EXPath

Cryptographic Module 1.1

EXPath Candidate Module 15 August 2012

This version:
http://expath.org/spec/crypto/20120815
Latest version:
http://expath.org/spec/crypto
Editor:
Claudius Teodorescu, XML Consultant
Contributor:
Joe Wicentowski, U.S. Department Of State, Historian Office

This document is also available in these non-normative formats: XML.


Abstract

This proposal defines a module for providing cryptographic services, which consists of a set of XPath 2.0 extension functions related to XML Digital Signature, encryption and decryption, and checking of integrity and authentication of data. It has been designed to be compatible with XQuery 1.0 and XSLT 2.0, as well as any other standard based on XPath 2.0.

Table of Contents

1 Introduction
1.1 Namespace conventions
1.2 Error management
2 Cryptographic Service Providers
2.1 The crypto:list-providers function
2.1.1 The crypto:providers-list element
2.1.2 The crypto:provider element
2.2 The crypto:list-services function
2.2.1 The crypto:services-list element
2.2.2 The crypto:service element
3 Integrity and Authentication of Data
3.1 The crypto:hash function
3.2 The crypto:hmac function
4 Key Management
4.1 The crypto:generate-key-pair function
4.2 The crypto:generate-secret-key function
4.3 The crypto:compare-keys function
4.4 The crypto:key-agrement function
4.5 The crypto:convert-key-specification-to-key-object, crypto:convert-key-object-to-key-specification function
5 Digital Signature
5.1 The crypto:generate-signature function
5.2 The crypto:validate-signature function
6 Encryption and Decryption
6.1 The crypto:encrypt function
6.2 The crypto:decrypt function
7 Secure Storing of Sensitive Keying and Data Material
7.1 The crypto:create-secure-store function
7.2 The crypto:load-secure-store function
7.3 The crypto:convert-secure-store function
7.4 The crypto:get-secure-store-metadata function
7.4.1 The crypto:metadata element
7.5 The crypto:add-entry function
7.6 The crypto:get-entry function
7.7 The crypto:delete-entry function
7.8 The crypto:get-entry-metadata function
7.8.1 The crypto:metadata element
7.9 The crypto:list-trusted-certificate-authorities function
8 Digital Certificates
8.1 The crypto:generate-certificate function
8.2 The crypto:validate-certificate function
8.3 The crypto:parse-certificate function
8.4 The crypto:generate-certification-path function
8.5 The crypto:validate-certification-path function
8.6 The crypto:generate-certification-request function
8.7 The crypto:validate-certification-request function
8.8 The crypto:validate-certificate-revocation-list function
9 Cryptographic Hardware
10 Random Sequences Generation
10.1 The crypto:generate-random-number function
11 The crypto:options element
11.1 The provider option
11.2 The canonicalization-algorithm option
11.3 The digest-algorithm option
11.4 The signature-algorithm option
11.5 The signature-namespace-prefix option

Appendices

A References
B Summary of Error Conditions


1 Introduction

Cryptography is the science of communicating in secret code, by conversion of data with the help of a key. In modern times, cryptography is necessary when communicating over any untrusted medium, particularly the Internet.

Encryption of data can be of two types: symmetric and asymmetric. Symmetric encryption means that the same key is used for encryption and decryption. Asymmetric encryption means that a message can be encrypted by using a key that is public, but the decryption can be made only by using a private key, which form a pair with the respective public key.

A related technique of cryptography is to apply a one-way hash or digest function to data; replicating the operation with the same data and function can check the integrity and authentication of the data.

1.1 Namespace conventions

The module defined by this document defines functions and elements in the namespace http://expath.org/ns/crypto. In this document, the crypto prefix, when used, is bound to this namespace URI.

Error codes are defined in the namespace http://expath.org/ns/error. In this document, the err prefix, when used, is bound to this namespace URI.

1.2 Error management

Error conditions are identified by a code (a QName). When such an error condition is reached during the execution of the function, a dynamic error is thrown, with the corresponding error code (as if the standard XPath function error had been called).

2 Cryptographic Service Providers

Cryptographic providers provide cryptographic services, involving cryptographic operations (encryption, digital signatures, message digests, message authentication), generators and converters of cryptographic material and cryptographic objects (keystores or certificates) containing the cryptographic data. They can be implemented using software, hardware, or both.

Cryptographic services described by this specification
Cryptographic Service QName Cryptographic Service Description
crypto:hash See 3.1 The crypto:hash function.
crypto:hmac See 3.2 The crypto:hmac function.

2.1 The crypto:list-providers function

This function lists the available cryptographic providers.

crypto:list-providers() as element(crypto:provider-list)

2.1.1 The crypto:providers-list element

The crypto:providers-list element represents the list of the available cryptographic providers:

<crypto:providers-list>
    (crypto:provider*)
</crypto:providers-list>
    

2.1.2 The crypto:provider element

The crypto:provider element contains the name of an available cryptographic provider:

<crypto:provider name = xs:string
    version = xs:string>
</crypto:provider>
                

2.2 The crypto:list-services function

This function lists the cryptographic services a provider provides.

crypto:list-services($provider-name as xs:string) as element(crypto:service-list)
  • $provider-name is the provider's name. TBD: case when provider is not registered, etc.

2.2.1 The crypto:services-list element

The crypto:services-list element represents the list of the available cryptographic services for a provider:

<crypto:services-list>
    (crypto:service*)
</crypto:services-list>
    

2.2.2 The crypto:service element

The crypto:service element contains details about an available cryptographic service:

<crypto:service qname = xsd:QName
    algorithm? = xs:string
    type? = xs:string
    format? = xs:string?/>
                

3 Integrity and Authentication of Data

3.1 The crypto:hash function

This function generates a "message digest" of the input data, by using a cryptographic algorithm. It returns the hash value as a string.

crypto:hash($data as xs:anyAtomicType,
            $hashing-algorithm as xs:string) as xs:string
crypto:hash($data as xs:anyAtomicType,
            $hashing-algorithm as xs:string,
            $format as xs:string?) as xs:string
  • $data is the data to be hashed. This parameter can be of type xs:string, xs:base64Binary, or xs:hexBinary.

  • $algorithm is the cryptographic hashing algorithm. If it is specified an unsupported algorithm, this is an error [err:CX21].

  • $format is the format of the output. The legal values are "hex" and "base64". The default value is "base64". If the format is not supprted, this is an error [err:CX24].

3.2 The crypto:hmac function

HMAC (Keyed-Hashing for Message Authentication) is a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g. MD5 or SHA-1, in combination with a secret shared key. Typically, message authentication codes are used between two parties that share a secret key in order to validate information transmitted between these parties.

This function generates a message authentication code, based on the input message, by using a cryptographic algorithm and a secret key. It returns the hash-based message authentication code as base64 string.

crypto:hmac($data as xs:anyAtomicType,
            $secret-key as xs:anyAtomicType,
            $hashing-algorithm as xs:string) as xs:string
crypto:hmac($data as xs:anyAtomicType,
            $secret-key as xs:anyAtomicType,
            $hashing-algorithm as xs:string,
            $format as xs:string) as xs:string
  • $data is the data to be authenticated. This parameter can be of type xs:string, xs:base64Binary, or xs:hexBinary.

  • $secret-key is the secret key used for calculating the authentication code. This parameter can be of type xs:string, xs:base64Binary, or xs:hexBinary.

  • $algorithm is the cryptographic hashing algorithm. If it is specified an unsupported algorithm, this is an error [err:CX21].

  • $format is the format of the output. The legal values are "hex" and "base64". The default value is "base64". If the format is not supprted, this is an error [err:CX24].

4 Key Management

TBD.

4.1 The crypto:generate-key-pair function

This function generates a new pair of public and private cryptographic keys, to be used with a specific cryptographic algorithm.

4.2 The crypto:generate-secret-key function

This function generates a new secret key, to be used with a specific cryptographic algorithm.

4.3 The crypto:compare-keys function

4.4 The crypto:key-agrement function

4.5 The crypto:convert-key-specification-to-key-object, crypto:convert-key-object-to-key-specification function

5 Digital Signature

The XML Signature is a method of associating a key with referenced data (octets); it does not normatively specify how keys are associated with persons or institutions, nor the meaning of the data being referenced and signed. XML Signatures are applied to arbitrary digital content (data objects) via an indirection. Data objects are digested, the resulting value is placed in an element (with other information) and that element is then digested and cryptographically signed.

5.1 The crypto:generate-signature function

This function has four signatures, as one have to consider that some applications require the ability to specify a subset of a given XML document as the information content to be signed (this is done by using XPath to indicate the subset), and also the ability to use a digital certificate to obtain the key pair, instead of an auto-generated key pair.

The first signature considers the case of auto-generated key pair, and signature for the whole document.

The second signature considers the case of auto-generated key pair, and signature for a subset of the document.

The third signature considers the case of key pair generated from an digital certificate, and signature for the whole document.

The fourth signature considers the case of key pair generated from an digital certificate, and signature for a subset of the document.

crypto:generate-signature($data as node(),
    $canonicalization-algorithm as xs:string,
    $digest-algorithm as xs:string,
    $signature-algorithm as xs:string,
    $signature-namespace-prefix as xs:string,
    $signature-type as xs:string) as node()

crypto:generate-signature($data as node(),
    $canonicalization-algorithm as xs:string,
    $digest-algorithm as xs:string,
    $signature-algorithm as xs:string,
    $signature-namespace-prefix as xs:string,
    $signature-type as xs:string,
    $xpath-expression as xs:string) as node()

crypto:generate-signature($data as node(),
    $canonicalization-algorithm as xs:string,
    $digest-algorithm as xs:string,
    $signature-algorithm as xs:string,
    $signature-namespace-prefix as xs:string,
    $signature-type as xs:string,
    $digital-certificate as node()) as node()

crypto:generate-signature($data as node(),
    $canonicalization-algorithm as xs:string,
    $digest-algorithm as xs:string,
    $signature-algorithm as xs:string,
    $signature-namespace-prefix as xs:string,
    $signature-type as xs:string,
    $xpath-expression as xs:string,
    $digital-certificate as node()) as node()            
  • $data is the data to be signed.

  • $canonicalization-algorithm is the canonicalization algorithm applied to the SignedInfo element prior to performing signature calculations. Possible values are: "exclusive", "exclusive-with-comments", "inclusive", and "inclusive-with-comments". The default value is "inclusive-with-comments". If the parameter specifies an unsupported algorithm, this is an error [err:CX01].

  • $digest-algorithm is the digest algorithm to be applied to the signed object. Possible values are: "SHA1", "SHA256", and "SHA512". The default value is "SHA1". If the parameter specifies an unsupported algorithm, this is an error [err:CX02].

  • $signature-algorithm is the algorithm used for signature generation and validation. Possible values are: "DSA_SHA1", and "RSA_SHA1". The default value is "RSA_SHA1". If the parameter specifies an unsupported algorithm, this is an error [err:CX03].

  • $signature-namespace-prefix is the namespace prefix for signature.

  • $signature-type is the method used for signing the content of signature. Possible values are: 'enveloping', 'enveloped', and 'detached'. The default value is 'enveloped'.

  • $xpath-expression is the XPath expression used for selecting the subset to be signed. If the XPath expression is invalid, this is an error [err:CX04].

  • $digital-certificate is the digital certificate to be used for signing the input document or document subset. The structure of this parameter is as follows (this is an example):

    <digital-certificate>
       <keystore-type>JKS</keystore-type>
       <keystore-password>ab987c</keystore-password>
       <key-alias>eXist</key-alias>
       <private-key-password>kpi135</private-key-password>
       <keystore-uri>/db/mykeystoreEXist</keystore-uri>
    </digital-certificate>

    The following errors can be raised relative to the structure and content of $digital-certificate parameter: [err:CX05], [err:CX07], [err:CX08], [err:CX09], [err:CX10], [err:CX11], and [err:CX12].

5.2 The crypto:validate-signature function

This function validates an XML Digital Signature.

crypto:validate-signature($data as node()) as xs:boolean
  • $data is the enveloped, enveloping, or detached signature. If the Signature element cannot be found, this is an error [err:CX15].

6 Encryption and Decryption

Encryption represents the process of conversion of data, by using a secret key (a cipher), in a form (called cipher text) that cannot be understood by unautorized persons.

The decryption represents the reverse process, of converting encrypted data back to plain text (original text).

There are two main types of encryption: symmetric encryption, when both parties, the sender and the receiver, use the same secret key, previously exchanged, and asymmetric encryption, when a key pair, consisting of a private key and a private key, is used, of which the public key is used by sender to encrypt a message that can only be decrypted by the receiver, who holds the private key of that key pair.

6.1 The crypto:encrypt function

This function encrypts data.

crypto:encrypt($data as xs:anyAtomicType,
               $encryption-type as xs:string,
               $secret-key as xs:anyAtomicType,
               $cryptographic-algorithm as xs:string,
               $vi as xs:string?,
               $provider as xs:string?) as xs:anyAtomicType
  • $data is the data to be encrypted. This parameter can be of type xs:string, xs:base64Binary, or xs:hexBinary. When a particular padding mechanism is requested, but is not available, this is an error [err:CX16]. Also, when a particular padding mechanism is expected, but the data is not padded properly, this is an error [err:CX17].

  • $encryption-type is the type of encryption. Legal values: "symmetric", and "asymmetric". If the parameter has an illegal value, this is an error [err:CX18].

  • $secret-key is the secret key used for encryption. This parameter can be of type xs:string, xs:base64Binary, or xs:hexBinary. If the key is invalid, this is an error [err:CX19]. If the length of data provided to the block cipher is incorrect, this is an error [err:CX20].

  • $cryptographic-algorithm is the cryptographic algorithm used for encryption. For symmetric encryption, a transformation name can be used. If the parameter specifies an unsupported algorithm or transformation name, this is an error [err:CX21].

  • $iv is the initialization vector for symmetric encryption.

  • $provider is the cryptographic provider for the current operation. If the provider is not specified, the implementation will use the default provider. If the provider does not exist, this is an error [err:CX23].

6.2 The crypto:decrypt function

This function decrypts data.

crypto:decrypt($data as xs:anyAtomicType,
               $decryption-type as xs:string,
               $secret-key as xs:anyAtomicType,
               $cryptographic-algorithm as xs:string,
               $vi as xs:string?,
               $provider as xs:string?) as xs:anyAtomicType
  • $data is the data to be decrypted. This parameter can be of type xs:string, xs:base64Binary, or xs:hexBinary. When a particular padding mechanism is requested, but is not available, this is an error [err:CX16]. Also, when a particular padding mechanism is expected, but the data is not padded properly, this is an error [err:CX17].

  • $decryption-type is the type of decryption. Legal values: "symmetric", and "asymmetric". If the parameter has an illegal value, this is an error [err:CX22].

  • $secret-key is the secret key used for decryption. This parameter can be of type xs:string, xs:base64Binary, or xs:hexBinary. If the key is invalid, this is an error [err:CX19]. If the length of data provided to the block cipher is incorrect, this is an error [err:CX20].

  • $cryptographic-algorithm is the cryptographic algorithm used for decryption. For symmetric decryption, a transformation name can be used. If the parameter specifies an unsupported algorithm or transformation name, this is an error [err:CX21].

  • $iv is the initialization vector for symmetric encryption.

  • $provider is the cryptographic provider for the current operation. If the provider is not specified, the implementation will use the default provider. If the provider does not exist, this is an error [err:CX23].

7 Secure Storing of Sensitive Keying and Data Material

A secure storage is a collection of CRLs, cryptographic keys, cryptographic certificates, cryptographic certificate chains, various secrets, and extensions. It may have different implementation, according to different cryptographic providers. Every entry has a unique alias name and can be protected by its own password.

7.1 The crypto:create-secure-store function

This function creates a secure store. It returns the store as xs:base64binary if successfully completed, empty sequence if not.

crypto:create-secure-store($store-format as xs:string,
               $store-password as xs:string) as xs:base64binary
  • $store-format is the format of the secure store.

  • $store-password is the password for the secure store.

7.2 The crypto:load-secure-store function

This function loads a secure store in order to operate against it. It returns an xs:long representing the secure store handle.

crypto:load-secure-store($secure-store as xs:base64binary,
               $store-password as xs:string) as xs:long
  • $secure-store is the secure store.

  • $store-password is the password for the secure store.

7.3 The crypto:convert-secure-store function

This function converts a secure store from one format to another. It returns the converted store as xs:base64binary if successfully completed, empty sequence if not.

crypto:convert-secure-store($input-store as xs:base64binary,
               $input-format as xs:string,
               $output-format as xs:string) as xs:base64binary
  • $input-store is the secure store to be converted.

  • $input-format is the format of the input secure store.

  • $output-format is the format of the output secure store.

7.4 The crypto:get-secure-store-metadata function

This function gets metadata for a secure store. It returns a crypto:metadata element.

crypto:get-secure-store-metadata($secure-store-handle as xs:long) as element(crypto:metadata)
  • $secure-store-handle is the secure store handle.

7.4.1 The crypto:metadata element

The crypto:metadata element contains metadata about a resource.

<crypto:metadata>
    <crypto:secure-store-type>xs:string</crypto:secure-store-type>
    <crypto:provider>xs:string</crypto:provider>
    <crypto:aliases-list>xs:string</crypto:aliases-list>
    <crypto:size>xs:integer</crypto:size>
</crypto:metadata>
    
  • secure-store-type is the type of the secure store.

  • provider is the provider that generated the secure store.

  • aliases-list is the list of all the aliases in the secure store.

  • size is the number of entries in the secure store.

7.5 The crypto:add-entry function

This function adds an entry to a secure store. It returns true if successfully completed, false if not.

crypto:add-entry($secure-store-handle as xs:long,
               $data as xs:base64binary,
               $alias as xs:string,
               $entry-password as xs:string?) as xs:boolean
  • $secure-store-handle is the secure store handle.

  • $data is the data to be stored.

  • $alias is the alias for the data to be stored.

  • $entry-password is the password for the entry.

7.6 The crypto:get-entry function

This function gets an entry from a secure store. It returns the entry.

crypto:get-entry($secure-store-handle as xs:long,
               $alias as xs:string,
               $entry-password as xs:string?) as xs:base64binary
  • $secure-store-handle is the secure store handle.

  • $alias is the alias for the data to be stored.

  • $entry-password is the password for the entry.

7.7 The crypto:delete-entry function

This function delets an entry from a secure store. It returns true if successfully completed, false if not.

crypto:delete-entry($secure-store-handle as xs:long,
               $alias as xs:string,
               $entry-password as xs:string?) as xs:boolean
  • $secure-store-handle is the secure store handle.

  • $alias is the alias for the data to be stored.

  • $entry-password is the password for the entry.

7.8 The crypto:get-entry-metadata function

This function gets metadata for a secure store entry. It returns a crypto:metadata element if entry exists, empty sequence if the entry does not exist.

crypto:get-entry-metadata($secure-store-handle as xs:long,
               $alias as xs:string) as element(crypto:metadata)?
  • $secure-store-handle is the secure store handle.

  • $alias is the alias for the data to be stored.

7.8.1 The crypto:metadata element

The crypto:metadata element contains metadata about a resource.

<crypto:metadata>
    <crypto:creation-date>xs:dateTime</crypto:creation-date>
    <crypto:type>("certificate" | "key" | "other")</crypto:provider>
</crypto:metadata>
    
  • creation-date is the entry's creation date.

  • type is the entry's type.

7.9 The crypto:list-trusted-certificate-authorities function

This function lists the most-trusted certificate authorities in a secure store.

8 Digital Certificates

TBD.

8.1 The crypto:generate-certificate function

This function generates a digital certificate.

8.2 The crypto:validate-certificate function

This function validates a digital certificate.

8.3 The crypto:parse-certificate function

This function parses a digital certificate.

8.4 The crypto:generate-certification-path function

This function validates the certification path for a digital certificate.

8.5 The crypto:validate-certification-path function

This function validates the certification path for a digital certificate.

8.6 The crypto:generate-certification-request function

This function generates a certificate signing request, in order to apply for a digital identity certificate, which is to be issued by a Certificate Authority .

8.7 The crypto:validate-certification-request function

This function validates a certificate signing request.

8.8 The crypto:validate-certificate-revocation-list function

This function validates a certificate revocation list.

9 Cryptographic Hardware

TBD.

10 Random Sequences Generation

TBD.

10.1 The crypto:generate-random-number function

This function generates a random number that is cryptographically strong.

11 The crypto:options element

The crypto:options element represents the options needed for the functions included in this module. Users will specify for a certain functions only the options mentioned in function's description above. In case a needed option is not mentioned for a function, its default value will be used.

<crypto:options>
    <crypto:option name = xs:string value? = xs:string>
        any*
    </crypto:option> *
</crypto:options> ?

11.1 The provider option

Represents the provider for the current operation. If the provider does not exist, this is an error [err:CX23].

<crypto:option name = "provider"
    value = xs:string/>

11.2 The canonicalization-algorithm option

This option represents the canonicalization algorithm applied to the SignedInfo element prior to performing signature calculations. The default value is "inclusive-with-comments". If the parameter specifies an unsupported algorithm, this is an error [err:CX01].

<crypto:option name = "canonicalization-algorithm"
    value = "exclusive" | "exclusive-with-comments" | "inclusive" | "inclusive-with-comments" /> ?

11.3 The digest-algorithm option

This option represents the digest algorithm to be applied to the signed object. If the parameter specifies an unsupported algorithm, this is an error [err:CX02].

<crypto:option name = "digest-algorithm" value = xs:string />

11.4 The signature-algorithm option

This option represents the algorithm used for signature generation and validation. If the parameter specifies an unsupported algorithm, this is an error [err:CX03].

<crypto:option name = "signature-algorithm" value = xs:string />

11.5 The signature-namespace-prefix option

This option represents the namespace prefix for signature.

<crypto:option name = "signature-namespace-prefix" value = xs:string />

A References

XPath 3.0
XML Path Language (XPath) 3.0. Jonathan Robie, Don Chamberlin, Michael Dyck, John Snelson, editors. W3C Working Draft, 13 December 2011.
XSLT 3.0
XSL Transformations (XSLT) Version 3.0. Michael Kay, editor. W3C Working Draft, 10 July 2012.
XQuery 3.0
XQuery 3.0: An XML Query Language. Jonathan Robie, Don Chamberlin, Michael Dyck, John Snelson, editors. W3C Working Draft, 13 December 2011.
XPath and XQuery Functions and Operators 3.0
XPath and XQuery Functions and Operators 3.0. Michael Kay, editor. W3C Working Draft, 13 December 2011.
XQuery and XPath Data Model 3.0
XQuery and XPath Data Model 3.0. Norman Walsh, Anders Berglund, John Snelson, editors. W3C Working Draft, 13 December 2011.
RFC 1321
RFC 1321: The MD5 Message-Digest Algorithm. Ronald L. Rivest, editor. Network Working Group. April 1992.
FIPS PUB 180-1
Secure Hash Standard. U.S. Department Of Commerce, National Institute of Standards and Technology. 1995 April 17.
FIPS PUB 186
Digital Signature Standard (DSS). U.S. Department Of Commerce, National Institute of Standards and Technology. 1994 May 19.
RFC 1750
RFC 1750: Randomness Recommendations for Security. D. Eastlake, 3rd, S. Crocker, J. Schiller, editors. Network Working Group. December 1994.
RFC 3852
RFC 3852: Cryptographic Message Syntax (CMS). R. Housley, editor. Network Working Group. July 2004.
RFC 5958
RFC 5958: Asymmetric Key Packages. S. Turner, editor. Internet Engineering Task Force (IETF). August 2010.
RFC 5959
RFC 5959: Algorithms for Asymmetric Key Package Content Type. S. Turner, editor. Internet Engineering Task Force (IETF). August 2010.
RFC 2104
RFC 2104: HMAC: Keyed-Hashing for Message Authentication. H. Krawczyk, M. Bellare, R. Canetti, editors. Network Working Group. February, 1997.
RFC 2617
RFC 2617: HTTP Authentication: Basic and Digest Access Authentication. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June, 1999.
XML Signature
XML Signature Syntax and Processing (Second Edition). Donald Eastlake, Joseph Reagle, David Solo, Frederick Hirsch, Thomas Roessler, editors. Mark Bartel, John Boyer, Barb Fox, Brian LaMacchia, Ed Simon, authors. W3C Recommendation, 10 June 2008.
XML-Signature XPath Filter 2.0
XML-Signature XPath Filter 2.0. John Boyer, Merlin Hughes, Joseph Reagle, authors/editors. W3C Recommendation, 08 November 2002.

B Summary of Error Conditions

err:CX01
The canonicalization algorithm is not supported.
err:CX02
The digest algorithm is not supported.
err:CX03
The signature algorithm is not supported.
err:CX04
The XPath expression is invalid.
err:CX05
Argument $digital-certificate does not conform to its schema.
err:CX07
The keystore is null.
err:CX08
I/O error while reading keystore.
err:CX09
Permission denied to read keystore.
err:CX10
The keystore URL is invalid.
err:CX11
The keystore type is not supported.
err:CX12
Cannot find key for alias in given keystore.
err:CX15
Cannot find Signature element.
err:CX16
No such padding.
err:CX17
Incorrect padding.
err:CX18
The encryption type is not supported.
err:CX19
The secret key is invalid.
err:CX20
Illegal block size.
err:CX21
The algorithm or transformation is not supported.
err:CX22
The decryption type is not supported.
err:CX23
The provider is not set.
err:CX24
The output format is not supported.