Re: [basex-talk] XML in HTTP request body

2019-06-03 Thread Jerome Chauveau
Hi Michael, 

It seems to work ... perfectly ! 

Thank you so much for that clear and quick answer :-) 

Jérôme 





From: "Michael Seiferle"
To: "jerome chauveau"
Cc: "basex-talk"
Sent: Monday, 3 June 2019 16:39:07
Subject: Re: [basex-talk] XML in HTTP request body

Hi Jerome, 


If I understand correctly, you want to create a hash value for the string 
serialization of the document you sent to restxq right? 

Currently inside RESTXQ your document is treated as an XML Document, hence: 

$body will be of type document-node(): 




 
Hello 
World 
 




whereas crypto:hmac requires a string-type $message:

> crypto:hmac ($message as xs:string,

Hence your $body will be converted like so:

> string(
>
> Hello
> World
>
> )

Turning it into:

> „HelloWorld“


In order to actually compute a hash on the bytes your document contains, do as 
follows: 

Working example here: https://git.basex.io/snippets/63


Treat your document as binary:

> %rest:consumes("application/octet-stream")

And then decode that binary to a string and then compute the hash for the
string, using: bin:decode-string#2:

> let $str-doc := bin:decode-string($body,'utf-8') (: xs:string :)
> let $sig-cand := crypto:hmac($str-doc,$secret,'sha1','base64')


Hope this helps :-) 

Michael 


> On 03.06.2019 at 12:17, Jerome Chauveau <jerome.chauv...@unicaen.fr> wrote:
>
> Hi,
>
> I am trying to check XML content (HTTP posted) with an hmac function in a
> RESTXQ webapp.
>
> My Java client sends an HTTP post request where XML data looks like :
>
> doehttp://www.tei-c.org/ns/1.0"
> xml:id="idtest"
> >TestXXXBurgunvilla
>
> This content is HMAC encrypted and the signature is added to the HTTP header :
>
> [...]
> String secret = "1234";
> StringEntity entity = new StringEntity(xml, ContentType.create("text/xml",
> Consts.UTF_8));
> String signature = HTTPUtils.hmacSHA1(xml, secret);
> httppost.setHeader("Authorization", signature);
> httppost.setEntity(entity);
> [...]
>
>
> Here is my RESTXQ function :
>
> declare
> %rest:POST("{$body}")
> %rest:consumes("application/xml", "text/xml")
> %rest:header-param("Authorization", "{$signature}", "none")
> %rest:path("/sf/testpost")
> function sf.test:testPost($signature,$body){
>   let $secret := 1234
>   return crypto:hmac($body,$secret,'sha1','base64') = $signature
> };
>
> Equality check always fails with such an XML sequence but works fine when XML
> does not contain any carriage return :
> doeThis is a
> test
>
> It seems to come when "The body of a POST or PUT request is converted to an
> XQuery item".
>
> I tried to set serializer's options without any success !
>
> How could I retrieve xml (in $body) exactly serialized as sent by the client ?
>
> Tests are running on BaseX922.
> Thank you for your time.
>
> Jérôme





Re: [basex-talk] XML in HTTP request body

2019-06-03 Thread Michael Seiferle
Hi Jerome, 


If I understand correctly, you want to create a hash value for the string 
serialization of the document you sent to restxq right?

Currently inside RESTXQ your document is treated as an XML Document, hence: 

$body will be of type document-node(): 
> 
>   
> Hello
> World
>   
> 

whereas crypto:hmac requires a string-type $message:
> crypto:hmac($message as xs:string, 
Hence your $body will be converted like so: 
> string(
>   
> Hello
> World
>   
> )


Turning it into: 
> „HelloWorld“


In order to actually compute a hash on the bytes your document contains, do as 
follows:

Working example here: https://git.basex.io/snippets/63


Treat your document as binary:
> %rest:consumes("application/octet-stream")
And then decode that binary to a string and then compute the hash for the 
string, using: bin:decode-string#2:

>   let $str-doc  := bin:decode-string($body,'utf-8') (: xs:string :)
>   let $sig-cand := crypto:hmac($str-doc,$secret,'sha1','base64')


Hope this helps :-)

Michael

> On 03.06.2019 at 12:17, Jerome Chauveau wrote:
> 
> Hi,
> 
> I am trying to check XML content (HTTP posted) with an hmac function in a 
> RESTXQ webapp.
> 
> My Java client sends an HTTP post request where XML data looks like :
> 
> doe xsi:schemaLocation="http://www.tei-c.org/ns/1.0";
> xml:id="idtest"
> > > > > >Test > xml:id="authortest"
> >XXX > > > > > > xml:space="preserve"
> > > type="lieu"
> > xml:lang="la"
> >Burgunvilla > > > > > >
> 
> This content is HMAC encrypted and the signature is added to the HTTP header :
> 
> [...]
> String secret = "1234";
> StringEntity entity = new StringEntity(xml, ContentType.create("text/xml", 
> Consts.UTF_8));
> String signature = HTTPUtils.hmacSHA1(xml, secret);
> httppost.setHeader("Authorization", signature);
> httppost.setEntity(entity);
> [...]
> 
> 
> Here is my RESTXQ function :
> 
> declare
> %rest:POST("{$body}")
> %rest:consumes("application/xml", "text/xml")
> %rest:header-param("Authorization", "{$signature}", "none")
> %rest:path("/sf/testpost")
> function sf.test:testPost($signature,$body){
>   let $secret := 1234
>   return crypto:hmac($body,$secret,'sha1','base64') = $signature
> };
> 
> Equality check always fails with such an XML sequence but works fine when XML 
> does not contain any carriage return :
> doeThis is a 
> test
> 
> It seems to come when "The body of a POST or PUT request is converted to an 
> XQuery item".
> 
> I tried to set serializer's options without any success !
> 
> How could I retrieve xml (in $body) exactly serialized as sent by the client ?
> 
> Tests are running on BaseX922.
> Thank you for your time.
> 
> Jérôme
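
Added example (not part of the thread and not the code behind the linked snippet): a Python sketch of why the check has to run over the body bytes exactly as received, as the reply above recommends. The sample bodies are constructed, and dropping whitespace-only text nodes in string_value() is an assumption made so that the result matches the „HelloWorld“ shown in the reply.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SECRET = b"1234"  # demo secret from the thread; load a real key from config


def sign(data: bytes, key: bytes = SECRET) -> str:
    """HMAC-SHA1 over raw bytes, Base64-encoded ('sha1', 'base64' in the thread)."""
    return base64.b64encode(hmac.new(key, data, hashlib.sha1).digest()).decode("ascii")


def string_value(raw: bytes) -> bytes:
    """String value of the parsed document: text nodes only, markup is gone.
    Assumption of this sketch: whitespace-only text nodes are dropped."""
    texts = ET.fromstring(raw).itertext()
    return "".join(t for t in texts if t.strip()).encode("utf-8")


def verify_raw(raw: bytes, signature: str) -> bool:
    """Correct check: HMAC over the exact bytes received, constant-time compare."""
    return hmac.compare_digest(sign(raw).encode(), signature.encode())


def verify_string_value(raw: bytes, signature: str) -> bool:
    """Failing check: HMAC over the string value of the parsed body."""
    return hmac.compare_digest(sign(string_value(raw)).encode(), signature.encode())


# Constructed sample bodies (not taken from the thread).
SENT = b'<doc xml:id="idtest">\n  <a>Hello</a>\n  <b>World</b>\n</doc>'
ALTERED = b'<doc xml:id="other"><a>Hello</a><b>World</b></doc>'

if __name__ == "__main__":
    sig = sign(SENT)  # what the client puts in the Authorization header
    print("raw bytes verify:     ", verify_raw(SENT, sig))
    print("string value verifies:", verify_string_value(SENT, sig))
    print("altered body rejected:", not verify_raw(ALTERED, sig))
    # Both bodies collapse to the same string value, so an HMAC over it
    # would not cover element names or attributes at all.
    print("same string value:    ", string_value(SENT) == string_value(ALTERED))
```

Verifying over the raw bytes also means the signature covers element names and attributes, which a hash of the string value would not.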



[basex-talk] XML in HTTP request body

2019-06-03 Thread Jerome Chauveau
Hi, 

I am trying to check XML content (HTTP posted) with an hmac function in a 
RESTXQ webapp. 

My Java client sends an HTTP post request where XML data looks like : 

doehttp://www.tei-c.org/ns/1.0"; 
xml:id="idtest" 
>TestXXXBurgunvilla 

This content is HMAC encrypted and the signature is added to the HTTP header : 

[...] 
String secret = "1234"; 
StringEntity entity = new StringEntity(xml, ContentType.create("text/xml", 
Consts.UTF_8)); 
String signature = HTTPUtils.hmacSHA1(xml, secret); 
httppost.setHeader("Authorization", signature); 
httppost.setEntity(entity); 
[...] 


Here is my RESTXQ function : 

declare 
%rest:POST("{$body}") 
%rest:consumes("application/xml", "text/xml") 
%rest:header-param("Authorization", "{$signature}", "none") 
%rest:path("/sf/testpost") 
function sf.test:testPost($signature,$body){
  let $secret := 1234
  return crypto:hmac($body,$secret,'sha1','base64') = $signature
};

Equality check always fails with such an XML sequence but works fine when XML 
does not contain any carriage return : 
doeThis is a 
test 

It seems to come when "The body of a POST or PUT request is converted to an 
XQuery item". 

I tried to set serializer's options without any success ! 

How could I retrieve xml (in $body) exactly serialized as sent by the client ? 

Tests are running on BaseX922. 
Thank you for your time. 

Jérôme