geuerp 2002/09/06 00:45:30
Added: doc/xml/sources LICENSE.txt api.xml docs-book.xml
faq-common.xml faq.xml history.xml install.xml
interop.xml loader.xml readme.xml resolvermania.xml
resources.xml
Log:
new location
Revision Changes Path
1.1 xml-security/doc/xml/sources/LICENSE.txt
Index: LICENSE.txt
===================================================================
The Apache Software License, Version 1.1
Copyright (c) 1999 The Apache Software Foundation. All rights
reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
3. The end-user documentation included with the redistribution,
if any, must include the following acknowledgment:
"This product includes software developed by the
Apache Software Foundation (http://www.apache.org/)."
Alternately, this acknowledgment may appear in the software itself,
if and wherever such third-party acknowledgments normally appear.
4. The names "<WebSig>" and "Apache Software Foundation" must
not be used to endorse or promote products derived from this
software without prior written permission. For written
permission, please contact [EMAIL PROTECTED]
5. Products derived from this software may not be called "Apache",
nor may "Apache" appear in their name, without prior written
permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
====================================================================
This software consists of voluntary contributions made by many
individuals on behalf of the Apache Software Foundation and was
originally based on software copyright (c) 2001, Institute for
Data Communications Systems, <http://www.nue.et-inf.uni-siegen.de/>.
The development of this software was partly funded by the European
Commission in the <WebSig> project in the ISIS Programme.
For more information on the Apache Software Foundation, please see
<http://www.apache.org/>.
1.1 xml-security/doc/xml/sources/api.xml
Index: api.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="API Documentation">
<s2 title="Javadoc Generated Documentation">
<p>&packagenamelong; comes packaged with API documentation.</p>
<p>This documentation is generated automatically from the
Javadoc-style
comments inside the source files. Click on one of the links below to
go to the appropriate API documentation.</p>
</s2>
<s2 title="&packagename; API Documentation">
<ul>
<li><jump href="api/index.html">Full API documentation</jump></li>
<li><jump href="api/overview-tree.html">Hierarchy for all the
packages</jump></li>
<li>If the above documentation is outdated, an always-fresh copy
can be found
<jump
href="http://nagoya.apache.org/gump/javadoc/xml-security/build/doc/html/api/index.html";>here</jump></li>
</ul>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/docs-book.xml
Index: docs-book.xml
===================================================================
<?xml version="1.0"?>
<!DOCTYPE book SYSTEM "../style/dtd/book.dtd">
<book title="XML-Security Documentation"
copyright="2001 The Apache Software Foundation">
<resources source="sbk:/sources/resources.xml"/>
<external label="Home"
href="http://xml.apache.org/"; />
<separator />
<document label="Readme"
id="index"
source="readme.xml" />
<faqs label='FAQs'
title='Frequently Asked Questions'
id='faqs'
source='faq.xml'>
</faqs>
<external label="Download"
href="http://xml.apache.org/security/dist/"; />
<external label="Repository"
href="http://cvs.apache.org/viewcvs.cgi/xml-security/"; />
<document label="Installation"
id="install"
source="install.xml" />
<document label="Resolver-Mania"
id="resolvermania"
source="resolvermania.xml" />
<document label="Interoperability"
id="interop"
source="interop.xml" />
<!--
<group label="FAQs"
id="faqs"
title="Frequently Asked Questions">
<entry id="faq-resolvers"
source="faq-resolvers.xml" />
</group>
-->
<separator />
<document label="API Docs"
id="api"
source="api.xml" />
<separator />
<document label="History"
id="history"
source="history.xml" />
<external label="Latest GUMP"
href="http://jakarta.apache.org/builds/gump/latest/xml-security.html"; />
</book>
1.1 xml-security/doc/xml/sources/faq-common.xml
Index: faq-common.xml
===================================================================
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE faqs SYSTEM '../style/dtd/faqs.dtd'>
<faqs title='Common Problems FAQs'>
<faq title='Get some exception'>
<q>
When I run the samples, I get the following Exception. Why?
<code>java.lang.ClassCastException:
org.apache.crimson.tree.XmlDocument</code>
</q>
<a>
<p>
You try to use Crimson as XML Parser. This library requires Xerces.
</p>
</a>
</faq>
</faqs>
1.1 xml-security/doc/xml/sources/faq.xml
Index: faq.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE faqs SYSTEM "../style/dtd/faqs.dtd">
<faqs title="Frequently asked questions">
<faq>
<q>Where's the archive for this list?</q>
<a>
<p>A very good question! Currently, <resource-ref
idref="mail-arch-gmane"/> is archiving the mailing list. This service
also makes the mailinglist reachable with a news reader.</p>
<p>If this service ever fails/stops, you can still use the ezmlm mailing
list controller to recieve previous messages by email. Send an empty
email to <human-resource-ref idref="mailhelp"/> for detailed
information on
how to use this service </p>
</a>
</faq>
<faq>
<q>Where can I learn about XML?</q>
<a>
<p>There are plenty of resources on the web, just use any search
engine. You might start at <resource-ref idref="xmlfaq"/> or
<resource-ref idref="zvon"/>.</p>
</a>
</faq>
<faq>
<q>Where can I learn about XML Digital Signatures?</q>
<a>
<p>The best place to start is <resource-ref idref="xmldsig"/>. Links on
XML security in general can be found on <resource-ref
idref="christ-page"/>.</p>
</a>
</faq>
<faq>
<q>Where can I learn about XML Encryption?</q>
<a>
<p>The best place to start is <resource-ref idref="xmlenc"/>. Links on
XML security in general can be found on <resource-ref
idref="christ-page"/></p>
</a>
</faq>
<faq>
<q>Where can I learn about Cryptography in general?</q>
<a>
<p>A lot of resources exist on the web, including the 'green bible' for
cryptography: <resource-ref idref="hac"/>. The &hac; is completely
online and it should satisfy most of your cryptographic
hunger. Disadvantage of it is that it goes rather deep, so it isn't a
executive overview or a "Learn XYZ in 21 days"-book</p>
</a>
</faq>
<faq>
<q>I have a Java-(security/cryptography) problem. Can you help me?</q>
<a>
<p>Go to the <resource-ref idref="javaforum"/> of Sun. You can find
forums where you can ask questions like "How do I generate a
keypair", etc.</p>
</a>
</faq>
<faq>
<q>I have a Java-XML problem.</q>
<a>
<p>Go to the <resource-ref idref="javaforum"/> of Sun, section Java
Technology & XML and have a look at <resource-ref
idref="xml4j-used"/>.</p>
</a>
</faq>
<faq>
<q>I'm using crimson</q>
<a>
<p>You shouldn't; some people had problems with it. Use
<resource-ref idref="xml4j-used"/> instead.</p>
</a>
</faq>
<faq>
<q>I'm using JDK1.4.0</q>
<a>
<p>After SUN released the
<jump href="http://java.sun.com/j2se/1.4/index.html";>
Java (TM) 2 Platform Standard Edition v1.4.0
</jump>, the xml-security package stopped working. This is a
<jump
href="http://developer.java.sun.com/developer/bugParade/bugs/4615582.html";>
known
</jump> problem: SUN packaged a beta of Xalan into the JDK1.4.0, but
the xml-security package requires a stable version of Xalan (v2.2.0 or
later). To fix the problem, you have to put the xalan.jar into a
special directory in your JDK:
<code>j2sdk1.4.0/jre/lib/endorsed/xalan.jar</code>. If you installed an
out-of-the-box JDK1.4 (e.g. on Windows 2000), the "endorsed"
directory does not exist: you'll have to create it by hand.
<em>Putting this JAR to another location like lib/ext WILL NOT
WORK.</em>
</p>
<p>For more on that, you can also check the
<jump href="http://xml.apache.org/~edwingo/jaxp-faq.html#override";>
Unofficial JAXP FAQ
</jump>.
</p>
</a>
</faq>
<faq>
<q>What's up with the Bouncy Castle CSP? / Where is my CSP?</q>
<a>
<p>There is <em>no</em> JCE bundled together with this distribution.
This
is because the Apache Project is hosted in the US where some export
restrictions apply to the cryptographic primitives.
</p>
<p>The nice guys from the
<jump href="http://www.bouncycastle.org/";>Legion of Bouncy
Castle</jump> where so helpful to supply the JAR that you need to
create HMAC integrity checks on their web site. When you use the ant
makefile <code>build.xml</code> and simply say <code>ant compile</code>
or <code>ant get-jce</code>, <code>ant</code> tries to fetch this JAR
from the australian server. After that step, the compilation works
completely.
</p>
<p>The ant make tools initiates an automated download of the
BouncyCastle
JCE. The file is downloaded into the <code>libs/</code> directory and a
"bc-" is prepended to the filename. This is done because we
want the provider name (bc means BouncyCastle) being visible in the
JAR's filename. </p>
<p>More information can be found in the Installation section.</p>
</a>
</faq>
<faq>
<q>How do I enable/turn off logging?</q>
<a>
<p>2BDone</p>
</a>
</faq>
<faq>
<q>How do I use the package to generate and verify a signature?</q>
<a>
<p>Checkout the samples in
<code>src_samples/org/apache/xml/security/samples/signature/</code>.
</p>
<note>The samples divide into two groups: Samples that <em>create</em>
and samples that <em>verify</em> Signatures. Eventually, you should
adjust the verifying program to another filename if you get
<code>FileNotFoundException</code>s.</note>
</a>
</faq>
<faq>
<q>What is the meaning of BaseURI?</q>
<a>
<p>The String BaseURI is the systemID on which the Object will be stored
in the future. This is needed to resolve relative links in the
<code>Reference</code> elements which point to the filesystem or
something similar.
</p>
<p>Example: Imagine that you want to create a signature to store it on
a web server as
<code>http://www.acme.com/signatures/sig1.xml</code>. So
<code>BaseURI="http://www.acme.com/sig1.xml"</code>. This
means that if you create a <code>Reference</code> with
<code>URI="../index.html"</code>, the library can easily use
it's HTTPResourceResolver to fetch
<code>http://www.acme.com/index.html</code> without that you have to
say <code>URI="http://www.acme.com/index.html"</code>.
</p>
</a>
</faq>
<faq>
<q></q>
<a>
<p></p>
</a>
</faq>
</faqs>
1.1 xml-security/doc/xml/sources/history.xml
Index: history.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="History of the project">
<s2 title="The <WebSig> project">
<p>In mid-1999, the <jump
href="http://www.nue.et-inf.uni-siegen.de/";>Institute for Data Communications
Systems</jump> at the <jump href="http://www.uni-siegen.de/";>University of
Siegen</jump> in Germany looked for partners to participate in a European
project for implementing the upcoming <jump
href="http://www.w3.org/Signature/";>XML Signature standard</jump>. We found our
partners in the companies <jump href="http://www.expnet.gr/";>Expertnet
S.A.</jump> and <jump href="http://www.proodos.gr/";>PROODOS S.A.</jump>, both
from Athens, who were willing to use our XML Signature library in a first
commercial project.</p>
<p>The project started in January 2000 and ended up in September 2001. 50% of
the costs have been funded by the European Commission in the <jump
href="http://www.ispo.cec.be/isis/99websig.htm";>ISIS programme</jump>. Goal was
to develop a JAVA library for creating and validating XML Signatures and to
make the binaries of this software freely available.</p>
<p>In 9/2001, the Institute for Data Communications Systems decided to make
the sources freely available, too, to promote the use of digital signatures and
to give XML Signature a spin. The decision was made to give the complete
library (including an implementation of "Canonical XML" and "XML Signature")
under the hood of the Apache Software Foundation to ensure availablility of the
source and to enable other people to use it under the Apache License.</p>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/install.xml
Index: install.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="Installation">
<s2 title="Using JDK 1.4.0">
<p>After SUN released the <jump
href="http://java.sun.com/j2se/1.4/index.html";>Java (TM) 2 Platform Standard
Edition v1.4.0</jump>, the xml-security package stopped working. This is a
<jump
href="http://developer.java.sun.com/developer/bugParade/bugs/4615582.html";>known</jump>
problem: SUN packaged a beta of Xalan into the JDK 1.4.0, but the xml-security
package requires a stable version of Xalan (v2.2.0 or later). To fix the
problem, you have to put the xalan.jar into a special directory in your JDK:
<code>j2sdk1.4.0/jre/lib/endorsed/xalan.jar</code> . If you installed an
out-of-the-box JDK1.4 (e.g. on Windows 2000), the "endorsed" directory does not
exist: you'll have to create it by hand. <em>Putting this JAR to another
location like lib/ext WILL NOT WORK.</em></p>
<p>For more on that, you can also check the <jump
href="http://xml.apache.org/~edwingo/jaxp-faq.html#override";>Unofficial JAXP
FAQ</jump>.</p>
</s2>
<s2 title="Prerequisite">
<p>Make sure you get the Jakarta Ant Tool from <jump
href="http://jakarta.apache.org/ant/";>http://jakarta.apache.org/ant/</jump>
</p>
</s2>
<s2 title="Getting the source">
<p>You can download the sources via WWW in the distribution
directory under <jump
href="http://xml.apache.org/security/dist/";>http://xml.apache.org/security/dist/</jump>
</p>
<p>This project's CVS repository can be checked out through
anonymous (pserver) CVS with the following instruction set. The module you wish
to check out must be specified as the modulename. When prompted for a password
for anonymous, simply enter "anoncvs" without quotes: </p>
<source>cvs -d :pserver:[EMAIL PROTECTED]:/home/cvspublic login
password: anoncvs
cvs -d :pserver:[EMAIL PROTECTED]:/home/cvspublic checkout
xml-security</source>
<p>A HTTP interface to browse the sources online is available
via <jump
href="http://cvs.apache.org/viewcvs.cgi/xml-security/";>http://cvs.apache.org/viewcvs.cgi/xml-security/</jump>
</p>
</s2>
<s2 title="Compiling the source">
<p>
At the command prompt type 'ant test'. If you want to
use jikes instead of your default java compiler locate the
'build.xml'
file and replace the line
</p>
<source><property name="build.compiler"
value="classic"/></source>
<p>
with
</p>
<source><property name="build.compiler"
value="jikes"/></source>
</s2>
<!-- <s2 title="Unpacking the files">
<p>&packagename; is packaged as a ZIP file for all
platforms and operating systems. You can run the Java
<ref>jar</ref> command to unpack the distribution.</p>
<ul>
<li>jar xf &packagename;-bin.&packageversion;.zip</li>
<li>jar xf &packagename;-src.&packageversion;.zip</li>
<li>This command creates a "&packagedirectory;"
sub-directory in the current directory containing all the files.</li>
</ul>
</s2>
<s2 title="Files in the binary package release">
<table>
<tr><td>LICENSE</td><td>License for
&packagename;</td></tr>
<tr><td>Readme.html</td><td>Web page redirect to
docs/html/index.html</td></tr>
<tr><td>xerces.jar</td><td>Jar file containing all the
parser class files</td></tr>
<tr><td>xercesSamples.jar</td><td>Jar file containing
all sample class files</td></tr>
<tr><td>data/</td><td>Directory containing sample XML
data files</td></tr>
<tr><td>doc/html/</td><td>Directory containing
documentation</td></tr>
<tr><td>doc/html/api/</td><td>Directory containing
Javadoc API</td></tr>
</table>
<note>To use &packagename; you do not need the source
files.</note>
</s2>
-->
<s2 title="Testing the distibution">
<p>The first way to ensure that everything is in place is to
run the unit tests. This is simply done by typing <code>ant test</code>. This
starts the included JUnit test cases. Actually, we do not have complete test
coverage, but as a first start, it works.</p>
</s2>
<s2 title="Playing around with the examples">
<p>To see how the distribution works, simply run <code>ant
mega-sample</code> to let ant execute several examples from the
<code>src_samples/</code> directory. </p>
</s2>
<s2 title="Files in the source package release">
<table>
<tr>
<td>build.xml</td>
<td>Top level <jump
href="http://jakarta.apache.org/ant/index.html";>Ant</jump> Makefile -- read
README file before building</td>
</tr>
<tr>
<td>LICENSE.txt</td>
<td>License for the software</td>
</tr>
<tr>
<td>README</td>
<td>Build instructions</td>
</tr>
<tr>
<td>Readme.html</td>
<td>Web page redirect required for building
documentation</td>
</tr>
<tr>
<td>STATUS</td>
<td>Current source code status information</td>
</tr>
<tr>
<td>data/</td>
<td>Directory containing sample data files and
test vectors for the unit tests</td>
</tr>
<tr>
<td>doc/xml/</td>
<td>Directory containing documentation, in XML
form</td>
</tr>
<tr>
<td>src/</td>
<td>Directory containing source code for the
core library</td>
</tr>
<tr>
<td>src_samples/</td>
<td>Directory containing source code for
samples</td>
</tr>
<tr>
<td>src_unitTests/</td>
<td>Directory containing source code for unit
tests</td>
</tr>
</table>
</s2>
<s2 title="Where is my JCE?">
<p>There is <em>no</em> JCE bundled together with this
distribution. Living in Germany, I had no problem to include the JCE in this
software package but then I realized that the Apache Project is hosted in the
US where some export restrictions apply to the cryptographic primitives. </p>
<p>Well, how do we solve this problem? The nice guys from the
<jump href="http://www.bouncycastle.org/";>Bouncy Castle</jump> where so helpful
to supply the JAR that you need to create HMAC integrity checks on their web
site. When you use the ant makefile <code>build.xml</code> and simply say
<code>ant compile</code> or <code>ant get-jce</code>, <code>ant</code> tries to
fetch this JAR from the australian server. After that step, the compilation
works completely. </p>
<p/>
<p>The ant make tools initiates an automated download of the
BouncyCastle JCE. The file is downloaded into the libs/ directory and a "bc-"
is prepended to the filename. This is done because we want the provider name
(bc means BouncyCastle) being visible in the JAR's filename. </p>
<p/>
<p>If you are a little paranoid like all security people and
don't want ant to make automated downloads or your firewall doesn't permit it
(preventing programs "phoning home"), look in the ./build.xml file for the
properties called</p>
<p/>
<source><![CDATA[<property
name="jce.download.file"
value="@@jce.download.file@@" />
<property
name="jce.download"
value="http://www.bouncycastle.org/download/${jce.download.file}"; />
<property
name="lib.jce"
value="${libs}/bc-${jce.download.file}" />
]]></source>
<p>Here you can see that the file <code>
<jump
href="@@jce.download@@">@@jce.download@@</jump>
</code> is downloaded and stored in the location
<code>@@lib.jce@@</code>
</p>
<p>If you do this by hand (pointing you favourite web browser
and download it yourself), simply put a "<code>bc-</code>" in front of the
filename and put it to <code>./libs/</code>, then ant won't try to make a
download.</p>
</s2>
<s2 title="Using JDK 1.4.0">
<p>After SUN released the <jump
href="http://java.sun.com/j2se/1.4/index.html";>Java (TM) 2 Platform Standard
Edition v1.4.0</jump>, the xml-security package stopped working. This is a
<jump
href="http://developer.java.sun.com/developer/bugParade/bugs/4615582.html";>known</jump>
problem: SUN packaged a beta of Xalan into the JDK 1.4.0, but the xml-security
package requires a stable version of Xalan (v2.2.0 or later). To fix the
problem, you have to put the xalan.jar into a special directory in your JDK:
<code>j2sdk1.4.0/jre/lib/endorsed/xalan.jar</code> . If you installed an
out-of-the-box JDK1.4 (e.g. on Windows 2000), the "endorsed" directory does not
exist: you'll have to create it by hand. <em>Putting this JAR to another
location like lib/ext WILL NOT WORK.</em></p>
<p>For more on that, you can also check the <jump
href="http://xml.apache.org/~edwingo/jaxp-faq.html#override";>Unofficial JAXP
FAQ</jump>.</p>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/interop.xml
Index: interop.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<!-- <jump href=""></jump> -->
<s1 title="Interoperability">
<s2 title="Problems">
<p>In Version v1.0.4, there is one test case which fails (interop
test for exclusive c14n). This is related to very esoteric node sets (The Y4
test vector from <jump
href="http://www.w3.org/Signature/2002/02/01-exc-c14n-interop.html";>the interop
matrix</jump>). </p>
</s2>
<s2 title="Interoperability issues">
<p>As it can be seen on the <jump
href="http://www.w3.org/Signature/";>working group homepage</jump>, there are
some interoperability reports, namely for <jump
href="http://www.w3.org/Signature/2000/10/10-c14n-interop.html";>Canonical
XML</jump>, <jump
href="http://www.w3.org/Signature/2002/02/01-exc-c14n-interop.html";>Exclusive
Canonical XML</jump> and <jump
href="http://www.w3.org/TR/xmldsig-core/2001/04/05-xmldsig-interop.html";>XML
Signature</jump>.</p>
<p>Interoperability depends heavily on test vectors, this means
that implementation A has to check whether the signatures from implementation B
can be verified. For this purpose, we have a collection of different test
vectors in our <code>data/</code> directory. The directory includes test
vectors from</p>
<ul>
<li><jump
href="http://www.baltimore.com/keytools/xml/index.html";>Baltimore KeyTools
XML</jump></li>
<li><jump
href="http://jcewww.iaik.at/products/ixsil/index.php";>IAIK IXSIL</jump></li>
<li><jump
href="http://www.rsasecurity.com/products/bsafe/certj.html";>RSA Security
Cert-J</jump></li>
<li>The vectors from the <jump
href="http://www.alphaworks.ibm.com/tech/xmlsecuritysuite";>IBM alphaWorks XML
Security suite</jump> could not been included in this distribution because of
licensing issues. For some reasons which I do not understand, they copyrighted
their test signatures which they have bundled with xss4j. If you want to
include interop testing against IBM in your unit tests, simply do the
following: Download <code>xss4j-20011029.zip</code> from the <jump
href="http://www.alphaworks.ibm.com/aw.nsf/download/xmlsecuritysuite";>alphaWorks
download page</jump>. Copy all files from the
<code>xss4j-20011029.zip#/xss4j/data</code> directory into the
<code>xml-security/data/com/ibm/xss4j-20011029/</code> directory. If the <jump
href="api/org/apache/xml/security/test/InteropTest.html">Interop</jump> class
finds these files, the
<code>org.apache.xml.security.test.interop.IBMTest</code> class is also
executed during unit interop tests. </li>
</ul>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/loader.xml
Index: loader.xml
===================================================================
<?xml version="1.0"?>
<!-- CVS $Revision: 1.1 $ $Date: 2002/09/06 07:45:30 $ -->
<loader>
<processor name="xslt">
<parameter name="stylesheet"
value="sbk:/style/stylesheets/book2project.xsl"/>
</processor>
</loader>
1.1 xml-security/doc/xml/sources/readme.xml
Index: readme.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="Readme">
<s2 title="News">
<p>Version 1.0.4 released on 15. July 2002; minor improvements.
The most significant is that people who did not install Xalan properly under
JDK 1.4.0 get a more specific error message. It uses the most recent version of
the BouncyCastle JCE now. </p>
<p>Version 1.0.3 now supports new W3C specs:</p>
<ul>
<li><jump
href="http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/";>Exclusive XML
Canonicalization Version 1.0, W3C Recommendation 18 July 2002</jump>. (There is
no interop to test vector <jump
href="http://www.w3.org/Signature/2002/02/01-exc-c14n-interop.html";>Y4</jump>
because of a problem in Xalan)</li>
<li><jump
href="http://www.w3.org/TR/2002/CR-xmldsig-filter2-20020718/";>XML-Signature
XPath Filter 2.0, W3C Candidate Recommendation 18 July 2002 </jump></li>
</ul>
<p>Canonicalization is written completely new: it's about 5-80
times faster than the implementation in version 1.0.2. It's highly recommended
to upgrade to the new version. </p>
</s2>
<s2 title="JDK 1.4 issues">
<p>If you use JDK 1.4 and want to use this software, be sure
that Xalan is properly installed. Check the bottom of the <jump
href="install.html">installation guide</jump>!!!</p>
<p>I have so many complaints from people who argue that the
software throws exceptions during running the examples or during unit testing.
This package NEEDS a Xalan version after 2.2D13 (and SUN shipped his JDK 1.4.0
final with a Xalan beta!). I started integrating the installation guide into
the exception messages cause it seems that people don't have a look at the
installation guide. </p>
</s2>
<s2 title="XML Security Release">
<p>The &packagenamelong; &packageversion; supports the <jump
href="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/";>XML-Signature
Syntax and Processing</jump> recommendation.</p>
<p>Note that there is no standard API avaliable at the
moment. SUN is working on a JAVA Specification Request <jump
href="http://jcp.org/jsr/detail/105.jsp";>JSR-105: XML Digital Signature
APIs</jump> on an API for XML Signature and <jump
href="http://jcp.org/jsr/detail/106.jsp";>JSR-106: XML Digital Encryption
APIs</jump>, but until now, nothing has been published. So, this software does
<em>not</em> conform to any of these specifications.</p>
</s2>
<s2 title="License Information">
<p>The XML Security package is available in both source code
and precompiled binary (JAR files) form. Both packages are made available
under the <jump href='LICENSE.txt'>Apache Software License</jump>.</p>
</s2>
<s2 title="Download">
<p>You can download the source and binary packages in the <jump
href='http://xml.apache.org/security/dist/'>dist</jump> directory.</p>
</s2>
<s2 title="Sample programs">
<p>This software can be used to create and verify arbitrary
forms of XML Signatures. The documentation available here is not very huge; my
first approach is to supply usage examples which are available in the
<code>src_samples/</code> directory to give interested users a first starting
point to jump-start with XML Signature. NOTE: The samples divide into two
groups: Samples that <em>create</em> and samples that <em>verify</em>
Signatures. Eventually, you should adjust the verifying program to another
filename if you get <code>FileNotFoundException</code>s.</p>
</s2>
<s2 title="Mailing lists">
<p>There exists a mailing list which you can subscribe to ask
questions:</p>
<p>The <jump href="http://xml.apache.org/mail.html";>ezmlm
mailing list controller</jump> accepts commands by sending emails to it,
generally like the following:</p>
<ul>
<li><jump href="mailto:[EMAIL
PROTECTED]">security-dev-subscribe</jump> to subscribe your current email
address to the list</li>
<li><jump href="mailto:[EMAIL
PROTECTED]">security-dev-unsubscribe</jump> to <em>un</em>subscribe your
*current* email address from the list</li>
<li><jump href="mailto:[EMAIL
PROTECTED]">security-dev-help</jump> to get Help on mailing list commands</li>
</ul>
<p>An archive of this list is kept under <jump
href="http://news.gmane.org/thread.php?group=gmane.text.xml.security.devel";>http://news.gmane.org/thread.php?group=gmane.text.xml.security.devel</jump></p>
</s2>
<s2 title="Contact information">
<p>For comments about the software please send them to the
author <code><jump href="mailto:[EMAIL PROTECTED]">[EMAIL
PROTECTED]</jump></code></p>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/resolvermania.xml
Index: resolvermania.xml
===================================================================
<?xml version="1.0" standalone="no"?>
<!DOCTYPE s1 SYSTEM "../style/dtd/document.dtd">
<s1 title="Resolver-Mania">
<s2 title="Why do we need all these resolvers">
<p>For security and comfort reasons. In the XML Security package, there exist
many kinds of Resolvers for different purposes. Resolvers in this package do
the same job as an EntityResolver in the SAX package: retrieve information from
the apropriate location and give it to the parser/software who needs it. The
reason for offering these different Resolvers is that it should be under
complete control of the application which connections to the network are made.
In the security area, it wouldn't be a good idea to imediately fetch some
documents from the web or make other connections only because you want to
verify a Signature. This resolver framework gives the application developer the
ability to have total control about the interface from the library to the rest
of the world. </p>
</s2>
<s2 title="Types of resolvers">
<s3 title="ResourceResolvers">
<p>A <jump
href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">ResourceResolver</jump>
is used by a <jump
href="api/org/apache/xml/security/signature/Reference.html">Reference</jump> to
retrieve the signed resource from it's location. Different resolvers exist to
get signed portions from the XML document in which the signature resides, to
make HTTP connections or to fetch files from the local file system. <br />
The concept of a <jump
href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">ResourceResolver</jump>
is very similar to an org.xml.sax.EntityResolver, but in contrast to that
Interface, the ResourceResolver is able to de-reference contents
<em>inside</em> an XML document.
</p>
</s3>
<s3 title="StorageResolver">
<p>A <jump
href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump>
is used by <jump
href="api/org/apache/xml/security/keys/KeyInfo.html">KeyInfo</jump> and it's
child objects / Elements to retrieve Certificates from storage locations. This
approach is used to allow a user to customize the library for use in a specific
corporate environment. It's possible to write <jump
href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump>s
who make requests to LDAP servers or to use specificic PKI interfaces. <br/>
Bundled with the software come three sample <jump
href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump>s
which can be used for common tasks:</p>
<ul>
<li>The <jump
href="api/org/apache/xml/security/keys/storage/implementations/KeyStoreResolver.html">KeyStoreResolver</jump>
is able to retrieve Certificates from a JAVA KeyStore object. This <jump
href="api/org/apache/xml/security/keys/storage/implementations/KeyStoreResolver.html">KeyStoreResolver</jump>
is constructed from an open JAVA KeyStore.</li>
<li>The <jump
href="api/org/apache/xml/security/keys/storage/implementations/SingleCertificateResolver.html">SingleCertificateResolver</jump>
resolves only to a single Certificate. The <jump
href="api/org/apache/xml/security/keys/storage/implementations/SingleCertificateResolver.html">SingleCertificateResolver</jump>
is constructed using this single Certificate. </li>
<li>The <jump
href="api/org/apache/xml/security/keys/storage/implementations/CertsInFilesystemDirectoryResolver.html">CertsInFilesystemDirectoryResolver</jump>
is useful for resolving to raw X.509 certificates which reside as separate
files in a directory in the filesystem. Such a resolver is needed for verifying
the test signatures from Merlin Huges which are bundled in a directory.</li>
</ul>
<p><jump
href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump>s
are supplied to the KeyInfo's addStorageResolver() method.</p>
<p>Generally, a <jump
href="api/org/apache/xml/security/keys/storage/StorageResolver.html">StorageResolver</jump>
has only a method to return an Iterator which iterates through the available
Certificates.</p>
</s3>
<s3 title="KeyResolver">
<p>A <jump
href="api/org/apache/xml/security/keys/keyresolver/KeyResolver.html">KeyResolver</jump>
is used by <jump
href="api/org/apache/xml/security/keys/KeyInfo.html">KeyInfo</jump> to process
it's child Elements. There exist two general classes of a <jump
href="api/org/apache/xml/security/keys/keyresolver/KeyResolver.html">KeyResolver</jump>:</p>
<ul>
<li>If a ds:RSAKeyValue or ds:DSAKeyValue or ds:X509Certificate is used
inside the ds:KeyInfo, the resolvers can return a public key or Certificate
directly without further action, because the key itself is contained inside the
ds:Signature</li>
<li>If there is only key material identification information like a
ds:KeyName or the serial number of the Certificate, the KeyResolver must use
the StorageResolvers to query the available keys and certificates to find the
correct one.</li>
</ul>
<p>Of course, there are cross-dependencies: e.g. a KeyResolver named <jump
href="api/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.html">RetrievalMethodResolver</jump>
uses the <jump
href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">ResourceResolver</jump>
framework to retrieve a public key or certificate from an arbitrary
location.</p>
</s3>
</s2>
</s1>
1.1 xml-security/doc/xml/sources/resources.xml
Index: resources.xml
===================================================================
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE resources [
<!ENTITY % externalEntity SYSTEM "./entities.ent">
%externalEntity;
<!ELEMENT resources (resource|human-resource)+>
<!ELEMENT resource EMPTY>
<!ATTLIST resource
id CDATA #IMPLIED
title CDATA #IMPLIED
location CDATA #IMPLIED>
<!ELEMENT human-resource EMPTY>
<!ATTLIST human-resource
id CDATA #IMPLIED
name CDATA #IMPLIED
mailto CDATA #IMPLIED>
]>
<resources>
<resource id="mail-arch-gmane" title="Gmane"
location="http://www.gmane.org/"/>
<resource id="xmldsig" title="&xmldsig;"
location="http://www.w3c.org/Signature"/>
<resource id="xmlenc" title="&xmlenc;"
location="http://www.w3c.org/Encryption"/>
<resource id="hac" title="&hac;"
location="http://www.cacr.math.uwaterloo.ca/hac/"/>
<resource id="bouncy" title="Bouncy Castle Crypto API"
location="http://www.bouncycastle.org/"/>
<human-resource id="mailhelp" name="[EMAIL PROTECTED]" mailto="[EMAIL
PROTECTED]"/>
<resource id="zvon" title="http://www.zvon.org/";
location="http://www.zvon.org/"/>
<resource id="xmlfaq" title="The XML FAQ"
location="http://www.ucc.ie/xml/"/>
<resource id="christ-page" title="the XML Security Page"
location="http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/xml_security.html"/>
<resource id="javaforum" title="Java Technology Forums"
location="http://forum.java.sun.com/"/>
<resource id="xslt4j-current"
title="&xslt4j-current;"
location="http://xml.apache.org/xalan-j"/>
<resource id="xslt4j-distdir"
title="xalan-j distribution directory"
location="&xslt4j-distdir;"/>
<resource id="xslt4j-distdir-previous"
title="xalan-j previously posted builds directory"
location="&xslt4j-distdir;old"/>
<resource id="xslt4j-dist-zip"
title="&xslt4j-dist;.zip"
location="&xslt4j-distdir;&xslt4j-dist;.zip"/>
<resource id="xslt4j-dist-targz"
title="&xslt4j-dist;.tar.gz"
location="&xslt4j-distdir;&xslt4j-dist;.tar.gz"/>
<resource id="xslt4j-dist-bin-zip"
title="&xslt4j-dist-bin;.zip"
location="&xslt4j-distdir;&xslt4j-dist-bin;.zip"/>
<resource id="xslt4j-dist-bin-targz"
title="&xslt4j-dist-bin;.tar.gz"
location="&xslt4j-distdir;&xslt4j-dist-bin;.tar.gz"/>
<resource id="xslt4j-dist-src-zip"
title="&xslt4j-dist-src;.zip"
location="&xslt4j-distdir;&xslt4j-dist-src;.zip"/>
<resource id="xslt4j-dist-src-targz"
title="&xslt4j-dist-src;.tar.gz"
location="&xslt4j-distdir;&xslt4j-dist-src;.tar.gz"/>
<resource id="xml4j-current"
title="&xml4j;"
location="http://xml.apache.org/xerces-j/index.html"/>
<resource id="xml4j-used"
title="&xml4j-used;"
location="http://xml.apache.org/xerces-j/index.html"/>
<resource id="xml4j-distdir"
title="xerces-j distribution directory"
location="http://xml.apache.org/dist/xerces-j/"/>
<resource id="ant" title="Ant"
location="http://jakarta.apache.org/ant/index.html"/>
<resource id="ApacheLicense"
title="The Apache Software License, Version 1.1"
location="http://xml.apache.org/dist/LICENSE.txt"/>
<resource id="bugzilla"
title="Bugzilla (the Apache bug database)"
location="http://nagoya.apache.org/bugzilla"/>
<resource id="buglist"
title="XalanJ2 open bugs"
location="http://nagoya.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=&emailtype1=substring&emailassigned_to1=1&email2=&emailtype2=substring&emailreporter2=1&bugidtype=include&bug_id=&changedin=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&product=XalanJ2&short_desc=&short_desc_type=substring&long_desc=&long_desc_type=substring&bug_file_loc=&bug_file_loc_type=substring&keywords=&keywords_type=anywords&field0-0-0=noop&type0-0-0=noop&value0-0-0=&cmdtype=doit&order=%27Importance%27"/>
<resource id="bsf"
title="Bean Scripting Framework (BSF)"
location="http://oss.software.ibm.com/developerworks/projects/bsf"/>
<resource id="Readme"
title="Xalan Repository Release Notes"
location="http://www.apache.org/websrc/cvsweb.cgi/xml-xalan/README"/>
<resource id="dpawsonxslfaq" title="XSL Frequently Asked Questions"
location="http://www.dpawson.co.uk/xsl/xslfaq.html"/>
<resource id="xsl"
title="Extensible Stylesheet Language (XSL) Version 1.0"
location="http://www.w3.org/TR/xsl"/>
<resource id="xslt"
title="XSL Transformations (XSLT) Version 1.0"
location="http://www.w3.org/TR/xslt"/>
<resource id="xpath"
title="XML Path Language (XPath) Version 1.0"
location="http://www.w3.org/TR/xpath"/>
<resource id="dom"
title="DOM"
location="http://www.w3.org/DOM"/>
<resource id="dom2"
title="DOM level 2"
location="http://www.w3.org/TR/DOM-Level-2/"/>
<resource id="sax"
title="SAX"
location="http://www.megginson.com/SAX/sax.html"/>
<resource id="sax2"
title="SAX 2"
location="http://www.megginson.com/SAX/Java/index.html"/>
<resource id="jaxp"
title="Java API for XML Parsing 1.0"
location="http://java.sun.com/xml/docs/api/index.html"/>
<resource id="jaxp11"
title="Java API for XML Processing 1.1 Public Review 2"
location="http://java.sun.com/aboutJava/communityprocess/review/jsr063/jaxp-pd2.pdf"/>
<resource id="jsr063"
title="Java Specification Request 63"
location="http://java.sun.com/aboutJava/communityprocess/review/jsr063"/>
<resource id="xmlapirepository"
title="xml-commons/java/external/src"
location="http://cvs.apache.org/viewcvs.cgi/xml-commons/java/external/src/"/>
<human-resource id="xalandev"
name="Xalan Development Mailing List"
mailto="[email protected]"/>
<human-resource id="sboag"
name="Scott Boag"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="scurcuru"
name="Shane Curcuru"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="pdick"
name="Paul Dick"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="jkesselman"
name="Joseph Kesselman"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="dleslie"
name="Donald Leslie"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="cmanolache"
name="Costin Manolache"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="dmarston"
name="David Marston"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="mmidy"
name="Myriam Midy"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="gpeskin"
name="Gary L Peskin"
mailto="[EMAIL PROTECTED]"/>
<human-resource id="jgentilin"
name="John Gentilin"
mailto="[EMAIL PROTECTED]"/>
</resources>
