XQuery/Digital Signatures

      Motivation

      You want to verify that a document sent to you has not been modified.


      Method

      We will use the W3C XML Digital Signature standard, and the standard Java XML signature API to sign a document and verify its signature.

      Warning: This program is not working yet


      Creating a Local Keystore

      To use the function you will need to create a local keystore that holds the signing key and certificate. In production systems the keystore is kept on an internal server, but in this example we will store it in the eXist database as a binary file.

      The following shell command shows how the keytool program that comes with the Java JRE can be used to generate a keystore file:

        /usr/java/bin/keytool -genkeypair -dname "cn=Test Certificate, ou=MyDivision, o=MyCompany, c=US" \
           -alias eXist -keypass kpi135 -keystore /tmp/keystore.pem -storepass ab987c \
           -validity 180
      

      After running this command, upload the /tmp/keystore.pem file into the eXist database as a binary resource at /db/test/dig-sig/keystore.pem.


      Adding an XQuery Function Wrapper Module

      We will add a custom jar file called x-krypt.jar to our $EXIST_HOME/lib/extensions area. After this file is in place we need to add the following line to $EXIST_HOME/conf.xml in the xquery/builtin-modules area (around line 780):

           <module class="ro.kuberam.xcrypt.XcryptModule" 
                    uri="http://kuberam.ro/x-crypt" />
      

      Adding a Digital Signature to a File

      After restarting the eXist server the following query can be executed:

      xquery version "1.0";

      import module namespace x-crypt = "http://kuberam.ro/x-crypt";

      (: the keystore uploaded as a binary resource in the previous step :)
      let $keystore-file-path := '/db/test/dig-sig/keystore.pem'

      return
      if ( not(util:binary-doc-available($keystore-file-path)) )
         then
         <error><message>Keystore File {$keystore-file-path} Not Available</message></error>
         else

      let $doc := <data><a>1</a><b>7</b><c/><c/></data>
      (: keystore type, location, passwords and key alias must match the keytool command above :)
      let $certificate-details :=
          <digital-certificate>
              <keystore-type>JKS</keystore-type>
              <keystore-name>{$keystore-file-path}</keystore-name>
              <keystore-password>ab987c</keystore-password>
              <key-alias>eXist</key-alias>
              <private-key-password>kpi135</private-key-password>
          </digital-certificate>

      (: enveloped signature: the ds:Signature element is inserted into a copy of $doc :)
      let $signed-doc := x-crypt:generate-signature($doc, "inclusive", "", "DSA_SHA1", "ds", "enveloped", $certificate-details)

      return
      <results>
        <doc>{$doc}</doc>
        <keystore-file-path>{$keystore-file-path}</keystore-file-path>
        <signed-doc>{$signed-doc}</signed-doc>
      </results>
      

      Validating a Digital Signature

      The same module and keystore that were used to sign an XML document are used to verify its signature: the verifier canonicalizes the document (excluding the enveloped ds:Signature element), recomputes the digest, and checks the signature value against the public key in the certificate.
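      The signing and verification steps that the x-crypt module performs can be seen directly with the standard Java XML signature API the method section refers to. This is an added example, not code from the wikibook or from the x-crypt module; it uses the keystore, alias and passwords from the keytool command above, the same sample document and the same parameters as the XQuery (inclusive canonicalization, enveloped signature, DSA_SHA1), and assumes the generated key pair is a DSA key.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class EnvelopedSignatureDemo {
    public static void main(String[] args) throws Exception {
        // Keystore path, passwords and alias from the keytool command; assumes a DSA key pair.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("/tmp/keystore.pem"), "ab987c".toCharArray());
        PrivateKey key = (PrivateKey) ks.getKey("eXist", "kpi135".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate("eXist");
        // Same sample document as the XQuery; XML-DSig requires a namespace-aware DOM.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new java.io.ByteArrayInputStream(
            "<data><a>1</a><b>7</b><c/><c/></data>".getBytes("UTF-8")));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Enveloped signature: URI "" covers the whole document; the enveloped transform
        // removes the ds:Signature element itself from the digest input.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED,
                (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.DSA_SHA1, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(
            kif.newX509Data(Collections.singletonList(cert))));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(key, doc.getDocumentElement()));
        // Verification: locate the ds:Signature element and validate it with the certificate's
        // public key; any change to <data> after signing makes validate() return false.
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        DOMValidateContext vc = new DOMValidateContext(cert.getPublicKey(), sigs.item(0));
        boolean valid = fac.unmarshalXMLSignature(vc).validate(vc);
        System.out.println("signature valid: " + valid);
    }
}
```

      Recent JDKs enable secure validation by default and reject SHA-1 based signature and digest algorithms, so verification of a DSA_SHA1 signature fails there unless the policy is relaxed; for anything beyond this exercise, generate an RSA key and use RSA_SHA256 with DigestMethod.SHA256 instead.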

      Last modified on 14 January 2011, at 20:36