Library to manage XAdES signatures in Java

14.2k views Asked by At

I'm looking for a Java library that allows the creation and verification of XAdES signatures (the more formats, the better: XAdES-BES, XAdES-C, XAdES-X-L, etc.).

The most interesting implementations I found are:

  • Java XML Digital Signature API (JSR 105) (= the one included in Java SE 6), which is based on the following one;
  • Apache Santuario (http://santuario.apache.org/), which provides an useful support only for basic features;
  • XAdES4j (http://code.google.com/p/xades4j/, nice presentation: http://prezi.com/06vyxbgohncv/xades4j-en/), which seems to be interesting, because it "enables producing, verifying and extending signatures in the main XAdES forms: XAdES-BES, XAdES-EPES, XAdES-T and XAdES-C. Also, extended forms are supported through the enrichment of an existing signature". However it's the result of a thesys and it's followed only by a developer;
  • eID Digital Signature Service (http://code.google.com/p/eid-dss/), which is developed by the Belgium Federal ICT Department and supports the XAdES-X-L format.

Which one would you suggest to use or to build on?

3

There are 3 answers

5
Eugene Mayevski 'Callback On

Just to complete the list, XMLBlackbox package of our SecureBlackbox (Java edition) offers full support for all XAdES versions and is actively maintained and supported.

1
spikeheap On

We have recently completed a project using XAdES-BES signatures in both enveloped and enveloping forms. We chose the XAdES4j project because it seemed the most complete, and XAdES was a core requirement.

The support on the Q&A section is sometimes slow, and and only the most obvious use case is well documented. That said the library is well tested, excellently designed, and very useful.

We spent a couple of weeks getting our heads around it and I would now recommend it as a platform.

The only caveat is that (as you say) it is the production of an academic project, so how much support it will receive in the future is anyone's guess. If you pick it up and buy into it then consider contributing, and it might pick up a bit of speed.

3
user2277870 On

You can look at the "Componentes de firma", a LGPL suite of components created and mantained by the Spanish government. It's a full cryptographic suite that supports creation and validation of the following XAdES formats:

  • XAdES-BES
  • XAdES-T
  • XAdES-C
  • XAdES-X
  • XAdES-XL
  • XAdES-EPES

With detached, enveloped, enveloping and mixed signatures.

Detailed description of the XAdES signatures can be found at http://oficinavirtual.mityc.es/componentes/MITyCLibXADES/index.html, and the download site is http://oficinavirtual.mityc.es/componentes/downloads.html