Apache Santuario - XML Security for Java 2.0.0 - part II

In the previous blog post, I covered the new StAX-based (streaming) XML Signature functionality coming in Apache Santuario - XML Security for Java 2.0.0. In this post, I will focus on the new streaming XML Encryption functionality that will also be available in this release.

1) XML Encryption test-cases

I have uploaded some test-cases to github to show how to use the new StAX-based API. The tests and setup mirror the XML Signature testcases that I covered in the previous blog post. There are currently three junit tests in this project:

• EncryptionDOMTest - Encrypt + decrypt using the (older) DOM API
• EncryptionStAXTest - Encrypt + decrypt using the new StAX API
• EncryptionInteropTest - Test interop between the two implementations

2) Outbound StAX configuration

To see how to configure the new outbound StAX-based XML Encryption functionality, take a look at the "encryptUsingStax" method used by the tests. The streaming XML Security functionality is configured by populating a XMLSecurityProperties Object. You must typically call the following methods for XML Encryption:

• properties.setAction(XMLSecurityConstants.Action) - an "Action" to perform, which for XML Encryption purposes is XMLSecurityConstants.ENCRYPT. 
• properties.setEncryptionKey(Key) - The encrypting key. Typically a SecretKey instance.
• properties.setEncryptionSymAlgorithm(String) - Symmetric encryption Algorithm to use. The default is AES 256.
• properties.addEncryptionPart(SecurePart) - Add a SecurePart to encrypt, e.g. encrypt a given QName. 
• properties.setEncryptionTransportKey(Key) - The key to use to encrypt the secret key (if desired). Either a SecretKey or PublicKey instance.
• properties.setEncryptionKeyTransportAlgorithm(String) - The encryption key transport algorithm to use, to encrypt the secret key (if desired). Default is RSA OAEP.
• properties.setEncryptionKeyIdentifier(SecurityTokenConstants.KeyIdentifier) - How to reference the encrypting key/cert. The default is SecurityTokenConstants.KeyIdentifier_IssuerSerial.  

The valid Encryption KeyIdentifier types are:

• SecurityTokenConstants.KeyIdentifier_KeyValue
• SecurityTokenConstants.KeyIdentifier_KeyName
• SecurityTokenConstants.KeyIdentifier_IssuerSerial
• SecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier
• SecurityTokenConstants.KeyIdentifier_X509KeyIdentifier
• SecurityTokenConstants.KeyIdentifier_X509SubjectName
• SecurityTokenConstants.KeyIdentifier_NoKeyInfo

3) Inbound StAX configuration

To see how to configure the new inbound StAX-based XML Encryption functionality, take a look at the "decryptUsingStAX" method used by the tests. As with encryption creation, it is necessary to create a XMLSecurityProperties Object, and to tell it what "Action" to perform. In addition you must call the following method:

• properties.setDecryptionKey(Key) - a key to use to decrypt the request.

In addition, it is possible to pass a SecurityEventListener to record what security events were performed (see TestSecurityEventListener used in the tests). This allows the user to check what algorithms were used, what was encrypted etc.