XML Security test package testxmlsec (supplementary to org.aaauthreach package)
------------------------------------------------------------------

0. Introduction

This test and demo package demonstrates how to use XML Signature and XML Encryption with the IODEF XML format. Suggested version of the IODEF is 0.4.

1. Test classes

1.1. TestIODEF01xss4jdsig.java - uses IBM's xss4j for creating an Enveloped XML Signature.
     Note. This is an old example. Not recommended due to suspended xss4j development.

1.2. TestIODEF02SignTypes.java - creates a sample IODEF-040 document and signs it using different URI types and XPath expressions:
     0 - Create and sign the whole document with an ENVELOPED Signature, e.g.
     1 - ENVELOPED for an element by Id/ID, e.g. URI="#incident"
     2 - ENVELOPED for an element by Id/ID, e.g. URI="#xpointer(id('incident'))"
     3 - ENVELOPED for an element with an XPath TRANSFORM, e.g.
         XPath = not(ancestor-or-self::ds:Signature) and (ancestor-or-self::node() = /IODEF-Document/Incident)
     4 - ENVELOPED for an element with an XPath TRANSFORM, e.g.
         XPath = not(ancestor-or-self::ds:Signature) and ((ancestor-or-self::node() = /IODEF-Document/Incident) or (ancestor-or-self::node() = /IODEF-Document/Incident/EventData))

1.3. TestIODEF03SignDoc.java - provides examples of different input methods for the document to be signed:
     1 - sign file (multiple signatures)
     2 - sign input DOM document
     3 - sign string document

1.4. TestIODEF10VerifySignature.java - verifies the XML Signature in a document that can be read as a file, DOM document or String document.
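The following is an added illustration of signing option 3 from 1.2 (enveloped signature restricted to the Incident subtree by an XPath transform) followed by the verification step of 1.4, written against the Apache XML-Security 1.x API listed in section 4; it is not code from this package. It assumes the keystore parameters of section 2.4, a constructed minimal IODEF-like document in place of the generated IODEF-040 document, and that the class is run from the "iodef" project directory.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.transforms.params.XPathContainer;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignIncidentXPath {
    // Constructed stand-in for the IODEF-040 document the real test generates
    static final String DOC = "<IODEF-Document><Incident id=\"incident\"><EventData/></Incident><Other>unsigned</Other></IODEF-Document>";

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();   // must precede any xmlsec call
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);           // ds:Signature is namespaced; non-aware DOM breaks c14n
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(DOC.getBytes("UTF-8")));
        // Keystore parameters as listed in section 2.4 of this README
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("data/keystore/xmlsec/keystore2xmlsec.jks"), "iodefsecurity".toCharArray());
        PrivateKey key = (PrivateKey) ks.getKey("iodef04rsa", "iodefsecurity".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate("iodef04rsa");
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA);
        doc.getDocumentElement().appendChild(sig.getElement());  // enveloped: ds:Signature sits inside the signed document
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);  // exclude ds:Signature from the digest input
        XPathContainer xpath = new XPathContainer(doc);
        xpath.setXPathNamespaceContext("ds", Constants.SignatureSpecNS);
        // Option 3 of 1.2: keep only the Incident subtree; <Other> stays outside the signed node set
        xpath.setXPath("not(ancestor-or-self::ds:Signature) and (ancestor-or-self::node() = /IODEF-Document/Incident)");
        transforms.addTransform(Transforms.TRANSFORM_XPATH, xpath.getElementPlusReturns());
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        // URI="" references the whole document; the transforms above narrow it (SHA-1 as in this 2004-era package)
        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);
        sig.addKeyInfo(cert);
        sig.sign(key);
        // Verification as in TestIODEF10VerifySignature: locate ds:Signature and check with the embedded certificate.
        // A receiver must additionally validate that certificate against its own trust store before relying on the result.
        Element sigEl = (Element) doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        XMLSignature check = new XMLSignature(sigEl, "");
        X509Certificate embedded = check.getKeyInfo().getX509Certificate();
        System.out.println("signature valid: " + check.checkSignatureValue(embedded));
    }
}
```

Because the XPath filter excludes <Other>, editing that element after signing leaves the signature valid, which is exactly why a verifier must inspect what the reference actually covers and not just the boolean result.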
1.5. TestIODEF05Encryption.java - provides examples of encrypting the content of the document or of an element, and implements the procedure recommended by XMLEnc:
     (1) data are encrypted with an instantly generated symmetric key (dek - AES_128), and
     (2) this dek is encrypted with another shared symmetric key (kek) or with the recipient's public key (RSA, as recommended by XMLEnc),
     (3) the encrypted kek is included into the / element
     Available encryption options:
     1 - Create and encrypt doc (with the symmetric dek and kek)
     2 - Create and encrypt an element of the context doc (with the symmetric dek and kek)
     3 - Read and encrypt ext doc (with the symmetric dek and kek)
     4 - Create and encrypt doc (with the symmetric dek and asymmetric/PKI public kek)

1.6. TestIODEF12Decryption.java - decrypts the encrypted data for all of the above examples. For the examples with a symmetric kek, it uses the kek previously stored (in the encryption test) for each example. When using PKI kek transport, the receiver's (locally stored) private key is used for data decryption.

NOTE. All test classes have an interactive interface to select the available options. They are also structured so that application developers can re-use some methods in their own applications.
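The following is an added illustration of the three-step procedure from 1.5 (option 2: encrypt an element's content with a fresh AES-128 dek, wrap the dek under a shared symmetric kek, embed the EncryptedKey in the EncryptedData's KeyInfo) and of the matching receiver side from 1.6, using the Apache XML-Security XMLCipher API; it is not code from this package. It assumes a constructed minimal document and a kek generated in-process instead of one loaded from data/keystore/xmlsec/symkeystore.

```java
import java.io.ByteArrayInputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.utils.EncryptionConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class EncryptIncidentContent {
    // Constructed stand-in for the IODEF-040 document the real test generates
    static final String DOC = "<IODEF-Document><Incident id=\"incident\"><Contact>analyst@example.test</Contact></Incident></IODEF-Document>";

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(DOC.getBytes("UTF-8")));
        Element incident = (Element) doc.getElementsByTagName("Incident").item(0);
        // Shared kek for step (2); the real tests load it from data/keystore/xmlsec/symkeystore
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey kek = kg.generateKey();
        SecretKey dek = kg.generateKey();   // step (1): fresh per-message data encryption key (AES-128)
        // Step (2): wrap the dek under the kek, producing xenc:EncryptedKey.
        // Option 4 of 1.5 would use XMLCipher.RSA_v1dot5 with the recipient's public key here instead.
        XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.AES_128_KeyWrap);
        keyCipher.init(XMLCipher.WRAP_MODE, kek);
        EncryptedKey encKey = keyCipher.encryptKey(doc, dek);
        // Step (3): embed the EncryptedKey in the KeyInfo of the EncryptedData, then encrypt the element content
        XMLCipher dataCipher = XMLCipher.getInstance(XMLCipher.AES_128);
        dataCipher.init(XMLCipher.ENCRYPT_MODE, dek);
        EncryptedData encData = dataCipher.getEncryptedData();
        KeyInfo ki = new KeyInfo(doc);
        ki.add(encKey);
        encData.setKeyInfo(ki);
        dataCipher.doFinal(doc, incident, true);   // true = content only; the Incident element itself stays in clear
        // Receiver side as in TestIODEF12Decryption: locate xenc:EncryptedData, unwrap the dek with the stored kek, decrypt
        Element encEl = (Element) doc.getElementsByTagNameNS(EncryptionConstants.EncryptionSpecNS,
                EncryptionConstants._TAG_ENCRYPTEDDATA).item(0);
        XMLCipher dec = XMLCipher.getInstance();
        dec.init(XMLCipher.DECRYPT_MODE, null);    // null: the dek is recovered from the embedded EncryptedKey
        dec.setKEK(kek);
        dec.doFinal(doc, encEl);
        System.out.println("decrypted child: " + incident.getFirstChild().getNodeName());   // Contact
    }
}
```

The decryptor takes the data and key-wrap algorithms from the received document, so a receiver that accepts IODEF from outside should restrict which algorithms it is willing to honour rather than trusting the sender's choice.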
2. Installing and running examples

2.1. Directories and components
     iodef - project/startup directory where you have all working files and from which you will run your examples
     iodef/data - data required to run examples
     iodef/data/schemas - location of IODEF schemas
     iodef/data/keystore - directory where the keys used to sign documents are located. This directory also contains .BAT files to generate key pairs and X.509 public key certificates (e.g., genkey01iodef.bat)
     iodef/data/keystore/xmlsec/keystore2xmlsec.jks - keystore used in the current examples
     iodef/data/keystore/xmlsec/symkeystore - directory where the symmetric secret keys used to encrypt the data encryption key are located
     iodef/tests - location of the testxmldsig package for IODEF
     iodef/bin/testxmlsec - location of test classes

2.2. Installing the IODEF project into Eclipse
     The provided archive is actually an Eclipse project archive and contains all necessary components and structure to be used directly. Unzip the iodef-test01.zip archive into your Eclipse workspace, update the classpath and place the recommended files into the endorsed directory (see section 4. Required libraries). After Eclipse startup the IODEF project should appear in your working area automatically; otherwise you can add it via the File>New Project menu. You can run all test classes from Eclipse using its run and debug facility.

2.3. Installing and running standalone IODEF examples
     Unzip the iodef-test01.zip archive into your working area.
     NOTE. You need to take care of providing all necessary library class paths and paths to the org.aaauthreach supporting classes.
     Compile and run your examples from the project directory "iodef".
2.4. Generating keys for running examples
     The current test package is pre-configured to use the current Java keystore and has these parameters:
     keystoreType = "JKS";
     keystoreFile = "data/keystore/xmlsec/keystore2xmlsec.jks";
     keystorePass = "iodefsecurity";
     privateKeyAlias = "iodef04rsa";
     privateKeyPass = "iodefsecurity";
     certificateAlias = "iodef04rsa";
     These parameters are hardcoded into the supporting class ConfigSecurity.java of the org.aaauthreach.resources package. You can generate your own keys by configuring and running the genkey01iodef.bat file in the data/keystore directory.

3. Supporting libraries and classes

A few supporting classes are provided as components of the org.aaauthreach package. When running examples as standalone applications, you need to provide the path to the org.aaauthreach location.

4. Required external libraries

List of required libraries (also can be found in the .classpath file for the Eclipse project):
   Xalan v2.4+ - http://xml.apache.org/xalan-j/index.html
      xalan.jar
   Xerces2 v2.3+ - http://xml.apache.org/xerces2-j/index.html
      xercesSamples.jar
      xercesImpl.jar
   Special DOM3 components required for XMLSig
      dom3-xercesImpl-2.4.0.jar
      dom3-xml-apis-2.4.0.jar
   XML-security package v1.1.0 (from Apache)
      xmlsec.jar
      xmlsecSamples.jar
      bc-jce-jdk13-114.jar (originally - http://www.bouncycastle.org/download/jce-jdk13-114.jar)
   Logging facility required for XML-Security package
      log4j-1.2.8.jar
      commons-logging-1.0.3.jar
      commons-logging-api.jar
   Optionally for xss4j samples
      xss4j.jar
      are.jar
      xml4j.jar

For some reason it is recommended to put the following packages into the $j2sdk1.4.2-install-dir/jre/lib/endorsed/ directory: dom3-xercesImpl-2.4+.jar, dom3-xml-apis-2.4+.jar

NOTE. For your convenience all required libraries are provided in the iodef-test01-libs.zip archive. You need to place them in a convenient place and configure your system classpath correspondingly.
IMPORTANT: XML Encryption requires an extended set of cryptographic service providers not included in the standard JSDK distribution. These can be downloaded from http://www.bouncycastle.org/download/jce-jdk13-114.jar
This jar file is also included in iodef-test01-libs.zip

---------------
Comments/questions: demch@chello.nl