Tuesday, September 29, 2009

 

XML Encryption with Apache XML Security

這幾天在弄這個東西搞得很煩不過還是弄好了
所以在這裡記錄一下以免之後忘掉還是怎樣
很奇怪他library裡面對於encryption與decryption附的sample code
是用secret key(symmetric key)加密內容後再用另一把secret key加密那把secret key
然後傳來傳去的就是那把secret key
我不是很了解其中的原因
所以把它改成我知道比較ok的方式就是
使用public key加密那把加密內容的secret key
傳過去後再用自己的private key解開

但這小小的變更卻是麻煩的開始
之前總是出現一些奇怪的Exception像是
org.apache.xml.security.encryption.XMLEncryptionException: decryptElement called without a key and unable to resolve
或是
javax.crypto.BadPaddingException: Given final block not properly padded
不過弄了幾天後
在我下面這個例子裡面是沒有出現啦~


首先是我拿來測試用的XML檔案

swanky.xml

<?xml version="1.0" encoding="UTF-8"?>

<Test>
  <Name>Swanky Hsiao</Name>
  <Blog>http://swanbear.blogspot.com/</Blog>
  <Flickr>http://www.flickr.com/photos/swanky-hsiao/</Flickr>
  <Plurk>http://www.plurk.com/swanky</Plurk>
  <Facebook>http://www.facebook.com/swanky</Facebook>
  <FacebookFansGroup>http://www.facebook.com/pages/0e801f0a/172447000328</FacebookFansGroup>
</Test>

然後用keytool產生keystore
輸入後除了一開始要你指定key的密碼是打password之外都可以亂打

swanky.keystore

keytool -keystore swanky.keystore -genkey -alias swanky-key -keyalg RSA -keypass password

XML檔案跟keystore準備好後就可以測試了~
我這裡是都寫在一個class裡面方便使用!
除了可以直接用encryElement()指定要加密的Element外
也可以像我這例子裡面放多個xpath進行多個Element的加密

ApacheXMLSecurityTest.java

import java.io.CharArrayWriter;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Writer;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;

import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.utils.EncryptionConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

import com.sun.org.apache.xml.internal.serialize.OutputFormat;
import com.sun.org.apache.xml.internal.serialize.XMLSerializer;

public class ApacheXMLSecurityTest {
   static {
      org.apache.xml.security.Init.init();
   }

   static private String keystoreName = "swanky.keystore";
   static private String keystorePassword = "password";
   static private String keyAlias = "swanky-key";

   public static void main(String[] args) {
      Document doc = parseXML("swanky.xml");

      String[] xpaths = new String[] { "Test/Plurk", "Test/Facebook" };
      encryptXPaths(doc, xpaths);
      System.out.println("Encrypt:\n" + serialDoc(doc));

      decryptDoc(doc);
      System.out.println("Decrypt:\n" + serialDoc(doc));
   }

   public static Document parseXML(String uri) {
      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
      Document doc = null;

      try {
         DocumentBuilder docBuilder = factory.newDocumentBuilder();
         doc = docBuilder.parse(uri);
      } catch (Exception e) {
         e.printStackTrace();
      }

      return doc;
   }

   public static Writer serialDoc(Document doc) {
      CharArrayWriter writer = new CharArrayWriter();

      OutputFormat format = new OutputFormat(doc);
      format.setLineWidth(65);
      format.setIndenting(true);
      format.setIndent(2);
      XMLSerializer serializer = new XMLSerializer(writer, format);
      try {
         serializer.serialize(doc);
      } catch (IOException e) {
         e.printStackTrace();
      }
      return writer;
   }

   public static void encryptXPaths(Document doc, String[] xpaths) {
      try {
         for (int i = 0; i < xpaths.length; i++) {
            String xpath = xpaths[i];
            NodeList list = evaluateXPath(doc, xpath);
            for (int j = 0; j < list.getLength(); j++) {
               Node node = (Node) list.item(j);
               Element element = (Element) node;
               encryElement(doc, element);
            }
         }
      } catch (XPathExpressionException e) {
         e.printStackTrace();
      }
   }

   private static NodeList evaluateXPath(Document doc, String expression)
         throws XPathExpressionException {
      NodeList nodes;
      XPathFactory factory = XPathFactory.newInstance();
      XPath xpath = factory.newXPath();

      XPathExpression expr = xpath.compile(expression);

      Object result = expr.evaluate(doc, XPathConstants.NODESET);
      nodes = (NodeList) result;

      return nodes;
   }

   public static void encryElement(Document doc, Element element) {
      try {
         SecretKey symmetricKey = generateDataEncryptionKey();

         XMLCipher xmlCipher = XMLCipher.getInstance(XMLCipher.AES_128);
         xmlCipher.init(XMLCipher.ENCRYPT_MODE, symmetricKey);
         PublicKey pubKey = getKeyStore(keystoreName, keystorePassword)
               .getCertificate("swanky-key").getPublicKey();
         XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.RSA_v1dot5);
         keyCipher.init(XMLCipher.WRAP_MODE, pubKey);
         EncryptedKey encryptedKey = keyCipher.encryptKey(doc, symmetricKey);

         KeyInfo keyInfo = new KeyInfo(doc);
         keyInfo.add(encryptedKey);
         xmlCipher.getEncryptedData().setKeyInfo(keyInfo);

         xmlCipher.doFinal(doc, element, true);
      } catch (Exception e) {
         e.printStackTrace();
      }
   }

   static KeyStore getKeyStore(String keyStoreFileName, String password) {
      KeyStore store = null;
      try {
         store = KeyStore.getInstance("JKS", "SUN");
         InputStream in = new FileInputStream(keyStoreFileName);
         store.load(in, password.toCharArray());
         in.close();
      } catch (Exception e) {
         e.printStackTrace();
      }
      return store;
   }

   private static SecretKey kek;

   private static SecretKey generateDataEncryptionKey() {
      if (kek == null) {
         try {
            String jceAlgorithmName = "AES";
            KeyGenerator keyGenerator = KeyGenerator
                  .getInstance(jceAlgorithmName);
            keyGenerator.init(128);
            kek = keyGenerator.generateKey();
         } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
         }
      }
      return kek;
   }

   public static Document decryptDoc(Document doc) {
      try {
         XMLCipher xmlCipher = XMLCipher.getInstance();
         xmlCipher.init(XMLCipher.DECRYPT_MODE, null);
         PrivateKey privateKey = (PrivateKey) getKeyStore(keystoreName,
               keystorePassword).getKey(keyAlias,
               keystorePassword.toCharArray());
         xmlCipher.setKEK(privateKey);

         NodeList list = doc.getElementsByTagNameNS(
               EncryptionConstants.EncryptionSpecNS,
               EncryptionConstants._TAG_ENCRYPTEDDATA);

         while (list.getLength() > 0) {
            Node node = (Node) list.item(0);
            Element encryptedDataElement = (Element) node;
            xmlCipher.doFinal(doc, encryptedDataElement);
         }
      } catch (Exception e) {
         e.printStackTrace();
      }
      return doc;
   }
}

執行結果是像這樣的


Encrypt:
<?xml version="1.0" encoding="UTF-8"?>
<Test>
  <Name>Swanky Hsiao</Name>
  <Blog>http://swanbear.blogspot.com/</Blog>
  <Flickr>http://www.flickr.com/photos/swanky-hsiao/</Flickr>
  <Plurk>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
          <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">n0VFmIo5y+Ra+0Qnd0zQIbNK2N8QuLz6rQAd2UgHKjfLnhjAzFy9lX+wpcLdk31F5zvxw+G4yFKt
VFZaQn7/bW1tOUoHmoepdIZ9ZsQHWS7NZRsaKUjaLjIj777Rt5paCQUGOhI6yf7QyPh+zGkUwoPI
lbIyZeEXO9w6MjetnI0=</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">Vo/J6LhCT8wA8ohdgo0g2CgmDnFznQ/hz3GkpMxJZu5ELTA6Paj+FVR9hgEicDSg</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </Plurk>
  <Facebook>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
          <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">OY5WBZW/aFssBJ/ZaHkSo+UncYCQF/fdnOnLsXrZBZVtKKvfVZkVEMzKNYmtdquqZKcOd5FYfet7
3SW7P6GNEhuTGPmA3L/+tlKroONg50ATe6HBb5CbkPhArfDJmtEu8zvQCxOkXUACO3KCYc2RQ7/g
Ri3BH+q3M9YLpDT/GVE=</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">8UufIfFlEUXHhQ+l1owFOq1m/MDEW+4Psn/kCqY5Y2RDLWRZu7smOPfveYUAJmJA</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </Facebook>
  <FacebookFansGroup>http://www.facebook.com/pages/0e801f0a/172447000328</FacebookFansGroup>
</Test>

Decrypt:
<?xml version="1.0" encoding="UTF-8"?>
<Test>
  <Name>Swanky Hsiao</Name>
  <Blog>http://swanbear.blogspot.com/</Blog>
  <Flickr>http://www.flickr.com/photos/swanky-hsiao/</Flickr>
  <Plurk>http://www.plurk.com/swanky</Plurk>
  <Facebook>http://www.facebook.com/swanky</Facebook>
  <FacebookFansGroup>http://www.facebook.com/pages/0e801f0a/172447000328</FacebookFansGroup>
</Test>

Labels: , , , , ,


Comments: Post a Comment



<< Home