You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by ge...@apache.org on 2002/09/06 09:45:30 UTC
cvs commit: xml-security/doc/xml/sources LICENSE.txt api.xml docs-book.xml faq-common.xml faq.xml history.xml install.xml interop.xml loader.xml readme.xml resolvermania.xml resources.xml
geuerp 2002/09/06 00:45:30
Added: doc/xml/sources LICENSE.txt api.xml docs-book.xml
faq-common.xml faq.xml history.xml install.xml
interop.xml loader.xml readme.xml resolvermania.xml
resources.xml
Log:
new location
Revision Changes Path
1.1 xml-security/doc/xml/sources/LICENSE.txt
Index: LICENSE.txt
===================================================================
The Apache Software License, Version 1.1
Copyright (c) 1999 The Apache Software Foundation. All rights
reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
3. The end-user documentation included with the redistribution,
if any, must include the following acknowledgment:
"This product includes software developed by the
Apache Software Foundation (http://www.apache.org/)."
Alternately, this acknowledgment may appear in the software itself,
if and wherever such third-party acknowledgments normally appear.
4. The names "<WebSig>" and "Apache Software Foundation" must
not be used to endorse or promote products derived from this
software without prior written permission. For written
permission, please contact apache@apache.org.
5. Products derived from this software may not be called "Apache",
nor may "Apache" appear in their name, without prior written
permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
====================================================================
This software consists of voluntary contributions made by many
individuals on behalf of the Apache Software Foundation and was
originally based on software copyright (c) 2001, Institute for
Data Communications Systems, <http://www.nue.et-inf.uni-siegen.de/>.
The development of this software was partly funded by the European
Commission in the <WebSig> project in the ISIS Programme.
For more information on the Apache Software Foundation, please see
<http://www.apache.org/>.
1.1 xml-security/doc/xml/sources/api.xml
Index: api.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="API Documentation">
<s2 title="Javadoc Generated Documentation">
<p>&packagenamelong; comes packaged with API documentation.</p>
<p>This documentation is generated automatically from the Javadoc-style
comments inside the source files. Click on one of the links below to
go to the appropriate API documentation.</p>
</s2>
<s2 title="&packagename; API Documentation">
<ul>
<li><jump href="api/index.html">Full API documentation</jump></li>
<li><jump href="api/overview-tree.html">Hierarchy for all the packages</jump></li>
<li>If the above documentation is outdated, an always-fresh copy can be found
<jump href="http://nagoya.apache.org/gump/javadoc/xml-security/build/doc/html/api/index.html">here</jump></li>
</ul>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/docs-book.xml
Index: docs-book.xml
===================================================================
<?xml version="1.0"?>
<!DOCTYPE book SYSTEM "../style/dtd/book.dtd">
<book title="XML-Security Documentation"
copyright="2001 The Apache Software Foundation">
<resources source="sbk:/sources/resources.xml"/>
<external label="Home"
href="http://xml.apache.org/" />
<separator />
<document label="Readme"
id="index"
source="readme.xml" />
<faqs label='FAQs'
title='Frequently Asked Questions'
id='faqs'
source='faq.xml'>
</faqs>
<external label="Download"
href="http://xml.apache.org/security/dist/" />
<external label="Repository"
href="http://cvs.apache.org/viewcvs.cgi/xml-security/" />
<document label="Installation"
id="install"
source="install.xml" />
<document label="Resolver-Mania"
id="resolvermania"
source="resolvermania.xml" />
<document label="Interoperability"
id="interop"
source="interop.xml" />
<!--
<group label="FAQs"
id="faqs"
title="Frequently Asked Questions">
<entry id="faq-resolvers"
source="faq-resolvers.xml" />
</group>
-->
<separator />
<document label="API Docs"
id="api"
source="api.xml" />
<separator />
<document label="History"
id="history"
source="history.xml" />
<external label="Latest GUMP"
href="http://jakarta.apache.org/builds/gump/latest/xml-security.html" />
</book>
1.1 xml-security/doc/xml/sources/faq-common.xml
Index: faq-common.xml
===================================================================
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE faqs SYSTEM '../style/dtd/faqs.dtd'>
<faqs title='Common Problems FAQs'>
<faq title='Get some exception'>
<q>
When I run the samples, I get the following Exception. Why?
<code>java.lang.ClassCastException: org.apache.crimson.tree.XmlDocument</code>
</q>
<a>
<p>
You try to use Crimson as XML Parser. This library requires Xerces.
</p>
</a>
</faq>
</faqs>
1.1 xml-security/doc/xml/sources/faq.xml
Index: faq.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE faqs SYSTEM "../style/dtd/faqs.dtd">
<faqs title="Frequently asked questions">
<faq>
<q>Where's the archive for this list?</q>
<a>
<p>A very good question! Currently, <resource-ref
idref="mail-arch-gmane"/> is archiving the mailing list. This service
also makes the mailinglist reachable with a news reader.</p>
<p>If this service ever fails/stops, you can still use the ezmlm mailing
list controller to recieve previous messages by email. Send an empty
email to <human-resource-ref idref="mailhelp"/> for detailed information on
how to use this service </p>
</a>
</faq>
<faq>
<q>Where can I learn about XML?</q>
<a>
<p>There are plenty of resources on the web, just use any search
engine. You might start at <resource-ref idref="xmlfaq"/> or
<resource-ref idref="zvon"/>.</p>
</a>
</faq>
<faq>
<q>Where can I learn about XML Digital Signatures?</q>
<a>
<p>The best place to start is <resource-ref idref="xmldsig"/>. Links on
XML security in general can be found on <resource-ref
idref="christ-page"/>.</p>
</a>
</faq>
<faq>
<q>Where can I learn about XML Encryption?</q>
<a>
<p>The best place to start is <resource-ref idref="xmlenc"/>. Links on
XML security in general can be found on <resource-ref
idref="christ-page"/></p>
</a>
</faq>
<faq>
<q>Where can I learn about Cryptography in general?</q>
<a>
<p>A lot of resources exist on the web, including the 'green bible' for
cryptography: <resource-ref idref="hac"/>. The &hac; is completely
online and it should satisfy most of your cryptographic
hunger. Disadvantage of it is that it goes rather deep, so it isn't a
executive overview or a "Learn XYZ in 21 days"-book</p>
</a>
</faq>
<faq>
<q>I have a Java-(security/cryptography) problem. Can you help me?</q>
<a>
<p>Go to the <resource-ref idref="javaforum"/> of Sun. You can find
forums where you can ask questions like "How do I generate a
keypair", etc.</p>
</a>
</faq>
<faq>
<q>I have a Java-XML problem.</q>
<a>
<p>Go to the <resource-ref idref="javaforum"/> of Sun, section Java
Technology & XML and have a look at <resource-ref idref="xml4j-used"/>.</p>
</a>
</faq>
<faq>
<q>I'm using crimson</q>
<a>
<p>You shouldn't; some people had problems with it. Use
<resource-ref idref="xml4j-used"/> instead.</p>
</a>
</faq>
<faq>
<q>I'm using JDK1.4.0</q>
<a>
<p>After SUN released the
<jump href="http://java.sun.com/j2se/1.4/index.html">
Java (TM) 2 Platform Standard Edition v1.4.0
</jump>, the xml-security package stopped working. This is a
<jump href="http://developer.java.sun.com/developer/bugParade/bugs/4615582.html">
known
</jump> problem: SUN packaged a beta of Xalan into the JDK1.4.0, but
the xml-security package requires a stable version of Xalan (v2.2.0 or
later). To fix the problem, you have to put the xalan.jar into a
special directory in your JDK:
<code>j2sdk1.4.0/jre/lib/endorsed/xalan.jar</code>. If you installed an
out-of-the-box JDK1.4 (e.g. on Windows 2000), the "endorsed"
directory does not exist: you'll have to create it by hand.
<em>Putting this JAR to another location like lib/ext WILL NOT
WORK.</em>
</p>
<p>For more on that, you can also check the
<jump href="http://xml.apache.org/~edwingo/jaxp-faq.html#override">
Unofficial JAXP FAQ
</jump>.
</p>
</a>
</faq>
<faq>
<q>What's up with the Bouncy Castle CSP? / Where is my CSP?</q>
<a>
<p>There is <em>no</em> JCE bundled together with this distribution. This
is because the Apache Project is hosted in the US where some export
restrictions apply to the cryptographic primitives.
</p>
<p>The nice guys from the
<jump href="http://www.bouncycastle.org/">Legion of Bouncy
Castle</jump> where so helpful to supply the JAR that you need to
create HMAC integrity checks on their web site. When you use the ant
makefile <code>build.xml</code> and simply say <code>ant compile</code>
or <code>ant get-jce</code>, <code>ant</code> tries to fetch this JAR
from the australian server. After that step, the compilation works
completely.
</p>
<p>The ant make tools initiates an automated download of the BouncyCastle
JCE. The file is downloaded into the <code>libs/</code> directory and a
"bc-" is prepended to the filename. This is done because we
want the provider name (bc means BouncyCastle) being visible in the
JAR's filename. </p>
<p>More information can be found in the Installation section.</p>
</a>
</faq>
<faq>
<q>How do I enable/turn off logging?</q>
<a>
<p>2BDone</p>
</a>
</faq>
<faq>
<q>How do I use the package to generate and verify a signature?</q>
<a>
<p>Checkout the samples in
<code>src_samples/org/apache/xml/security/samples/signature/</code>.
</p>
<note>The samples divide into two groups: Samples that <em>create</em>
and samples that <em>verify</em> Signatures. Eventually, you should
adjust the verifying program to another filename if you get
<code>FileNotFoundException</code>s.</note>
</a>
</faq>
<faq>
<q>What is the meaning of BaseURI?</q>
<a>
<p>The String BaseURI is the systemID on which the Object will be stored
in the future. This is needed to resolve relative links in the
<code>Reference</code> elements which point to the filesystem or
something similar.
</p>
<p>Example: Imagine that you want to create a signature to store it on a web server as
<code>http://www.acme.com/signatures/sig1.xml</code>. So
<code>BaseURI="http://www.acme.com/sig1.xml"</code>. This
means that if you create a <code>Reference</code> with
<code>URI="../index.html"</code>, the library can easily use
it's HTTPResourceResolver to fetch
<code>http://www.acme.com/index.html</code> without that you have to
say <code>URI="http://www.acme.com/index.html"</code>.
</p>
</a>
</faq>
<faq>
<q></q>
<a>
<p></p>
</a>
</faq>
</faqs>
1.1 xml-security/doc/xml/sources/history.xml
Index: history.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="History of the project">
<s2 title="The <WebSig> project">
<p>In mid-1999, the <jump href="http://www.nue.et-inf.uni-siegen.de/">Institute for Data Communications Systems</jump> at the <jump href="http://www.uni-siegen.de/">University of Siegen</jump> in Germany looked for partners to participate in a European project for implementing the upcoming <jump href="http://www.w3.org/Signature/">XML Signature standard</jump>. We found our partners in the companies <jump href="http://www.expnet.gr/">Expertnet S.A.</jump> and <jump href="http://www.proodos.gr/">PROODOS S.A.</jump>, both from Athens, who were willing to use our XML Signature library in a first commercial project.</p>
<p>The project started in January 2000 and ended up in September 2001. 50% of the costs have been funded by the European Commission in the <jump href="http://www.ispo.cec.be/isis/99websig.htm">ISIS programme</jump>. Goal was to develop a JAVA library for creating and validating XML Signatures and to make the binaries of this software freely available.</p>
<p>In 9/2001, the Institute for Data Communications Systems decided to make the sources freely available, too, to promote the use of digital signatures and to give XML Signature a spin. The decision was made to give the complete library (including an implementation of "Canonical XML" and "XML Signature") under the hood of the Apache Software Foundation to ensure availablility of the source and to enable other people to use it under the Apache License.</p>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/install.xml
Index: install.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="Installation">
<s2 title="Using JDK 1.4.0">
<p>After SUN released the <jump href="http://java.sun.com/j2se/1.4/index.html">Java (TM) 2 Platform Standard Edition v1.4.0</jump>, the xml-security package stopped working. This is a <jump href="http://developer.java.sun.com/developer/bugParade/bugs/4615582.html">known</jump> problem: SUN packaged a beta of Xalan into the JDK 1.4.0, but the xml-security package requires a stable version of Xalan (v2.2.0 or later). To fix the problem, you have to put the xalan.jar into a special directory in your JDK: <code>j2sdk1.4.0/jre/lib/endorsed/xalan.jar</code> . If you installed an out-of-the-box JDK1.4 (e.g. on Windows 2000), the "endorsed" directory does not exist: you'll have to create it by hand. <em>Putting this JAR to another location like lib/ext WILL NOT WORK.</em></p>
<p>For more on that, you can also check the <jump href="http://xml.apache.org/~edwingo/jaxp-faq.html#override">Unofficial JAXP FAQ</jump>.</p>
</s2>
<s2 title="Prerequisite">
<p>Make sure you get the Jakarta Ant Tool from <jump href="http://jakarta.apache.org/ant/">http://jakarta.apache.org/ant/</jump>
</p>
</s2>
<s2 title="Getting the source">
<p>You can download the sources via WWW in the distribution directory under <jump href="http://xml.apache.org/security/dist/">http://xml.apache.org/security/dist/</jump>
</p>
<p>This project's CVS repository can be checked out through anonymous (pserver) CVS with the following instruction set. The module you wish to check out must be specified as the modulename. When prompted for a password for anonymous, simply enter "anoncvs" without quotes: </p>
<source>cvs -d :pserver:anoncvs@cvs.apache.org:/home/cvspublic login
password: anoncvs
cvs -d :pserver:anoncvs@cvs.apache.org:/home/cvspublic checkout xml-security</source>
<p>A HTTP interface to browse the sources online is available via <jump href="http://cvs.apache.org/viewcvs.cgi/xml-security/">http://cvs.apache.org/viewcvs.cgi/xml-security/</jump>
</p>
</s2>
<s2 title="Compiling the source">
<p>
At the command prompt type 'ant test'. If you want to
use jikes instead of your default java compiler locate the 'build.xml'
file and replace the line
</p>
<source><property name="build.compiler" value="classic"/></source>
<p>
with
</p>
<source><property name="build.compiler" value="jikes"/></source>
</s2>
<!-- <s2 title="Unpacking the files">
<p>&packagename; is packaged as a ZIP file for all
platforms and operating systems. You can run the Java
<ref>jar</ref> command to unpack the distribution.</p>
<ul>
<li>jar xf &packagename;-bin.&packageversion;.zip</li>
<li>jar xf &packagename;-src.&packageversion;.zip</li>
<li>This command creates a "&packagedirectory;" sub-directory in the current directory containing all the files.</li>
</ul>
</s2>
<s2 title="Files in the binary package release">
<table>
<tr><td>LICENSE</td><td>License for &packagename;</td></tr>
<tr><td>Readme.html</td><td>Web page redirect to docs/html/index.html</td></tr>
<tr><td>xerces.jar</td><td>Jar file containing all the parser class files</td></tr>
<tr><td>xercesSamples.jar</td><td>Jar file containing all sample class files</td></tr>
<tr><td>data/</td><td>Directory containing sample XML data files</td></tr>
<tr><td>doc/html/</td><td>Directory containing documentation</td></tr>
<tr><td>doc/html/api/</td><td>Directory containing Javadoc API</td></tr>
</table>
<note>To use &packagename; you do not need the source files.</note>
</s2>
-->
<s2 title="Testing the distibution">
<p>The first way to ensure that everything is in place is to run the unit tests. This is simply done by typing <code>ant test</code>. This starts the included JUnit test cases. Actually, we do not have complete test coverage, but as a first start, it works.</p>
</s2>
<s2 title="Playing around with the examples">
<p>To see how the distribution works, simply run <code>ant mega-sample</code> to let ant execute several examples from the <code>src_samples/</code> directory. </p>
</s2>
<s2 title="Files in the source package release">
<table>
<tr>
<td>build.xml</td>
<td>Top level <jump href="http://jakarta.apache.org/ant/index.html">Ant</jump> Makefile -- read README file before building</td>
</tr>
<tr>
<td>LICENSE.txt</td>
<td>License for the software</td>
</tr>
<tr>
<td>README</td>
<td>Build instructions</td>
</tr>
<tr>
<td>Readme.html</td>
<td>Web page redirect required for building documentation</td>
</tr>
<tr>
<td>STATUS</td>
<td>Current source code status information</td>
</tr>
<tr>
<td>data/</td>
<td>Directory containing sample data files and test vectors for the unit tests</td>
</tr>
<tr>
<td>doc/xml/</td>
<td>Directory containing documentation, in XML form</td>
</tr>
<tr>
<td>src/</td>
<td>Directory containing source code for the core library</td>
</tr>
<tr>
<td>src_samples/</td>
<td>Directory containing source code for samples</td>
</tr>
<tr>
<td>src_unitTests/</td>
<td>Directory containing source code for unit tests</td>
</tr>
</table>
</s2>
<s2 title="Where is my JCE?">
<p>There is <em>no</em> JCE bundled together with this distribution. Living in Germany, I had no problem to include the JCE in this software package but then I realized that the Apache Project is hosted in the US where some export restrictions apply to the cryptographic primitives. </p>
<p>Well, how do we solve this problem? The nice guys from the <jump href="http://www.bouncycastle.org/">Bouncy Castle</jump> where so helpful to supply the JAR that you need to create HMAC integrity checks on their web site. When you use the ant makefile <code>build.xml</code> and simply say <code>ant compile</code> or <code>ant get-jce</code>, <code>ant</code> tries to fetch this JAR from the australian server. After that step, the compilation works completely. </p>
<p/>
<p>The ant make tools initiates an automated download of the BouncyCastle JCE. The file is downloaded into the libs/ directory and a "bc-" is prepended to the filename. This is done because we want the provider name (bc means BouncyCastle) being visible in the JAR's filename. </p>
<p/>
<p>If you are a little paranoid like all security people and don't want ant to make automated downloads or your firewall doesn't permit it (preventing programs "phoning home"), look in the ./build.xml file for the properties called</p>
<p/>
<source><![CDATA[<property
name="jce.download.file"
value="@@jce.download.file@@" />
<property
name="jce.download"
value="http://www.bouncycastle.org/download/${jce.download.file}" />
<property
name="lib.jce"
value="${libs}/bc-${jce.download.file}" />
]]></source>
<p>Here you can see that the file <code>
<jump href="@@jce.download@@">@@jce.download@@</jump>
</code> is downloaded and stored in the location <code>@@lib.jce@@</code>
</p>
<p>If you do this by hand (pointing you favourite web browser and download it yourself), simply put a "<code>bc-</code>" in front of the filename and put it to <code>./libs/</code>, then ant won't try to make a download.</p>
</s2>
<s2 title="Using JDK 1.4.0">
<p>After SUN released the <jump href="http://java.sun.com/j2se/1.4/index.html">Java (TM) 2 Platform Standard Edition v1.4.0</jump>, the xml-security package stopped working. This is a <jump href="http://developer.java.sun.com/developer/bugParade/bugs/4615582.html">known</jump> problem: SUN packaged a beta of Xalan into the JDK 1.4.0, but the xml-security package requires a stable version of Xalan (v2.2.0 or later). To fix the problem, you have to put the xalan.jar into a special directory in your JDK: <code>j2sdk1.4.0/jre/lib/endorsed/xalan.jar</code> . If you installed an out-of-the-box JDK1.4 (e.g. on Windows 2000), the "endorsed" directory does not exist: you'll have to create it by hand. <em>Putting this JAR to another location like lib/ext WILL NOT WORK.</em></p>
<p>For more on that, you can also check the <jump href="http://xml.apache.org/~edwingo/jaxp-faq.html#override">Unofficial JAXP FAQ</jump>.</p>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/interop.xml
Index: interop.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<!-- <jump href=""></jump> -->
<s1 title="Interoperability">
<s2 title="Problems">
<p>In Version v1.0.4, there is one test case which fails (interop test for exclusive c14n). This is related to very esoteric node sets (The Y4 test vector from <jump href="http://www.w3.org/Signature/2002/02/01-exc-c14n-interop.html">the interop matrix</jump>). </p>
</s2>
<s2 title="Interoperability issues">
<p>As it can be seen on the <jump href="http://www.w3.org/Signature/">working group homepage</jump>, there are some interoperability reports, namely for <jump href="http://www.w3.org/Signature/2000/10/10-c14n-interop.html">Canonical XML</jump>, <jump href="http://www.w3.org/Signature/2002/02/01-exc-c14n-interop.html">Exclusive Canonical XML</jump> and <jump href="http://www.w3.org/TR/xmldsig-core/2001/04/05-xmldsig-interop.html">XML Signature</jump>.</p>
<p>Interoperability depends heavily on test vectors, this means that implementation A has to check whether the signatures from implementation B can be verified. For this purpose, we have a collection of different test vectors in our <code>data/</code> directory. The directory includes test vectors from</p>
<ul>
<li><jump href="http://www.baltimore.com/keytools/xml/index.html">Baltimore KeyTools XML</jump></li>
<li><jump href="http://jcewww.iaik.at/products/ixsil/index.php">IAIK IXSIL</jump></li>
<li><jump href="http://www.rsasecurity.com/products/bsafe/certj.html">RSA Security Cert-J</jump></li>
<li>The vectors from the <jump href="http://www.alphaworks.ibm.com/tech/xmlsecuritysuite">IBM alphaWorks XML Security suite</jump> could not been included in this distribution because of licensing issues. For some reasons which I do not understand, they copyrighted their test signatures which they have bundled with xss4j. If you want to include interop testing against IBM in your unit tests, simply do the following: Download <code>xss4j-20011029.zip</code> from the <jump href="http://www.alphaworks.ibm.com/aw.nsf/download/xmlsecuritysuite">alphaWorks download page</jump>. Copy all files from the <code>xss4j-20011029.zip#/xss4j/data</code> directory into the <code>xml-security/data/com/ibm/xss4j-20011029/</code> directory. If the <jump href="api/org/apache/xml/security/test/InteropTest.html">Interop</jump> class finds these files, the <code>org.apache.xml.security.test.interop.IBMTest</code> class is also executed during unit interop tests. </li>
</ul>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/loader.xml
Index: loader.xml
===================================================================
<?xml version="1.0"?>
<!-- CVS $Revision: 1.1 $ $Date: 2002/09/06 07:45:30 $ -->
<loader>
<processor name="xslt">
<parameter name="stylesheet" value="sbk:/style/stylesheets/book2project.xsl"/>
</processor>
</loader>
1.1 xml-security/doc/xml/sources/readme.xml
Index: readme.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="Readme">
<s2 title="News">
<p>Version 1.0.4 released on 15. July 2002; minor improvements. The most significant is that people who did not install Xalan properly under JDK 1.4.0 get a more specific error message. It uses the most recent version of the BouncyCastle JCE now. </p>
<p>Version 1.0.3 now supports new W3C specs:</p>
<ul>
<li><jump href="http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/">Exclusive XML Canonicalization Version 1.0, W3C Recommendation 18 July 2002</jump>. (There is no interop to test vector <jump href="http://www.w3.org/Signature/2002/02/01-exc-c14n-interop.html">Y4</jump> because of a problem in Xalan)</li>
<li><jump href="http://www.w3.org/TR/2002/CR-xmldsig-filter2-20020718/">XML-Signature XPath Filter 2.0, W3C Candidate Recommendation 18 July 2002 </jump></li>
</ul>
<p>Canonicalization is written completely new: it's about 5-80 times faster than the implementation in version 1.0.2. It's highly recommended to upgrade to the new version. </p>
</s2>
<s2 title="JDK 1.4 issues">
<p>If you use JDK 1.4 and want to use this software, be sure that Xalan is properly installed. Check the bottom of the <jump href="install.html">installation guide</jump>!!!</p>
<p>I have so many complaints from people who argue that the software throws exceptions during running the examples or during unit testing. This package NEEDS a Xalan version after 2.2D13 (and SUN shipped his JDK 1.4.0 final with a Xalan beta!). I started integrating the installation guide into the exception messages cause it seems that people don't have a look at the installation guide. </p>
</s2>
<s2 title="XML Security Release">
<p>The &packagenamelong; &packageversion; supports the <jump href="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/">XML-Signature Syntax and Processing</jump> recommendation.</p>
<p>Note that there is no standard API avaliable at the moment. SUN is working on a JAVA Specification Request <jump href="http://jcp.org/jsr/detail/105.jsp">JSR-105: XML Digital Signature APIs</jump> on an API for XML Signature and <jump href="http://jcp.org/jsr/detail/106.jsp">JSR-106: XML Digital Encryption APIs</jump>, but until now, nothing has been published. So, this software does <em>not</em> conform to any of these specifications.</p>
</s2>
<s2 title="License Information">
<p>The XML Security package is available in both source code and precompiled binary (JAR files) form. Both packages are made available under the <jump href='LICENSE.txt'>Apache Software License</jump>.</p>
</s2>
<s2 title="Download">
<p>You can download the source and binary packages in the <jump href='http://xml.apache.org/security/dist/'>dist</jump> directory.</p>
</s2>
<s2 title="Sample programs">
<p>This software can be used to create and verify arbitrary forms of XML Signatures. The documentation available here is not very huge; my first approach is to supply usage examples which are available in the <code>src_samples/</code> directory to give interested users a first starting point to jump-start with XML Signature. NOTE: The samples divide into two groups: Samples that <em>create</em> and samples that <em>verify</em> Signatures. Eventually, you should adjust the verifying program to another filename if you get <code>FileNotFoundException</code>s.</p>
</s2>
<s2 title="Mailing lists">
<p>There exists a mailing list which you can subscribe to ask questions:</p>
<p>The <jump href="http://xml.apache.org/mail.html">ezmlm mailing list controller</jump> accepts commands by sending emails to it, generally like the following:</p>
<ul>
<li><jump href="mailto:security-dev-subscribe@xml.apache.org">security-dev-subscribe</jump> to subscribe your current email address to the list</li>
<li><jump href="mailto:security-dev-unsubscribe@xml.apache.org">security-dev-unsubscribe</jump> to <em>un</em>subscribe your *current* email address from the list</li>
<li><jump href="mailto:security-dev-help@xml.apache.org">security-dev-help</jump> to get Help on mailing list commands</li>
</ul>
<p>An archive of this list is kept under <jump href="http://news.gmane.org/thread.php?group=gmane.text.xml.security.devel">http://news.gmane.org/thread.php?group=gmane.text.xml.security.devel</jump></p>
</s2>
<s2 title="Contact information">
<p>For comments about the software please send them to the author <code><jump href="mailto:geuer-pollmann@nue.et-inf.uni-siegen.de">geuer-pollmann@nue.et-inf.uni-siegen.de</jump></code></p>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/resolvermania.xml
Index: resolvermania.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="Resolver-Mania">
<s2 title="Why do we need all these resolvers">
<p>For security and comfort reasons. In the XML Security package, there exist many kinds of Resolvers for different purposes. Resolvers in this package do the same job as an EntityResolver in the SAX package: retrieve information from the apropriate location and give it to the parser/software who needs it. The reason for offering these different Resolvers is that it should be under complete control of the application which connections to the network are made. In the security area, it wouldn't be a good idea to imediately fetch some documents from the web or make other connections only because you want to verify a Signature. This resolver framework gives the application developer the ability to have total control about the interface from the library to the rest of the world. </p>
</s2>
<s2 title="Types of resolvers">
<s3 title="ResourceResolvers">
<p>A <jump href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">ResourceResolver</jump> is used by a <jump href="api/org/apache/xml/security/signature/Reference.html">Reference</jump> to retrieve the signed resource from it's location. Different resolvers exist to get signed portions from the XML document in which the signature resides, to make HTTP connections or to fetch files from the local file system. <br />
The concept of a <jump href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">ResourceResolver</jump> is very similar to an org.xml.sax.EntityResolver, but in contrast to that Interface, the ResourceResolver is able to de-reference contents <em>inside</em> an XML document.
</p>
</s3>
<s3 title="StorageResolver">
<p>A <jump href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump> is used by <jump href="api/org/apache/xml/security/keys/KeyInfo.html">KeyInfo</jump> and it's child objects / Elements to retrieve Certificates from storage locations. This approach is used to allow a user to customize the library for use in a specific corporate environment. It's possible to write <jump href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump>s who make requests to LDAP servers or to use specificic PKI interfaces. <br/>
Bundled with the software come three sample <jump href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump>s which can be used for common tasks:</p>
<ul>
<li>The <jump href="api/org/apache/xml/security/keys/storage/implementations/KeyStoreResolver.html">KeyStoreResolver</jump> is able to retrieve Certificates from a JAVA KeyStore object. This <jump href="api/org/apache/xml/security/keys/storage/implementations/KeyStoreResolver.html">KeyStoreResolver</jump> is constructed from an open JAVA KeyStore.</li>
<li>The <jump href="api/org/apache/xml/security/keys/storage/implementations/SingleCertificateResolver.html">SingleCertificateResolver</jump> resolves only to a single Certificate. The <jump href="api/org/apache/xml/security/keys/storage/implementations/SingleCertificateResolver.html">SingleCertificateResolver</jump> is constructed using this single Certificate. </li>
<li>The <jump href="api/org/apache/xml/security/keys/storage/implementations/CertsInFilesystemDirectoryResolver.html">CertsInFilesystemDirectoryResolver</jump> is useful for resolving to raw X.509 certificates which reside as separate files in a directory in the filesystem. Such a resolver is needed for verifying the test signatures from Merlin Huges which are bundled in a directory.</li>
</ul>
<p><jump href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump>s are supplied to the KeyInfo's addStorageResolver() method.</p>
<p>Generally, a <jump href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump> has only a method to return an Iterator which iterates through the available Certificates.</p>
</s3>
<s3 title="KeyResolver">
<p>A <jump href="api/org/apache/xml/security/keys/keyresolver/KeyResolver.html">KeyResolver</jump> is used by <jump href="api/org/apache/xml/security/keys/KeyInfo.html">KeyInfo</jump> to process it's child Elements. There exist two general classes of a <jump href="api/org/apache/xml/security/keys/keyresolver/KeyResolver.html">KeyResolver</jump>:</p>
<ul>
<li>If a ds:RSAKeyValue or ds:DSAKeyValue or ds:X509Certificate is used inside the ds:KeyInfo, the resolvers can return a public key or Certificate directly without further action, because the key itself is contained inside the ds:Signature</li>
<li>If there is only key material identification information like a ds:KeyName or the serial number of the Certificate, the KeyResolver must use the StorageResolvers to query the available keys and certificates to find the correct one.</li>
</ul>
<p>Of course, there are cross-dependencies: e.g. a KeyResolver named <jump href="api/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.html">RetrievalMethodResolver</jump> uses the <jump href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">ResourceResolver</jump> framework to retrieve a public key or certificate from an arbitrary location.</p>
</s3>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/resources.xml
Index: resources.xml
===================================================================
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE resources [
<!ENTITY % externalEntity SYSTEM "./entities.ent">
%externalEntity;
<!ELEMENT resources (resource|human-resource)+>
<!ELEMENT resource EMPTY>
<!ATTLIST resource
id CDATA #IMPLIED
title CDATA #IMPLIED
location CDATA #IMPLIED>
<!ELEMENT human-resource EMPTY>
<!ATTLIST human-resource
id CDATA #IMPLIED
name CDATA #IMPLIED
mailto CDATA #IMPLIED>
]>
<resources>
<resource id="mail-arch-gmane" title="Gmane" location="http://www.gmane.org/"/>
<resource id="xmldsig" title="&xmldsig;" location="http://www.w3c.org/Signature"/>
<resource id="xmlenc" title="&xmlenc;" location="http://www.w3c.org/Encryption"/>
<resource id="hac" title="&hac;" location="http://www.cacr.math.uwaterloo.ca/hac/"/>
<resource id="bouncy" title="Bouncy Castle Crypto API" location="http://www.bouncycastle.org/"/>
<human-resource id="mailhelp" name="security-dev-help@xml.apache.org" mailto="security-dev-help@xml.apache.org"/>
<resource id="zvon" title="http://www.zvon.org/" location="http://www.zvon.org/"/>
<resource id="xmlfaq" title="The XML FAQ" location="http://www.ucc.ie/xml/"/>
<resource id="christ-page" title="the XML Security Page" location="http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/xml_security.html"/>
<resource id="javaforum" title="Java Technology Forums" location="http://forum.java.sun.com/"/>
<resource id="xslt4j-current"
title="&xslt4j-current;"
location="http://xml.apache.org/xalan-j"/>
<resource id="xslt4j-distdir"
title="xalan-j distribution directory"
location="&xslt4j-distdir;"/>
<resource id="xslt4j-distdir-previous"
title="xalan-j previously posted builds directory"
location="&xslt4j-distdir;old"/>
<resource id="xslt4j-dist-zip"
title="&xslt4j-dist;.zip"
location="&xslt4j-distdir;&xslt4j-dist;.zip"/>
<resource id="xslt4j-dist-targz"
title="&xslt4j-dist;.tar.gz"
location="&xslt4j-distdir;&xslt4j-dist;.tar.gz"/>
<resource id="xslt4j-dist-bin-zip"
title="&xslt4j-dist-bin;.zip"
location="&xslt4j-distdir;&xslt4j-dist-bin;.zip"/>
<resource id="xslt4j-dist-bin-targz"
title="&xslt4j-dist-bin;.tar.gz"
location="&xslt4j-distdir;&xslt4j-dist-bin;.tar.gz"/>
<resource id="xslt4j-dist-src-zip"
title="&xslt4j-dist-src;.zip"
location="&xslt4j-distdir;&xslt4j-dist-src;.zip"/>
<resource id="xslt4j-dist-src-targz"
title="&xslt4j-dist-src;.tar.gz"
location="&xslt4j-distdir;&xslt4j-dist-src;.tar.gz"/>
<resource id="xml4j-current"
title="&xml4j;"
location="http://xml.apache.org/xerces-j/index.html"/>
<resource id="xml4j-used"
title="&xml4j-used;"
location="http://xml.apache.org/xerces-j/index.html"/>
<resource id="xml4j-distdir"
title="xerces-j distribution directory"
location="http://xml.apache.org/dist/xerces-j/"/>
<resource id="ant" title="Ant"
location="http://jakarta.apache.org/ant/index.html"/>
<resource id="ApacheLicense"
title="The Apache Software License, Version 1.1"
location="http://xml.apache.org/dist/LICENSE.txt"/>
<resource id="bugzilla"
title="Bugzilla (the Apache bug database)"
location="http://nagoya.apache.org/bugzilla"/>
<resource id="buglist"
title="XalanJ2 open bugs"
location="http://nagoya.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=&emailtype1=substring&emailassigned_to1=1&email2=&emailtype2=substring&emailreporter2=1&bugidtype=include&bug_id=&changedin=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&product=XalanJ2&short_desc=&short_desc_type=substring&long_desc=&long_desc_type=substring&bug_file_loc=&bug_file_loc_type=substring&keywords=&keywords_type=anywords&field0-0-0=noop&type0-0-0=noop&value0-0-0=&cmdtype=doit&order=%27Importance%27"/>
<resource id="bsf"
title="Bean Scripting Framework (BSF)"
location="http://oss.software.ibm.com/developerworks/projects/bsf"/>
<resource id="Readme"
title="Xalan Repository Release Notes"
location="http://www.apache.org/websrc/cvsweb.cgi/xml-xalan/README"/>
<resource id="dpawsonxslfaq" title="XSL Frequently Asked Questions" location="http://www.dpawson.co.uk/xsl/xslfaq.html"/>
<resource id="xsl"
title="Extensible Stylesheet Language (XSL) Version 1.0"
location="http://www.w3.org/TR/xsl"/>
<resource id="xslt"
title="XSL Transformations (XSLT) Version 1.0"
location="http://www.w3.org/TR/xslt"/>
<resource id="xpath"
title="XML Path Language (XPath) Version 1.0"
location="http://www.w3.org/TR/xpath"/>
<resource id="dom"
title="DOM"
location="http://www.w3.org/DOM"/>
<resource id="dom2"
title="DOM level 2"
location="http://www.w3.org/TR/DOM-Level-2/"/>
<resource id="sax"
title="SAX"
location="http://www.megginson.com/SAX/sax.html"/>
<resource id="sax2"
title="SAX 2"
location="http://www.megginson.com/SAX/Java/index.html"/>
<resource id="jaxp"
title="Java API for XML Parsing 1.0"
location="http://java.sun.com/xml/docs/api/index.html"/>
<resource id="jaxp11"
title="Java API for XML Processing 1.1 Public Review 2"
location="http://java.sun.com/aboutJava/communityprocess/review/jsr063/jaxp-pd2.pdf"/>
<resource id="jsr063"
title="Java Specification Request 63"
location="http://java.sun.com/aboutJava/communityprocess/review/jsr063"/>
<resource id="xmlapirepository"
title="xml-commons/java/external/src"
location="http://cvs.apache.org/viewcvs.cgi/xml-commons/java/external/src/"/>
<human-resource id="xalandev"
name="Xalan Development Mailing List"
mailto="xalan-dev@xml.apache.org"/>
<human-resource id="sboag"
name="Scott Boag"
mailto="scott_boag@us.ibm.com"/>
<human-resource id="scurcuru"
name="Shane Curcuru"
mailto="Shane_Curcuru@us.ibm.com"/>
<human-resource id="pdick"
name="Paul Dick"
mailto="Paul_Dick@us.ibm.com"/>
<human-resource id="jkesselman"
name="Joseph Kesselman"
mailto="keshlam@us.ibm.com"/>
<human-resource id="dleslie"
name="Donald Leslie"
mailto="donald_leslie@us.ibm.com"/>
<human-resource id="cmanolache"
name="Costin Manolache"
mailto="cmanolache@yahoo.com"/>
<human-resource id="dmarston"
name="David Marston"
mailto="David_Marston@us.ibm.com"/>
<human-resource id="mmidy"
name="Myriam Midy"
mailto="myriam_midy@us.ibm.com"/>
<human-resource id="gpeskin"
name="Gary L Peskin"
mailto="garyp@firstech.com"/>
<human-resource id="jgentilin"
name="John Gentilin"
mailto="johng@apache.org"/>
</resources>