/*
- * Copyright 2001-2006 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*/
/**
- * @file Encrypter.h
+ * @file xmltooling/encryption/Encrypter.h
*
* Methods for encrypting XMLObjects and other data.
*/
#include <xsec/enc/XSECCryptoKey.hpp>
#include <xsec/xenc/XENCCipher.hpp>
+namespace xmltooling {
+ class XMLTOOL_API Credential;
+};
+
namespace xmlencryption {
/**
* Summing up, if KeyEncryptionParams are used, a raw key must be available or the
* key can be generated when the encryption algorithm itself is a standard one. If
* no KeyEncryptionParams are supplied, then the key must be supplied either in raw
- * or object form.
+ * or object form.
+ *
+ * Finally, when encrypting data, the key transport algorithm can be left blank to
+ * derive it from the data encryption algorithm.
*/
class XMLTOOL_API Encrypter
{
/**
* Constructor.
+ *
* The algorithm constant and key buffer <strong>MUST</strong> be accessible for the life of
- * the structure. The other objects will be destroyed if need be when the structure is destroyed.
+ * the structure.
*
- * @param algorithm the XML Encryption key wrapping or transport algorithm constant
+ * @param algorithm the XML Encryption algorithm constant
* @param keyBuffer buffer containing the raw key information
* @param keyBufferSize the size of the raw key buffer in bytes
- * @param key the key encryption key to use, or NULL
- * @param keyInfo a KeyInfo object to place within the EncryptedData structure
+ * @param credential optional Credential supplying the encryption key
+ * @param compact true iff the encrypted representation should be made as small as possible
*/
EncryptionParams(
const XMLCh* algorithm=DSIGConstants::s_unicodeStrURIAES256_CBC,
const unsigned char* keyBuffer=NULL,
unsigned int keyBufferSize=0,
- XSECCryptoKey* key=NULL,
- xmlsignature::KeyInfo* keyInfo=NULL
- ) : m_keyBuffer(keyBuffer), m_keyBufferSize(keyBufferSize), m_key(key), m_keyInfo(keyInfo), m_algorithm(algorithm) {
+ const xmltooling::Credential* credential=NULL,
+ bool compact=false
+ ) : m_algorithm(algorithm), m_keyBuffer(keyBuffer), m_keyBufferSize(keyBufferSize),
+ m_credential(credential), m_compact(compact) {
}
- ~EncryptionParams() {
- delete m_key;
- delete m_keyInfo;
- }
+ ~EncryptionParams() {}
private:
+ const XMLCh* m_algorithm;
const unsigned char* m_keyBuffer;
unsigned int m_keyBufferSize;
- XSECCryptoKey* m_key;
- xmlsignature::KeyInfo* m_keyInfo;
- const XMLCh* m_algorithm;
+ const xmltooling::Credential* m_credential;
+ bool m_compact;
friend class Encrypter;
};
/**
* Constructor.
- * The algorithm constant <strong>MUST</strong> be accessible for the life of the structure.
- * Using a static constant suffices for this. The other objects will be destroyed if need be
- * when the structure is destroyed.
*
- * @param algorithm the XML Encryption key wrapping or transport algorithm constant
- * @param key the key encryption key to use
- * @param keyInfo a KeyInfo object to place within the EncryptedKey structure that describes the KEK
+ * @param credential a Credential supplying the key encryption key
+ * @param algorithm XML Encryption key wrapping or transport algorithm constant
+ * @param recipient optional name of recipient of encrypted key
*/
- KeyEncryptionParams(const XMLCh* algorithm, XSECCryptoKey* key, xmlsignature::KeyInfo* keyInfo=NULL)
- : m_key(key), m_keyInfo(keyInfo), m_algorithm(algorithm) {
+ KeyEncryptionParams(
+ const xmltooling::Credential& credential,
+ const XMLCh* algorithm=NULL,
+ const XMLCh* recipient=NULL
+ ) : m_credential(credential), m_algorithm(algorithm), m_recipient(recipient) {
}
- ~KeyEncryptionParams() {
- delete m_key;
- delete m_keyInfo;
- }
+ ~KeyEncryptionParams() {}
private:
- XSECCryptoKey* m_key;
- xmlsignature::KeyInfo* m_keyInfo;
+ const xmltooling::Credential& m_credential;
const XMLCh* m_algorithm;
+ const XMLCh* m_recipient;
friend class Encrypter;
};
/**
* Encrypts the supplied element and returns the resulting object.
- * The returned object will be unmarshalled around a DOM tree created
- * using the encrypted element's owning document.
*
* If an encryption algorithm is set, but no key, a random key will be
- * generated iff keParams is non-NULL and the algorithm is known.
+ * generated iff kencParams is non-NULL and the algorithm is known.
*
* If key encryption parameters are supplied, then the encryption key
* is wrapped and the result placed into an EncryptedKey object in the
* KeyInfo of the returned EncryptedData.
*
- * @param element the DOM element to encrypt
- * @param keParams key encryption settings, or NULL
+ * @param element the DOM element to encrypt
+ * @param encParams primary encryption settings
+ * @param kencParams key encryption settings, or NULL
+ * @return a stand-alone EncryptedData object, unconnected to the source DOM
*/
- EncryptedData* encryptElement(DOMElement* element, EncryptionParams& encParams, KeyEncryptionParams* kencParams=NULL);
+ EncryptedData* encryptElement(
+ xercesc::DOMElement* element, EncryptionParams& encParams, KeyEncryptionParams* kencParams=NULL
+ );
/**
* Encrypts the supplied element's children and returns the resulting object.
- * The returned object will be unmarshalled around a DOM tree created
- * using the encrypted content's owning document.
*
* If an encryption algorithm is set, but no key, a random key will be
- * generated iff keParams is non-NULL and the algorithm is known.
+ * generated iff kencParams is non-NULL and the algorithm is known.
* If key encryption parameters are supplied, then the encryption key
* is wrapped and the result placed into an EncryptedKey object in the
* KeyInfo of the returned EncryptedData.
*
- * @param element parent element of children to encrypt
- * @param keParams key encryption settings, or NULL
+ * @param element parent element of children to encrypt
+ * @param encParams primary encryption settings
+ * @param kencParams key encryption settings, or NULL
+ * @return a stand-alone EncryptedData object, unconnected to the source DOM
*/
- EncryptedData* encryptElementContent(DOMElement* element, EncryptionParams& encParams, KeyEncryptionParams* kencParams=NULL);
+ EncryptedData* encryptElementContent(
+ xercesc::DOMElement* element, EncryptionParams& encParams, KeyEncryptionParams* kencParams=NULL
+ );
/**
* Encrypts the supplied input stream and returns the resulting object.
- * The returned object will be unmarshalled around a DOM tree created
- * using the encrypted element's owning document.
*
* If an encryption algorithm is set, but no key, a random key will be
- * generated iff keParams is non-NULL and the algorithm is known.
+ * generated iff kencParams is non-NULL and the algorithm is known.
* If key encryption parameters are supplied, then the encryption key
* is wrapped and the result placed into an EncryptedKey object in the
* KeyInfo of the returned EncryptedData.
*
- * @param input the stream to encrypt
- * @param keParams key encryption settings, or NULL
+ * @param input the stream to encrypt
+ * @param encParams primary encryption settings
+ * @param kencParams key encryption settings, or NULL
+ * @return a stand-alone EncryptedData object, unconnected to any DOM
*/
EncryptedData* encryptStream(std::istream& input, EncryptionParams& encParams, KeyEncryptionParams* kencParams=NULL);
+ /**
+ * Encrypts the supplied key and returns the resulting object.
+ *
+ * @param keyBuffer raw key material to encrypt
+ * @param keyBufferSize size in bytes of raw key material
+ * @param kencParams key encryption settings
+ * @param compact true iff the encrypted representation should be made as small as possible
+ * @return a stand-alone EncryptedKey object, unconnected to any DOM
+ */
+ EncryptedKey* encryptKey(
+ const unsigned char* keyBuffer, unsigned int keyBufferSize, KeyEncryptionParams& kencParams, bool compact=false
+ );
+
+ /**
+ * Maps a data encryption algorithm to an appropriate key transport algorithm to use.
+ *
+ * @param algorithm data encryption algorithm
+ * @return a key transport algorithm
+ */
+ static const XMLCh* getKeyTransportAlgorithm(const XMLCh* algorithm) {
+ if (xercesc::XMLString::equals(algorithm,DSIGConstants::s_unicodeStrURI3DES_CBC))
+ return DSIGConstants::s_unicodeStrURIRSA_1_5;
+ else
+ return DSIGConstants::s_unicodeStrURIRSA_OAEP_MGFP1;
+ }
+
private:
void checkParams(EncryptionParams& encParams, KeyEncryptionParams* kencParams);
EncryptedData* decorateAndUnmarshall(EncryptionParams& encParams, KeyEncryptionParams* kencParams);
unsigned char m_keyBuffer[32];
};
- DECL_XMLTOOLING_EXCEPTION(EncryptionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlencryption,xmltooling::XMLToolingException,Exceptions in encryption processing);
+ DECL_XMLTOOLING_EXCEPTION(EncryptionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlencryption,xmltooling::XMLSecurityException,Exceptions in encryption processing);
};