Digital signatures and XML encryption standards?

My question is about securing the messages passed to a Web Service (and vice versa). Can anyone say, based on today's situation, which technologies/standards should I look into for applying digital signatures and (partial) encryption to XML messages? I've read about a slew of standards being developed (mainly SAML and XML-Sig I guess) but none of them seems to be "ready" and the implementations seem to be non-existent or "alpha stage".
So, which standard should I use? Or should I just implement my "proprietary" encryption and signatures using the basic Java security APIs (taking the to-be-encoded XML element, encoding it into Base64 and then applying some encryption algorithm)?
I'd be interested in experiences with IBM's XML Security Suite...?

see if this helps
http://www.xml.com/pub/a/2001/08/08/xmldsig.html
Eric

Originally posted by Eric Pascarello:
http://www.xml.com/pub/a/2001/08/08/xmldsig.html

Thanks for the link. However, it didn't do much because I am already aware of the principle of XML digital signatures. What I'm after is a "shrink-wrapped" library for signing a given XML document (a specified part of it) so that I don't have to hand code that logic. And the same for reading the signature, of course.

Originally posted by Lasse Koskela:

Thanks for the link. However, it didn't do much because I am already aware of the principle of XML digital signatures. What I'm after is a "shrink-wrapped" library for signing a given XML document (a specified part of it) so that I don't have to hand code that logic. And the same for reading the signature, of course.

Hi - I'd recommend the IBM XML Security Suite. Here's some example code written using it - you can see that it's quite high-level and you don't have to deal with the nuts-and-bolts of making the actual signature yourself, although it does help to be aware of the high level structure of XML Signature [ i.e. Reference, KeyInfo, etc]
[ com.ibm.xml.dsig.* and java.security.* namespaces are required ]
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(keystorepath), storepass);
X509Certificate cert = (X509Certificate)keystore.getCertificate(alias);
Key key = keystore.getKey(alias, keypass); // a private key
if (key == null) {
System.err.println("Could not get a key: "+alias);
System.exit(1);
}
KeyInfo keyInfo = dsig.SignatureUtil.createKeyInfo(cert);
Element signatureElement = signatureGen.getSignatureElement();
keyInfo.insertTo(signatureElement, prefix);
//
// Sign
//
SignatureContext sigContext = new SignatureContext();
sigContext.setIDResolver(idg);
sigContext.sign(signatureElement, key);
doc.appendChild(signatureElement);
dsig.SignatureUtil.printDocument(doc, System.out);
---------
hope this helps
-Mark
Mark O'Neill
CTO, Vordel

Originally posted by Mark O'Neill:
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(keystorepath), storepass);
X509Certificate cert = (X509Certificate)keystore.getCertificate(alias);
Key key = keystore.getKey(alias, keypass); // a private key
if (key == null) {
System.err.println("Could not get a key: "+alias);
System.exit(1);
}
KeyInfo keyInfo = dsig.SignatureUtil.createKeyInfo(cert);
Element signatureElement = signatureGen.getSignatureElement();
keyInfo.insertTo(signatureElement, prefix);
//
// Sign
//
SignatureContext sigContext = new SignatureContext();
sigContext.setIDResolver(idg);
sigContext.sign(signatureElement, key);
doc.appendChild(signatureElement);
dsig.SignatureUtil.printDocument(doc, System.out);

Thank you very much!
I have a question about IBM's suite, though. I see that your example code used a locally stored keystore file for fetching keys - what other sources are supported by the IBM XML Security Suite? Can I use, for example, a policy server to provide the keys?

Originally posted by Mark O'Neill:

...
KeyInfo keyInfo = dsig.SignatureUtil.createKeyInfo(cert);
...
Element signatureElement = signatureGen.getSignatureElement();
...
keyInfo.insertTo(signatureElement, prefix);
...
dsig.SignatureUtil.printDocument(doc, System.out);

Where do these classes/objects come from ("dsig.SignatureUtil", "signatureGen", "prefix")? I couldn't find them in the XSS4J javadocs.