Service Providers
The XMLDSigRI security provider (org.jcp.xml.dsig.internal.dom.XMLDSigRI) is the default provider for JSR 105 services. The IBMXMLCryptoProvider security provider (com.ibm.xml.crypto.IBMXMLCryptoProvider), which was previously the default, is deprecated.
A JSR 105 cryptographic service is a concrete implementation of the abstract XMLSignatureFactory and KeyInfoFactory classes and is responsible for creating objects and algorithms that parse, generate and validate XML Signatures and KeyInfo structures. A concrete implementation of XMLSignatureFactory MUST provide support for each of the REQUIRED algorithms as specified by the W3C recommendation for XML Signatures. It MAY support other algorithms as defined by the W3C recommendation or other specifications.
JSR 105 uses the JCA provider model for registering and loading XMLSignatureFactory and KeyInfoFactory implementations.
Each concrete XMLSignatureFactory and KeyInfoFactory implementation supports a specific XML mechanism type that identifies the XML processing mechanism that an implementation uses internally to parse and generate XML signature and KeyInfo structures. This JSR supports one standard type: DOM. Support for new standard types (such as JDOM) MAY be added in the future.
A JSR 105 implementation SHOULD use underlying JCE engine classes, such as java.security.Signature and java.security.MessageDigest, to perform cryptographic operations.
In addition to the XMLSignatureFactory and KeyInfoFactory classes, JSR 105 supports a service provider interface for transform and canonicalization algorithms. You can use the TransformService class to develop and plug in an implementation of a specific transform or canonicalization algorithm for a particular XML mechanism type. The TransformService class uses the standard JCA provider model for registering and loading implementations. Each JSR 105 implementation SHOULD use the TransformService class to find a provider that supports transform and canonicalization algorithms in XML Signatures that it is generating or validating.
The XMLDSigRI provider is a port of the Oracle XMLDSig provider. It is referred to here as the XMLDSig Reference Implementation provider (XMLDSigRI). This XMLDSigRI provider is initialized by default and it is added to the security providers list in the java.security file, as shown in the following example. The IBMXMLCryptoProvider provider, which is deprecated, is deleted from this list.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=sun.security.provider.Sun
In service refresh 8 fix pack 45, the XMLDSigRI provider was replaced with the Oracle XMLDSig provider version that included support for the Edwards-curve Digital Signature Algorithm (EdDSA) with Ed448 and Ed25519 elliptic curves.
XML Signature secure validation mode is turned on by default for both the XMLDSigRI and IBMXMLCryptoProvider providers. XML Signature secure validation mode enables stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy security property within the java.security file.
When XML Signature secure validation mode is turned on, limits are set on various XML signature constructs. By default, the mode enforces the following restrictions:

- Forbids the use of XSLT transforms
- Forbids the use of MD5 signatures or MD5 MAC algorithms
- Restricts the number of Reference transforms to 5 or less
- Restricts the number of SignedInfo or Manifest Reference elements to 30 or less
- Forbids Reference URIs of type http, https, or file
- Forbids RSA or DSA keys less than 1024 bits
- Forbids EC keys less than 224 bits
- Ensures that Reference IDs are unique to help prevent signature wrapping attacks
- Forbids a RetrievalMethod element from referencing another RetrievalMethod element

The IBMXMLCryptoProvider provider is an older, deprecated provider implementation that cannot support XML Signature secure validation mode. Because XML Signature secure validation mode is automatically turned on, if you are using the IBMXMLCryptoProvider provider, you must turn off the mode. To turn off the mode, set the property org.jcp.xml.dsig.secureValidation to Boolean.FALSE by using the method javax.xml.crypto.dsig.dom.DOMValidateContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE).
Check to ensure that XML Signature secure validation mode was actually turned off by calling the getProperty() method:

// validateContext is your javax.xml.crypto.dsig.dom.DOMValidateContext instance (name is illustrative)
Object value = validateContext.getProperty("org.jcp.xml.dsig.secureValidation");

To disable XML Signature secure validation mode, set the system property org.jcp.xml.dsig.secureValidation to false with the DOMValidateContext.setProperty() method.