Service Providers

The IBMXMLCRYPTO provider (com.ibm.xml.crypto.IBMXMLCryptoProvider) is the default provider of JSR 105 services.

A JSR 105 cryptographic service is a concrete implementation of the abstract XMLSignatureFactory and KeyInfoFactory classes and is responsible for creating objects and algorithms that parse, generate and validate XML Signatures and KeyInfo structures. A concrete implementation of XMLSignatureFactory MUST provide support for each of the REQUIRED algorithms as specified by the W3C recommendation for XML Signatures. It MAY support other algorithms as defined by the W3C recommendation or other specifications.

JSR 105 leverages the JCA provider model for registering and loading XMLSignatureFactory and KeyInfoFactory implementations.

Each concrete XMLSignatureFactory and KeyInfoFactory implementation supports a specific XML mechanism type that identifies the XML processing mechanism that an implementation uses internally to parse and generate XML signature and KeyInfo structures. This JSR supports one standard type: DOM. Support for new standard types (such as JDOM) MAY be added in the future.

A JSR 105 implementation SHOULD use underlying JCE engine classes, such as java.security.Signature and java.security.MessageDigest, to perform cryptographic operations.

In addition to the XMLSignatureFactory and KeyInfoFactory classes, JSR 105 supports a service provider interface for transform and canonicalization algorithms. The TransformService class allows you to develop and plug in an implementation of a specific transform or canonicalization algorithm for a particular XML mechanism type. The TransformService class uses the standard JCA provider model for registering and loading implementations. Each JSR 105 implementation SHOULD use the TransformService class to find a provider that supports transform and canonicalization algorithms in XML Signatures that it is generating or validating.

Start of changes for service refresh 8 fix pack 20

You can use an XML Signature to sign any arbitrary data, whether it is XML or binary. You can enable XML Signature secure validation mode to process XML Signatures with stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy security property. XML Signature secure validation mode is enabled by default when you run your application with a security manager. You can also enable XML Signature secure validation mode by setting the org.jcp.xml.dsig.secureValidation property to TRUE with the javax.xml.crypto.XMLCryptoContext.setProperty() method. Set this property to TRUE before validating an XML Signature. To set this system property in an application, use the javax.xml.crypto.dsig.dom.DOMValidateContext.setProperty method:

DOMValidateContext context = new DOMValidateContext(key, element);
context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

End of changes for service refresh 8 fix pack 20

The IBMXMLCRYPTORI provider (org.jcp.xml.dsig.internal.dom.XMLDSigRI) is a port of the Oracle XMLDSig provider and is referred to in this documentation as the JSR 105 Reference Implementation provider. The JSR 105 Reference Implementation provider is not in the provider list by default. To install the provider statically, add the provider to the Java™ security properties file ($JAVA_HOME/jre/lib/security/java.security). This file defines which providers an application has access to and the order in which the algorithms that an application requests are searched. To add the JSR 105 Reference Implementation provider, add the following line to the list of providers:

security.provider.?=org.jcp.xml.dsig.internal.dom.XMLDSigRI

Substitute the ? with a number for the sequence that you want the provider in the list.