<chapter id="xmlsec-notes-verify-decrypt">
<title>Verifying and decrypting documents.</title>
<sect1 id="xmlsec-notes-verify-decrypt-overview">
<title>Overview.</title>
<para>Since the template is just an XML file, it might be created in advance
and saved in a file. It's also possible for an application to create
templates without using XML Security Library functions. Also in some
cases the template should be inserted in the signed or encrypted data
(for example, if you want to create an enveloped or enveloping
</para>
<para>Signature verification and data decryption do not require a template
because all the necessary information is provided in the signed or
</para>
<title>The verification or decryption processing model.</title>
<graphic fileref="images/verif-dec-model.png" align="center"></graphic>
</sect1>
<sect1 id="xmlsec-notes-verify" >
<title>Verifying a signed document</title>
<para>The typical signature verification process includes the following steps:
<itemizedlist>
<listitem><para>
Load keys, X509 certificates, etc. in the <link linkend="xmlSecKeysMngr">keys manager</link>.
</para></listitem>
<listitem><para>
Create signature context <link linkend="xmlSecDSigCtx">xmlSecDSigCtx</link>
using <link linkend="xmlSecDSigCtxCreate">xmlSecDSigCtxCreate</link> or
<link linkend="xmlSecDSigCtxInitialize">xmlSecDSigCtxInitialize</link>
</para></listitem>
<listitem><para>
Select start verification
<ulink URL="http://www.w3.org/TR/xmldsig-core/#sec-Signature">&lt;dsig:Signature/&gt;</ulink>
node in the signed XML document.
</para></listitem>
<listitem><para>
Verify signature by calling <link linkend="xmlSecDSigCtxVerify">xmlSecDSigCtxVerify</link>
</para></listitem>
<listitem><para>
Check returned value and verification status (<structfield>status</structfield>
member of <link linkend="xmlSecDSigCtx">xmlSecDSigCtx</link> structure).
If necessary, consume returned data from the <link linkend="xmlSecDSigCtx">context</link>.
</para></listitem>
<listitem><para>
Destroy signature context <link linkend="xmlSecDSigCtx">xmlSecDSigCtx</link>
using <link linkend="xmlSecDSigCtxDestroy">xmlSecDSigCtxDestroy</link> or
<link linkend="xmlSecDSigCtxFinalize">xmlSecDSigCtxFinalize</link>
</para></listitem>
</itemizedlist>
</para>
<title>Verifying a document.</title>
<programlisting><![CDATA[
/**
 * verify_file:
 * @xml_file:           the signed XML file name.
 * @key_file:           the PEM public key file name.
 *
 * Verifies XML signature in #xml_file using public key from #key_file.
 *
 * Returns 0 on success or a negative value if an error occurs.
 */
int
verify_file(const char* xml_file, const char* key_file) {
    xmlDocPtr doc = NULL;
    xmlNodePtr node = NULL;
    xmlSecDSigCtxPtr dsigCtx = NULL;
    int res = -1;
    doc = xmlParseFile(xml_file);
    if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
        fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
        goto done;
    }
    /* find the <dsig:Signature/> start node */
    node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
    if(node == NULL) {
        fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
        goto done;
    }
    /* create signature context, we don't need keys manager in this example */
    dsigCtx = xmlSecDSigCtxCreate(NULL);
    if(dsigCtx == NULL) {
        fprintf(stderr,"Error: failed to create signature context\n");
        goto done;
    }
    /* load public key */
    dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
    if(dsigCtx->signKey == NULL) {
        fprintf(stderr,"Error: failed to load public pem key from \"%s\"\n", key_file);
        goto done;
    }
    /* set key name to the file name, this is just an example! */
    if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
        fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
        goto done;
    }
    /* Verify signature */
    if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
        fprintf(stderr,"Error: signature verify\n");
        goto done;
    }
    /* a successful call is not enough: the verification result is in the status member */
    if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
        fprintf(stdout, "Signature is OK\n");
    } else {
        fprintf(stdout, "Signature is INVALID\n");
    }
    res = 0;
done:
    if(dsigCtx != NULL) {
        xmlSecDSigCtxDestroy(dsigCtx);
    }
    if(doc != NULL) {
        xmlFreeDoc(doc);
    }
    return(res);
}
]]></programlisting>
<simpara><link linkend="xmlsec-example-verify1">Full Program Listing</link></simpara>
<sect1 id="xmlsec-notes-decrypt" >
<title>Decrypting an encrypted document</title>
<para>The typical decryption process includes the following steps:
<itemizedlist>
<listitem><para>
Load keys, X509 certificates, etc. in the <link linkend="xmlSecKeysMngr">keys manager</link>.
</para></listitem>
<listitem><para>
Create encryption context <link linkend="xmlSecEncCtx">xmlSecEncCtx</link>
using <link linkend="xmlSecEncCtxCreate">xmlSecEncCtxCreate</link> or
<link linkend="xmlSecEncCtxInitialize">xmlSecEncCtxInitialize</link>
</para></listitem>
<listitem><para>
Select start decryption &lt;enc:EncryptedData&gt; node.
</para></listitem>
<listitem><para>
Decrypt by calling <link linkend="xmlSecEncCtxDecrypt">xmlSecEncCtxDecrypt</link>
</para></listitem>
<listitem><para>
Check returned value and if necessary consume the decrypted data.
</para></listitem>
<listitem><para>
Destroy encryption context <link linkend="xmlSecEncCtx">xmlSecEncCtx</link>
using <link linkend="xmlSecEncCtxDestroy">xmlSecEncCtxDestroy</link> or
<link linkend="xmlSecEncCtxFinalize">xmlSecEncCtxFinalize</link>
</para></listitem>
</itemizedlist>
</para>
<title>Decrypting a document.</title>
<programlisting><![CDATA[
int
decrypt_file(const char* enc_file, const char* key_file) {
    xmlDocPtr doc = NULL;
    xmlNodePtr node = NULL;
    xmlSecEncCtxPtr encCtx = NULL;
    int res = -1;
    /* load the encrypted document */
    doc = xmlParseFile(enc_file);
    if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
        fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file);
        goto done;
    }
    /* find start node */
    node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs);
    if(node == NULL) {
        fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file);
        goto done;
    }
    /* create encryption context, we don't need keys manager in this example */
    encCtx = xmlSecEncCtxCreate(NULL);
    if(encCtx == NULL) {
        fprintf(stderr,"Error: failed to create encryption context\n");
        goto done;
    }
    /* load DES key from a binary file */
    encCtx->encKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, key_file);
    if(encCtx->encKey == NULL) {
        fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", key_file);
        goto done;
    }
    /* set key name to the file name, this is just an example! */
    if(xmlSecKeySetName(encCtx->encKey, key_file) < 0) {
        fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
        goto done;
    }
    /* decrypt the data */
    if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) {
        fprintf(stderr,"Error: decryption failed\n");
        goto done;
    }
    /* print decrypted data to stdout: XML results replace the node in doc, binary results stay in the buffer */
    if(encCtx->resultReplaced != 0) {
        fprintf(stdout, "Decrypted XML data:\n");
        xmlDocDump(stdout, doc);
    } else {
        fprintf(stdout, "Decrypted binary data (%d bytes):\n", (int)xmlSecBufferGetSize(encCtx->result));
        if(xmlSecBufferGetData(encCtx->result) != NULL) {
            fwrite(xmlSecBufferGetData(encCtx->result),
                   1,
                   xmlSecBufferGetSize(encCtx->result),
                   stdout);
        }
    }
    fprintf(stdout, "\n");
    res = 0;
done:
    /* cleanup */
    if(encCtx != NULL) {
        xmlSecEncCtxDestroy(encCtx);
    }
    if(doc != NULL) {
        xmlFreeDoc(doc);
    }
    return(res);
}
]]></programlisting>
<simpara><link linkend="xmlsec-example-decrypt1">Full Program Listing</link></simpara>