Difference between revisions of "Cryptographic Module"

From BaseX Documentation
Jump to navigation Jump to search
m
m (Text replace - "<font color='orangered'>Version 7.0</font>" to "{{Version|7.0}}")
Line 4: Line 4:
 
# Encryption and decryption
 
# Encryption and decryption
 
# Creation and validation of an XML Digital Signature
 
# Creation and validation of an XML Digital Signature
This module is introduced with <font color='orangered'>Version 7.0</font> of BaseX.
+
This module is introduced with {{Version|7.0}} of BaseX.
  
 
=Message Authentication Code (MAC)=
 
=Message Authentication Code (MAC)=

Revision as of 13:13, 10 October 2011

This module contains XQuery functions to perform cryptographic operations in XQuery. The cryptographic module is based on an early draft of the EXPath Cryptographic Module and provides the following functionality:

  1. Creation of message authentication codes (HMAC)
  2. Encryption and decryption
  3. Creation and validation of an XML Digital Signature

This module is introduced with Version 7.0 of BaseX.

Message Authentication Code (MAC)

crypto:hmac

Signatures crypto:hmac($message as xs:string(), $secret-key as xs:string(), algorithm as xs:string()) as xs:string()
crypto:hmac($message as xs:string(), $secret-key as xs:string(), algorithm as xs:string(), $encoding as xs:string()) as xs:string()
Summary Creates a message authentication code via a cryptographic hash function and a secret key.
$encoding must either be hex, base64 or the empty string (default is base64) and specifies the encoding of the returned authentication code.
$algorithm describes the hash algorithm which is used for encryption. Currently supported are md5, sha1, sha256, sha384, sha512.
Errors FOCX0013 is raised if the specified hashing algorithm is not supported.

FOCX0014 is raised if the specified encoding method is not supported.
FOCX0019 is raised if the specified secret key is invalid.

Example Returns the message authentication code (MAC) for a given string.

Query:

crypto:hmac('message','secretkey','md5','base64')

Result:

34D1E3818B347252A75A4F6D747B21C2

Encryption & Decryption

crypto:encrypt

Signatures crypto:encrypt($input as xs:string(), $encryption-type as xs:string(), $secret-key as xs:string(), $cryptographic-algorithm as xs:string()) as xs:string()
Summary Encrypts the given input string.

$encryption-type must be symmetric, as asymmetric encryption is not supported so far.
$secret-key is the secret key which is used for both encryption and decryption of input data. Its length is fixed and depends on the chosen algorithm: 8 bytes for DES, 16 bytes for AES.
$cryptographic-algorithm must either be DES or AES. Other algorithms are not supported so far, but, of course, can be added on demand.

Errors FOCX0016 is raised if padding problems arise.

FOCX0017 is raised if padding is incorrect.
FOCX0018 is raised if the encryption type is not supported.
FOCX0019 is raised if the secret key is invalid.
FOCX0020 is raised if the block size is incorrect.
FOCX0021 is raised if the specified encryption algorithm is not supported.

Example Encrypts input data.

Query:

crypto:encrypt('message', 'symmetric','keykeyke','DES')

crypto:decrypt

Signatures crypto:decrypt($input as xs:string(), $decryption-type as xs:string(), $secret-key as xs:string(), $cryptographic-algorithm as xs:string()) as xs:string()
Summary Decrypts the encrypted $input.

$decryption-type must be symmetric. An option for asymmetric encryption will most likely be added with another version of BaseX.
$secret-key is the secret key which is used for both encryption and decryption of input data. Its length is fixed and depends on the chosen algorithm: 8 bytes for DES, 16 bytes for AES.
$cryptographic-algorithm must either be DES or AES. Other algorithms are not supported so far, but, of course, can be added on demand.

Errors FOCX0016 is raised if padding problems arise.

FOCX0017 is raised if padding is incorrect.
FOCX0018 is raised if the encryption type is not supported.
FOCX0019 is raised if the secret key is invalid.
FOCX0020 is raised if the block size is incorrect.
FOCX0021 is raised if the specified encryption algorithm is not supported.

Example Decrypts input data and returns the original string.

Query:

let $encrypted := crypto:encrypt('message', 'symmetric','keykeyke','DES')
return crypto:decrypt($encrypted, 'symmetric','keykeyke','DES')

Result:

message

XML Signature

crypto:generate-signature

Signatures crypto:generate-signature($input-doc node(), $canonicalization-algorithm as xs:string(), $digest-algorithm as xs:string(), $signature-algorithm as xs:string(), $signature-namespace-prefix as xs:string(), $signature-type as xs:string()) as node()
crypto:generate-signature($input-doc node(), $canonicalization-algorithm as xs:string(), $digest-algorithm as xs:string(), $signature-algorithm as xs:string(), $signature-namespace-prefix as xs:string(), $signature-type as xs:string(), $xpath-expression as xs:string()) as node()
crypto:generate-signature($input-doc node(), $canonicalization-algorithm as xs:string(), $digest-algorithm as xs:string(), $signature-algorithm as xs:string(), $signature-namespace-prefix as xs:string(), $signature-type as xs:string(), $digital-certificate as node()) as node()
crypto:generate-signature($input-doc node(), $canonicalization-algorithm as xs:string(), $digest-algorithm as xs:string(), $signature-algorithm as xs:string(), $signature-namespace-prefix as xs:string(), $signature-type as xs:string(), $xpath-expression as xs:string(), $digital-certificate as node()) as node()
Summary ?
Errors ?
Example Generates an XML Signature.

crypto:validate-signature

Signatures crypto:validate-signature($input-doc as node()) as xs:boolean()
Summary ?
Errors ?
Example Validates an XML Signature.