xsignxsign
Security
Home > Books > NetKernel API and Services Reference > Accessor Listing > Security Extensions > xsign
Preface
Accessor Listing
ASpell Spell Checker
Berkeley DBXML Accessors and Utilities
Cron Scheduled Jobs
DPML
Entrypoint Management
HTTP Client Services
HTTP Transport
Image Resource Model
JMS Connectivity
JSON Library
Kernel Management and Development APIs
Layer1
LDAP / DSML Accessors and Utilities
Lucene Full Text Search
PiNKY
RDBMS Accessors and Utilities
Ruby Language Runtime
Scripting Runtimes
Security Extensions
gk
guid
md5
xacml
xsign
xverify
Session Extensions
SMTP Email Service
SOAP Service Infrastructure
Utility and System Accessors
WebDav Client
XHTML Utilities
XML Accessors
XQuery
XRL
XUnit - Unit Test Framework
Aspect Listing
Transport Listing
Transreptor Listing
Fragmentor Listing
NetKernel API
Protocol Handler

Rate this page:
Really useful
Satisfactory
Not helpful
Confusing
Incorrect
Unsure
Extra comments:

 send 

Module

urn:org:ten60:netkernel:ext:xsecurity

The xsign accessor is exported by the urn:org:ten60:netkernel:ext:xsecurity module. Import this module to gain access to the accessor.

Syntax

URI
active:xsign

ArgumentRulesDescription
operandMandatory the resource to be signed
operatorMandatory the signature properties document

Example Usage

DPML

<instr>
  <type>xsign</type>
  <operand>foo.xml</operand>
  <operator>sig_settings.xml</operator>
  <target>this:response</target>
</instr>

NetKernel Foundation API

req=context.createSubRequest("active:xsign");
req.addArgument("operand", [resource representation, aspect, or URI] );
req.addArgument("operator", [resource representation, aspect, or URI] );
result=context.issueSubRequest(req);

Purpose

The xsign accessor generates a standard XML signature consisting of a DSA signature and SHA1 digest of a part of an xml document located by an xpath expression. The signature is attached to the root element of the signed document together with an X509 certificate for validation.

The xsign accessor requires a private key together with other properties. The properties for the PKI keystore, PKI private key password, xpath location and certificate alias are passed in the operator document - see description below.

It is important to provide an xpath location that does not include the ds:signature element which will be attached to the root document element as the signature.

This implementation uses the Apache XML Security package. The xsign accessor uses the DSA algorithm to generate the XML signature. It uses the SHA1 algorithm to create a hash of the document fragment given by the xpath target. This accessor provides a general purpose xml sig but it is not as comprehensive as the full features offered by xmlsec. If XML Sig is important for your application we recommend you customize this accessor to suit your requirements.

Security

In the demonstration, the xmlsig properties are hard coded into the demonstration idoc. This is highly undesirable in a real implementation. It is recommended that the xmlsig properties document be placed in a trusted location with suitable access control. Preferrably the application should be written to request the passwords dynamically at runtime.

Keystore

The default PKI keystore is located in <dexter_install_directory>/security/demo_keystore. The Java keytool application, shipped with most JDK's, can be used to register and administer PKI keys and certificates. Do not use the demo keystore or any keys it contains in a real application. It is for illustration only! Create your own keystore using keytool and obtain a certified private key from a reputable Certification Authority.

Operator Syntax

The xsign accessor requires a set of configurable properties in order to sign a document. These are passed in by the operator in an <xmlsig> document. The element names and properties are illustrated below.

<xmlsig>
  <keystore>
    <password>demo123</password>
    <uri>security/demo_keystore</uri>
    <!--Resolved relative to Install directory-->
  </keystore>
  <privateKey>
    <privateKeyAlias>DexterDemonstrationKey_INSECURE_FOR_EXAMPLE_ONLY</privateKeyAlias>
    <privateKeyPassword>demo_only_do_not_use</privateKeyPassword>
    <certificateAlias>DexterDemonstrationKey_INSECURE_FOR_EXAMPLE_ONLY</certificateAlias>
  </privateKey>
  <algorithm />
  <targetXpath>/signaturetest/name[4] and not(ancestor-or-self::ds:Signature)</targetXpath>
  <publicURI>file:/1060.org/test/signaturetest.xml</publicURI>
</xmlsig>

<keystore> contains the <uri> element which holds the uri to a Java keystore located relative to the install directory of the dexter kernel. In the default demonstrations this is security/demo_keystore. The <password> element contains the password to the keystore.

<privateKey> contains the properties necessary to specify and access the PKI private key with which the signature will be made. <privateKeyAlias> is the alias name with which the key is registered in the Java keystore. <privateKeyPassword> is the password used to secure the key within Java keystore. <certificateAlias> is alias name for the X509 certificate corresponding to the associated public key registered in the Java keystore.

<algorithm> is not currently used. xmlsig defaults to the DSA algorithm.

<targetXpath> is xpath location for the xml-fragment that is actually signed. Repeated xmlsig operations with the same document and different values for targetXPath will generate multiple signatures of the document. It is important not to include either the signature <ds:Signature> element or unwanted parts of the document in this xpath or the generated signature may be unverifiable.

<publicURI> is the uri expressed in the signature as the public URI of the document. See xmlsig specification for details

References

Apache XML Security
W3C XML Signature

© 2003-2007, 1060 Research Limited. 1060 registered trademark, NetKernel trademark of 1060 Research Limited.