santuario-dev mailing list archives

From Brent Putman <putm...@georgetown.edu>
Subject Re: Still stuck with problem. Re: Problem decrypting elements
Date Fri, 30 Nov 2007 23:10:16 GMT
Hi,
I'm not completely clear on what you're doing, but it sounds like at a
minimum you're perhaps doing something that's not legal. More below.


rlyders wrote:
> Brent,
> Your comments lead me to debug the XMCipher java class to find out that my
> enveloped Signature is confusing the default decryption. 

Can you clarify what you mean when you say you are using an enveloped
signature?  Enveloped by what?

If you mean you have:

<Foo>
   <ds:Signature>...</ds:Signature>
</Foo>


then when you encrypt that Foo element, the signature (and its
subordinate KeyInfo) will be completely invisible within the resultant
xenc:EncryptedData (prior to and during decryption), because it's part
of the encrypted data (encoded octets within xenc:CipherValue).  No way
it could be finding that signature KeyInfo there.

If you mean you have:

<Foo>
  <Bar> ... </Bar>
  <ds:Signature>...</ds:Signature>
</Foo>

and then you encrypt Bar:

<Foo>
  <xenc:EncryptedData>....</xenc:EncryptedData>
  <ds:Signature>...</ds:Signature>
</Foo>


I don't see how it could be getting the two KeyInfos confused. All the
Apache EncryptedData.getKeyInfo() does is return a data member, it
doesn't do any searching or resolution.

> My XML Signature
> element that is enveloped by the EncryptedData element contains its own
> KeyInfo element that is being found by the call to
> "encryptedData.getKeyInfo();" (see
> http://www.koders.com/java/fidFC09B90248DEB9C9318CA3CAE0C9809BEEC94EEC.aspx#L1422)
>   

> So, to work around this issue, immediately after validating the enveloped
> signature, I am deleting the signature from the XML Document object
> "encryptedDataElement.removeChild(signatureNode);" so that it does not
> interfere with the decryption of the EncryptedData.
>   


Sounds like you're trying to sign the EncryptedData itself?

<xenc:EncryptedData>
 <ds:Signature>...</ds:Signature>
</xenc:EncryptedData>


Note that you can't do that. It's not schema valid: xenc:EncryptedData
(actually xenc:EncryptedType) doesn't have an open content model, so you
can't just add arbitrary child elements.

And even if it did, I'm still not seeing how the Apache EncryptedData
would be pulling the KeyInfo out of the ds:Signature rather than its
own immediate child.

--Brent

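The three layouts Brent walks through above, as an added example that is not part of the original message or of the Santuario code base. It uses only the Python standard library; real encryption is replaced by a base64 stand-in (the `encrypt_element`, `decrypt_element`, `own_key_info`, `visible_key_names` and `check_encrypted_data_children` names are this example's own, and the sample Foo document with its placeholder signature value is constructed). It shows that once Foo is encrypted its enveloped signature and KeyInfo are just octets inside xenc:CipherValue, that the only ds:KeyInfo an EncryptedData can hand back is its own immediate child, and that a ds:Signature placed directly under xenc:EncryptedData violates the EncryptedType content model.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("ds", DS)
ET.register_namespace("xenc", XENC)


def q(ns, local):
    """Clark-notation tag name ({ns}local) as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


# Constructed sample: Foo carries an enveloped ds:Signature with its own KeyInfo.
# The SignatureValue is a placeholder, not a real signature.
SIGNED_FOO = """<Foo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Bar>payload</Bar>
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:KeyName>signing-key</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
</Foo>"""

# Child sequence of xenc:EncryptedType in the XML Encryption schema:
# EncryptionMethod?, ds:KeyInfo?, CipherData, EncryptionProperties?   (tag, required)
ENCRYPTED_TYPE_CHILDREN = [
    (q(XENC, "EncryptionMethod"), False),
    (q(DS, "KeyInfo"), False),
    (q(XENC, "CipherData"), True),
    (q(XENC, "EncryptionProperties"), False),
]


def signed_foo():
    """Parse the constructed sample document."""
    return ET.fromstring(SIGNED_FOO)


def encrypt_element(element, key_name):
    """Replace the whole subtree of `element` with an xenc:EncryptedData node.
    Stand-in for real encryption: the serialized subtree is only base64-encoded
    where Santuario's XMLCipher would place ciphertext. Structurally the result is
    the same: everything under Foo, signature included, is now opaque octets."""
    octets = ET.tostring(element)
    enc = ET.Element(q(XENC, "EncryptedData"), {"Type": XENC + "Element"})
    ET.SubElement(enc, q(XENC, "EncryptionMethod"), {"Algorithm": XENC + "aes128-cbc"})
    key_info = ET.SubElement(enc, q(DS, "KeyInfo"))
    ET.SubElement(key_info, q(DS, "KeyName")).text = key_name
    cipher_data = ET.SubElement(enc, q(XENC, "CipherData"))
    ET.SubElement(cipher_data, q(XENC, "CipherValue")).text = base64.b64encode(octets).decode()
    return enc


def decrypt_element(encrypted_data):
    """Inverse of encrypt_element: rebuild the original subtree from CipherValue."""
    cipher_value = encrypted_data.find(q(XENC, "CipherData") + "/" + q(XENC, "CipherValue"))
    return ET.fromstring(base64.b64decode(cipher_value.text))


def own_key_info(encrypted_data):
    """What EncryptedData.getKeyInfo() amounts to: the immediate ds:KeyInfo child,
    with no searching or resolution elsewhere in the document."""
    return encrypted_data.find(q(DS, "KeyInfo"))


def visible_key_names(root):
    """Every ds:KeyName present as an element; octets inside CipherValue don't count."""
    return [e.text for e in root.iter(q(DS, "KeyName"))]


def check_encrypted_data_children(encrypted_data):
    """Check the children against the EncryptedType content model.
    Returns a list of problems; an empty list means the child sequence is allowed."""
    problems = []
    allowed = [tag for tag, _ in ENCRYPTED_TYPE_CHILDREN]
    pos = 0
    for child in encrypted_data:
        if child.tag not in allowed:
            problems.append("unexpected child " + child.tag)
            continue
        idx = allowed.index(child.tag)
        if idx < pos:
            problems.append("out of order or repeated " + child.tag)
            continue
        for tag, required in ENCRYPTED_TYPE_CHILDREN[pos:idx]:
            if required:
                problems.append("missing required " + tag)
        pos = idx + 1
    for tag, required in ENCRYPTED_TYPE_CHILDREN[pos:]:
        if required:
            problems.append("missing required " + tag)
    return problems


def demo():
    """Walk the layouts from the thread; returns what is visible at each step."""
    enc = encrypt_element(signed_foo(), "data-key")
    visible = visible_key_names(enc)                      # only EncryptedData's own key
    own = own_key_info(enc).find(q(DS, "KeyName")).text   # the immediate child, nothing else
    recovered = visible_key_names(decrypt_element(enc))   # signature's key reappears only after decryption
    enc.append(ET.Element(q(DS, "Signature")))            # the "signature inside EncryptedData" layout
    return visible, own, recovered, check_encrypted_data_children(enc)


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the four results; the content-model check is the kind of structural validation a consumer can apply to incoming EncryptedData before handing it to a decryptor, so a stray child element is reported rather than silently ignored.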