1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta content="Apache Forrest" name="Generator">
<meta name="Forrest-version" content="0.6">
<meta name="Forrest-skin-name" content="pelt">
<title>Resolver-Mania</title>
<link type="text/css" href="../skin/basic.css" rel="stylesheet">
<link media="screen" type="text/css" href="../skin/screen.css" rel="stylesheet">
<link media="print" type="text/css" href="../skin/print.css" rel="stylesheet">
<link type="text/css" href="../skin/profile.css" rel="stylesheet">
<script src="../skin/getBlank.js" language="javascript" type="text/javascript"></script><script src="../skin/getMenu.js" language="javascript" type="text/javascript"></script><script src="../skin/fontsize.js" language="javascript" type="text/javascript"></script>
</head>
<body onload="init()">
<script type="text/javascript">ndeSetTextSize();</script>
<div id="top">
<!--+
|breadtrail
+-->
<div class="breadtrail">
<a href="http://www.apache.org/">apache</a> > <a href="http://xml.apache.org/">xml.apache</a><script src="../skin/breadcrumbs.js" language="JavaScript" type="text/javascript"></script>
</div>
<!--+
|header
+-->
<div class="header">
<!--+
|start group logo
+-->
<div class="grouplogo">
<a href="http:///xml.apache.org"><img class="logoImage" alt="Apache XML" src="../images/group-logo.gif"></a>
</div>
<!--+
|end group logo
+-->
<!--+
|start Project Logo
+-->
<div class="projectlogo">
<a href="http://xml.apache.org/security"><img class="logoImage" alt="Apache XML Security" src="../images/project-logo.gif"></a>
</div>
<!--+
|end Project Logo
+-->
<!--+
|start Search
+-->
<div class="searchbox">
<form action="http://www.google.com/search" method="get" class="roundtopsmall">
<input value="xml.apache.org/security" name="sitesearch" type="hidden"><input onFocus="getBlank (this, 'Search the site with google:');" value="Search the site with google:" size="25" name="q" id="query" type="text">
<input name="Search" value="Search" type="submit">
</form>
</div>
<!--+
|end search
+-->
<!--+
|start Tabs
+-->
<ul id="tabs">
<li>
<a class="base-not-selected" href="../index.html">Home</a>
</li>
<li class="current">
<a class="base-selected" href="../Java/index.html">Java</a>
</li>
<li>
<a class="base-not-selected" href="../c/index.html">C++</a>
</li>
</ul>
<!--+
|end Tabs
+-->
</div>
</div>
<div id="main">
<div id="publishedStrip">
<!--+
|start Subtabs
+-->
<div id="level2tabs"></div>
<!--+
|end Endtabs
+-->
<script type="text/javascript" language="JavaScript"><!--
document.write("Published: " + document.lastModified);
// --></script>
</div>
<!--+
|breadtrail
+-->
<div class="breadtrail">
</div>
<!--+
|start Menu, mainarea
+-->
<!--+
|start Menu
+-->
<div id="menu">
<div onclick="SwitchMenu('menu_selected_1.1', '../skin/')" id="menu_selected_1.1Title" class="menutitle" style="background-image: url('../skin/images/chapter_open.gif');">Java</div>
<div id="menu_selected_1.1" class="selectedmenuitemgroup" style="display: block;">
<div class="menuitem">
<a title="" href="../Java/index.html">Index</a>
</div>
<div class="menuitem">
<a title="" href="../Java/installation.html">Installation</a>
</div>
<div class="menuitem">
<a title="" href="../Java/examples.html">Examples</a>
</div>
<div class="menuitem">
<a title="" href="../Java/faq.html">FAQs</a>
</div>
<div class="menuitem">
<a title="" href="../Java/api.html">API Docs</a>
</div>
<div class="menuitem">
<a title="" href="../Java/interop.html">Interoperability</a>
</div>
<div class="menuitem">
<a title="" href="http://lsd.student.utwente.nl/gump/xml-security/xml-security.html">Gump results</a>
</div>
<div class="menupage">
<div class="menupagetitle">Resolvermania</div>
</div>
</div>
<div id="credit"></div>
<div id="roundbottom">
<img style="display: none" class="corner" height="15" width="15" alt="" src="../skin/images/rc-b-l-15-1body-2menu-3menu.png"></div>
<!--+
|alternative credits
+-->
</div>
<!--+
|end Menu
+-->
<!--+
|start content
+-->
<div id="content">
<div id="skinconf-txtlink"></div>
<h1>Resolver-Mania</h1>
<a name="N1000D"></a><a name="Why+do+we+need+all+these+resolvers%3F"></a>
<h2 class="h3">Why do we need all these resolvers?</h2>
<div class="section">
<p>
For security and comfort reasons. In the XML Security package, there
exist many kinds of Resolvers for different purposes. Resolvers in this
package do the same job as an EntityResolver in the SAX package:
retrieve information from the apropriate location and give it to the
parser/software who needs it. The reason for offering these different
Resolvers is that it should be under complete control of the
application which connections to the network are made. In the security
area, it wouldn't be a good idea to imediately fetch some documents
from the web or make other connections only because you want to verify
a Signature. This resolver framework gives the application developer
the ability to have total control about the interface from the library
to the rest of the world.
</p>
</div>
<a name="N10017"></a><a name="Types+of+resolvers"></a>
<h2 class="h3">Types of resolvers</h2>
<div class="section">
<a name="N1001D"></a><a name="ResourceResolvers"></a>
<h3 class="h4">ResourceResolvers</h3>
<p>
A
<a target="_top" href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">
ResourceResolver
</a> is used by a
<a target="_top" href="api/org/apache/xml/security/signature/Reference.html">
Reference
</a> to retrieve the signed resource from it's location. Different
resolvers exist to get signed portions from the XML document in which
the signature resides, to make HTTP connections or to fetch files
from the local file system. <br>
The concept of a
<a target="_top" href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">
ResourceResolver
</a> is very similar to an org.xml.sax.EntityResolver, but in
contrast to that Interface, the ResourceResolver is able to
de-reference contents <em>inside</em> an XML document.
</p>
<a name="N10038"></a><a name="StorageResolver"></a>
<h3 class="h4">StorageResolver</h3>
<p>A
<a target="_top" href="api/org/apache/xml/security/keys/storage/StorageResolver.html">
StorageResolver
</a> is used by
<a target="_top" href="api/org/apache/xml/security/keys/KeyInfo.html">
KeyInfo
</a> and it's child objects / Elements to retrieve Certificates
from storage locations. This approach is used to allow a user to
customize the library for use in a specific corporate
environment. It's possible to write
<a target="_top" href="api/org/apache/xml/security/keys/storage/StorageResolver.html">
StorageResolver
</a>s who make requests to LDAP servers or to use specificic PKI
interfaces. <br>
Bundled with the software come three sample
<a target="_top" href="api/org/apache/xml/security/keys/storage/StorageResolver.html">
StorageResolver
</a>s which can be used for common tasks:
</p>
<ul>
<li>
The
<a target="_top" href="api/org/apache/xml/security/keys/storage/implementations/KeyStoreResolver.html">
KeyStoreResolver
</a> is able to retrieve Certificates from a JAVA KeyStore
object. This
<a target="_top" href="api/org/apache/xml/security/keys/storage/implementations/KeyStoreResolver.html">
KeyStoreResolver
</a> is constructed from an open JAVA KeyStore.
</li>
<li>
The
<a target="_top" href="api/org/apache/xml/security/keys/storage/implementations/SingleCertificateResolver.html">
SingleCertificateResolver
</a> resolves only to a single Certificate. The
<a target="_top" href="api/org/apache/xml/security/keys/storage/implementations/SingleCertificateResolver.html">
SingleCertificateResolver
</a> is constructed using this single Certificate.
</li>
<li>
The
<a target="_top" href="api/org/apache/xml/security/keys/storage/implementations/CertsInFilesystemDirectoryResolver.html">
CertsInFilesystemDirectoryResolver
</a> is useful for resolving to raw X.509 certificates which
reside as separate files in a directory in the filesystem. Such a
resolver is needed for verifying the test signatures from Merlin
Huges which are bundled in a directory.
</li>
</ul>
<p>
<a target="_top" href="api/org/apache/xml/security/keys/storage/StorageResolver.html">
StorageResolver
</a>s are supplied to the KeyInfo's <span class="codefrag">addStorageResolver()</span> method.
</p>
<p>
Generally, a
<a target="_top" href="api/org/apache/xml/security/keys/storage/StorageResolver.html">
StorageResolver
</a> has only a method to return an Iterator which iterates
through the available Certificates.
</p>
<a name="N10085"></a><a name="KeyResolver"></a>
<h3 class="h4">KeyResolver</h3>
<p>
A
<a target="_top" href="api/org/apache/xml/security/keys/keyresolver/KeyResolver.html">
KeyResolver
</a> is used by
<a target="_top" href="api/org/apache/xml/security/keys/KeyInfo.html">
KeyInfo
</a> to process it's child Elements. There exist two general
classes of a
<a target="_top" href="api/org/apache/xml/security/keys/keyresolver/KeyResolver.html">
KeyResolver
</a>:
</p>
<ul>
<li>
If a ds:RSAKeyValue or ds:DSAKeyValue or ds:X509Certificate is used
inside the ds:KeyInfo, the resolvers can return a public key or
Certificate directly without further action, because the key itself
is contained inside the ds:Signature.
</li>
<li>
If there is only key material identification information like a
ds:KeyName or the serial number of the Certificate, the KeyResolver
must use the StorageResolvers to query the available keys and
certificates to find the correct one.
</li>
</ul>
<p>
Of course, there are cross-dependencies: e.g. a KeyResolver named
<a target="_top" href="api/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.html">
RetrievalMethodResolver
</a> uses the
<a target="_top" href="api/org/apache/xml/security/utils/resolver/ResourceResolver.html">
ResourceResolver
</a> framework to retrieve a public key or certificate from an
arbitrary location.
</p>
</div>
</div>
<!--+
|end content
+-->
<div class="clearboth"> </div>
</div>
<div id="footer">
<!--+
|start bottomstrip
+-->
<div class="lastmodified">
<script type="text/javascript"><!--
document.write("Last Published: " + document.lastModified);
// --></script>
</div>
<div class="copyright">
Copyright © 2002-2005 The Apache Software Foundation.</div>
<!--+
|end bottomstrip
+-->
</div>
</body>
</html>
|
