14

I'm looking for a Java library that allows the creation and verification of XAdES signatures (the more formats, the better: XAdES-BES, XAdES-C, XAdES-X-L, etc.).

The most interesting implementations I found are:

  • Java XML Digital Signature API (JSR 105) (= the one included in Java SE 6), which is based on the following one;
  • Apache Santuario (http://santuario.apache.org/), which provides a useful support only for basic features;
  • XAdES4j (http://code.google.com/p/xades4j/, nice presentation: http://prezi.com/06vyxbgohncv/xades4j-en/), which seems to be interesting, because it "enables producing, verifying and extending signatures in the main XAdES forms: XAdES-BES, XAdES-EPES, XAdES-T and XAdES-C. Also, extended forms are supported through the enrichment of an existing signature". However it's the result of a thesis and it's followed only by a developer;
  • eID Digital Signature Service (http://code.google.com/p/eid-dss/), which is developed by the Belgium Federal ICT Department and supports the XAdES-X-L format.

Which one would you suggest to use or to build on?

Adam Wagner
Jhack

3 Answers

5

We have recently completed a project using XAdES-BES signatures in both enveloped and enveloping forms. We chose the XAdES4j project because it seemed the most complete, and XAdES was a core requirement.

The support on the Q&A section is sometimes slow, and only the most obvious use case is well documented. That said, the library is well tested, excellently designed, and very useful.

We spent a couple of weeks getting our heads around it and I would now recommend it as a platform.

The only caveat is that (as you say) it is the production of an academic project, so how much support it will receive in the future is anyone's guess. If you pick it up and buy into it then consider contributing, and it might pick up a bit of speed.

spikeheap
4

You can look at the "Componentes de firma", an LGPL suite of components created and maintained by the Spanish government. It's a full cryptographic suite that supports creation and validation of the following XAdES formats:

  • XAdES-BES
  • XAdES-T
  • XAdES-C
  • XAdES-X
  • XAdES-XL
  • XAdES-EPES

With detached, enveloped, enveloping and mixed signatures.

Detailed description of the XAdES signatures can be found at http://oficinavirtual.mityc.es/componentes/MITyCLibXADES/index.html, and the download site is http://oficinavirtual.mityc.es/componentes/downloads.html

user2277870
1

Just to complete the list, XMLBlackbox package of our SecureBlackbox (Java edition) offers full support for all XAdES versions and is actively maintained and supported.

Eugene Mayevski 'Callback
  • Unless I've read their documentation wrong and they didn't put this change to the change log, it looks like the Java version of the library doesn't support ArchiveTimeStamp (XAdES-A) from version 1.4.2 of the standard. This will make the A form generated with it invalid with Qualified Signatures after 2012 or 2013, can't remember exactly now... – Hubert Kario Dec 18 '12 at 22:48
  • @HubertKario XAdES-A is supported. Maybe an additional line or two of code should be written, but this is not a problem. – Eugene Mayevski 'Callback Dec 19 '12 at 07:03
  • @HubertKario All supported profiles are listed on http://www.eldos.com/sbb/desc-xml-spec.php and XAdES-A is in the list. Moreover, this is the only place where specific profiles are listed. – Eugene Mayevski 'Callback Dec 19 '12 at 07:14
  • The link you provided doesn't tell which version of the standard you support. Current EU law requires creation of `ArchiveTimeStamp` property in 1.4.1 namespace (so something theoretically completely different from the ArchiveTimeStamp from 1.3.2 version of the standard) and support for TimeStampValidationData property in 1.4.1 namespace. If you are supporting it, then good. Last time I checked you didn't and now I can't find the documentation again so I can't check if this has changed. – Hubert Kario Dec 19 '12 at 20:47
  • @HubertKario If you didn't find something, you are welcome to contact technical support. SO is not the place for such support. – Eugene Mayevski 'Callback Dec 20 '12 at 07:03
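
The namespace question raised in the comments can be checked on any library's output by looking at which XAdES namespace its `ArchiveTimeStamp` element is in. The following is an added example, not code from any poster or from the libraries discussed; the class name and the sample documents are constructed for illustration, and it inspects structure only, without validating the signature or the timestamps.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Hypothetical helper: reports which XAdES namespace carries the archive properties.
public class XadesArchiveCheck {
    static final String XADES_132 = "http://uri.etsi.org/01903/v1.3.2#";
    static final String XADES_141 = "http://uri.etsi.org/01903/v1.4.1#";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // needed for namespace-qualified lookups
        // Signed XML is untrusted input: refuse DOCTYPEs to block XXE.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static int count(Document d, String ns, String localName) {
        return d.getElementsByTagNameNS(ns, localName).getLength();
    }

    static String describe(Document d) {
        int v132 = count(d, XADES_132, "ArchiveTimeStamp");
        int v141 = count(d, XADES_141, "ArchiveTimeStamp");
        int tsvd = count(d, XADES_141, "TimeStampValidationData");
        if (v141 > 0) {
            return "ArchiveTimeStamp in 1.4.1 namespace: " + v141
                    + ", TimeStampValidationData: " + tsvd;
        }
        if (v132 > 0) {
            return "ArchiveTimeStamp only in 1.3.2 namespace: " + v132;
        }
        return "no ArchiveTimeStamp property found";
    }

    public static void main(String[] args) throws Exception {
        // Constructed skeletons of the unsigned properties, not real signatures.
        String tmpl = "<x:UnsignedSignatureProperties xmlns:x='" + XADES_132
                + "' xmlns:x141='" + XADES_141 + "'>%s</x:UnsignedSignatureProperties>";
        String[] samples = {
            String.format(tmpl, "<x:ArchiveTimeStamp/>"),
            String.format(tmpl, "<x141:TimeStampValidationData/><x141:ArchiveTimeStamp/>"),
            String.format(tmpl, "<x:SignatureTimeStamp/>")
        };
        for (String s : samples) {
            System.out.println(describe(parse(s)));
        }
    }
}
```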