1 <chapter id="xmlsec-notes-sign-encrypt">
2 <title>Signing and encrypting documents.</title>
3 <sect1 id="xmlsec-notes-sign-encrypt-overview">
4 <title>Overview.</title>
5 <para>XML Security Library performs signature or encryption by processing
6 input xml or binary data and a template that specifies a signature or
7 encryption skeleton: the transforms, algorithms, the key selection
8 process. A template has the same structure as the desired result but
9 some of the nodes are empty. XML Security Library gets the key for
10 signature/encryption from keys managers using the information from
11 the template, does necessary computations and puts the results in
12 the template. Signature or encryption context controls the whole
13 process and stores the required temporary data.
15 <title>The signature or encryption processing model.</title>
16 <graphic fileref="images/sign-enc-model.png" align="center"></graphic>
21 <sect1 id="xmlsec-notes-sign" >
22 <title>Signing a document.</title>
23 <para>The typical siganture process includes following steps:
26 Prepare data for signature.
29 Create or load signature template and select start
30 <ulink URL="http://www.w3.org/TR/xmldsig-core/#sec-Signature"><dsig:Signature/></ulink>
34 Create signature context <link linkend="xmlSecDSigCtx">xmlSecDSigCtx</link>
35 using <link linkend="xmlSecDSigCtxCreate">xmlSecDSigCtxCreate</link> or
36 <link linkend="xmlSecDSigCtxInitialize">xmlSecDSigCtxInitialize</link>
40 Load signature key in <link linkend="xmlSecKeysMngr">keys manager</link>
41 or generate a session key and set it in the signature context
42 (<structfield>signKey</structfield> member of
43 <link linkend="xmlSecDSigCtx">xmlSecDSigCtx</link> structure).
46 Sign data by calling <link linkend="xmlSecDSigCtxSign">xmlSecDSigCtxSign</link>
50 Check returned value and consume signed data.
53 Destroy signature context <link linkend="xmlSecDSigCtx">xmlSecDSigCtx</link>
54 using <link linkend="xmlSecDSigCtxDestroy">xmlSecDSigCtxDestroy</link> or
55 <link linkend="xmlSecDSigCtxFinalize">xmlSecDSigCtxFinalize</link>
62 <title>Signing a template.</title>
63 <programlisting><![CDATA[
66 * @tmpl_file: the signature template file name.
67 * @key_file: the PEM private key file name.
69 * Signs the #tmpl_file using private key from #key_file.
71 * Returns 0 on success or a negative value if an error occurs.
74 sign_file(const char* tmpl_file, const char* key_file) {
76 xmlNodePtr node = NULL;
77 xmlSecDSigCtxPtr dsigCtx = NULL;
84 doc = xmlParseFile(tmpl_file);
85 if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
86 fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file);
91 node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
93 fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file);
97 /* create signature context, we don't need keys manager in this example */
98 dsigCtx = xmlSecDSigCtxCreate(NULL);
100 fprintf(stderr,"Error: failed to create signature context\n");
104 /* load private key, assuming that there is not password */
105 dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
106 if(dsigCtx->signKey == NULL) {
107 fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file);
111 /* set key name to the file name, this is just an example! */
112 if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
113 fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
117 /* sign the template */
118 if(xmlSecDSigCtxSign(dsigCtx, node) < 0) {
119 fprintf(stderr,"Error: signature failed\n");
123 /* print signed document to stdout */
124 xmlDocDump(stdout, doc);
131 if(dsigCtx != NULL) {
132 xmlSecDSigCtxDestroy(dsigCtx);
141 <simpara><link linkend="xmlsec-example-sign1">Full program listing</link></simpara>
142 <simpara><link linkend="xmlsec-example-sign1-tmpl">Simple signature template file</link></simpara>
147 <sect1 id="xmlsec-notes-encrypt">
148 <title>Encrypting data.</title>
149 <para>The typical encryption process includes following steps:
152 Prepare data for encryption.
155 Create or load encryption template and select start
156 <enc:EncryptedData/> node.
159 Create encryption context <link linkend="xmlSecEncCtx">xmlSecEncCtx</link>
160 using <link linkend="xmlSecEncCtxCreate">xmlSecEncCtxCreate</link> or
161 <link linkend="xmlSecEncCtxInitialize">xmlSecEncCtxInitialize</link>
165 Load encryption key in <link linkend="xmlSecKeysMngr">keys manager</link>
166 or generate a session key and set it in the encryption context
167 (<structfield>encKey</structfield> member of
168 <link linkend="xmlSecEncCtx">xmlSecEncCtx</link> structure).
171 Encrypt data by calling one of the following functions:
174 <link linkend="xmlSecEncCtxBinaryEncrypt">xmlSecEncCtxBinaryEncrypt</link>
177 <link linkend="xmlSecEncCtxXmlEncrypt">xmlSecEncCtxXmlEncrypt</link>
180 <link linkend="xmlSecEncCtxUriEncrypt">xmlSecEncCtxUriEncrypt</link>
185 Check returned value and if necessary consume encrypted data.
188 Destroy encryption context <link linkend="xmlSecEncCtx">xmlSecEncCtx</link>
189 using <link linkend="xmlSecEncCtxDestroy">xmlSecEncCtxDestroy</link> or
190 <link linkend="xmlSecEncCtxFinalize">xmlSecEncCtxFinalize</link>
197 <title>Encrypting binary data with a template.</title>
198 <programlisting><![CDATA[
201 * @tmpl_file: the encryption template file name.
202 * @key_file: the Triple DES key file.
203 * @data: the binary data to encrypt.
204 * @dataSize: the binary data size.
206 * Encrypts binary #data using template from #tmpl_file and DES key from
209 * Returns 0 on success or a negative value if an error occurs.
212 encrypt_file(const char* tmpl_file, const char* key_file, const unsigned char* data, size_t dataSize) {
213 xmlDocPtr doc = NULL;
214 xmlNodePtr node = NULL;
215 xmlSecEncCtxPtr encCtx = NULL;
223 doc = xmlParseFile(tmpl_file);
224 if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
225 fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file);
229 /* find start node */
230 node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs);
232 fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file);
236 /* create encryption context, we don't need keys manager in this example */
237 encCtx = xmlSecEncCtxCreate(NULL);
239 fprintf(stderr,"Error: failed to create encryption context\n");
244 encCtx->encKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, key_file);
245 if(encCtx->encKey == NULL) {
246 fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", key_file);
250 /* set key name to the file name, this is just an example! */
251 if(xmlSecKeySetName(encCtx->encKey, key_file) < 0) {
252 fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
256 /* encrypt the data */
257 if(xmlSecEncCtxBinaryEncrypt(encCtx, node, data, dataSize) < 0) {
258 fprintf(stderr,"Error: encryption failed\n");
262 /* print encrypted data with document to stdout */
263 xmlDocDump(stdout, doc);
271 xmlSecEncCtxDestroy(encCtx);
280 <simpara><link linkend="xmlsec-example-encrypt1">Full program listing</link></simpara>
281 <simpara><link linkend="xmlsec-example-encrypt1-tmpl">Simple encryption template file</link></simpara>