santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rlyders <Rich...@Lyders.Net>
Subject Re: Still stuck with problem. Re: Problem decrypting elements
Date Mon, 03 Dec 2007 13:37:57 GMT

Hi Brent,
yes, I do in fact have the Signature inside the EncryptedData element as you
suggested. I'll have to check with the web service that I am integrating
with to see if it will support some other grouping of the XML elements.
Currently the web service specification asks for one root <Orders> element
that contains multiple <Order> elements as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<Orders xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="OrderRequest.xsd">
  <Order>
    <DocumentNumber>24773064</DocumentNumber>
  </Order>
  <Order>
    <DocumentNumber>24773064</DocumentNumber>
  </Order>
</Orders>

Once the element has been encrypted and signed, the result is shown below.
The web service that we are integrating with is not a full fledged SOAP WSDL
web service, but rather it simply uses HTTPS and XML. Our existing XML
document format where the XML Signature is enclosed by the EncryptedData
element seems to work well with the with the web service we are integrating
to. It is only in my local Java unit tests on my development computer that I
am seeing these problems with the Signature's KeyInfo element getting in the
way of decryption. The web service is written in .Net while my stuff is in
Java, so they must be doing something on their side in .Net to allow for a
Signature element enclosed in the EncryptedData element.

Here is what the resulting encrypted data looks like:
<?xml version="1.0" encoding="UTF-8"?>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                    Type="http://www.w3.org/2001/04/xmlenc#Element">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  ...
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
    </ds:KeyInfo>
  </ds:Signature>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#..."
                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  ...
  </ds:KeyInfo>
  <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    ...
    </xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>

I will check with the developer of the web service to see if we can slightly
adjust the encryption method so that the EncryptedData and Signature
elements are siblings contained within the <Orders> element. 

It would be a great help if you had a URI that I can reference to base a
change request on that mentions our illegal format having the enveloped
Signature as a child element of the EncryptedData element? I haven't been
able to find any information yet that specifically states that it is illegal
to place the Signature inside the EncryptedData element. It would be nice to
have it documented if possible.

Thanks for all your help and time.


Brent Putman wrote:
> 
> Brent Putman wrote:
> 
> So if you had a DOM tree something like:
> 
> <xenc:EncryptedData>
>    <ds:Signature>
>         <ds:KeyInfo>...</ds:KeyInfo>
>    </ds:Signature>
>    <ds:KeyInfo>
>         <xenc:EncryptedKey>...</xenc:EncryptedKey>
>    </ds:KeyInfo>
> </xenc:EncryptedData>
> 
> It actually would find the Signature KeyInfo first (due to document
> order)  and incorrectly set that one as the EncryptedData's KeyInfo
> member.  And that would account for what you described.
> 
> But like I said:  you can't place the Signature there like that inside
> the EncryptedData, it's not legal.
> 

-- 
View this message in context: http://www.nabble.com/Problem-decrypting-elements-tf4699611.html#a14130034
Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.


Mime
View raw message