Sign, verify, decrypt, and encrypt resources
XML resources can be signed, and signatures can be verified, decrypted and encrypted. Keys from the Windows certificate store or a Java key store can also be used.
The following requirements must be met in order to test as an arbitrary user:
|
Windows Certificate Store and Java Key Store
Certificates (keys) stored in the Windows certificate store or Java key store can be used with the CertificateData Module.
The ModuleAttribute Certificate contains two specializations: CertificateStoreData and JavaKeyStoreData. Specializations are selected during the creation of a TestCase (see chapter "Generalizations and Specializations").
For the specializations, use the Modules CertificateStoreData and JavaKeyStoreData.
These Modules are part of the Standard subset. You can find them under Standard modules->TBox XEngines->Parameter data.
CertificateStoreData
For the normal range of tasks, the StoreLocation ModuleAttribute is used for the certificate store (LocalMachine or CurrentUser), while the StoreName (a list with valid designations is located at http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename.aspx) and FindOptions ModuleAttributes identify which specific certificate is to be used.
Operations such as signing and decryption require access to the private key. Access can be restricted in Windows. If the current user does not have the necessary authorization, another user can be specified here.
In this example, a certificate located in the store My within the user-specific certificate store CurrentUser is specified. This is identified with its Thumbprint, where the value of the ModuleAttribute FindType is set to FindByThumbprint and the ModuleAttribute FindValue is specified using the concrete value of the key.
Sample use of the Windows certificate store |
JavaKeyStoreData
If the specialization JavaKeyStoreData is used, the ModuleAttributes StoreFile, StorePassword, KeyAlias and KeyPassword are needed to select a unique key.
In this example, the TestStepValue StoreFile is used to specify the path to the KeyStore file. The password for the KeyStore is specified with StorePassword, while the access parameters for the key are specified with KeyAlias and KeyPassword.
Sample use of the Java KeyStore |
Create an XML signature
XML signatures are used to guarantee the integrity and the authorship of data. Tosca supports XML signatures in compliance with the xml-dsig standard (see also http://www.w3.org/TR/xmldsig-core/). The signature is also created with a private key. The recipient of the data can verify its validity with the corresponding public key.
A certificate from the Windows certificate store or a Java Key Store can be used to sign an XML resource with the Sign XML Resource Module. This Module is part of the Standard subset. You can find it under Standard modules->TBox XEngines->XML.
The signature types Enveloped and Enveloping are both supported.
The Module Sign XML Resource contains all ModuleAttributes needed to sign an XML resource.
This includes the specification of the used certificate with the ModuleAttribute Certificate and the specification of the signature details with the Signature ModuleAttribute. The public key of the signing key can also be provided via the Attribute IncludeKeyInfo. This gives the recipient the opportunity to verify the signature.
The ModuleAttribute Certificate can receive these two specializations: JavaKeyStoreData for the Java Key Store and CertificateStoreData for the Windows certificate store.
In this example, the last book in the resource library is signed and the result is saved to the resource signedLibrary. Additionally, the key in the ModuleAttribute FindOptions is retrieved from the user's certificate store via Thumbprint. The signature is created via enveloping. The signed object is the last book that is found via the XPath book[last()].
Sample TestCase |
Verify an XML signature
Use the Module Verify Signed XML Resource to verify a signed XML.
This Module is part of the Standard subset. You can find it under Standard modules->TBox XEngines->XML.
The ModuleAttribute Certificate can receive these two specializations: JavaKeyStoreData for the Java Key Store and CertificateStoreData for the Windows certificate store. A more precise description of both specializations can be found in chapter "Windows Certificate Store and Java Key Store". If the Certificate Attribute remains empty, Tosca will then search for an embedded key and use it.
In this example, the resource signedLibrary is verified. The expected result of the verification is specified in the parameter ExpectedResult.
Sample TestCase |
Encrypt and decrypt XML content
Encryption can guarantee the security of data. Tosca supports the symmetrical encryption procedure AES as well as the asymmetrical encryption procedures RSAP-OAEP and RSA 1.5. In accordance with the recommendations of the W3 with the title XML Encryption Syntax and Processing, XML content can be encrypted as shown in the table at http://www.w3.org/TR/xmlenc-core/.
Session keys are encrypted with RSAP-OAEP or RSA 1.5, while the data are encrypted with AES-WRAP (http://www.w3.org/TR/xmlenc-core/) with algorithms as shown in the following table:
Supported algorithms for symmetrical encryption |
---|
AES-128 |
AES-192 |
AES-256 |
To encrypt data, use the Module Encrypt XML Resource.
To decrypt data, use the Module Decrypt XML Resource.
These Modules are part of the Standard subset. You can find them under Standard modules->TBox XEngines->XML->Encryption.
Supported encryption granularity
All granularity types listed at http://www.w3.org/TR/xmlenc-core/#sec-eg-Granularity except for super-encryption are supported:
-
Encrypting an element
-
Encrypting element content
-
Encrypting data and XML documents
The XPath ModuleAttribute can be used to structure this granularity. The entire document is automatically encrypted if the ModuleAttribute is empty.
The key can be created as plain text or in hexadecimal values, or can be imported from the Windows certificate store.
First, the specialization must be selected in the TestCase for the TestStepValue EncryptionMethod.
-
The specialization SessionKeyEncryption must be enabled for encryption with the certificate store (see chapter "Windows Certificate Store and Java Key Store").
-
The specialization SymmetricKeyEncryption must be enabled for symmetric encryption.
The TestStepValue KeyType is for symmetric encryption and contains the specializations PlainTextSymmetricKey and HexCodeSymmetricKey, both for plain text and hexadecimal code.
The length of the PlainTextSymmetricKey must match the key length of the AES encryption type in bytes.
If the encryption type AES-128 was selected, the key (PlainTextSymmetricKey) must consist of 16 characters (16 bytes are equal to 128 bit).
|
Encryption with plain text
Encryption with hexadecimal values
Encryption with a key imported from the Windows certificate store
Decryption functions similar to encryption. The TestStepValue XPath does not have to be specified because the encrypted nodes are automatically identified.
The ModuleAttribute EncryptionMethod is used in a way similar to encryption.
The Module Decrypt XML Resource
This example contains the following steps:
Sample workflow for encryption and decryption |