XMLEncryptor Component
Properties Methods Events Config Settings Errors
The XMLEncryptor component encrypts XML documents.
Syntax
nsoftware.SecureBlackbox.Xmlencryptor
Remarks
XMLEncryptor encrypts XML documents with certificates or generic keys.
Property List
The following is the full list of the properties of the component with short descriptions. Click on the links for further details.
| Encoding | Specifies XML encoding. |
| EncryptedDataType | Specifies the type of the data being encrypted. |
| EncryptionKey | The symmetric (session) key used to encrypt the data. |
| EncryptionMethod | The encryption method used to encrypt the document. |
| EncryptKey | Specifies if the encryption key is encrypted. |
| ExternalData | The data that should be encrypted. |
| FIPSMode | Reserved. |
| InputBytes | Use this property to pass the input to component in byte array form. |
| InputFile | The XML document to be encrypted. |
| InputStream | Stream containing the XML document. |
| KeyEncryptionCertificate | The certificate used to encrypt a session key. |
| KeyEncryptionKey | The symmetric key used to encrypt a session key. |
| KeyEncryptionType | Specifies how the session key is encrypted. |
| KeyTransportMethod | Specifies how the session key is encrypted. |
| KeyWrapMethod | The key wrap method used to encrypt the session key. |
| OutputBytes | Use this property to read the output the component object has produced. |
| OutputFile | Defines where to save the encrypted XML document. |
| OutputStream | A stream where the encrypted XML document can be written to. |
| UseGCM | Specifies if GCM mode is enabled. |
| XMLNode | Defines the XML element to encrypt. |
| XPathNamespaces | Specifies namespaces for XPath expression. |
Method List
The following is the full list of the methods of the component with short descriptions. Click on the links for further details.
| Config | Sets or retrieves a configuration setting. |
| DoAction | Performs an additional action. |
| Encrypt | Encrypts an XML document. |
Event List
The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.
| Error | Information about errors during signing. |
| FormatElement | Reports the XML element that is currently being processed. |
| FormatText | Reports XML text that is currently being processed. |
| Notification | This event notifies the application about an underlying control flow event. |
Config Settings
The following is a list of config settings for the component with short descriptions. Click on the links for further details.
| EncryptedDataID | Specifies the ID for EncryptedData element. |
| EncryptedKeyID | Specifies the ID for EncryptedKey element. |
| EncryptedKeyInfoCustomXML | The custom XML content for EncryptedKey\\KeyInfo element. |
| EncryptedKeyInfoID | Specifies the ID for EncryptedKey\\KeyInfo element. |
| EncryptedKeyOnly | Specifies whether to create only EncryptedKey element. |
| EncryptedKeyXMLElement | Specifies the XML element where to save the encrypted key element. |
| EncryptionPrefix | Specifies the encryption prefix. |
| KeyInfoCustomXML | The custom XML content for KeyInfo element. |
| KeyInfoID | Specifies the ID for KeyInfo element. |
| KeyName | Contains information about the key used for encryption. |
| MimeType | Specifies the mime type of the encrypted data. |
| SignaturePrefix | Specifies the signature prefix. |
| TempPath | Location where the temporary files are stored. |
| WriteBOM | Specifies whether byte-order mark should be written when saving the document. |
| XMLFormatting | Specifies the signature XML formatting. |
| CheckKeyIntegrityBeforeUse | Enables or disable private key integrity check before use. |
| CookieCaching | Specifies whether a cookie cache should be used for HTTP(S) transports. |
| Cookies | Gets or sets local cookies for the component. |
| DefDeriveKeyIterations | Specifies the default key derivation algorithm iteration count. |
| EnableClientSideSSLFFDHE | Enables or disables finite field DHE key exchange support in TLS clients. |
| GlobalCookies | Gets or sets global cookies for all the HTTP transports. |
| HttpUserAgent | Specifies the user agent name to be used by all HTTP clients. |
| LogDestination | Specifies the debug log destination. |
| LogDetails | Specifies the debug log details to dump. |
| LogFile | Specifies the debug log filename. |
| LogFilters | Specifies the debug log filters. |
| LogFlushMode | Specifies the log flush mode. |
| LogLevel | Specifies the debug log level. |
| LogMaxEventCount | Specifies the maximum number of events to cache before further action is taken. |
| LogRotationMode | Specifies the log rotation mode. |
| MaxASN1BufferLength | Specifies the maximal allowed length for ASN.1 primitive tag data. |
| MaxASN1TreeDepth | Specifies the maximal depth for processed ASN.1 trees. |
| OCSPHashAlgorithm | Specifies the hash algorithm to be used to identify certificates in OCSP requests. |
| StaticDNS | Specifies whether static DNS rules should be used. |
| StaticIPAddress[domain] | Gets or sets an IP address for the specified domain name. |
| StaticIPAddresses | Gets or sets all the static DNS rules. |
| Tag | Allows to store any custom data. |
| TLSSessionGroup | Specifies the group name of TLS sessions to be used for session resumption. |
| TLSSessionLifetime | Specifies lifetime in seconds of the cached TLS session. |
| TLSSessionPurgeInterval | Specifies how often the session cache should remove the expired TLS sessions. |
| UseOwnDNSResolver | Specifies whether the client components should use own DNS resolver. |
| UseSharedSystemStorages | Specifies whether the validation engine should use a global per-process copy of the system certificate stores. |
| UseSystemOAEPAndPSS | Enforces or disables the use of system-driven RSA OAEP and PSS computations. |
| UseSystemRandom | Enables or disables the use of the OS PRNG. |
Encoding Property (XMLEncryptor Component)
Specifies XML encoding.
Syntax
Default Value
""
Remarks
Use this property to specify the encoding to apply to the XML documents.
EncryptedDataType Property (XMLEncryptor Component)
Specifies the type of the data being encrypted.
Syntax
public XmlencryptorEncryptedDataTypes EncryptedDataType { get; set; }
enum XmlencryptorEncryptedDataTypes { cxedtElement, cxedtContent, cxedtExternal }
Public Property EncryptedDataType As XmlencryptorEncryptedDataTypes
Enum XmlencryptorEncryptedDataTypes cxedtElement cxedtContent cxedtExternal End Enum
Default Value
0
Remarks
This property specifies the data type to be encrypted.
Supported values:
| cxedtElement | 0 | The XML element is encrypted.
XMLNode property specifies the XML element that should be encrypted. |
| cxedtContent | 1 | Element content is encrypted.
XMLNode property specifies the XML element which content should be encrypted. |
| cxedtExternal | 2 | External data is encrypted. Use ExternalData property to set the data that should be encrypted.
XMLNode property specifies the location where xenc:EncryptedData element should be placed. |
EncryptionKey Property (XMLEncryptor Component)
The symmetric (session) key used to encrypt the data.
Syntax
Remarks
Use this property to provide the encryption symmetric (session) key that will be used to encrypt a data.
It is required when the EncryptKey property is disabled. If the EncryptKey property is enabled, and no value is set, the component will generate a random session key (recommended).
This property is not available at design time.
EncryptionMethod Property (XMLEncryptor Component)
The encryption method used to encrypt the document.
Syntax
Default Value
"AES256"
Remarks
This property contains the encryption algorithm used to encrypt the XML document.
Supported values:
| SB_XML_ENCRYPTION_ALGORITHM_RC4 | RC4 | |
| SB_XML_ENCRYPTION_ALGORITHM_DES | DES | |
| SB_XML_ENCRYPTION_ALGORITHM_3DES | 3DEST | |
| SB_XML_ENCRYPTION_ALGORITHM_AES128 | AES128 | |
| SB_XML_ENCRYPTION_ALGORITHM_AES192 | AES192 | |
| SB_XML_ENCRYPTION_ALGORITHM_AES256 | AES256 | |
| SB_XML_ENCRYPTION_ALGORITHM_CAMELLIA128 | Camellia128 | |
| SB_XML_ENCRYPTION_ALGORITHM_CAMELLIA192 | Camellia192 | |
| SB_XML_ENCRYPTION_ALGORITHM_CAMELLIA256 | Camellia256 | |
| SB_XML_ENCRYPTION_ALGORITHM_SEED | SEED |
If UseGCM property is enabled, then supported values are:
| SB_XML_ENCRYPTION_ALGORITHM_AES128 | AES128 | |
| SB_XML_ENCRYPTION_ALGORITHM_AES192 | AES192 | |
| SB_XML_ENCRYPTION_ALGORITHM_AES256 | AES256 |
EncryptKey Property (XMLEncryptor Component)
Specifies if the encryption key is encrypted.
Syntax
Default Value
False
Remarks
Use this property to specify if encryption (session) key should be encrypted and also added to the encrypted data.
ExternalData Property (XMLEncryptor Component)
The data that should be encrypted.
Syntax
Remarks
Use this property to provide the data that should be encrypted if EncryptedDataType property is set to cxedtExternal value.
This property is not available at design time.
FIPSMode Property (XMLEncryptor Component)
Reserved.
Syntax
Default Value
False
Remarks
This property is reserved for future use.
InputBytes Property (XMLEncryptor Component)
Use this property to pass the input to component in byte array form.
Syntax
Remarks
Assign a byte array containing the data to be processed to this property.
This property is not available at design time.
InputFile Property (XMLEncryptor Component)
The XML document to be encrypted.
Syntax
Default Value
""
Remarks
Provide the path to the XML document to be encrypted.
InputStream Property (XMLEncryptor Component)
Stream containing the XML document.
Syntax
public System.IO.Stream InputStream { get; set; }
Public Property InputStream As System.IO.Stream
Default Value
null
Remarks
Use this property to feed the XML document to the component via a stream.
This property is not available at design time.
KeyEncryptionCertificate Property (XMLEncryptor Component)
The certificate used to encrypt a session key.
Syntax
public Certificate KeyEncryptionCertificate { get; set; }
Public Property KeyEncryptionCertificate As Certificate
Remarks
Use this property to provide the encryption certificate that will be used to encrypt a session key. It is required when the EncryptKey property is enabled and the KeyEncryptionType is set to cxetKeyTransport value.
This property is not available at design time.
Please refer to the Certificate type for a complete list of fields.KeyEncryptionKey Property (XMLEncryptor Component)
The symmetric key used to encrypt a session key.
Syntax
Remarks
Use this property to provide the encryption symmetric key that will be used to encrypt a session key. It is required when the EncryptKey property is enabled and KeyEncryptionType is set to cxetKeyWrap value.
This property is not available at design time.
KeyEncryptionType Property (XMLEncryptor Component)
Specifies how the session key is encrypted.
Syntax
public XmlencryptorKeyEncryptionTypes KeyEncryptionType { get; set; }
enum XmlencryptorKeyEncryptionTypes { cxetKeyTransport, cxetKeyWrap }
Public Property KeyEncryptionType As XmlencryptorKeyEncryptionTypes
Enum XmlencryptorKeyEncryptionTypes cxetKeyTransport cxetKeyWrap End Enum
Default Value
0
Remarks
This property specifies how the session key is encrypted.
Supported values:
| cxetKeyTransport | 0 | The key is encrypted using public-key based algorithm |
| cxetKeyWrap | 1 | The key is encrypted using symmetric algorithm with pre-shared secret key |
KeyTransportMethod Property (XMLEncryptor Component)
Specifies how the session key is encrypted.
Syntax
public XmlencryptorKeyTransportMethods KeyTransportMethod { get; set; }
enum XmlencryptorKeyTransportMethods { cxktRSA15, cxktRSAOAEP }
Public Property KeyTransportMethod As XmlencryptorKeyTransportMethods
Enum XmlencryptorKeyTransportMethods cxktRSA15 cxktRSAOAEP End Enum
Default Value
0
Remarks
This property specifies how the session key is encrypted.
Supported values:
| cxktRSA15 | 0 | RSA 1.5 (RSAES-PKCS1-v1_5) encryption is used |
| cxktRSAOAEP | 1 | RSA-OAEP (RSAES-OAEP-ENCRYPT) encryption is used |
KeyWrapMethod Property (XMLEncryptor Component)
The key wrap method used to encrypt the session key.
Syntax
Default Value
"Camellia256"
Remarks
This property specifies the key wrap algorithm used to encrypt the session key.
Supported values:
| SB_XML_ENCRYPTION_ALGORITHM_3DES | 3DEST | |
| SB_XML_ENCRYPTION_ALGORITHM_AES128 | AES128 | |
| SB_XML_ENCRYPTION_ALGORITHM_AES192 | AES192 | |
| SB_XML_ENCRYPTION_ALGORITHM_AES256 | AES256 | |
| SB_XML_ENCRYPTION_ALGORITHM_CAMELLIA128 | Camellia128 | |
| SB_XML_ENCRYPTION_ALGORITHM_CAMELLIA192 | Camellia192 | |
| SB_XML_ENCRYPTION_ALGORITHM_CAMELLIA256 | Camellia256 | |
| SB_XML_ENCRYPTION_ALGORITHM_SEED | SEED |
OutputBytes Property (XMLEncryptor Component)
Use this property to read the output the component object has produced.
Syntax
Remarks
Read the contents of this property after the operation has completed to read the produced output. This property will only be set if the OutputFile and OutputStream properties had not been assigned.
This property is read-only and not available at design time.
OutputFile Property (XMLEncryptor Component)
Defines where to save the encrypted XML document.
Syntax
Default Value
""
Remarks
Specifies the path where the encrypted XML document should be saved.
OutputStream Property (XMLEncryptor Component)
A stream where the encrypted XML document can be written to.
Syntax
public System.IO.Stream OutputStream { get; set; }
Public Property OutputStream As System.IO.Stream
Default Value
null
Remarks
Use this property to save the encrypted XML document to the stream.
This property is not available at design time.
UseGCM Property (XMLEncryptor Component)
Specifies if GCM mode is enabled.
Syntax
Default Value
False
Remarks
Use this property to enable Galois/Counter Mode (GCM) mode for AES encryption method.
XMLNode Property (XMLEncryptor Component)
Defines the XML element to encrypt.
Syntax
Default Value
""
Remarks
Defines the XML element/node to encrypt or in case if cxedtExternal encryption data type is used where to save the encrypted data.
Supported values are:
| "" | an empty string indicates the Document element |
| "#id" | indicates an XML element with specified Id |
| XPath expression | indicates an XML element selected using XPath expression. Use XPathNamespaces property to specify Prefixes and NamespaceURIs
For example: "/root/data[1]" - indicates the second "data" element under the document element with a name "root" "//ns1:data" - indicates a data element. "ns1" prefix should be defined in XPathNamespaces property |
| Node name | indicates an XML element selected using its NodeName.
For example: "data" - indicates an XML element with node name "data". |
XPathNamespaces Property (XMLEncryptor Component)
Specifies namespaces for XPath expression.
Syntax
public XMLNamespaceList XPathNamespaces { get; }
Public Property XPathNamespaces As XMLNamespaceList
Remarks
This property contains a list of prefixes and namespaceURIs that used in XPath expression with XMLNode property.
Please refer to the XMLNamespace type for a complete list of fields.Config Method (XMLEncryptor Component)
Sets or retrieves a configuration setting.
Syntax
Remarks
Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.
These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.
To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).
To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.
DoAction Method (XMLEncryptor Component)
Performs an additional action.
Syntax
Remarks
DoAction is a generic method available in every component. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.
The unique identifier (case insensitive) of the action is provided in the ActionID parameter.
ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....
Encrypt Method (XMLEncryptor Component)
Encrypts an XML document.
Syntax
public void Encrypt();
Public Sub Encrypt()
Remarks
Call this method to encrypt an XML document.
The component could be used to encrypt the SOAP message as well.
Example 1: Encrypting the SOAP message
void EncryptSOAPMessage(string inputFilename, string outputFilename, string cert, string certPassword)
{
string encKeyId = "EK-" + Guid.NewGuid().ToString();
string encDataId = "ED-" + Guid.NewGuid().ToString();
using (Xmlencryptor encryptor = new Xmlencryptor())
{
encryptor.InputFile = inputFilename;
encryptor.OutputFile = outputFilename;
string certB64;
using (Certificatemanager certMgr = new Certificatemanager())
{
certMgr.ImportFromFile(cert, certPassword);
encryptor.KeyEncryptionCertificate = certMgr.Certificate;
using (Utils utils = new Utils())
{
var certBytes = certMgr.Certificate.Bytes;
certB64 = utils.Base64Encode(certBytes, false);
}
}
encryptor.XMLNode = "/soapv11:Envelope/soapv11:Body";
encryptor.EncryptedDataType = XmlencryptorEncryptedDataTypes.cxedtContent;
encryptor.EncryptionMethod = "AES128";
encryptor.EncryptKey = true;
encryptor.KeyEncryptionType = XmlencryptorKeyEncryptionTypes.cxetKeyTransport;
encryptor.KeyTransportMethod = XmlencryptorKeyTransportMethods.cxktRSA15;
encryptor.Config($"EncryptedDataID={encDataId}");
encryptor.Config($"EncryptedKeyID={encKeyId}");
encryptor.Config("EncryptedKeyXMLElement=/soapv11:Envelope/soapv11:Header/wssev10:Security");
encryptor.Config("KeyInfoCustomXML=<wsse:SecurityTokenReference xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
"xmlns:wsse11=\"http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd\" wsse11:TokenType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\">" +
$"<wsse:Reference URI=\"#{encKeyId}\"/>" +
"</wsse:SecurityTokenReference>");
encryptor.Config("EncryptedKeyInfoCustomXML=<wsse:SecurityTokenReference xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">" +
$"<ds:X509Data xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">{certB64}</ds:X509Data>" +
"</wsse:SecurityTokenReference>");
encryptor.Encrypt();
}
}
EncryptSOAPMessage(@"soap_test.xml", @"soap_encrypted.xml", @"cert.pfx", "password");
Note: The above code expects that the SOAP message has a WS Security header element.
Sample SOAP message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
</wsse:Security>
</soap:Header>
<soap:Body>
<ns:Data xmlns:ns="http://test.com">Sample message</ns:Data>
</soap:Body>
</soap:Envelope>
Sample encrypted SOAP message produced by the above code:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<xenc:EncryptedKey Id="EK-89565c75-9556-43d3-9de0-35ce6577e798" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</wsse:Security>
</soap:Header>
<soap:Body>
<xenc:EncryptedData Id="ED-90fe019e-0093-489d-a646-7ae0cee237c2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-89565c75-9556-43d3-9de0-35ce6577e798"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
Example 2: Decrypting the SOAP message
void DecryptSOAPMessage(string inputFilename, string outputFilename, string cert, string certPassword)
{
using (Xmldecryptor decryptor = new Xmldecryptor())
{
decryptor.InputFile = inputFilename;
decryptor.OutputFile = outputFilename;
using (Certificatemanager certMgr = new Certificatemanager())
{
certMgr.ImportFromFile(cert, certPassword);
decryptor.KeyDecryptionCertificate = certMgr.Certificate;
}
decryptor.XMLElement = "/soapv11:Envelope/soapv11:Body/xenc:EncryptedData";
decryptor.Config("EncryptedKeyXMLElement=/soapv11:Envelope/soapv11:Header/wssev10:Security");
decryptor.Decrypt();
}
}
DecryptSOAPMessage(@"soap_encrypted.xml", @"soap_decrypted.xml", @"cert.pfx", "password");
Example 3: Signing and encrypting the SOAP message
void SignAndEncryptSOAPMessage(string inputFilename, string outputFilename, string signingCert, string signingCertPassword, string encryptionCert, string encryptionCertPassword)
{
byte[] data;
string encKeyId = "EK-" + Guid.NewGuid().ToString();
string encDataId1 = "ED-" + Guid.NewGuid().ToString();
string encDataId2 = "ED-" + Guid.NewGuid().ToString();
// Step 1: Creating Web service security (WSS) signature
using (Soapsigner signer = new Soapsigner())
{
signer.InputFile = inputFilename;
// loading the signing certificate
using (Certificatemanager certMgr = new Certificatemanager())
{
certMgr.ImportFromFile(encryptionCert, encryptionCertPassword);
signer.SigningCertificate = certMgr.Certificate;
}
signer.NewSignature.SignatureType = SOAPSignatureTypes.sstWSSSignature;
signer.NewSignature.HashAlgorithm = "SHA256";
signer.NewSignature.XAdES = false;
signer.SecurityHeaderIndex = 0;
signer.AddBodyReference("ID-" + Guid.NewGuid().ToString(), false);
signer.Sign();
data = signer.OutputBytes;
}
using (Xmlencryptor encryptor = new Xmlencryptor())
{
// Step 2: loading the encryption certificate
string certB64;
using (Certificatemanager certMgr = new Certificatemanager())
{
certMgr.ImportFromFile(encryptionCert, encryptionCertPassword);
encryptor.KeyEncryptionCertificate = certMgr.Certificate;
using (Utils utils = new Utils())
{
var certBytes = certMgr.Certificate.Bytes;
certB64 = utils.Base64Encode(certBytes, false);
}
}
// Step 3: generating random key encryption key (128-bit length)
// this key will be used for both encryptions
byte[] KEK;
using (Rnd rnd = new Rnd())
{
KEK = rnd.NextBytes(16);
}
encryptor.KeyEncryptionKey = KEK;
// Step 4: encrypting Body element and placing encrypted key to the Security block in the SOAP Message Header
encryptor.XMLNode = "/soapv11:Envelope/soapv11:Body";
encryptor.EncryptedDataType = XmlencryptorEncryptedDataTypes.cxedtContent;
encryptor.EncryptionMethod = "AES128";
encryptor.EncryptKey = true;
encryptor.KeyEncryptionType = XmlencryptorKeyEncryptionTypes.cxetKeyTransport;
encryptor.KeyTransportMethod = XmlencryptorKeyTransportMethods.cxktRSA15;
encryptor.Config($"EncryptedDataID={encDataId1}");
encryptor.Config($"EncryptedKeyID={encKeyId}");
encryptor.Config("EncryptedKeyXMLElement=/soapv11:Envelope/soapv11:Header/wssev10:Security");
encryptor.Config("KeyInfoCustomXML=<wsse:SecurityTokenReference xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
"xmlns:wsse11=\"http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd\" wsse11:TokenType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\">" +
$"<wsse:Reference URI=\"#{encKeyId}\"/>" +
"</wsse:SecurityTokenReference>");
encryptor.Config("EncryptedKeyInfoCustomXML=<wsse:SecurityTokenReference xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">" +
$"<ds:X509Data xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">{certB64}</ds:X509Data>" +
"</wsse:SecurityTokenReference>");
encryptor.InputBytes = data;
encryptor.Encrypt();
// Step 5: encrypting WSS Signature
encryptor.InputBytes = encryptor.OutputBytes;
// resetting settings
encryptor.Config("EncryptedKeyXMLElement=");
encryptor.Config("EncryptedKeyInfoCustomXML=");
encryptor.XMLNode = "/soapv11:Envelope/soapv11:Header/wsse:Security/ds:Signature";
encryptor.EncryptedDataType = XmlencryptorEncryptedDataTypes.cxedtElement;
encryptor.EncryptKey = false;
encryptor.Config($"EncryptedDataID={encDataId2}");
encryptor.Config("KeyInfoCustomXML=<wsse:SecurityTokenReference xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
"xmlns:wsse11=\"http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd\" wsse11:TokenType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\">" +
$"<wsse:Reference URI=\"#{encKeyId}\"/>" +
"</wsse:SecurityTokenReference>");
encryptor.Encrypt();
data = encryptor.OutputBytes;
}
// Step 6: miscellaneous XML DOM manipulations, not supported by XMLEncryptor, but may be required by SOAP standard
using (Soapsigner signer = new Soapsigner())
{
signer.InputBytes = data;
signer.OutputFile = outputFilename;
signer.Open();
// Adding xenc:ReferenceList element to xenc:EncryptedKey element
signer.SetInnerXML("/soapv11:Envelope/soapv11:Header/wssev10:Security/xenc:EncryptedKey",
signer.GetInnerXML("/soapv11:Envelope/soapv11:Header/wssev10:Security/xenc:EncryptedKey") +
"<xenc:ReferenceList>" +
$"<xenc:DataReference URI=\"#{encDataId1}\"/>" +
$"<xenc:DataReference URI=\"#{encDataId2}\"/>" +
"</xenc:ReferenceList>");
// swapping the order of elements in WSS Security header
// SOAP requires that items in the header are placed in the order that they will be processed, not the order they were generated
// because the decryption should be performed before veryfing SOAP message, the xenc:EncryptedKey element should be placed first
var encKeyContent = signer.GetOuterXML("/soapv11:Envelope/soapv11:Header/wssev10:Security/xenc:EncryptedKey");
var secContent = signer.GetInnerXML("/soapv11:Envelope/soapv11:Header/wssev10:Security");
var k = secContent.IndexOf(encKeyContent, StringComparison.Ordinal);
if (k != -1)
signer.SetInnerXML("/soapv11:Envelope/soapv11:Header/wssev10:Security", encKeyContent + secContent.Substring(0, k));
signer.Close(true);
}
}
SignAndEncryptSOAPMessage(@"soap_test.xml", @"soap_signed_encrypted.xml", @"cert.pfx", "password", @"cert2.pfx", "password2");
Sample SOAP message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns:Data xmlns:ns="http://test.com">Sample message</ns:Data>
</soap:Body>
</soap:Envelope>
Sample signed and encrypted SOAP message produced by the above code:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<xenc:EncryptedKey Id="EK-14e69f03-fc61-48f1-b825-b03ca613f0f8" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-65385224-0bb5-43f0-b4bf-67a9e9452c10"/>
<xenc:DataReference URI="#ED-4267b8f3-8662-4441-99ec-32a2e9180288"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="id-1135467976" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
<xenc:EncryptedData Id="ED-4267b8f3-8662-4441-99ec-32a2e9180288" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-14e69f03-fc61-48f1-b825-b03ca613f0f8"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="ID-5bbf3495-d919-416e-96c3-67759aab9cf8" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="ED-65385224-0bb5-43f0-b4bf-67a9e9452c10" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-14e69f03-fc61-48f1-b825-b03ca613f0f8"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
Example 4: Decrypting and verifying the SOAP message
void DecryptAndVerifySOAPMessage(string inputFilename, string outputFilename, string decryptionCert, string decryptionCertPassword)
{
byte[] data;
using (Xmldecryptor decryptor = new Xmldecryptor())
{
decryptor.InputFile = inputFilename;
decryptor.OutputFile = outputFilename;
using (Certificatemanager certMgr = new Certificatemanager())
{
certMgr.ImportFromFile(decryptionCert, decryptionCertPassword);
decryptor.KeyDecryptionCertificate = certMgr.Certificate;
}
decryptor.Config("EncryptedKeyXMLElement=/soapv11:Envelope/soapv11:Header/wssev10:Security");
decryptor.Decrypt();
}
using (Soapverifier verifier = new Soapverifier())
{
verifier.InputFile = outputFilename;
verifier.Verify();
if ((verifier.Signatures.Count != 1) || (verifier.Signatures[0].SignatureValidationResult != XMLSignatureValidities.xsvValid))
throw new Exception("Signature not found or failed to verify a signature");
}
}
DecryptAndVerifySOAPMessage(@"soap_signed_encrypted.xml", @"soap_signed_decrypted.xml", @"cert2.pfx", "password2");
Error Event (XMLEncryptor Component)
Information about errors during signing.
Syntax
public event OnErrorHandler OnError; public delegate void OnErrorHandler(object sender, XmlencryptorErrorEventArgs e); public class XmlencryptorErrorEventArgs : EventArgs { public int ErrorCode { get; } public string Description { get; } }
Public Event OnError As OnErrorHandler Public Delegate Sub OnErrorHandler(sender As Object, e As XmlencryptorErrorEventArgs) Public Class XmlencryptorErrorEventArgs Inherits EventArgs Public ReadOnly Property ErrorCode As Integer Public ReadOnly Property Description As String End Class
Remarks
The event is fired in case of exceptional conditions during signing.
ErrorCode contains an error code and Description contains a textual description of the error.
FormatElement Event (XMLEncryptor Component)
Reports the XML element that is currently being processed.
Syntax
public event OnFormatElementHandler OnFormatElement; public delegate void OnFormatElementHandler(object sender, XmlencryptorFormatElementEventArgs e); public class XmlencryptorFormatElementEventArgs : EventArgs { public string StartTagWhitespace { get; set; } public string EndTagWhitespace { get; set; } public int Level { get; } public string Path { get; } public bool HasChildElements { get; } }
Public Event OnFormatElement As OnFormatElementHandler Public Delegate Sub OnFormatElementHandler(sender As Object, e As XmlencryptorFormatElementEventArgs) Public Class XmlencryptorFormatElementEventArgs Inherits EventArgs Public Property StartTagWhitespace As String Public Property EndTagWhitespace As String Public ReadOnly Property Level As Integer Public ReadOnly Property Path As String Public ReadOnly Property HasChildElements As Boolean End Class
Remarks
Path and Level specify the path to the XML element being processed and its nesting level, respectively.
HasChildElements specify if processed XML element has child elements.
Among other purposes, this event may be used to add whitespace formatting before or after a particular element in the signature.
FormatText Event (XMLEncryptor Component)
Reports XML text that is currently being processed.
Syntax
public event OnFormatTextHandler OnFormatText; public delegate void OnFormatTextHandler(object sender, XmlencryptorFormatTextEventArgs e); public class XmlencryptorFormatTextEventArgs : EventArgs { public string Text { get; set; } public int TextType { get; } public int Level { get; } public string Path { get; } }
Public Event OnFormatText As OnFormatTextHandler Public Delegate Sub OnFormatTextHandler(sender As Object, e As XmlencryptorFormatTextEventArgs) Public Class XmlencryptorFormatTextEventArgs Inherits EventArgs Public Property Text As String Public ReadOnly Property TextType As Integer Public ReadOnly Property Level As Integer Public ReadOnly Property Path As String End Class
Remarks
TextType parameter specifies the type of the XML text (normal or Base64-encoded) that is stored in the element; Path and Level specify the path to the XML element and its nesting level.
Among other purposes, this event may be used to add whitespace formatting before or after a particular element in the signature.
Notification Event (XMLEncryptor Component)
This event notifies the application about an underlying control flow event.
Syntax
public event OnNotificationHandler OnNotification; public delegate void OnNotificationHandler(object sender, XmlencryptorNotificationEventArgs e); public class XmlencryptorNotificationEventArgs : EventArgs { public string EventID { get; } public string EventParam { get; } }
Public Event OnNotification As OnNotificationHandler Public Delegate Sub OnNotificationHandler(sender As Object, e As XmlencryptorNotificationEventArgs) Public Class XmlencryptorNotificationEventArgs Inherits EventArgs Public ReadOnly Property EventID As String Public ReadOnly Property EventParam As String End Class
Remarks
The component fires this event to let the application know about some event, occurrence, or milestone in the component. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.
The unique identifier of the event is provided in the EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the component, the exact action it is performing, or the document being processed, one or both may be omitted.
Certificate Type
Provides details of an individual X.509 certificate.
Remarks
This type provides access to X.509 certificate details.
Fields
Bytes
byte[] (read-only)
Default Value: ""
Returns the raw certificate data in DER format.
CA
bool
Default Value: False
Indicates whether the certificate has a CA capability (a setting in the BasicConstraints extension).
CAKeyID
byte[] (read-only)
Default Value: ""
A unique identifier (fingerprint) of the CA certificate's private key.
Authority Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates produced by the same issuer, but with different public keys.
CRLDistributionPoints
string
Default Value: ""
Locations of the CRL (Certificate Revocation List) distribution points used to check this certificate's validity.
Curve
string
Default Value: ""
Specifies the elliptic curve of the EC public key.
| SB_EC_SECP112R1 | SECP112R1 | |
| SB_EC_SECP112R2 | SECP112R2 | |
| SB_EC_SECP128R1 | SECP128R1 | |
| SB_EC_SECP128R2 | SECP128R2 | |
| SB_EC_SECP160K1 | SECP160K1 | |
| SB_EC_SECP160R1 | SECP160R1 | |
| SB_EC_SECP160R2 | SECP160R2 | |
| SB_EC_SECP192K1 | SECP192K1 | |
| SB_EC_SECP192R1 | SECP192R1 | |
| SB_EC_SECP224K1 | SECP224K1 | |
| SB_EC_SECP224R1 | SECP224R1 | |
| SB_EC_SECP256K1 | SECP256K1 | |
| SB_EC_SECP256R1 | SECP256R1 | |
| SB_EC_SECP384R1 | SECP384R1 | |
| SB_EC_SECP521R1 | SECP521R1 | |
| SB_EC_SECT113R1 | SECT113R1 | |
| SB_EC_SECT113R2 | SECT113R2 | |
| SB_EC_SECT131R1 | SECT131R1 | |
| SB_EC_SECT131R2 | SECT131R2 | |
| SB_EC_SECT163K1 | SECT163K1 | |
| SB_EC_SECT163R1 | SECT163R1 | |
| SB_EC_SECT163R2 | SECT163R2 | |
| SB_EC_SECT193R1 | SECT193R1 | |
| SB_EC_SECT193R2 | SECT193R2 | |
| SB_EC_SECT233K1 | SECT233K1 | |
| SB_EC_SECT233R1 | SECT233R1 | |
| SB_EC_SECT239K1 | SECT239K1 | |
| SB_EC_SECT283K1 | SECT283K1 | |
| SB_EC_SECT283R1 | SECT283R1 | |
| SB_EC_SECT409K1 | SECT409K1 | |
| SB_EC_SECT409R1 | SECT409R1 | |
| SB_EC_SECT571K1 | SECT571K1 | |
| SB_EC_SECT571R1 | SECT571R1 | |
| SB_EC_PRIME192V1 | PRIME192V1 | |
| SB_EC_PRIME192V2 | PRIME192V2 | |
| SB_EC_PRIME192V3 | PRIME192V3 | |
| SB_EC_PRIME239V1 | PRIME239V1 | |
| SB_EC_PRIME239V2 | PRIME239V2 | |
| SB_EC_PRIME239V3 | PRIME239V3 | |
| SB_EC_PRIME256V1 | PRIME256V1 | |
| SB_EC_C2PNB163V1 | C2PNB163V1 | |
| SB_EC_C2PNB163V2 | C2PNB163V2 | |
| SB_EC_C2PNB163V3 | C2PNB163V3 | |
| SB_EC_C2PNB176W1 | C2PNB176W1 | |
| SB_EC_C2TNB191V1 | C2TNB191V1 | |
| SB_EC_C2TNB191V2 | C2TNB191V2 | |
| SB_EC_C2TNB191V3 | C2TNB191V3 | |
| SB_EC_C2ONB191V4 | C2ONB191V4 | |
| SB_EC_C2ONB191V5 | C2ONB191V5 | |
| SB_EC_C2PNB208W1 | C2PNB208W1 | |
| SB_EC_C2TNB239V1 | C2TNB239V1 | |
| SB_EC_C2TNB239V2 | C2TNB239V2 | |
| SB_EC_C2TNB239V3 | C2TNB239V3 | |
| SB_EC_C2ONB239V4 | C2ONB239V4 | |
| SB_EC_C2ONB239V5 | C2ONB239V5 | |
| SB_EC_C2PNB272W1 | C2PNB272W1 | |
| SB_EC_C2PNB304W1 | C2PNB304W1 | |
| SB_EC_C2TNB359V1 | C2TNB359V1 | |
| SB_EC_C2PNB368W1 | C2PNB368W1 | |
| SB_EC_C2TNB431R1 | C2TNB431R1 | |
| SB_EC_NISTP192 | NISTP192 | |
| SB_EC_NISTP224 | NISTP224 | |
| SB_EC_NISTP256 | NISTP256 | |
| SB_EC_NISTP384 | NISTP384 | |
| SB_EC_NISTP521 | NISTP521 | |
| SB_EC_NISTB163 | NISTB163 | |
| SB_EC_NISTB233 | NISTB233 | |
| SB_EC_NISTB283 | NISTB283 | |
| SB_EC_NISTB409 | NISTB409 | |
| SB_EC_NISTB571 | NISTB571 | |
| SB_EC_NISTK163 | NISTK163 | |
| SB_EC_NISTK233 | NISTK233 | |
| SB_EC_NISTK283 | NISTK283 | |
| SB_EC_NISTK409 | NISTK409 | |
| SB_EC_NISTK571 | NISTK571 | |
| SB_EC_GOSTCPTEST | GOSTCPTEST | |
| SB_EC_GOSTCPA | GOSTCPA | |
| SB_EC_GOSTCPB | GOSTCPB | |
| SB_EC_GOSTCPC | GOSTCPC | |
| SB_EC_GOSTCPXCHA | GOSTCPXCHA | |
| SB_EC_GOSTCPXCHB | GOSTCPXCHB | |
| SB_EC_BRAINPOOLP160R1 | BRAINPOOLP160R1 | |
| SB_EC_BRAINPOOLP160T1 | BRAINPOOLP160T1 | |
| SB_EC_BRAINPOOLP192R1 | BRAINPOOLP192R1 | |
| SB_EC_BRAINPOOLP192T1 | BRAINPOOLP192T1 | |
| SB_EC_BRAINPOOLP224R1 | BRAINPOOLP224R1 | |
| SB_EC_BRAINPOOLP224T1 | BRAINPOOLP224T1 | |
| SB_EC_BRAINPOOLP256R1 | BRAINPOOLP256R1 | |
| SB_EC_BRAINPOOLP256T1 | BRAINPOOLP256T1 | |
| SB_EC_BRAINPOOLP320R1 | BRAINPOOLP320R1 | |
| SB_EC_BRAINPOOLP320T1 | BRAINPOOLP320T1 | |
| SB_EC_BRAINPOOLP384R1 | BRAINPOOLP384R1 | |
| SB_EC_BRAINPOOLP384T1 | BRAINPOOLP384T1 | |
| SB_EC_BRAINPOOLP512R1 | BRAINPOOLP512R1 | |
| SB_EC_BRAINPOOLP512T1 | BRAINPOOLP512T1 | |
| SB_EC_CURVE25519 | CURVE25519 | |
| SB_EC_CURVE448 | CURVE448 |
Fingerprint
byte[] (read-only)
Default Value: ""
Contains the fingerprint (a hash imprint) of this certificate.
FriendlyName
string (read-only)
Default Value: ""
Contains an associated alias (friendly name) of the certificate.
HashAlgorithm
string
Default Value: ""
Specifies the hash algorithm to be used in the operations on the certificate (such as key signing)
| SB_HASH_ALGORITHM_SHA1 | SHA1 | |
| SB_HASH_ALGORITHM_SHA224 | SHA224 | |
| SB_HASH_ALGORITHM_SHA256 | SHA256 | |
| SB_HASH_ALGORITHM_SHA384 | SHA384 | |
| SB_HASH_ALGORITHM_SHA512 | SHA512 | |
| SB_HASH_ALGORITHM_MD2 | MD2 | |
| SB_HASH_ALGORITHM_MD4 | MD4 | |
| SB_HASH_ALGORITHM_MD5 | MD5 | |
| SB_HASH_ALGORITHM_RIPEMD160 | RIPEMD160 | |
| SB_HASH_ALGORITHM_CRC32 | CRC32 | |
| SB_HASH_ALGORITHM_SSL3 | SSL3 | |
| SB_HASH_ALGORITHM_GOST_R3411_1994 | GOST1994 | |
| SB_HASH_ALGORITHM_WHIRLPOOL | WHIRLPOOL | |
| SB_HASH_ALGORITHM_POLY1305 | POLY1305 | |
| SB_HASH_ALGORITHM_SHA3_224 | SHA3_224 | |
| SB_HASH_ALGORITHM_SHA3_256 | SHA3_256 | |
| SB_HASH_ALGORITHM_SHA3_384 | SHA3_384 | |
| SB_HASH_ALGORITHM_SHA3_512 | SHA3_512 | |
| SB_HASH_ALGORITHM_BLAKE2S_128 | BLAKE2S_128 | |
| SB_HASH_ALGORITHM_BLAKE2S_160 | BLAKE2S_160 | |
| SB_HASH_ALGORITHM_BLAKE2S_224 | BLAKE2S_224 | |
| SB_HASH_ALGORITHM_BLAKE2S_256 | BLAKE2S_256 | |
| SB_HASH_ALGORITHM_BLAKE2B_160 | BLAKE2B_160 | |
| SB_HASH_ALGORITHM_BLAKE2B_256 | BLAKE2B_256 | |
| SB_HASH_ALGORITHM_BLAKE2B_384 | BLAKE2B_384 | |
| SB_HASH_ALGORITHM_BLAKE2B_512 | BLAKE2B_512 | |
| SB_HASH_ALGORITHM_SHAKE_128 | SHAKE_128 | |
| SB_HASH_ALGORITHM_SHAKE_256 | SHAKE_256 | |
| SB_HASH_ALGORITHM_SHAKE_128_LEN | SHAKE_128_LEN | |
| SB_HASH_ALGORITHM_SHAKE_256_LEN | SHAKE_256_LEN |
Issuer
string (read-only)
Default Value: ""
The common name of the certificate issuer (CA), typically a company name.
IssuerRDN
string
Default Value: ""
A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate issuer.
KeyAlgorithm
string
Default Value: "0"
Specifies the public key algorithm of this certificate.
| SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION | rsaEncryption | |
| SB_CERT_ALGORITHM_MD2_RSA_ENCRYPTION | md2withRSAEncryption | |
| SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION | md5withRSAEncryption | |
| SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION | sha1withRSAEncryption | |
| SB_CERT_ALGORITHM_ID_DSA | id-dsa | |
| SB_CERT_ALGORITHM_ID_DSA_SHA1 | id-dsa-with-sha1 | |
| SB_CERT_ALGORITHM_DH_PUBLIC | dhpublicnumber | |
| SB_CERT_ALGORITHM_SHA224_RSA_ENCRYPTION | sha224WithRSAEncryption | |
| SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION | sha256WithRSAEncryption | |
| SB_CERT_ALGORITHM_SHA384_RSA_ENCRYPTION | sha384WithRSAEncryption | |
| SB_CERT_ALGORITHM_SHA512_RSA_ENCRYPTION | sha512WithRSAEncryption | |
| SB_CERT_ALGORITHM_ID_RSAPSS | id-RSASSA-PSS | |
| SB_CERT_ALGORITHM_ID_RSAOAEP | id-RSAES-OAEP | |
| SB_CERT_ALGORITHM_RSASIGNATURE_RIPEMD160 | ripemd160withRSA | |
| SB_CERT_ALGORITHM_ID_ELGAMAL | elGamal | |
| SB_CERT_ALGORITHM_SHA1_ECDSA | ecdsa-with-SHA1 | |
| SB_CERT_ALGORITHM_RECOMMENDED_ECDSA | ecdsa-recommended | |
| SB_CERT_ALGORITHM_SHA224_ECDSA | ecdsa-with-SHA224 | |
| SB_CERT_ALGORITHM_SHA256_ECDSA | ecdsa-with-SHA256 | |
| SB_CERT_ALGORITHM_SHA384_ECDSA | ecdsa-with-SHA384 | |
| SB_CERT_ALGORITHM_SHA512_ECDSA | ecdsa-with-SHA512 | |
| SB_CERT_ALGORITHM_EC | id-ecPublicKey | |
| SB_CERT_ALGORITHM_SPECIFIED_ECDSA | ecdsa-specified | |
| SB_CERT_ALGORITHM_GOST_R3410_1994 | id-GostR3410-94 | |
| SB_CERT_ALGORITHM_GOST_R3410_2001 | id-GostR3410-2001 | |
| SB_CERT_ALGORITHM_GOST_R3411_WITH_R3410_1994 | id-GostR3411-94-with-GostR3410-94 | |
| SB_CERT_ALGORITHM_GOST_R3411_WITH_R3410_2001 | id-GostR3411-94-with-GostR3410-2001 | |
| SB_CERT_ALGORITHM_SHA1_ECDSA_PLAIN | ecdsa-plain-SHA1 | |
| SB_CERT_ALGORITHM_SHA224_ECDSA_PLAIN | ecdsa-plain-SHA224 | |
| SB_CERT_ALGORITHM_SHA256_ECDSA_PLAIN | ecdsa-plain-SHA256 | |
| SB_CERT_ALGORITHM_SHA384_ECDSA_PLAIN | ecdsa-plain-SHA384 | |
| SB_CERT_ALGORITHM_SHA512_ECDSA_PLAIN | ecdsa-plain-SHA512 | |
| SB_CERT_ALGORITHM_RIPEMD160_ECDSA_PLAIN | ecdsa-plain-RIPEMD160 | |
| SB_CERT_ALGORITHM_WHIRLPOOL_RSA_ENCRYPTION | whirlpoolWithRSAEncryption | |
| SB_CERT_ALGORITHM_ID_DSA_SHA224 | id-dsa-with-sha224 | |
| SB_CERT_ALGORITHM_ID_DSA_SHA256 | id-dsa-with-sha256 | |
| SB_CERT_ALGORITHM_SHA3_224_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-sha3-224 | |
| SB_CERT_ALGORITHM_SHA3_256_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-sha3-256 | |
| SB_CERT_ALGORITHM_SHA3_384_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-sha3-384 | |
| SB_CERT_ALGORITHM_SHA3_512_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-sha3-512 | |
| SB_CERT_ALGORITHM_SHA3_224_ECDSA | id-ecdsa-with-sha3-224 | |
| SB_CERT_ALGORITHM_SHA3_256_ECDSA | id-ecdsa-with-sha3-256 | |
| SB_CERT_ALGORITHM_SHA3_384_ECDSA | id-ecdsa-with-sha3-384 | |
| SB_CERT_ALGORITHM_SHA3_512_ECDSA | id-ecdsa-with-sha3-512 | |
| SB_CERT_ALGORITHM_SHA3_224_ECDSA_PLAIN | id-ecdsa-plain-with-sha3-224 | |
| SB_CERT_ALGORITHM_SHA3_256_ECDSA_PLAIN | id-ecdsa-plain-with-sha3-256 | |
| SB_CERT_ALGORITHM_SHA3_384_ECDSA_PLAIN | id-ecdsa-plain-with-sha3-384 | |
| SB_CERT_ALGORITHM_SHA3_512_ECDSA_PLAIN | id-ecdsa-plain-with-sha3-512 | |
| SB_CERT_ALGORITHM_ID_DSA_SHA3_224 | id-dsa-with-sha3-224 | |
| SB_CERT_ALGORITHM_ID_DSA_SHA3_256 | id-dsa-with-sha3-256 | |
| SB_CERT_ALGORITHM_BLAKE2S_128_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2s128 | |
| SB_CERT_ALGORITHM_BLAKE2S_160_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2s160 | |
| SB_CERT_ALGORITHM_BLAKE2S_224_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2s224 | |
| SB_CERT_ALGORITHM_BLAKE2S_256_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2s256 | |
| SB_CERT_ALGORITHM_BLAKE2B_160_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2b160 | |
| SB_CERT_ALGORITHM_BLAKE2B_256_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2b256 | |
| SB_CERT_ALGORITHM_BLAKE2B_384_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2b384 | |
| SB_CERT_ALGORITHM_BLAKE2B_512_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2b512 | |
| SB_CERT_ALGORITHM_BLAKE2S_128_ECDSA | id-ecdsa-with-blake2s128 | |
| SB_CERT_ALGORITHM_BLAKE2S_160_ECDSA | id-ecdsa-with-blake2s160 | |
| SB_CERT_ALGORITHM_BLAKE2S_224_ECDSA | id-ecdsa-with-blake2s224 | |
| SB_CERT_ALGORITHM_BLAKE2S_256_ECDSA | id-ecdsa-with-blake2s256 | |
| SB_CERT_ALGORITHM_BLAKE2B_160_ECDSA | id-ecdsa-with-blake2b160 | |
| SB_CERT_ALGORITHM_BLAKE2B_256_ECDSA | id-ecdsa-with-blake2b256 | |
| SB_CERT_ALGORITHM_BLAKE2B_384_ECDSA | id-ecdsa-with-blake2b384 | |
| SB_CERT_ALGORITHM_BLAKE2B_512_ECDSA | id-ecdsa-with-blake2b512 | |
| SB_CERT_ALGORITHM_BLAKE2S_128_ECDSA_PLAIN | id-ecdsa-plain-with-blake2s128 | |
| SB_CERT_ALGORITHM_BLAKE2S_160_ECDSA_PLAIN | id-ecdsa-plain-with-blake2s160 | |
| SB_CERT_ALGORITHM_BLAKE2S_224_ECDSA_PLAIN | id-ecdsa-plain-with-blake2s224 | |
| SB_CERT_ALGORITHM_BLAKE2S_256_ECDSA_PLAIN | id-ecdsa-plain-with-blake2s256 | |
| SB_CERT_ALGORITHM_BLAKE2B_160_ECDSA_PLAIN | id-ecdsa-plain-with-blake2b160 | |
| SB_CERT_ALGORITHM_BLAKE2B_256_ECDSA_PLAIN | id-ecdsa-plain-with-blake2b256 | |
| SB_CERT_ALGORITHM_BLAKE2B_384_ECDSA_PLAIN | id-ecdsa-plain-with-blake2b384 | |
| SB_CERT_ALGORITHM_BLAKE2B_512_ECDSA_PLAIN | id-ecdsa-plain-with-blake2b512 | |
| SB_CERT_ALGORITHM_ID_DSA_BLAKE2S_224 | id-dsa-with-blake2s224 | |
| SB_CERT_ALGORITHM_ID_DSA_BLAKE2S_256 | id-dsa-with-blake2s256 | |
| SB_CERT_ALGORITHM_EDDSA_ED25519 | id-Ed25519 | |
| SB_CERT_ALGORITHM_EDDSA_ED448 | id-Ed448 | |
| SB_CERT_ALGORITHM_EDDSA_ED25519_PH | id-Ed25519ph | |
| SB_CERT_ALGORITHM_EDDSA_ED448_PH | id-Ed448ph | |
| SB_CERT_ALGORITHM_EDDSA | id-EdDSA | |
| SB_CERT_ALGORITHM_EDDSA_SIGNATURE | id-EdDSA-sig |
KeyBits
int (read-only)
Default Value: 0
Returns the length of the public key.
KeyFingerprint
byte[] (read-only)
Default Value: ""
Returns a fingerprint of the public key contained in the certificate.
KeyUsage
int
Default Value: 0
Indicates the purposes of the key contained in the certificate, in the form of an OR'ed flag set.
This value is a bit mask of the following values:
| ckuUnknown | 0x00000 | Unknown key usage |
| ckuDigitalSignature | 0x00001 | Digital signature |
| ckuNonRepudiation | 0x00002 | Non-repudiation |
| ckuKeyEncipherment | 0x00004 | Key encipherment |
| ckuDataEncipherment | 0x00008 | Data encipherment |
| ckuKeyAgreement | 0x00010 | Key agreement |
| ckuKeyCertSign | 0x00020 | Certificate signing |
| ckuCRLSign | 0x00040 | Revocation signing |
| ckuEncipherOnly | 0x00080 | Encipher only |
| ckuDecipherOnly | 0x00100 | Decipher only |
| ckuServerAuthentication | 0x00200 | Server authentication |
| ckuClientAuthentication | 0x00400 | Client authentication |
| ckuCodeSigning | 0x00800 | Code signing |
| ckuEmailProtection | 0x01000 | Email protection |
| ckuTimeStamping | 0x02000 | Timestamping |
| ckuOCSPSigning | 0x04000 | OCSP signing |
| ckuSmartCardLogon | 0x08000 | Smartcard logon |
| ckuKeyPurposeClientAuth | 0x10000 | Kerberos - client authentication |
| ckuKeyPurposeKDC | 0x20000 | Kerberos - KDC |
KeyValid
bool (read-only)
Default Value: False
Returns True if the certificate's key is cryptographically valid, and False otherwise.
OCSPLocations
string
Default Value: ""
Locations of OCSP (Online Certificate Status Protocol) services that can be used to check this certificate's validity, as recorded by the CA.
OCSPNoCheck
bool
Default Value: False
Accessor to the value of the certificate's ocsp-no-check extension.
Origin
int (read-only)
Default Value: 0
Returns the origin of this certificate.
PolicyIDs
string
Default Value: ""
Contains identifiers (OIDs) of the applicable certificate policies.
The Certificate Policies extension identifies a sequence of policies under which the certificate has been issued, and which regulate its usage.
PrivateKeyBytes
byte[] (read-only)
Default Value: ""
Contains the certificate's private key. It is normal for this property to be empty if the private key is non-exportable.
PrivateKeyExists
bool (read-only)
Default Value: False
Indicates whether the certificate has an associated private key.
PrivateKeyExtractable
bool (read-only)
Default Value: False
Indicates whether the private key is extractable.
PublicKeyBytes
byte[] (read-only)
Default Value: ""
Contains the certificate's public key in DER format.
QualifiedStatements
QualifiedStatementsTypes
Default Value: 0
Returns the qualified status of the certificate.
SelfSigned
bool (read-only)
Default Value: False
Indicates whether the certificate is self-signed (root) or signed by an external CA.
SerialNumber
byte[]
Default Value: ""
Returns the certificate's serial number.
SigAlgorithm
string (read-only)
Default Value: ""
Indicates the algorithm that was used by the CA to sign this certificate.
Subject
string (read-only)
Default Value: ""
The common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name.
SubjectAlternativeName
string
Default Value: ""
Returns or sets the value of the Subject Alternative Name extension of the certificate.
SubjectKeyID
byte[]
Default Value: ""
Contains a unique identifier (fingerprint) of the certificate's private key.
Subject Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates containing a particular public key. In SecureBlackbox, the unique identifier is represented with a SHA1 hash of the bit string of the subject public key.
SubjectRDN
string
Default Value: ""
A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate holder (subject).
ValidFrom
string
Default Value: ""
The time point at which the certificate becomes valid, in UTC.
ValidTo
string
Default Value: ""
The time point at which the certificate expires, in UTC.
Constructors
public Certificate(byte[] bytes, int startIndex, int count, string password);
Public Certificate(ByVal Bytes As Byte(), ByVal StartIndex As Integer, ByVal Count As Integer, ByVal Password As String)
Loads the X.509 certificate from a memory buffer. Bytes is a buffer containing the raw certificate data. StartIndex and Count specify the starting position and number of bytes to be read from the buffer, respectively. Password is a password encrypting the certificate.
Loads the X.509 certificate from a memory buffer. CertBytes is a buffer containing the raw certificate data. CertStartIndex and CertCount specify the number of bytes to be read from the buffer, respectively. KeyBytes is a buffer containing the private key data. KeyStartIndex and KeyCount specify the starting position and number of bytes to be read from the buffer, respectively. Password is a password encrypting the certificate.
public Certificate(byte[] bytes, int startIndex, int count);
Public Certificate(ByVal Bytes As Byte(), ByVal StartIndex As Integer, ByVal Count As Integer)
Loads the X.509 certificate from a memory buffer. Bytes is a buffer containing the raw certificate data. StartIndex and Count specify the starting position and number of bytes to be read from the buffer, respectively.
public Certificate(string path, string password);
Public Certificate(ByVal Path As String, ByVal Password As String)
Loads the X.509 certificate from a file. Path specifies the full path to the file containing the certificate data. Password is a password encrypting the certificate.
public Certificate(string certPath, string keyPath, string password);
Public Certificate(ByVal CertPath As String, ByVal KeyPath As String, ByVal Password As String)
Loads the X.509 certificate from a file. CertPath specifies the full path to the file containing the certificate data. KeyPath specifies the full path to the file containing the private key. Password is a password encrypting the certificate.
public Certificate(string path);
Public Certificate(ByVal Path As String)
Loads the X.509 certificate from a file. Path specifies the full path to the file containing the certificate data.
public Certificate(System.IO.Stream stream);
Public Certificate(ByVal Stream As System.IO.Stream)
Loads the X.509 certificate from a stream. Stream is a stream containing the certificate data.
public Certificate(System.IO.Stream stream, string password);
Public Certificate(ByVal Stream As System.IO.Stream, ByVal Password As String)
Loads the X.509 certificate from a stream. Stream is a stream containing the certificate data. Password is a password encrypting the certificate.
public Certificate(System.IO.Stream certStream, System.IO.Stream keyStream, string password);
Public Certificate(ByVal CertStream As System.IO.Stream, ByVal KeyStream As System.IO.Stream, ByVal Password As String)
Loads the X.509 certificate from a stream. CertStream is a stream containing the certificate data. KeyStream is a stream containing the private key. Password is a password encrypting the certificate.
public Certificate();
Public Certificate()
Creates a new object with default field values.
XMLNamespace Type
Represents an XML namespace map for XPath expressions.
Remarks
This class defines the correspondence between Prefixes and namespace URIs.
Fields
Prefix
string
Default Value: ""
A user-defined prefix value of a namespace.
URI
string
Default Value: ""
A user-defined URI value of a namespace.
Constructors
public XMLNamespace();
Public XMLNamespace()
Creates a new XML namespace object.
Config Settings (XMLEncryptor Component)
The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.XMLEncryptor Config Settings
The empty elements in the custom XML content act as a placeholder for auto-generated elements.
For example to change the order of ds:KeyValue and ds:X509Data auto-generated elements use the value: "<X509Data/><KeyValue/>"
Supported values are:
| "" | an empty string indicates the Document element |
| "#id" | indicates an XML element with specified Id |
| XPath expression | indicates an XML element selected using XPath expression. Use XPathNamespaces property to specify Prefixes and NamespaceURIs
For example: "/root/data[1]" - indicates the second "data" element under the document element with a name "root" "//ns1:data" - indicates a data element. "ns1" prefix should be defined in XPathNamespaces property |
| Node name | indicates an XML element selected using its NodeName.
For example: "data" - indicates an XML element with node name "data". |
Default value is "xenc". In this case "xenc:" prefix will be used.
Special values:
| "#default" or "" | indicates that the prefix will be omitted. |
| "#auto" | indicates that the prefix will be auto-detected based on the parent nodes. |
The empty elements in the custom XML content act as a placeholder for auto-generated elements.
For example to change the order of ds:KeyValue and ds:X509Data auto-generated elements use the value: "<X509Data/><KeyValue/>"
Default value is "ds". In this case "ds:" prefix will be used.
Special values:
| "#default" or "" | indicates that the prefix will be omitted. |
| "#auto" | indicates that the prefix will be auto-detected based on the parent nodes. |
Supported values:
| "" or "none" | no formatting (by default). | |
| "auto" | enables auto-formatting, equivalent to: "indent: 1; indent-char: tab; base64-max-length: 64; starting-level: node" |
| indent | specifies indentation level (default is 1) | |
| indent-char | specifies indentation character: "space" or "tab" (default) | |
| base64-max-length | specifies max length of base64 encoded data, such as signature value, certificate data and etc. (default is 64) | |
| starting-level | specifies starting indentation level: non-negative integer or "node" - detected based on parent node, or "root" - detected based on number of parent nodes to a document element (default is "node"). | |
| indent-before-main | specifies if whitespace characters should be inserted before a main (ds:Signature) element: "auto" (default), "yes" or "no" |
Base Config Settings
You can switch this property off to improve performance if your project only uses known, good private keys.
Supported values are:
| off | No caching (default) | |
| local | Local caching | |
| global | Global caching |
This setting only applies to sessions negotiated with TLS version 1.3.
Supported values are:
| file | File | |
| console | Console | |
| systemlog | System Log (supported for Android only) | |
| debugger | Debugger (supported for VCL for Windows and .Net) |
Supported values are:
| time | Current time | |
| level | Level | |
| package | Package name | |
| module | Module name | |
| class | Class name | |
| method | Method name | |
| threadid | Thread Id | |
| contenttype | Content type | |
| content | Content | |
| all | All details |
Supported filter names are:
| exclude-package | Exclude a package specified in the value | |
| exclude-module | Exclude a module specified in the value | |
| exclude-class | Exclude a class specified in the value | |
| exclude-method | Exclude a method specified in the value | |
| include-package | Include a package specified in the value | |
| include-module | Include a module specified in the value | |
| include-class | Include a class specified in the value | |
| include-method | Include a method specified in the value |
| none | No flush (caching only) | |
| immediate | Immediate flush (real-time logging) | |
| maxcount | Flush cached entries upon reaching LogMaxEventCount entries in the cache. |
Supported values are:
| none | None (by default) | |
| fatal | Severe errors that cause premature termination. | |
| error | Other runtime errors or unexpected conditions. | |
| warning | Use of deprecated APIs, poor use of API, 'almost' errors, other runtime situations that are undesirable or unexpected, but not necessarily "wrong". | |
| info | Interesting runtime events (startup/shutdown). | |
| debug | Detailed information on flow of through the system. | |
| trace | More detailed information. |
The default value of this setting is 100.
| none | No rotation | |
| deleteolder | Delete older entries from the cache upon reaching LogMaxEventCount | |
| keepolder | Keep older entries in the cache upon reaching LogMaxEventCount (newer entries are discarded) |
Supported values are:
| none | No static DNS rules (default) | |
| local | Local static DNS rules | |
| global | Global static DNS rules |
This setting only applies to certificates originating from a Windows system store.
Trappable Errors (XMLEncryptor Component)
XMLEncryptor Errors
| 1048577 Invalid parameter value (SB_ERROR_INVALID_PARAMETER) | |
| 1048578 Component is configured incorrectly (SB_ERROR_INVALID_SETUP) | |
| 1048579 Operation cannot be executed in the current state (SB_ERROR_INVALID_STATE) | |
| 1048580 Attempt to set an invalid value to a property (SB_ERROR_INVALID_VALUE) | |
| 1048581 Certificate does not have its private key loaded (SB_ERROR_NO_PRIVATE_KEY) | |
| 1048581 Cancelled by the user (SB_ERROR_CANCELLED_BY_USER) | |
| 39845889 Input file does not exist (SB_ERROR_XML_INPUTFILE_NOT_EXISTS) | |
| 39845890 Data file does not exist (SB_ERROR_XML_DATAFILE_NOT_EXISTS) | |
| 39845891 Unsupported signature method type (SB_ERROR_XML_UNSUPPORTED_SIGNATURE_METHOD_TYPE) | |
| 39845892 Unsupported has algorithm (SB_ERROR_XML_UNSUPPORTED_HASH_ALGORITHM) | |
| 39845893 Unsupported key type (SB_ERROR_XML_UNSUPPORTED_KEY_TYPE) | |
| 39845894 Invalid key type (SB_ERROR_XML_INVALID_KEY_TYPE) | |
| 39845895 Invalid encryption method (SB_ERROR_XML_INVALID_ENCRYPTION_METHOD) | |
| 39845896 Not found (SB_ERROR_XML_NOT_FOUND) | |
| 39845897 No element ID (SB_ERROR_XML_NO_ELEMENT_ID) |