Xoxa: Normalising and signing XML

Xoxa is a prescription for normalising XML, and signing and verifying it using GPG signatures. It acts as an alternative to the standardised, but undeniably intricate W3C XML Signature standard.

This package takes a rather different approach to that implied by that standard, since it aims to address a slightly different problem, which is significantly simpler.

This distribution contains both a Java and a C implementation of the method. See the documentation below for details.

This distribution should currently be regarded as a beta release. The details of the normalisation may change.

There is extensive rationale elsewhere; for the library description and downloads, see below. There are further details in a paper on arXiv at 1505.04437.

Both distributions are available under the terms of the 2-clause BSD licence.

A Java library

This Java library provides support for the various steps involved.

The normalisation is based on the data model implied by the well-known SAX streaming API of Java. Very similar APIs exist for other languages, and they closely match the Java one (naturally, because they all necessarily have a close relationship to the XML information set), so there is nothing Java-specific about the normalisation procedure here. The data model does not include lexical information, such as information about quotes or the order of attributes, so this confounding information is a fortiori not present in the normalised output.

This is a rather aggressive normalisation, meaning that it defines a large class of XML documents which are deemed equivalent in the sense that they produce identical normalisations. This normalisation greatly simplifies the solution, by solving a simpler problem than the one the XML Canonicalisation Working Group has set itself. This scheme is practical because there is a large set of XML documents which are practically equivalent under this normalisation, so that we do not have to deal with the complicating generalities required if we wish to preserve the entire XML Information Set.
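
The effect of normalising at the level of SAX events can be seen in the following added example, which is not part of the Xoxa distribution and does not reproduce Xoxa's actual normalisation rules. It uses Python's xml.sax (one of the SAX-like APIs mentioned above); the event encoding, the choice of SHA-256, the dropping of whitespace-only text and the sample documents are all assumptions made for illustration.

```python
import hashlib
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_namespaces

class DigestHandler(ContentHandler):
    def __init__(self):
        super().__init__()
        self.hash = hashlib.sha256()
        self.text = []  # pending character data; parsers may split it arbitrarily

    def _emit(self, *fields):
        # Length-prefix each field so event boundaries cannot be confused.
        for field in fields:
            data = field.encode("utf-8")
            self.hash.update(b"%d:" % len(data) + data)

    def _flush_text(self):
        text = "".join(self.text)
        self.text.clear()
        if text.strip():  # assumption of this sketch: drop whitespace-only text
            self._emit("T", text)

    def startElementNS(self, name, qname, attrs):
        self._flush_text()
        self._emit("S", name[0] or "", name[1])
        # Attribute order is lexical detail: emit sorted by (namespace, local name).
        for key in sorted(attrs.keys(), key=lambda k: (k[0] or "", k[1])):
            self._emit("A", key[0] or "", key[1], attrs[key])

    def endElementNS(self, name, qname):
        self._flush_text()
        self._emit("E")

    def characters(self, content):
        self.text.append(content)

def normalised_digest(xml_bytes):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_namespaces, True)     # names as (URI, local), no prefixes
    parser.setFeature(feature_external_ges, False)  # do not resolve external entities
    handler = DigestHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.hash.hexdigest()

# Constructed samples: A and B differ in quotes, prefix, attribute order, layout.
DOC_A = b'<doc xmlns:p="urn:example"><p:item b="2" a=\'1\'>hi &amp; bye</p:item></doc>'
DOC_B = b"<doc xmlns:q='urn:example'>\n  <q:item a=\"1\" b=\"2\"  >hi &#38; bye</q:item>\n</doc>"
```

DOC_A and DOC_B give the same digest, because everything that distinguishes them is lexical; changing an attribute value or any text content changes the digest.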

The distributed jar file includes a command-line application which can be used to experiment with the normalisation and signing functionality. See java -jar xoxaj-version.jar --help for usage.

A C library

The C library has the same core functionality as the Java library, in terms of normalising XML input, but in this case it demonstrates calculating cryptographic digests of the XML input, rather than PGP signatures. It also exposes an API which mirrors the Expat API (that is, it can act as a replacement for it), but with additional functions for calculating digests ‘en passant’.

The C implementation includes a command-line program to perform the normalisation, hashing and verification steps. See ./xoxa -h for usage, or man ./xoxa.1 for fuller documentation.

Code and downloads

Release notes

The C and Java libraries currently have identical version numbers; this isn't guaranteed long-term.

Release 0.3.1, 2015 May 17
Included sample code (and check it works!); various documentation and distribution fixes.
Release 0.3, 2015 May 10
Assorted changes, including PGP support in C implementation.
Release 0.2, 2014 September 13
First public release
Norman Gray
2015 May 11