Sign, verify, decrypt, and encrypt resources

XML resources can be signed, encrypted and decrypted, and their signatures can be verified. Keys from the Windows certificate store or a Java key store can also be used.

The following requirements must be met in order to test as an arbitrary user:

  • The private key must be exportable.

  • The user must have administrator rights.

  • User Account Control (UAC) must be disabled.

Windows Certificate Store and Java Key Store

Certificates (keys) stored in the Windows certificate store or Java key store can be used with the CertificateData Module.

The ModuleAttribute Certificate contains two specializations: CertificateStoreData and JavaKeyStoreData. Specializations are selected during the creation of a TestCase (see chapter "Generalizations and Specializations").

For the specializations, use the Modules CertificateStoreData and JavaKeyStoreData.

These Modules are part of the Standard subset. You can find them under Standard modules->TBox XEngines->Parameter data.

CertificateStoreData

For the normal range of tasks, the StoreLocation ModuleAttribute selects the certificate store (LocalMachine or CurrentUser). The StoreName and FindOptions ModuleAttributes identify which specific certificate is to be used. A list of valid StoreName designations is located at http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename.aspx.

Operations such as signing and decryption require access to the private key. Access can be restricted in Windows. If the current user does not have the necessary authorization, another user can be specified here.

In this example, a certificate located in the store My within the user-specific certificate store CurrentUser is specified.

The certificate is identified by its Thumbprint: the ModuleAttribute FindType is set to FindByThumbprint, and the ModuleAttribute FindValue is set to the concrete value to search for.

Sample use of the Windows certificate store

JavaKeyStoreData

If the specialization JavaKeyStoreData is used, the ModuleAttributes StoreFile, StorePassword, KeyAlias and KeyPassword are needed to select a unique key.

In this example, the TestStepValue StoreFile is used to specify the path to the KeyStore file. The password for the KeyStore is specified with StorePassword, while the access parameters for the key are specified with KeyAlias and KeyPassword.

Sample use of the Java KeyStore

Create an XML signature

XML signatures are used to guarantee the integrity and the authorship of data. Tosca supports XML signatures in compliance with the xml-dsig standard (see also http://www.w3.org/TR/xmldsig-core/). The signature is created with a private key. The recipient of the data can verify its validity with the corresponding public key.

A certificate from the Windows certificate store or a Java Key Store can be used to sign an XML resource with the Sign XML Resource Module. This Module is part of the Standard subset. You can find it under Standard modules->TBox XEngines->XML.

The signature types Enveloped and Enveloping are both supported.

The Module Sign XML Resource contains all ModuleAttributes needed to sign an XML resource.

This includes the specification of the used certificate with the ModuleAttribute Certificate and the specification of the signature details with the Signature ModuleAttribute. The public key of the signing key can also be provided via the Attribute IncludeKeyInfo. This gives the recipient the opportunity to verify the signature.

The ModuleAttribute Certificate can receive these two specializations: JavaKeyStoreData for the Java Key Store and CertificateStoreData for the Windows certificate store.

In this example, the last book in the resource library is signed and the result is saved to the resource signedLibrary. Additionally, the key in the ModuleAttribute FindOptions is retrieved from the user's certificate store via Thumbprint. The signature is created via enveloping. The signed object is the last book that is found via the XPath book[last()].

Sample TestCase

Verify an XML signature

Use the Module Verify Signed XML Resource to verify a signed XML.

This Module is part of the Standard subset. You can find it under Standard modules->TBox XEngines->XML.

The ModuleAttribute Certificate can receive these two specializations: JavaKeyStoreData for the Java Key Store and CertificateStoreData for the Windows certificate store. A more precise description of both specializations can be found in chapter "Windows Certificate Store and Java Key Store". If the Certificate Attribute remains empty, Tosca will then search for an embedded key and use it.

In this example, the resource signedLibrary is verified. The expected result of the verification is specified in the parameter ExpectedResult.

Sample TestCase
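
Before a signed resource is verified, it can help to check which signature type it carries and whether it embeds a key, since verification with an empty Certificate attribute relies on an embedded key. The following is an added example, not Tosca code; the sample documents and the function name describe_signatures are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED_TRANSFORM = DS + "enveloped-signature"

# Constructed samples; signature values are placeholders, not valid signatures.
ENVELOPING_SAMPLE = f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo><ds:Reference URI="#book3"/></ds:SignedInfo>
  <ds:SignatureValue>AAAA</ds:SignatureValue>
  <ds:KeyInfo><ds:KeyValue/></ds:KeyInfo>
  <ds:Object Id="book3"><book><title>Constructed</title></book></ds:Object>
</ds:Signature>"""

ENVELOPED_SAMPLE = f"""<library>
  <book><title>Constructed</title></book>
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo><ds:Reference URI="">
      <ds:Transforms><ds:Transform Algorithm="{ENVELOPED_TRANSFORM}"/></ds:Transforms>
    </ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</library>"""

def q(name):
    """Qualified ElementTree tag name in the XML signature namespace."""
    return f"{{{DS}}}{name}"

def describe_signatures(xml_text):
    """Return one dict per ds:Signature: type, reference URIs, embedded-key flag."""
    # ElementTree is sufficient for constructed samples; use a hardened
    # parser for XML that comes from an untrusted source.
    root = ET.fromstring(xml_text)
    results = []
    for sig in root.iter(q("Signature")):
        refs = sig.findall(f"{q('SignedInfo')}/{q('Reference')}")
        uris = [ref.get("URI", "") for ref in refs]
        transforms = {t.get("Algorithm") for ref in refs for t in ref.iter(q("Transform"))}
        object_ids = {obj.get("Id") for obj in sig.findall(q("Object"))}
        if ENVELOPED_TRANSFORM in transforms:
            kind = "enveloped"      # signature sits inside the signed content
        elif any(u.startswith("#") and u[1:] in object_ids for u in uris):
            kind = "enveloping"     # signed content sits inside ds:Object
        else:
            kind = "other"          # neither of the two supported types
        results.append({"type": kind, "references": uris,
                        "has_key_info": sig.find(q("KeyInfo")) is not None})
    return results
```

A signature that verifies against its own embedded key shows that the content matches that key; whether the key belongs to the expected signer has to be established separately, for example by specifying the certificate.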

Encrypt and decrypt XML content

Encryption can guarantee the security of data. Tosca supports the symmetrical encryption procedure AES as well as the asymmetrical encryption procedures RSA-OAEP and RSA 1.5. In accordance with the W3C recommendation XML Encryption Syntax and Processing, XML content can be encrypted as shown in the table at http://www.w3.org/TR/xmlenc-core/.

Session keys are encrypted with RSA-OAEP or RSA 1.5, while the data are encrypted with AES-WRAP (http://www.w3.org/TR/xmlenc-core/) with algorithms as shown in the following table:

Supported algorithms for symmetrical encryption:

  • AES-128

  • AES-192

  • AES-256

To encrypt data, use the Module Encrypt XML Resource.

To decrypt data, use the Module Decrypt XML Resource.

These Modules are part of the Standard subset. You can find them under Standard modules->TBox XEngines->XML->Encryption.

Supported encryption granularity

All granularity types listed at http://www.w3.org/TR/xmlenc-core/#sec-eg-Granularity except for super-encryption are supported:

  • Encrypting an element

  • Encrypting element content

  • Encrypting data and XML documents

The XPath ModuleAttribute is used to select the part of the document to be encrypted and thus the granularity. The entire document is automatically encrypted if the ModuleAttribute is empty.

The key can be created as plain text or in hexadecimal values, or can be imported from the Windows certificate store.

First, the specialization must be selected in the TestCase for the TestStepValue EncryptionMethod.

If the encryption type AES-128 was selected, the key (PlainTextSymmetricKey) must consist of 16 characters (16 bytes equal 128 bits).

Length of the key in bits    Characters (bytes)
AES-128                      16
AES-192                      24
AES-256                      32

Encryption with plain text

Encryption with hexadecimal values

Encryption with a key imported from the Windows certificate store

Decryption works in a similar way to encryption. The TestStepValue XPath does not have to be specified because the encrypted nodes are automatically identified.

The ModuleAttribute EncryptionMethod is used in a way similar to encryption.

The Module Decrypt XML Resource

This example contains the following steps:

  1. A resource named encr4 is created.

  2. In the next XTestStep, the content of the resource encr4 is specified.

  3. The XTestStepValue XPath specifies the name of an author. This is encrypted and written into the resource encr4out. In this example, the XTestStepValue EncryptionMethod receives the specialization SymmetricKeyEncryption, and the XTestStepValue KeyType receives PlainTextSymmetricKey.

  4. The resource encr4out is decrypted and written into the resource decr4out. The encryption technology and the key to be used must be specified. The specializations should be set as in the previous step.

  5. The resource decr4out is saved to an XML file. The path is available as a configuration parameter.

Sample workflow for encryption and decryption
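
The encrypted nodes can be identified automatically because each one is an EncryptedData element that states its granularity and algorithm. The following added example (not Tosca code) locates these elements in a constructed sample and checks a plain-text or hexadecimal key against the key-length table above. The function names, the aes*-cbc algorithm URIs taken from the W3C recommendation, and UTF-8 encoding of plain-text keys are assumptions.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
# Assumption: block-encryption URIs from the W3C recommendation -> key length in bytes.
KEY_BYTES = {XENC + "aes128-cbc": 16, XENC + "aes192-cbc": 24, XENC + "aes256-cbc": 32}

# Constructed sample: one author element of a library encrypted as a whole element.
ENCRYPTED_SAMPLE = f"""<library xmlns:xenc="{XENC}">
  <book><title>Constructed</title>
    <xenc:EncryptedData Type="{XENC}Element">
      <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </book>
</library>"""

def key_length(key, key_type="plain"):
    """Byte length of a key given as plain text or as hexadecimal digits."""
    if key_type == "hex":
        return len(bytes.fromhex(key))  # raises ValueError on malformed hex
    # Assumption: plain text is UTF-8 encoded, so a 16-character key that
    # contains a non-ASCII character is longer than 16 bytes.
    return len(key.encode("utf-8"))

def find_encrypted_nodes(xml_text, key, key_type="plain"):
    """List each xenc:EncryptedData with granularity, algorithm and key check."""
    found = []
    for node in ET.fromstring(xml_text).iter(f"{{{XENC}}}EncryptedData"):
        # Direct child only, so an EncryptedKey's own method is not picked up.
        method = node.find(f"{{{XENC}}}EncryptionMethod")
        algorithm = method.get("Algorithm") if method is not None else None
        needed = KEY_BYTES.get(algorithm)
        found.append({
            # Type ends in "Element" or "Content"; it is absent for arbitrary data.
            "granularity": (node.get("Type") or "").rpartition("#")[2] or "unspecified",
            "algorithm": algorithm,
            "needed_bytes": needed,
            "key_fits": needed is not None and key_length(key, key_type) == needed,
        })
    return found
```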