, but not least, we are planning to backport support for these stronger signature and mac algorithms to JDK 6.