XML Encryption also augments the behavior of the <ds:RetrievalMethod> child of <ds:KeyInfo>. If you specify http://www.w3.org/2001/04/xmlenc#EncryptedKey as the Type attribute of the <ds:RetrievalMethod>, an <EncryptedKey> element is retrieved.
Ted Leung's Professional XML Development with Apache Tools explains programming with Apache tools such as Xerces, Xalan, FOP, Cocoon, Axis and Xindice. This is part 2 of an excerpt from chapter 10, which discusses XML Encryption and the XML Security software from the Apache Software Foundation.
The <CipherData> element is a required element that acts as a container for the encrypted data. The data may appear either as a <CipherValue> element or as a <CipherReference> element. If the <CipherReference> element appears, it specifies a resource that can be processed to yield the encrypted data. <CipherReference> uses a URI attribute to specify the resource to process. The content of the <CipherReference> element can be a <ds:Transforms> element to indicate that transforms are to be applied to the referenced data. Support for <ds:Transforms> is optional.
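The two structures described above, the <CipherData> alternatives and the EncryptedKey-typed <ds:RetrievalMethod>, as an added example written for this page with Python's ElementTree; it is not code from the book or from Apache XML Security. The <book> document it parses is constructed from the fragment in the excerpt, the ciphertext bytes are made up, and the resolver dictionary stands in for whatever allow-listed fetch a real processor would use for a <CipherReference> URI.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

def _q(uri, local):            # Clark-notation name for ElementTree lookups
    return "{%s}%s" % (uri, local)

def cipher_bytes(enc_data, resolver=None):
    """Raw ciphertext of an <xenc:EncryptedData>: inline base64 from
    <CipherValue>, or bytes for a <CipherReference> URI, which is only
    dereferenced through the caller's resolver (dict URI -> bytes standing
    in for an allow-listed fetch); <ds:Transforms> support is optional in
    the spec and this processor rejects references that carry it."""
    cd = enc_data.find(_q(XENC, "CipherData"))
    if cd is None:
        raise ValueError("EncryptedData lacks the required CipherData")
    value = cd.find(_q(XENC, "CipherValue"))
    if value is not None:
        return base64.b64decode((value.text or "").strip(), validate=True)
    ref = cd.find(_q(XENC, "CipherReference"))
    if ref is None:
        raise ValueError("CipherData needs CipherValue or CipherReference")
    if ref.find(_q(DS, "Transforms")) is not None:
        raise ValueError("ds:Transforms on CipherReference not supported")
    uri = ref.get("URI")
    if resolver is None or uri not in resolver:
        raise ValueError("refusing to dereference CipherReference %r" % uri)
    return resolver[uri]

def encrypted_key_uri(enc_data):
    """URI of a <ds:RetrievalMethod> whose Type says it points at <EncryptedKey>."""
    for rm in enc_data.iter(_q(DS, "RetrievalMethod")):
        if rm.get("Type") == XENC + "EncryptedKey":
            return rm.get("URI")
    return None

def book_with(cipher_data_xml):
    """Constructed sample: the excerpt's <book>, with EncryptedData in front."""
    doc = ET.fromstring(
        '<book xmlns:xenc="%s" xmlns:ds="%s"><xenc:EncryptedData>'
        '<ds:KeyInfo><ds:RetrievalMethod URI="#ek1" Type="%sEncryptedKey"/>'
        '</ds:KeyInfo><xenc:CipherData>%s</xenc:CipherData>'
        '</xenc:EncryptedData><isbn>0-7645-4355-5</isbn><month>December'
        '</month><year>2003</year><publisher>Wrox</publisher>'
        '<address>Indianapolis, Indiana</address></book>'
        % (XENC, DS, XENC, cipher_data_xml))
    return doc.find(_q(XENC, "EncryptedData"))
```

A <CipherReference> whose URI is not in the resolver is refused rather than fetched, which is the behaviour you want from a processor that accepts documents from outside your trust boundary.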
The remainder of the document is as it was before:

    </xenc:CipherData>
  </xenc:EncryptedData>
  <isbn>0-7645-4355-5</isbn>
  <month>December</month>
  <year>2003</year>
  <publisher>Wrox</publisher>
  <address>Indianapolis, Indiana</address>
</book>
Installing and Configuring XML Security
To work with XML Security, you need to get a current build. The XML Security builds are available at http://xml.apache.org/security/download.html. Click the link to choose a mirror site. On the page listing the mirrors, click a mirror that’s close to you. Doing so will take you to a distribution directory with entries for the C-library version, the Java-library version, and a PGP public key file in keys.asc. When you click the link for the Java library, you’ll be presented with a list of distributions. Both binary and source distributions are provided.
For the sake of example, let’s assume you’re interested in the latest development release, 1.0.5D2. The binary distribution is in a file named xml-security-bin-1_0_5D2.zip. The source distribution is in a file named xml-security-src-1_0_5D2.zip. XML Security provides distributions only in zip format. This shouldn’t be a problem, because unzipping utilities exist for Windows, UNIX, Linux, and Mac OS X. There are PGP signature files for each of the distribution files—they have the same name as the associated distribution file but end in .sig. The signature file for the xml-security-bin-1_0_5D2.zip file is in the file xml-security-bin-1_0_5D2. You should create a new directory for the xml-security distribution you’re unpacking and unzip the files into it. Once you’ve done that, the new directory contains the following directories and files:
ant—Ant taskdefs used by the XML Security build file.
build—The results of running the Ant build:
    doc—HTML documentation.
    xmlsec.jar—XML Security library.
    xmlsecSamples.jar—XML Security sample programs.
    xmlsecTests.jar—XML Security test suite.
data—The data files for the XML Security test suite.
libs—The jar files required by XML Security. Note that you need Xalan 2.2 or later if you’re going to use XPath or XSLT-related functionality.
src_samples—The source code for the sample applications.
build.xml—The Ant build file for XML Security.
Install—Simple installation instructions.
Keys.asc—The PGP key files for the XML Security developers.
License.txt—The Apache Software License.
README—A brief README file.
README.html—The gateway to the XML Security documentation.
You also need to download the Bouncy Castle JCE provider and, if you’re using JDK 1.3, the Bouncy Castle clean-room JCE implementation for Java 1.3. You can obtain these files from the Bouncy Castle website at www.bouncycastle.org. For JDK 1.3, you’ll want the combined JCE provider and implementation jar. This file is named jce-jdk13-nnn.jar, where nnn is the version number. For JDK 1.4, you’ll want the file bcprov-jdk14-nnn.jar, where again nnn is the version number. Your classpath must include the Bouncy Castle jar as well as the xmlsec.jar from the build directory and the various jars in the lib directory.
If you’re running JDK 1.4, you may need to deal with two additional items. XML Security depends on a released version of Xalan with a version number of at least 2.2. The version of Xalan that’s built into JDK 1.4 is Xalan 2.2D13, which is incompatible. To solve this problem, take the xml-apis.jar and xalan.jar files from XML Security’s lib directory and install them in the JDK using the Java Endorsed Standards Mechanism. Doing so overrides the version built into the JDK.
The other JDK 1.4 issue you may run into is related to encryption strength. By default, JDK 1.4 ships with a restricted encryption policy file. Your application may require encryption algorithms that need unlimited-strength cryptography. You can change the JCE policy file by downloading the JCE Unlimited Strength Jurisdiction Policy Files for the JDK version you’re using. You can obtain these files via http://java.sun.com/products/jce/index-14.html#UnlimitedDownload. Once you’ve downloaded the jar file, follow the instructions inside it to install the needed files. Basically, you take the contents of the jar file and copy them over the corresponding files in JAVA_HOME/jre/lib/security. Back up the old files somewhere in case you need to use them again.
About the Author
Ted Leung is currently working on the Chandler Personal
Information Manager for the Open Source Applications Foundation (OSAF).
He is also using his experience as a member of the Apache Software
Foundation (ASF) to help OSAF bootstrap a vibrant community around
Chandler. Ted continues his involvement with ASF by helping new
projects become a part of the Apache community. He was one of the
original developers of the Xerces-J XML parser and a founding
member of the Apache XML Project.
Prior to OSAF, Ted was an independent consultant
focusing on Java, XML and web services. He was the technical lead
for IBM's XML4J parser, which provided the initial code base for
the Xerces-J parser. Ted has also worked on the Apple Newton PDA
and the compound document portion of Taligent's object-oriented
frameworks. As a graduate student at Brown University, he worked
on problems in object oriented databases, including data models
and query languages. He earned a bachelor's degree in Mathematics
at MIT.
Besides Professional XML Development with Apache Tools, Ted has authored trade magazine articles and academic papers and spoken at conferences such as OSCON, PyCon, ApacheCon, Software Development and IBM's Solutions Developer Conference. He writes a personal web log about Open Source, modern programming languages, Mac OS X and microcontent. With Thom May, Ted also operates the PlanetApache community weblog.