Professional XML Development with Apache Tools explains programming with Apache tools such as Xerces, Xalan, FOP, Cocoon, Axis and Xindice. This excerpt from chapter 10 discusses XML Encryption and the XML Security software from the Apache Software Foundation.
The XML Encryption Recommendation describes how to encrypt data and
represent the result as XML. You can use XML Encryption to encrypt XML
documents, XML elements, XML element content, or any other kind of data.
When you encrypt data using XML Encryption, the result is an <EncryptedData>
element. Where that element ends up in an XML document depends on what data you
encrypted:
-
If you encrypted an XML document or arbitrary data, then <EncryptedData> is
the root element of a new XML document or becomes a child element of a
document supplied by your application.
-
If you encrypted an XML element, then the <EncryptedData> element replaces
the element you encrypted.
-
If you encrypted the content of an XML element, then the <EncryptedData>
element replaces the element content you encrypted.
Ted Leung
Just as we did
with XML Signature, we’ll explain XML Encryption by walking through an example.
This example has also been slightly modified in order to fit with the formatting
of the book (just like the signature example). Again, let’s take the book
document and encrypt the <author> element:
<?xml version="1.0" encoding="UTF-8"?>
<book version="1.0"
  xmlns="http://sauria.com/schemas/apache-xml-book/book"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation=
  "http://sauria.com/schemas/apache-xml-book/book
  http://www.sauria.com/schemas/apache-xml-book/book.xsd">
  <title>Professional XML Development with Apache Tools</title>
According to the XML Encryption spec, when you're encrypting an XML element
like <author>, the <EncryptedData> element replaces the element being
encrypted. So here, where <author> used to be, you see <EncryptedData>.
<EncryptedData> lives in its own namespace, http://www.w3.org/2001/04/xmlenc#,
for which the conventional prefix is xenc. An <EncryptedData> element contains
an optional <EncryptionMethod> element, followed by an optional <ds:KeyInfo>
element (borrowed from the XML Signature Recommendation). After these two
optional elements comes the required <CipherData> element, which carries the
ciphertext itself, followed by an optional <EncryptionProperties> element:
  <xenc:EncryptedData
    Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
The <EncryptedData> element can have some optional attributes:
- Type—Type information about the unencrypted form of the content, specified as a URI. The spec defines two Type values that every implementation must support; they distinguish an encrypted XML element from encrypted XML element content:
  - Element—http://www.w3.org/2001/04/xmlenc#Element.
  - Element content—http://www.w3.org/2001/04/xmlenc#Content.
- Id—An ID-valued attribute that can be used to refer to the element (for example from a <DataReference> in an <EncryptedKey>).
- MimeType—The MIME media type of the data that was encrypted.
- Encoding—The encoding (such as base64) that the data was in before it was encrypted.
The <EncryptionMethod> element
specifies the algorithm used to encrypt the data. The content of the <EncryptionMethod>
element is determined by the value of the Algorithm attribute, which is
a URI that specifies the particular encryption algorithm:
    <xenc:EncryptionMethod
      Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
The block encryption algorithms identified by the XML Encryption
specification are all CBC modes, and each is named by a URI:
- Triple DES—http://www.w3.org/2001/04/xmlenc#tripledes-cbc. Support is required.
- AES-128 (128-bit key)—http://www.w3.org/2001/04/xmlenc#aes128-cbc. Support is required.
- AES-256 (256-bit key)—http://www.w3.org/2001/04/xmlenc#aes256-cbc. Support is required.
- AES-192 (192-bit key)—http://www.w3.org/2001/04/xmlenc#aes192-cbc. Support is optional.
A caveat that postdates this book: none of these modes authenticates the
ciphertext. In 2011 Jager and Somorovsky showed that a decryptor which lets a
sender learn whether the padding or the decrypted XML was well formed acts as
an oracle from which the plaintext can be recovered block by block. XML
Encryption 1.1 therefore added AES-GCM algorithms (for example
http://www.w3.org/2009/xmlenc11#aes128-gcm) and recommends them over CBC. If
you must accept CBC input, sign the <EncryptedData> with XML Signature and
verify that signature before you decrypt anything.
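To make the structure concrete, here is an added example, written for this page rather than taken from the book or from Apache XML Security, that builds and parses an <xenc:EncryptedData> element by hand in Go using only the standard library. It encrypts a serialized element with aes256-cbc, prepends the IV to the ciphertext and base64-encodes the pair into <CipherValue> as the spec requires, sets Type to the #Element URI, and on the way back refuses any EncryptedData whose Type or Algorithm it does not expect, as well as a key whose length does not match the advertised algorithm. The <author> element and the 32-byte key are constructed for the demo (the page does not show the book's <author> element), and the function and type names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

const (
	XencNS      = "http://www.w3.org/2001/04/xmlenc#"
	TypeElement = XencNS + "Element" // Type value when a whole element was encrypted
	AES256CBC   = XencNS + "aes256-cbc"
)

// EncryptedData maps the parts of xenc:EncryptedData used here (KeyInfo and EncryptionProperties omitted).
type EncryptedData struct {
	XMLName     xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	Type        string   `xml:"Type,attr"`
	Method      *struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"EncryptionMethod"`
	CipherValue string `xml:"CipherData>CipherValue"`
}

// EncryptElement encrypts a serialized element with aes256-cbc and returns the
// xenc:EncryptedData element that takes its place in the document.
func EncryptElement(key, plain []byte) (string, error) {
	if len(key) != 32 { // aes.NewCipher would also accept 16/24-byte keys and mislabel the algorithm
		return "", fmt.Errorf("aes256-cbc needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize) // fresh random IV per message
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// Spec padding: append 1..blockSize octets, the last one holding the pad count.
	n := aes.BlockSize - len(plain)%aes.BlockSize
	ct := append(append([]byte{}, plain...), make([]byte, n)...)
	ct[len(ct)-1] = byte(n)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // encrypt in place
	// The spec puts the IV in front of the ciphertext; CipherValue is the base64 of both.
	cv := base64.StdEncoding.EncodeToString(append(iv, ct...))
	return fmt.Sprintf(`<xenc:EncryptedData Type="%s" xmlns:xenc="%s"><xenc:EncryptionMethod Algorithm="%s"/>`+
		`<xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>`,
		TypeElement, XencNS, AES256CBC, cv), nil
}

// DecryptElement parses an xenc:EncryptedData, accepts only Type=#Element with
// aes256-cbc, and returns the serialized plaintext element.
func DecryptElement(key []byte, encrypted string) ([]byte, error) {
	var ed EncryptedData
	if err := xml.Unmarshal([]byte(encrypted), &ed); err != nil {
		return nil, err
	}
	if ed.Type != TypeElement {
		return nil, fmt.Errorf("unsupported Type %q", ed.Type)
	}
	if ed.Method == nil || ed.Method.Algorithm != AES256CBC {
		return nil, fmt.Errorf("missing or unsupported EncryptionMethod")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(ed.CipherValue))
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("CipherValue has invalid length %d", len(raw))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := raw[aes.BlockSize:] // everything after the IV
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, pt)
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize {
		return pt[:len(pt)-n], nil
	}
	// A decryptor that reports this distinctly to an untrusted sender hands them a padding oracle.
	return nil, fmt.Errorf("invalid padding")
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // demo key; real keys are shared out of band or carried in an <EncryptedKey>
	// Constructed sample: the page shows no <author> element, so one in the book's namespace is assumed.
	author := `<author xmlns="http://sauria.com/schemas/apache-xml-book/book">Ted Leung</author>`
	enc, err := EncryptElement(key, []byte(author))
	if err != nil {
		panic(err)
	}
	fmt.Println(enc) // this element is what now stands where <author> stood
	plain, err := DecryptElement(key, enc)
	fmt.Println(string(plain), err)
}
```

In a real document the serialized element would be obtained from, and the <EncryptedData> spliced back by, a DOM library that preserves in-scope namespace declarations; the string handling here only shows the on-the-wire format. This is the 1.0 CBC format with no integrity protection, so the padding error at the end of DecryptElement is exactly the signal a padding-oracle attacker probes for: a production decryptor must not expose it to the sender, and should prefer an AES-GCM algorithm from XML Encryption 1.1 or verify a signature over the <EncryptedData> before decrypting.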
An optional <ds:KeyInfo> element may come after <EncryptionMethod>, although
one isn't shown in this example. The XML Encryption spec defines two new
child elements that can appear inside <ds:KeyInfo>:
- <xenc:EncryptedKey>—Allows the message to carry an encrypted key along with it. <EncryptedKey> has the same structure as <EncryptedData> (its <EncryptionMethod> names the key-transport or key-wrap algorithm and its <CipherData> holds the wrapped key), plus an optional Recipient attribute and two further optional children, a <ReferenceList> followed by a <CarriedKeyName>:
  - <ReferenceList>—A sequence of <DataReference> and <KeyReference> elements. Each carries a URI whose target depends on the element: a <DataReference> points at an <EncryptedData> element that was encrypted with the key carried by the enclosing <EncryptedKey>, and a <KeyReference> points at another <EncryptedKey> element that was encrypted with that key.
  - <CarriedKeyName>—A user-readable name for the carried key, so that a <ds:KeyInfo> elsewhere in the document can refer to it with a <ds:KeyName> element holding the same value.
- <xenc:AgreementMethod>—Allows you to specify a key agreement algorithm for deriving a shared secret key from certain kinds of public keys. This is a topic that's beyond the scope of this chapter. If you're interested, you should look at the XML Encryption specification.