eXist-db
diff --git a/‎.github/workflows/exist.yml‎
Lines changed: 138 additions & 0 deletions b/‎.github/workflows/exist.yml‎
Lines changed: 138 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 9 additions & 0 deletions b/‎.gitignore‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 201 additions & 0 deletions b/‎README.md‎
Lines changed: 201 additions & 0 deletions
@@ -0,0 +1,138 @@
+# This workflow builds a xar archive, deploys it into exist and runs a smoke test.
+
+name: exist-db CI
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+       fail-fast: false
+       matrix:
+         exist-version: [latest]
+
+    steps:
+      - uses: actions/checkout@v6
+
+      # Build with Maven
+      - name: Set up JDK 21
+        uses: actions/setup-java@v5
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: maven
+
+      # Extract exist-core JAR from Docker image for compilation,
+      # since the published 7.0.0-SNAPSHOT in the Maven repo is stale.
+      - name: Pull eXist-db image
+        run: docker pull existdb/existdb:${{ matrix.exist-version }}
+
+      - name: Install exist-core from Docker image into local Maven repo
+        run: |
+          id=$(docker create existdb/existdb:${{ matrix.exist-version }})
+          docker cp "$id:/exist/lib/exist.uber.jar" /tmp/exist.uber.jar
+          docker rm "$id"
+          mvn install:install-file -Dfile=/tmp/exist.uber.jar \
+            -DgroupId=org.exist-db -DartifactId=exist-core \
+            -Dversion=7.0.0-SNAPSHOT -Dpackaging=jar -q
+
+      - name: Build with Maven
+        run: mvn clean package -DskipTests -q
+
+      # Deploy XAR in Container
+      - name: Start eXist-db container
+        run: |
+          docker run -dit -p 8080:8080 \
+          -v ${{ github.workspace }}/target:/exist/autodeploy \
+          --name exist --rm --health-interval=1s --health-start-period=1s \
+          existdb/existdb:${{ matrix.exist-version }}
+
+      - name: Wait for eXist-db to start and deploy packages
+        timeout-minutes: 5
+        run: |
+          while ! docker logs exist | grep -q "Server has started"; \
+          do sleep 6s; \
+          done
+          sleep 5
+
+      # Smoke test: verify module loads and functions work
+      - name: Test crypto:hash with known SHA-256 vector
+        run: |
+          result=$(curl -sf -u admin: -H "Content-Type: application/xml" --data '
+          <query xmlns="http://exist.sourceforge.net/NS/exist">
+            <text><![CDATA[
+              import module namespace crypto = "http://expath.org/ns/crypto";
+              crypto:hash("test", "SHA-256", "hex")
+            ]]></text>
+          </query>' "http://localhost:8080/exist/rest/db")
+          echo "$result"
+          echo "$result" | grep -q "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" || (echo "FAIL: SHA-256 hash mismatch" && exit 1)
+
+      - name: Test crypto:hmac with SHA256 hex output
+        run: |
+          result=$(curl -sf -u admin: -H "Content-Type: application/xml" --data '
+          <query xmlns="http://exist.sourceforge.net/NS/exist">
+            <text><![CDATA[
+              import module namespace crypto = "http://expath.org/ns/crypto";
+              string-length(crypto:hmac("test", "key", "SHA256", "hex"))
+            ]]></text>
+          </query>' "http://localhost:8080/exist/rest/db")
+          echo "$result"
+          echo "$result" | grep -q ">64<" || (echo "FAIL: expected 64 hex chars" && exit 1)
+
+      - name: Test crypto:hmac with base64 output
+        run: |
+          result=$(curl -sf -u admin: -H "Content-Type: application/xml" --data '
+          <query xmlns="http://exist.sourceforge.net/NS/exist">
+            <text><![CDATA[
+              import module namespace crypto = "http://expath.org/ns/crypto";
+              string-length(crypto:hmac("test", "key", "SHA256")) > 0
+            ]]></text>
+          </query>' "http://localhost:8080/exist/rest/db")
+          echo "$result"
+          echo "$result" | grep -q "true" || (echo "FAIL: expected non-empty base64" && exit 1)
+
+      - name: Test crypto:encrypt and crypto:decrypt round-trip
+        run: |
+          result=$(curl -sf -u admin: -H "Content-Type: application/xml" --data '
+          <query xmlns="http://exist.sourceforge.net/NS/exist">
+            <text><![CDATA[
+              import module namespace crypto = "http://expath.org/ns/crypto";
+              let $key := "0123456789abcdef"
+              let $enc := crypto:encrypt("secret message", "symmetric", $key, "AES")
+              return crypto:decrypt($enc, "symmetric", $key, "AES")
+            ]]></text>
+          </query>' "http://localhost:8080/exist/rest/db")
+          echo "$result"
+          echo "$result" | grep -q "secret message" || (echo "FAIL: decrypt did not return original" && exit 1)
+
+      - name: Test crypto:generate-signature produces Signature element
+        run: |
+          result=$(curl -sf -u admin: -H "Content-Type: application/xml" --data '
+          <query xmlns="http://exist.sourceforge.net/NS/exist">
+            <text><![CDATA[
+              import module namespace crypto = "http://expath.org/ns/crypto";
+              let $doc := <root><data>test</data></root>
+              let $signed := crypto:generate-signature($doc, "inclusive", "SHA256", "RSA_SHA256", "dsig", "enveloped")
+              return exists($signed//*[local-name() = "Signature"])
+            ]]></text>
+          </query>' "http://localhost:8080/exist/rest/db")
+          echo "$result"
+          echo "$result" | grep -q "true" || (echo "FAIL: expected Signature element" && exit 1)
+
+      - name: Test multiple HMAC algorithms
+        run: |
+          result=$(curl -sf -u admin: -H "Content-Type: application/xml" --data '
+          <query xmlns="http://exist.sourceforge.net/NS/exist">
+            <text><![CDATA[
+              import module namespace crypto = "http://expath.org/ns/crypto";
+              string-join(
+                for $alg in ("MD5", "SHA1", "SHA256", "SHA384", "SHA512")
+                return string-length(crypto:hmac("test", "key", $alg, "hex")),
+                ","
+              )
+            ]]></text>
+          </query>' "http://localhost:8080/exist/rest/db")
+          echo "$result"
+          echo "$result" | grep -q "32,40,64,96,128" || (echo "FAIL: expected 32,40,64,96,128" && exit 1)
@@ -0,0 +1,9 @@
+target/
+.mvn/
+.m2-repo/
+.env
+*.iml
+.idea/
+.classpath
+.project
+.settings/
@@ -0,0 +1,201 @@
+# EXPath Crypto Module for eXist-db
+
+A standalone XAR package implementing the [EXPath Cryptographic Module](http://expath.org/spec/crypto) for eXist-db 7.0+. Provides cryptographic hashing, HMAC authentication, symmetric encryption/decryption, and XML digital signatures using Java's built-in JCE (Java Cryptography Extension) — no external dependencies.
+
+## Install
+
+Download the `.xar` from [Releases](https://github.com/joewiz/exist-crypto/releases) and install with the eXist-db Package Manager or the `xst` CLI:
+
+```bash
+xst package install exist-crypto-0.9.0-SNAPSHOT.xar
+```
+
+## Functions
+
+| Function | Description |
+|----------|-------------|
+| `crypto:hash($data, $algorithm)` | Cryptographic hash with Base64 output |
+| `crypto:hash($data, $algorithm, $encoding)` | Cryptographic hash with specified encoding (`base64` or `hex`) |
+| `crypto:hmac($data, $key, $algorithm)` | HMAC with Base64 output |
+| `crypto:hmac($data, $key, $algorithm, $encoding)` | HMAC with specified encoding (`base64` or `hex`) |
+| `crypto:encrypt($data, $type, $key, $algorithm)` | Symmetric encryption (AES or DES) |
+| `crypto:decrypt($data, $type, $key, $algorithm)` | Symmetric decryption |
+| `crypto:generate-signature($data, $c14n, $digest, $sig, $prefix, $type)` | Generate XML digital signature |
+| `crypto:validate-signature($data)` | Validate XML digital signature |
+
+**Module namespace:** `http://expath.org/ns/crypto`
+
+### Hash
+
+```xquery
+import module namespace crypto = "http://expath.org/ns/crypto";
+
+(: Base64 output (default) :)
+crypto:hash("data", "SHA-256")
+
+(: Hex output :)
+crypto:hash("data", "SHA-256", "hex")
+```
+
+**Algorithms:** MD5, SHA-1, SHA-256, SHA-384, SHA-512
+
+For new code, prefer `fn:hash()` (XQuery 4.0) or `util:hash()`. `crypto:hash` is provided for backward compatibility with the EXPath spec and cross-engine portability (BaseX also implements it).
+
+### HMAC
+
+```xquery
+import module namespace crypto = "http://expath.org/ns/crypto";
+
+(: Base64 output (default) :)
+crypto:hmac("data", "secret-key", "SHA256")
+
+(: Hex output :)
+crypto:hmac("data", "secret-key", "SHA256", "hex")
+```
+
+**Algorithms:** MD5, SHA1, SHA256, SHA384, SHA512
+
+### Symmetric Encryption
+
+```xquery
+import module namespace crypto = "http://expath.org/ns/crypto";
+
+let $key := "0123456789abcdef"  (: 16 bytes = AES-128 :)
+let $encrypted := crypto:encrypt("secret message", "symmetric", $key, "AES")
+return crypto:decrypt($encrypted, "symmetric", $key, "AES")
+```
+
+**Algorithms:** AES (16/24/32-byte key), DES (8-byte key)
+
+A random initialization vector (IV) is automatically generated and prepended to the ciphertext.
+
+### XML Digital Signatures
+
+```xquery
+import module namespace crypto = "http://expath.org/ns/crypto";
+
+let $doc := <order id="123"><total>99.99</total></order>
+let $signed := crypto:generate-signature(
+    $doc, "inclusive", "SHA256", "RSA_SHA256", "dsig", "enveloped")
+return crypto:validate-signature($signed)
+```
+
+## Upgrading from expath-crypto-module
+
+This package is a clean-room replacement for the legacy [`expath-crypto-module`](https://github.com/eXist-db/expath-crypto-module) (maintained by Claudius Teodorescu, last updated 2020). Both packages implement the same EXPath Cryptographic Module specification and use the same module namespace (`http://expath.org/ns/crypto`), so they **cannot be installed simultaneously**.
+
+### Why upgrade?
+
+| | Legacy (`expath-crypto-module`) | This package (`exist-crypto`) |
+|---|---|---|
+| **eXist-db compatibility** | 5.x–6.x (broken on 7.x due to Type constant renumbering) | 7.0+ |
+| **Java version** | Java 8+ | Java 21+ |
+| **Dependencies** | External `crypto-java` library (ro.kuberam) | Zero — uses Java's built-in JCE |
+| **Parent POM** | `exist-apps-parent` 1.11.0 | `exist-apps-parent` 2.0.0 |
+| **`crypto:hash`** | Yes (2–3 arity) | Yes (2–3 arity, compatible) |
+
+### Upgrade steps
+
+1. **Install the new package** — a `pre-install.xq` script automatically detects and removes the old `expath-crypto-module` if present:
+
+   ```bash
+   xst package install exist-crypto-0.9.0-SNAPSHOT.xar
+   ```
+
+   To remove the old package manually (e.g., before downloading the new one):
+
+   ```bash
+   xst package remove http://expath.org/ns/crypto
+   ```
+
+2. **Update your XQuery code** — see the migration guide below.
+
+### Migration guide
+
+#### No changes needed
+
+The module namespace is identical, so **import statements require no changes**:
+
+```xquery
+import module namespace crypto = "http://expath.org/ns/crypto";
+```
+
+Calls to `crypto:hash`, `crypto:hmac`, and `crypto:validate-signature` are compatible as-is for the most common usage patterns.
+
+#### `crypto:hmac` — return type changed
+
+| | Legacy | New |
+|---|---|---|
+| **Parameter types** | `$data as xs:atomic*`, `$key as xs:atomic*` | `$data as xs:string`, `$key as xs:string` |
+| **Return type** | `xs:byte*` | `xs:string` |
+
+The legacy module accepted binary types and returned a byte sequence. The new module accepts strings and returns a string (Base64 or hex). If your code passes `xs:string` arguments (the common case), no changes are needed.
+
+**If you passed binary data:** Convert to string first with `util:binary-to-string()`.
+
+#### `crypto:encrypt` / `crypto:decrypt` — IV handling changed
+
+| | Legacy | New |
+|---|---|---|
+| **IV parameter** | Optional 5th argument (`xs:base64Binary`) | Automatic (random IV prepended to ciphertext) |
+| **Provider parameter** | Optional 6th argument | Not supported |
+| **Arity** | 4–6 | 4 |
+
+The new module always generates a random IV and prepends it to the ciphertext. The decrypt function extracts the IV automatically. This is more secure than reusing IVs but means **ciphertext from the old module cannot be decrypted by the new module** (and vice versa) unless the IV handling is compatible.
+
+**If you stored encrypted data:** You will need to re-encrypt data during migration. Decrypt with the old module, then re-encrypt with the new one.
+
+**If you used a custom provider:** Remove the provider argument. Java's default JCE provider is used.
+
+#### `crypto:generate-signature` — fewer arities
+
+| | Legacy | New |
+|---|---|---|
+| **Arities** | 6, 7 (XPath), 8 (certificate), 3 (private key) | 6 |
+| **Signature algorithms** | RSA\_SHA1, DSA\_SHA1 | RSA\_SHA1, DSA\_SHA1, RSA\_SHA256 |
+
+The 6-argument form is compatible. The XPath subsetting (7-arg), certificate (8-arg), and private key (3-arg) variants are not yet implemented.
+
+**If you used the 6-argument form:** No changes needed.
+
+**If you used XPath subsetting or certificates:** These features are not yet available. File an issue if you need them.
+
+#### `crypto:hash` — return type changed
+
+| | Legacy | New |
+|---|---|---|
+| **Parameter types** | `$data as item()*` | `$data as item()` |
+| **Return type** | `xs:byte*` | `xs:string` |
+
+The legacy module returned a byte sequence. The new module returns a string (Base64 or hex encoded). The function signatures and algorithm names are otherwise compatible.
+
+For new code, prefer `fn:hash()` (XQuery 4.0) or `util:hash()`. `crypto:hash` is provided for backward compatibility with the EXPath Cryptographic Module specification and cross-engine portability (BaseX also implements it).
+
+### Package identity comparison
+
+| Property | Legacy | New |
+|---|---|---|
+| Package name (URI) | `http://expath.org/ns/crypto` | `http://exist-db.org/pkg/crypto` |
+| Package abbreviation | `crypto` | `exist-crypto` |
+| Module namespace | `http://expath.org/ns/crypto` | `http://expath.org/ns/crypto` |
+| Maven groupId | `org.exist-db.xquery.extensions.expath` | `org.exist-db` |
+| Maven artifactId | `expath-crypto-module` | `exist-crypto` |
+| Java package | `org.expath.exist.crypto` | `org.exist.xquery.modules.crypto` |
+
+The package abbreviations now differ (`crypto` vs `exist-crypto`), but both register the same module namespace. A `pre-install.xq` script automatically removes the old package if present.
+
+## Build
+
+```bash
+JAVA_HOME=/path/to/java-21 mvn clean package -DskipTests
+```
+
+Run integration tests (requires exist-core 7.0.0-SNAPSHOT in your local Maven repo):
+
+```bash
+mvn test -Pintegration-tests
+```
+
+## License
+
+[GNU Lesser General Public License v2.1](https://opensource.org/licenses/LGPL-2.1)