Authentication of Chemical Information Components using XML and X.509 Signatures - Supplemental Materials

Georgios V. Gkoutos ¹, Peter Murray-Rust ², Henry S. Rzepa ¹ and Michael Wright ¹

(1) Department of Chemistry, Imperial College of Science, Technology and Medicine, UK - (2) School of Pharmaceutical Sciences, University of Nottingham, UK - November 29, 2000

XML Languages used

The ChiMeraL example ( article.xml ) was written using the following XML languages;

• XHTML - 'HTML as XML' - Internet Explorer 5+ and Netscape 6+/Mozilla have native support for XHTML
• CML - 'Chemical Markup Language' - XSL stylesheets are required to display CML and only IE 5+ supports XSL (as yet). An extension to CML ( ChiMeraL ) allows the inclusion of spectra.
• SVG - 'Scalable Vector Graphics' - A plugin from Adobe is available for Internet Explorer 4+ and Netscape 4+
• XML Signature - W3C specified syntax for digital signatures - No browser support (although XSL stylesheets can be written to recognise them) hence stand-alone software must be used.
• docML - A simple document language - A mixture of XSL stylesheets and Javascript/applets are used to display this - hence Internet Explorer 5+ is required.

Software

Examples are intended for display in Internet Explorer 5+ and written using Homesite 4.0 (HTML editor). XMl/XSL files are plain text and can be opened in a text editor (e.g. notepad). There is presently only one freely available example of working XML signature code - IBM Alphaworks Security Suite for Java (ss4j). 'The XML Security Suite provides security features such as digital signature, element-wise encryption, and access control to Internet business-to-business transactions.' This suite is under development and versions are not back compatible. Examples given here are intended for use with the 10/30/2000 release of ss4j (xss4j-20001019.zip). Future releases will probably use different namespace URLs, please check ss4j's documentation if you are having trouble.

Installing ss4j

PATH and CLASSPATH changes should be made to your autoexec.bat (Windows '9x/Me) or to your menu [Settings | System | Environment] (Windows NT4/2000) (adjust directories as required and restart to apply changes). For example:

1. Download and install Java2 SDK 1.2+ ( http://www.javasoft.com/j2se/ )
2. Add e:\jdk1.3\bin; to your PATH.
3. Download and install Xerces Java XML parser 1.1+ ( http://xml.apache.org/xerces-j/ )
4. Add e:\xerces-1_1_0\xerces.jar;e:\xerces-1_1_0\xercesSamples.jar to your CLASSPATH
5. Download and install Xalan Java XSL processor 1.1+ ( http://xml.apache.org/xalan/ )
6. Add e:\xalan_1_2_D01\xalan.jar to your CLASSPATH
7. Download and install IBM Security Suite 4 Java ( http://www.alphaworks.ibm.com/tech/xmlsecuritysuite/ )
8. Add e:\xss4j\xss4j.jar;e:\xss4j\xml4j.jar;e:\xss4j\samples to your CLASSPATH

Aspects of chemical interest are key generation, digital signatures, element-wise encryption and access controls. Batch files running the examples are available here .

Key Generation

Java cryptography uses self-signed key pairs stored on the signees computer. ss4j uses these key pairs to sign documents or document components using X.509 certificates (under development and so not intended for practical use).

The following will create a key pair using the alias 'm.wright':

You will be asked to supply two passwords, one for the key store and one for the 'm.wright' key pair (optional). Additional key pairs can be added for further aliases by using the same key store password.

Self-signed certificates do not authenticate the identity of the author, only that the signed document has not been changed. This can be solved by replacing the self-signed certificate with a Certification Authority (CA) approved certificate. The CA is then considered to vouch for the author's identity. The process is as follows;

1. Create a RSA self-signed certificate, supplying passwords as before;

c:>keytool -genkey -keyalg RSA -alias cmlconsulting -dname "CN=CML Consulting Ltd, OU=http://www.cmlconsulting.com/, O=n/a, L=London, S=n/a, C=UK"

2. Then issue a certificate signing request (CSR):

C:>keytool -certreq -alias cmlconsulting -file csr.cer

3. You will be asked for the appropriate passwords, the returned file is plain text and will resemble the following:

-----BEGIN NEW CERTIFICATE REQUEST----- MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCVUsxDDAKBgNVBAgTA24vYTEPMA0GA1UEBxMGTG9uZG9u MQwwCgYDVQQKEwNuL2ExJjAkBgNVBAsTHWh0dHA6Ly93d3cuY21sY29uc3VsdGluZy5jb20vMRsw GQYDVQQDExJDTUwgQ29uc3VsdGluZyBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2K r7/yB1J2YqwBBQ9STY1haO2t2n/B6SvFigruSg3/bkMGKDHI/v/EYaUxPKpyc4lk+qLwx/A/AXh1 fpcoIoMR5nIyVX/9Ka3J5fvNpWRz3FGo/fyUyEGBjZW9umZJcV2HCvyHQiltfKYHKWr3MenFe8G2 4M2WezRAWqGxShsdAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQBC0Hsv1tLE6p2HwoIrRl+ltBNp 8RgfD9hQJtX869lqTIamWNRXCqKtr2UVg4c4yDq3c8MfSUuebk9S6sVF87GeQwnwE6dzav+FtNli 9467lE8qhTitlTZ86Cuj7XvuK3nyTORxxIzCTek+kVrEnbGDDwf71duKBUS9MvJqvOCMgg== -----END NEW CERTIFICATE REQUEST-----

4. Apply for a Java signing certificate from a CA (e.g. Thawte ). You will need to send them the CSR and they will return a certificate, signed with their own keys. You can now replace your self-signed certificate with the CA signed one:

C:>keytool -import -trustcacerts -file careply.cer -alias cmlconsulting

Digital Signatures

ss4j supports XML signature based on the W3C specifications ( http://www.w3.org/TR/2000/WD-xmldsig-core-20001012/ ). It allows enveloping, enveloped and detached signatures.

In order to sign a document, you need to prepare an empty signature template (examples are given in the e:\xss4j\data\dsig directory) and run the ss4j software to complete it. In the case of internal signatures the template elements are added into the XML. External signatures simply need a new file containing the template. It is suggested that detached signature should be used with files likely to change rapidly (for example an article in the process of being written by a number of authors). Static or completed documents should be signed internally. Enveloping signatures must be used if components of the document need to be signed separately (ss4j doesn't support anything else). The template is then completed using the following command, supplying appropriate passwords:

This procedure takes about half a minute depending on the size of the document. The signed file can then be validated:

If the signature and all of signed resources were not modified, VerifyGUI reports the result of verification as "Core Validity: Ok" and "SignInfo: Ok"

Password Protected Element Encryption

This allows only specific elements in an XML document to be encrypted (leaving the rest readable). Installation is as follows (assuming Java2 and Xerces have already been installed);

1. Download and install the Java Cryptography Extension ( http://java.sun.com/products/jce/ )
2. Copy the contents of E:\jce1.2.1\lib to E:\jdk1.3\jre\lib\ext (or equivalents)
3. Open E:\jdk1.3\jre\lib\security\java.security (or equivalent) in a text editor and find security.provider.2=com.sun.rsajca.Provider, now add security.provider.3=com.sun.crypto.provider.SunJCE immediately below this
4. Download and install JavaMail 1.1+ ( http://java.sun.com/products/javamail/ )
5. Add e:\javamail-1.1.3\mail.jar to your CLASSPATH

To run the excryption GUI, use: java xenc.XMLEncryptor. XML documents can be loaded, elements encrypted and then saved.

Example: article.xml

We separately signed four different components of this document, the abstract, a molecule, a spectrum and a reaction. The components are combined with the rest of the text and the entire document signed with an external signature. The procedure is as follows:

1. Run examples/makekeys/1-make3keys.bat and 2-makecmlkey to set up four keys (3 DSA and 1 RSA)
2. example/xsign/doc_parts/molecule.xml, spectrum.xml, reaction.xml and abstract.xml are the signed components, each has a unfinished enveloping signature. article_core.xml is the remaining document text. These are all legal XML and can be opened in IE5+.
3. Run example/xsign/doc_parts/sign.bat to complete the signatures. This returns four signed document components.
4. Concatenated the signed components and article_core.xml to form article.xml, validatearticle.bat will check this.
5. A detached signature template is created sig.xml - this uses the cmlconsulting alias. To complete it, upload article.xml to a suitable http server and change the URI attribute in sig.xml to match. Then run signsig.batvalidatesig.bat will validate the externl signature (must be online).
6. corrupted_article.xml is a slightly corrupted version, validatecorrupted.bat will demonstrate this.

All XML files can be opened in IE, article.xml and corrupted_article.xml will use stylesheets allowing the display of the signings (press 'show signature'). For the full signature, right click and view source.

Known Problems

• 'Our XML Signature library never resolve IDs outside the Signature element. You have to implement an IDResolver. The library parses detached resources with non-validating parser. -- Kent' (http://www.alphaworks.ibm.com/forum/xmlsecuritysuite.nsf/discussion_current_nav/59397387A3BC4AD20B9F411BD405E908?OpenDocument). This means that you can't;
• Use multiple external signature signing different parts of the same document.
• Use enveloped signatures properly.
• Validate more than one internal signature