Bureaucrats, editor, reviewer, Administrators
13,550
edits
Changes
Jump to navigation
Jump to search
[[Category:XQuery]]
no edit summary
This [[Module Library|XQuery Module]] contains functions to perform cryptographic operations in XQuery.
The cryptographic module is based on an early draft of the [http://expath.org/spec/crypto /20110810 EXPath Cryptographic Module] and provides the following functionality: creation of message authentication codes (HMAC), encryption and decryption, and creation and validation of XML Digital Signatures.
=Conventions=
All functions in this module are assigned to the {{Code|<code><nowiki>http://expath.org/ns/crypto}} </nowiki></code> namespace, which is statically bound to the {{Code|crypto}} prefix.<br/>All errors are assigned to the {{Code|<code><nowiki>http://expath.org/ns/error}} </nowiki></code> namespace, which is statically bound to the {{Code|experr}} prefix.
=Message Authentication=
==crypto:hmac==
{| width='100%'
|-
| width='120' | '''Signatures'''
|{{Func|crypto:hmac|$message data as xs:stringanyAtomicType, $key as xs:stringanyAtomicType, $algorithm as xs:string|xs:string}}<br/>{{Func|crypto:hmac|$message data as xs:stringanyAtomicType, $key as xs:stringanyAtomicType, $algorithm as xs:string, $encoding as xs:string|xs:string}}
|-
| '''Summary'''
|Creates a message an authentication code via a cryptographic hash function and a secret for the specified {{Code|$keydata}}. <br/>via a cryptographic hash function:* {{Code|$encodingkey}} must either not be {{Code|hex}}, {{Code|base64}} or the empty string and specifies the encoding of the returned authentication code. '''Default is {{Code|base64}}'''.<br/>* {{Code|$algorithm}} describes the hash algorithm which is used for encryption. Currently supported are {{Code|md5}}, {{Code|sha1}}, {{Code|sha256}}, {{Code|sha384}}, {{Code|sha512}}. '''Default is {{Code|md5}}'''.* {{Code|$encoding}} must either be {{Code|hex}} or {{Code|base64}}; it specifies the encoding of the returned authentication code. Default is {{Code|base64}}.
|-
| '''Errors'''
|{{Error|CX0013|XQuery Errors#Cryptographic Functions Errors}} the specified hashing algorithm is not supported.<br/>{{Error|CX0014|XQuery Errors#Cryptographic Functions Errors}} the specified encoding method is not supported.<br/>{{Error|CX0019|XQuery Errors#Cryptographic Functions Errors}} the specified secret key is invalid.<br/>
|-
| '''Example'''
|'''Returns the Return message authentication code (MAC) for a given string.''':
'''Query:'''
<pre classsyntaxhighlight lang="brush:xquery">crypto:hmac('message','secretkey','md5','base64hex')</presyntaxhighlight>
'''Result:'''
<pre classsyntaxhighlight lang="brush:xml">
34D1E3818B347252A75A4F6D747B21C2
</presyntaxhighlight>
|}
=Encryption & Decryption=
The encryption and decryption functions underlie several limitations:
* Cryptographic algorithms are currently limited to {{Code|symmetric}} algorithms only. This means that the same secret key is used for encryption and decryption.
* Available algorithms are {{Code|DES}} and {{Code|AES}}.
* Padding is fixed to {{Code|PKCS5Padding}}.
==crypto:encrypt==
{| width='100%'
|-
| width='120' | '''Signatures'''
|{{Func|crypto:encrypt|$input data as xs:stringanyAtomicType, $encryption type as xs:string, $key as xs:stringanyAtomicType, $algorithm as xs:string|xs:stringbase64Binary}}
|-
| '''Summary'''
|Encrypts data with the given input string.<br/>specified key:* {{Code|$encryptiondata}} must be a string or binary item.* {{Code|symmetric$type}}, as asymmetric encryption is not supported so far. '''Default is must be {{Code|symmetric}}'''.<br/>* {{Code|$key}} is the secret key which is used for both encryption and decryption of input data. It must be a string or binary item. Its length is fixed and depends on the chosen algorithm: 8 bytes for {{Code|8 bytes for DES}}, 16 bytes for {{Code|16 bytes for AES}}.<br/>* {{Code|$algorithm}} must either be {{Code|DES}} or {{Code|AES}}. Other algorithms are not supported so far, but, of course, can be added on demand. '''Default is {{Code|DES}}'''.
|-
| '''Errors'''
|{{Error|CX0016|XQuery Errors#Cryptographic Functions Errors}} padding problems arise.<br/>{{Error|CX0017|XQuery Errors#Cryptographic Functions Errors}} padding is incorrect.<br/>{{Error|CX0018|XQuery Errors#Cryptographic Functions Errors}} the encryption type is not supported.<br/>{{Error|CX0019|XQuery Errors#Cryptographic Functions Errors}} the secret key is invalid.<br/>{{Error|CX0020|XQuery Errors#Cryptographic Functions Errors}} the block size is incorrect.<br/>{{Error|CX0021|XQuery Errors#Cryptographic Functions Errors}} the specified encryption algorithm is not supported.<br/>
|-
| '''Example'''
|'''Encrypts Encrypt input data.''' '''Query:'''<pre classsyntaxhighlight lang="brush:xquery">crypto:encrypt('message', 'symmetric','keykeyke','DES')</presyntaxhighlight>
|}
==crypto:decrypt==
{| width='100%'
|-
| width='120' | '''Signatures'''
|{{Func|crypto:decrypt|$input data as xs:stringanyAtomicType, $type as xs:string, $key as xs:stringanyAtomicType, $algorithm as xs:string|xs:string}}
|-
| '''Summary'''
|Decrypts Encrypts data with the encrypted specified key:* {{Code|$inputdata}}must be a string or binary item.<br/>* {{Code|$type}} must be {{Code|symmetric}}. An option for asymmetric encryption will most likely be added with another version of BaseX. '''Default is {{Code|symmetric}}'''.<br/>* {{Code|$key}} is the secret key which is used for both encryption and decryption of input data. It must be a string or binary item. Its length is fixed and depends on the chosen algorithm: 8 bytes for {{Code|8 bytes for DES}}, 16 bytes for {{Code|16 bytes for AES}}.<br/>* {{Code|$algorithm}} must either be {{Code|DES}} or {{Code|AES}}. Other algorithms are not supported so far, but, of course, can be added on demand. '''Default is {{Code|DES}}'''.
|-
| '''Errors'''
|{{Error|CX0016|XQuery Errors#Cryptographic Functions Errors}} padding problems arise.<br/>{{Error|CX0017|XQuery Errors#Cryptographic Functions Errors}} padding is incorrect.<br/>{{Error|CX0018|XQuery Errors#Cryptographic Functions Errors}} the encryption type is not supported.<br/>{{Error|CX0019|XQuery Errors#Cryptographic Functions Errors}} the secret key is invalid.<br/>{{Error|CX0020|XQuery Errors#Cryptographic Functions Errors}} the block size is incorrect.<br/>{{Error|CX0021|XQuery Errors#Cryptographic Functions Errors}} the specified encryption algorithm is not supported.<br/>
|-
| '''Example'''
|'''Decrypts Decrypt input data and returns the return original string.''':
'''Query:'''
<pre classsyntaxhighlight lang="brush:xquery">let $encrypted := crypto:encrypt('message', 'symmetric','keykeyke','DES')return crypto:decrypt($encrypted, 'symmetric','keykeyke','DES')</presyntaxhighlight>
'''Result:'''
<pre classsyntaxhighlight lang="brush:xml">
message
</presyntaxhighlight>
|}
=XML Signatures=
[httphttps://www.w3.org/TR/xmldsig-core/ XML Signatures] are used to sign data. In our case, the data which is signed is an XQuery node. The following example shows the basic structure of an XML signature.
'''XML Signature'''
<pre classsyntaxhighlight lang="brush:xml">
<Signature>
<SignedInfo>
<Object/>
</Signature>
</presyntaxhighlight>
* '''SignedInfo''' contains or references the signed data and lists algorithm information
The {{Code|generate-signature}} function allows to pass a {{Code|digital certificate}}. This certificate holds parameters that allow to access key information stored in a Java key store which is then used to sign the input document. Passing a {{Code|digital certificate}} simply helps re-using the same key pair to sign and validate data. The {{Code|digital certificate}} is passed as a node and has the following form:
<pre classsyntaxhighlight lang="brush:xml">
<digital-certificate>
<keystore-type>JKS</keystore-type>
<keystore-uri>...</keystore-uri>
</digital-certificate>
</presyntaxhighlight>
==crypto:generate-signature==
{| width='100%'
|-
| width='120' | '''Signatures'''
|{{Func|crypto:generate-signature|$input as node(), $canonicalization as xs:string, $digest as xs:string, $signature as xs:string, $prefix as xs:string, $type as xs:string|node()}}<br/>{{Func|crypto:generate-signature|$input as node(), $canonicalization as xs:string, $digest as xs:string, $signature as xs:string, $prefix as xs:string, $type as xs:string, $ext xpath as xs:string, $certificate as itemnode()|node()}}<br/>{{Func|crypto:generate-signature|$input as node(), $canonicalization as xs:string, $digest as xs:string, $signature as xs:string, $prefix as xs:string, $type as xs:string, $xpath ext as xs:string, $certificate as nodeitem()|node()}}
|-
| '''Summary'''
{{Code|$type}} is the signature type. It must either be {{Code|enveloped}} or {{Code|enveloping}} (detached signatures are not supported so far). '''Default is {{Code|enveloped}}'''.<br/>
{{Code|$xpath}} is an arbitrary XPath expression which specifies a subset of the document that is to be signed.<br/>
{{Code|$certificate}} is the digitial certificate used to sign the input document.<br/>
{{Code|$ext}} may either be an {{Code|$xpath}} expression or a {{Code|$certificate}}.<br/>
|-
| '''Errors'''
|{{Error|CX0001|XQuery Errors#Cryptographic Functions Errors}} the canonicalization algorithm is not supported.<br/>{{Error|CX0002|XQuery Errors#Cryptographic Functions Errors}} the digest algorithm is not supported.<br/>{{Error|CX0003|XQuery Errors#Cryptographic Functions Errors}} the signature algorithm is not supported.<br/>{{Error|CX0004|XQuery Errors#Cryptographic Functions Errors}} the {{Code|$xpath-expression}} is invalid.<br/>{{Error|CX0005|XQuery Errors#Cryptographic Functions Errors}} the root name of {{Code|$digital-certificate}} is not 'digital-certificate.<br/>{{Error|CX0007|XQuery Errors#Cryptographic Functions Errors}} the key store is null.<br/>{{Error|CX0012|XQuery Errors#Cryptographic Functions Errors}} the key cannot be found in the specified key store.<br/>{{Error|CX0023|XQuery Errors#Cryptographic Functions Errors}} the certificate alias is invalid.<br/>{{Error|CX0024|XQuery Errors#Cryptographic Functions Errors}} an invalid algorithm is specified.<br/>{{Error|CX0025|XQuery Errors#Cryptographic Functions Errors}} an exception occurs while the signing the document.<br/>{{Error|CX0026|XQuery Errors#Cryptographic Functions Errors}} an exception occurs during key store initialization.<br/>{{Error|CX0027|XQuery Errors#Cryptographic Functions Errors}} an IO exception occurs.<br/>{{Error|CX0028|XQuery Errors#Cryptographic Functions Errors}} the signature type is not supported.<br/>
|-
| '''Example'''
|'''Generates an Generate [httphttps://www.w3.org/TR/xmldsig-core/ XML Signature].''':
'''Query:'''
<pre classsyntaxhighlight lang="brush:xquery">
crypto:generate-signature(<a/>, '', '', '', '', '')
</presyntaxhighlight>
'''Result:'''
<pre classsyntaxhighlight lang="brush:xml">
<a>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
</Signature>
</a>
</presyntaxhighlight>
|}
==crypto:validate-signature==
{| width='100%'
|-
|-
| '''Errors'''
|{{Error|CX0015|XQuery Errors#Cryptographic Functions Errors}} the signature element cannot be found.<br/>{{Error|CX9994|XQuery Errors#Cryptographic Functions Errors}} an unspecified problem occurs during validation.<br/>{{Error|CX9996|XQuery Errors#Cryptographic Functions Errors}} an IO exception occurs during validation.<br/>
|-
| '''Example'''
|'''Validates an Validate [httphttps://www.w3.org/TR/xmldsig-core/ XML Signature].''':
'''Query:'''
<pre classsyntaxhighlight lang="brush:xquery">
let $sig := crypto:generate-signature(<a/>, '', '', '', '', '')
return crypto:validate-signature($sig)
</presyntaxhighlight>
'''Result:'''
<pre classsyntaxhighlight lang="brush:xml">
true
</presyntaxhighlight>
|}
=Changelog=
;Version 9.3
* Updated: [[#crypto:hmac|crypto:hmac]], [[#crypto:encrypt|crypto:encrypt]], [[#crypto:decrypt|crypto:decrypt]]: Function types revised.
;Version 8.6
* Updated: [[#crypto:hmac|crypto:hmac]]: The key can now be a string or a binary item.
The Module was introduced with Version 7.0.
