Examples or tutorials for Santuario (Java)



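I need to encrypt XML, and Santuario seems to be the tool to use for that. The problem is, I can't figure out how to get started.

From the FAQ (which seems really outdated), I got to https://svn.apache.org/repos/asf/santuario/xml-security-java/trunk/trunk/samples/org/org/org/org/apache/xmache/xecurity/security/security/security/samples/, but that is empty.

To start with, I want to read an incoming public key, so something like this: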

<?xml version="1.0" encoding="UTF-8"?>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyValue>
    <ds:RSAKeyValue>
      <ds:Modulus>6sNhgtNVksGD4ZK1rW2iiGO11O/BzEIZazovnMK37y3RVvvjmv1z44uA505gyyUTziCntHV9tONm&#13;
J11bH4koqqJQFZPXuKAyuu9eR3W/pZ4EGBMMIVH2aqSOsPMTI5K9l2YOW8fAoEZQtYVWsCrygOyc&#13;
tBiamJZRJ+AKFZCIY5E=</ds:Modulus>
      <ds:Exponent>AQAB</ds:Exponent>
    </ds:RSAKeyValue>
  </ds:KeyValue>
</ds:KeyInfo>

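I was kind of hoping to read org.apache.xml.security.keys.KeyInfo using JAXB, but it has no no-arg constructor, so that can't be used. How does one parse such a document to obtain a KeyInfo object? (I'm trying to avoid low-level handling with DocumentBuilderFactory et al., but will if I have to.)

I need to use this public key to encrypt a generated secret key (AES-128), which I in turn use to encrypt an XML document. I need to output all of this as XML again. I'm hoping the lib has utils for that as well?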

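There may be better ways to do this (if so, please let me know), but this is what I came up with. I worked it out from this sample.

Reading the input

Assuming you have an InputStream or InputSource: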

Document document = XMLUtils.read(is);
// specific to my case, lookup the RSA key value node, and from there go to the parents
NodeList keyInfoList = document.getElementsByTagNameNS(XMLSignature.XMLNS, Constants._TAG_RSAKEYVALUE);
assert keyInfoList.getLength() == 1;
DOMStructure domStructure = new DOMStructure(keyInfoList.item(0).getParentNode().getParentNode());
// from here on it's generic again
KeyInfo keyInfo = KeyInfoFactory.getInstance("DOM").unmarshalKeyInfo(domStructure);
KeyValue keyValue = (KeyValue) keyInfo.getContent().get(0);
publicKey = keyValue.getPublicKey();

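Encrypting the document

To get an encrypted document, the following steps are needed:

  1. Generate a secret key
  2. Encrypt that key with the public key
    • Optionally add the input key used for encryption
  3. Encrypt the document
    • or any node within the document

Generating the secret key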

KeyGenerator keygen = KeyGenerator.getInstance("AES");
keygen.init(128);
secretKey = keygen.generateKey();

Encrypting the key

XMLCipher kekCipher = XMLCipher.getInstance(XMLCipher.RSA_OAEP);
kekCipher.init(XMLCipher.WRAP_MODE, publicKey);
EncryptedKey encryptedKey = kekCipher.encryptKey(inputDocument, secretKey);

Encrypting the document

XMLCipher cipher = XMLCipher.getInstance(XMLCipher.AES_128);
cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
// Create a KeyInfo for the EncryptedData
EncryptedData encryptedData = cipher.getEncryptedData();
org.apache.xml.security.keys.KeyInfo keyInfo = new org.apache.xml.security.keys.KeyInfo(inputDocument);
keyInfo.add(encryptedKey);
encryptedData.setKeyInfo(keyInfo);
Document result = cipher.doFinal(inputDocument, inputDocument);

Options

// output the result to a stream:
try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
    XMLUtils.outputDOM(result, baos, true);
}
// add key info to the encrypted key
org.apache.xml.security.keys.KeyInfo encryptedKeyKeyInfo = new org.apache.xml.security.keys.KeyInfo(document);
  // not sure the following is needed 
encryptedKeyKeyInfo.getElement()
    .setAttributeNS(
        "http://www.w3.org/2000/xmlns/", 
        "xmlns:dsig", 
        "http://www.w3.org/2000/09/xmldsig#");
encryptedKey.setKeyInfo(encryptedKeyKeyInfo);
encryptedKeyKeyInfo.add(publicKey);
// encrypt a specific node rather than the whole document
NodeList nodeList = document.getElementsByTagNameNS(ns, qName.getLocalPart());
// not sure if this'll work for embedded nodes
for (int i = 0, n = nodeList.getLength(); i < n; i++) {
    Element elementToEncrypt = (Element) nodeList.item(i);
    document = cipher.doFinal(document, elementToEncrypt, false); 
    // last parameter says to either encrypt the children of 'elementToEncrypt'
    // or the element itself
}
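
A round trip of the steps in the answer above, including the recipient's decryption side, as an added example that is not part of the original answer. It assumes a Santuario release that provides XMLCipher.AES_128_GCM on the classpath, uses a locally generated RSA key pair in place of the recipient's key, and swaps the answer's XMLCipher.AES_128 (CBC) for the authenticated AES-128-GCM so that modified ciphertext fails decryption; the class name and sample document are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.keys.KeyInfo;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class XmlEncRoundTrip { // hypothetical class name
    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        String xml = "<order><card>constructed-sample-value</card></order>"; // constructed input
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair(); // assumption: stands in for the recipient's key
        KeyGenerator keygen = KeyGenerator.getInstance("AES");
        keygen.init(128);
        SecretKey secretKey = keygen.generateKey();
        // Sender: wrap the AES key with RSA-OAEP, then encrypt only the <card> element.
        XMLCipher kekCipher = XMLCipher.getInstance(XMLCipher.RSA_OAEP);
        kekCipher.init(XMLCipher.WRAP_MODE, recipient.getPublic());
        EncryptedKey encryptedKey = kekCipher.encryptKey(doc, secretKey);
        XMLCipher cipher = XMLCipher.getInstance(XMLCipher.AES_128_GCM);
        cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
        KeyInfo keyInfo = new KeyInfo(doc);
        keyInfo.add(encryptedKey);
        cipher.getEncryptedData().setKeyInfo(keyInfo);
        Element card = (Element) doc.getElementsByTagName("card").item(0);
        cipher.doFinal(doc, card, false); // false: encrypt the element itself, not just its children
        // Recipient: the private key unwraps the EncryptedKey carried in the EncryptedData KeyInfo.
        Element enc = (Element) doc.getElementsByTagNameNS(
            "http://www.w3.org/2001/04/xmlenc#", "EncryptedData").item(0);
        XMLCipher dec = XMLCipher.getInstance();
        dec.init(XMLCipher.DECRYPT_MODE, null);
        dec.setKEK(recipient.getPrivate());
        dec.doFinal(doc, enc); // throws if the GCM tag does not verify
        System.out.println(doc.getElementsByTagName("card").item(0).getTextContent());
    }
}
```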
