Cryptographic Functions
This module contains functions to perform cryptographic operations in XQuery. The cryptographic module is based on an early draft of the EXPath Cryptographic Module and provides the following functionality: creation of message authentication codes (HMAC), encryption and decryption, and creation and validation of XML Digital Signatures.
All functions in this module are assigned to the http://expath.org/ns/crypto namespace, which is statically bound to the crypto prefix. 
All errors are assigned to the http://expath.org/ns/error namespace, which is statically bound to the experr prefix.
| Signature | crypto:hmac(
  $data       as xs:anyAtomicType,
  $key        as xs:anyAtomicType,
  $algorithm  as xs:string,
  $encoding   as xs:string?        := ()
) as xs:string | 
|---|
| Summary | Creates an authentication code for the specified $datavia a cryptographic hash function:$keymust not be empty.$algorithmdescribes the hash algorithm which is used for encryption. Currently supported aremd5,sha1,sha256,sha384,sha512. Default ismd5.$encodingmust either behexorbase64; it specifies the encoding of the returned authentication code. Default isbase64.
 | 
|---|
| Errors | | CX0013 | The hashing algorithm is not supported. |  | CX0014 | The encoding method is not supported. |  | CX0019 | The secret key is invalid. | 
 | 
|---|
| Examples | Return the message authentication codecrypto:hmac('message', 'secretkey', 'md5', 'hex')
 34D1E3818B347252A75A4F6D747B21C2. | 
|---|
The encryption and decryption functions underlie several limitations:
- Cryptographic algorithms are currently limited to symmetricalgorithms. This means that the same secret key is used for encryption and decryption.
- Available algorithms are DESandAES.
- Padding is fixed to PKCS5Padding.
- The result of an encryption using the same message, algorithm and key looks different each time it is executed. This is due to a random initialization vector (IV) which is appended to the message and simply increases security.
- As the IV has to be passed along with the encrypted message somehow, data which has been encrypted by the crypto:encryptfunction in BaseX can only be decrypted by calling thecrypto:decryptfunction.
| Signature | crypto:encrypt(
  $data       as xs:anyAtomicType,
  $type       as xs:string,
  $key        as xs:anyAtomicType,
  $algorithm  as xs:string
) as xs:base64Binary | 
|---|
| Summary | Encrypts data with the specified key: $datamust be a string or binary item.$typemust besymmetric.$keyis the secret key which is used for both encryption and decryption of input data. It must be a string or binary item. Its length is fixed and depends on the chosen algorithm: 8 bytes forDES, 16 bytes forAES.$algorithmmust either beDESorAES. Default isDES.
 | 
|---|
| Errors | | CX0016 | No such padding. |  | CX0017 | Incorrect padding. |  | CX0018 | The encryption type is not supported. |  | CX0019 | The secret key is invalid. |  | CX0020 | Illegal block size. |  | CX0021 | The algorithm is not supported. | 
 | 
|---|
| Examples | Encrypt input data.crypto:encrypt('message', 'symmetric', 'keykeyke', 'DES')
 | 
|---|
| Signature | crypto:decrypt(
  $data       as xs:anyAtomicType,
  $type       as xs:string,
  $key        as xs:anyAtomicType,
  $algorithm  as xs:string
) as xs:string | 
|---|
| Summary | Encrypts data with the specified key: $datamust be a string or binary item.$typemust besymmetric.$keyis the secret key which is used for both encryption and decryption of input data. It must be a string or binary item. Its length is fixed and depends on the chosen algorithm: 8 bytes forDES, 16 bytes forAES.$algorithmmust either beDESorAES. Default isDES.
 | 
|---|
| Errors | | CX0016 | No such padding. |  | CX0017 | Incorrect padding. |  | CX0018 | The encryption type is not supported. |  | CX0019 | The secret key is invalid. |  | CX0020 | Illegal block size. |  | CX0021 | The algorithm is not supported. | 
 | 
|---|
| Examples | Decrypts the input and returnslet $encrypted := crypto:encrypt('message', 'symmetric', 'keykeyke', 'DES')
return crypto:decrypt($encrypted, 'symmetric', 'keykeyke', 'DES')
 message. | 
|---|
XML Signatures are used to sign data. In our case, the data which is signed is an XQuery node. The following example shows the basic structure of an XML signature.
XML Signature
<Signature>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    <Reference>
      <Transforms/>
      <DigestMethod/>
      <DigestValue/>
    </Reference>
    <Reference/>
  </SignedInfo>
  <SignatureValue/>
  <KeyInfo/>
  <Object/>
</Signature>
- SignedInfo contains or references the signed data and lists algorithm information
- Reference references the signed node
- Transforms contains transformations (i.e. XPath expressions) that are applied to the input node in order to sign a subset
- DigestValue holds digest value of the transformed references
- SignatureValue contains the Base64 encoded value of the encrypted digest of the SignedInfoelement
- KeyInfo provides information on the key that is used to validate the signature
- Object contains the node which is signed if the signature is of type enveloping
Signature TypesDepending on the signature type, the signature element is either placed as a child of the signed node (enveloped type), or directly contains the signed node (enveloping type). Detached signatures are so far not supported.
Digital Certificate
The generate-signature function allows to pass a digital certificate. This certificate holds parameters that allow to access key information stored in a Java key store which is then used to sign the input document. Passing a digital certificate simply helps re-using the same key pair to sign and validate data. The digital certificate is passed as a node and has the following form:
<digital-certificate>
  <keystore-type>JKS</keystore-type>
  <keystore-password>...</keystore-password>
  <key-alias>...</key-alias>
  <private-key-password>...</private-key-password>
  <keystore-uri>...</keystore-uri>
</digital-certificate>
| Signature | crypto:generate-signature(
  $input             as node(),
  $canonicalization  as xs:string,
  $as                as xs:string,
  $digest            as xs:string,
  $signature         as xs:string,
  $prefix            as xs:string,
  $type              as xs:string,
  $ext1              as item(),
  $ext2              as node()
) as node() | 
|---|
| Summary | $canonicalizationmust either beinclusive-with-comments,inclusive,exclusive-with-commentsorexclusive. **Default isinclusive-with-comments**.$digestmust be one of the following:SHA1,SHA256orSHA512. **Default isSHA1**.$signaturemust either beRSA_SHA1orDSA_SHA1. **Default isRSA_SHA1**.$prefixmay be empty and prefixes theSignatureelement accordingly.$typeis the signature type. It must either beenvelopedorenveloping(detached signatures are not supported so far). **Default isenveloped**.$ext1may either be an$xpathexpression or a$certificate.If $ext2is specified as well,$ext1is an arbitrary XPath expression which specifies a subset of the document that is to be signed, and$ext2is the digitial certificate used to sign the input document. | 
|---|
| Errors | | CX0001 | The canonicalization algorithm is not supported. |  | CX0002 | The digest algorithm is not supported. |  | CX0003 | The signature algorithm is not supported. |  | CX0004 | The XPath expression is invalid. |  | CX0005 | The root element of argument $digital-certificate must have the name 'digital-certificate'. |  | CX0007 | The keystore is null. |  | CX0012 | Cannot find key for alias in given keystore. |  | CX0023 | An invalid certificate alias is specified. Added to the official specification. |  | CX0024 | The algorithm is invalid. Added to the official specification. |  | CX0025 | Signature cannot be processed. Added to the official specification. |  | CX0026 | Keystore cannot be processed. Added to the official specification. |  | CX0027 | An I/O Exception occurred. Added to the official specification. |  | CX0028 | The specified signature type is not supported. Added to the official specification. | 
 | 
|---|
| Signature | crypto:validate-signature(
  $input-doc  as node()
) as xs:boolean | 
|---|
| Summary | Checks if the given node contains a Signatureelement and whether the signature is valid. In this casetrueis returned. If the signature is invalid the function returnsfalse. | 
|---|
| Errors |  | 
|---|
| Code | Description | 
|---|
| CX0001 | The canonicalization algorithm is not supported. | 
| CX0002 | The digest algorithm is not supported. | 
| CX0003 | The signature algorithm is not supported. | 
| CX0004 | The XPath expression is invalid. | 
| CX0005 | The root element of argument $digital-certificate must have the name 'digital-certificate'. | 
| CX0006 | The child element of argument $digital-certificate having position $position must have the name $child-element-name. | 
| CX0007 | The keystore is null. | 
| CX0008 | I/O error while reading keystore. | 
| CX0009 | Permission denied to read keystore. | 
| CX0010 | The keystore URL is invalid. | 
| CX0011 | The keystore type is not supported. | 
| CX0012 | Cannot find key for alias in given keystore. | 
| CX0013 | The hashing algorithm is not supported. | 
| CX0014 | The encoding method is not supported. | 
| CX0015 | Cannot find Signature element. | 
| CX0016 | No such padding. | 
| CX0017 | Incorrect padding. | 
| CX0018 | The encryption type is not supported. | 
| CX0019 | The secret key is invalid. | 
| CX0020 | Illegal block size. | 
| CX0021 | The algorithm is not supported. | 
| CX0023 | An invalid certificate alias is specified. Added to the official specification. | 
| CX0024 | The algorithm is invalid. Added to the official specification. | 
| CX0025 | Signature cannot be processed. Added to the official specification. | 
| CX0026 | Keystore cannot be processed. Added to the official specification. | 
| CX0027 | An I/O Exception occurred. Added to the official specification. | 
| CX0028 | The specified signature type is not supported. Added to the official specification. | 
Version 9.3Version 7.0
 
⚡Generated with XQuery