Tuesday, December 04, 2007

MTOM attachments and SOAP message encryption

If we are to guarantee the confidentiality of a SOAP message we have to encrypt it. For example, a SOAP body may carry information that is only for authorized parties.
But what about MTOM attachments? Is it not possible to encrypt them? Do we have to send them as they are?
The answer is NO. We must encrypt the attachment as well. For example, such attachments might carry a confidential image or a secret key in binary format.
The problem came from the way AXIOM handled attachments. In order to encrypt a particular node, the first step is to serialize it. But when the serialization happens, the attachment is ignored, so confidentiality is not applied to the attachment.
The solution is to get the attachment as a base64 encoded string and then encrypt the whole content. This is now possible with the newly introduced axiom_node_to_string_non_optimized() function, which returns the non-optimized serialization of the node, with the MTOM attachment inlined as a base64 encoded string. So whenever XML encryption is used in OMXMLSec, this function must be used to serialize the XML data.

The following code segment shows how this is done:

axis2_char_t *serialized_data = NULL;
oxs_buffer_t *serialized_buf = NULL;
axis2_status_t ret = AXIS2_FAILURE;

...
/* Serialize the node in non-optimized form: the MTOM attachment is
 * inlined as base64 text instead of being left out as an xop reference */
serialized_data = axiom_node_to_string_non_optimized(node, env);
if (!serialized_data)
{
    return AXIS2_FAILURE;
}

/* Copy the serialized XML into an OMXMLSec buffer */
serialized_buf = oxs_buffer_create(env);
ret = oxs_buffer_populate(serialized_buf, env, (unsigned char *)serialized_data, axutil_strlen(serialized_data));
if (ret != AXIS2_SUCCESS)
{
    return AXIS2_FAILURE;
}

/* Encrypt the buffer; the attachment is now part of the plaintext */
ret = oxs_xml_enc_encrypt_data(env, enc_ctx, serialized_buf, enc_type_node);
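To make the difference between the two serializations concrete, here is an added Python model (not Axiom or OMXMLSec code) of what axiom_node_to_string_non_optimized() changes: the optimized form keeps the xop:Include reference, so the bytes handed to the encryptor never contain the attachment, while the non-optimized form inlines the attachment as base64 so it is covered by the encryption. The message, Content-ID and attachment bytes are constructed sample values.

```python
import base64

XOP_NS = "http://www.w3.org/2004/08/xop/include"

# Constructed sample message: the <image> element is MTOM-optimized, so its
# binary content lives in a separate MIME part referenced by Content-ID.
ATTACHMENTS = {"image123@example.org": b"\x89PNG\r\n\x1a\nSECRET-PIXELS"}
OPTIMIZED_BODY = (
    f'<image xmlns:xop="{XOP_NS}">'
    '<xop:Include href="cid:image123@example.org"/></image>'
)


def serialize_optimized(body):
    """Default serialization: the xop:Include reference is kept and the
    attachment bytes are not part of the XML text at all."""
    return body


def serialize_non_optimized(body, attachments):
    """Models axiom_node_to_string_non_optimized(): each xop:Include is
    replaced by the base64 text of the attachment it references."""
    out = body
    for cid, data in attachments.items():
        ref = f'<xop:Include href="cid:{cid}"/>'
        out = out.replace(ref, base64.b64encode(data).decode("ascii"))
    return out


def encrypted_input_covers_attachment(serialized, data):
    """True if the plaintext handed to the encryptor (the equivalent of the
    buffer passed to oxs_xml_enc_encrypt_data) contains the attachment, so
    the attachment ends up inside the ciphertext instead of in the clear."""
    return base64.b64encode(data).decode("ascii") in serialized


if __name__ == "__main__":
    data = ATTACHMENTS["image123@example.org"]
    opt = serialize_optimized(OPTIMIZED_BODY)
    non_opt = serialize_non_optimized(OPTIMIZED_BODY, ATTACHMENTS)
    print("optimized covers attachment:", encrypted_input_covers_attachment(opt, data))
    print("non-optimized covers attachment:", encrypted_input_covers_attachment(non_opt, data))
```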
