santuario-dev mailing list archives

From Gary Tse <gary.gary...@gmail.com>
Subject Re: Is the sample program for XML encryption ok?
Date Fri, 20 Feb 2009 08:38:04 GMT
Dear gurus,

I'm getting confused at this point about the KeyInfo and EncryptedKey.  I
have an XML to be encrypted by an AES session key then wrapped by RSA.

Which of the formats should I use or any other suggestions?

Format 1 (certificate placed at 1st layer of KeyInfo,
EncryptedData/KeyInfo/X509Data):
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedKey>
        <ds:X509Data>
            <!--Cert for key-wrapping-->
            <ds:X509Certificate>
                MIIC...
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>
    </xenc:CipherData>
</xenc:EncryptedData>


Format 2 (certificate placed under
EncryptedData/EncryptedKey/KeyInfo/X509Data):
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></xenc:EncryptionMethod>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
            <ds:KeyInfo>
                <ds:X509Data>
                    <!--Cert for key-wrapping-->
                    <ds:X509Certificate>
                        MIIC...
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
</xenc:EncryptedData>

Thanks in advance,
Gary


On Wed, Feb 18, 2009 at 10:51 PM, Sean Mullan <Sean.Mullan@sun.com> wrote:

> Gary Tse wrote:
>
>> Dear gurus,
>>
>> I'm working with the Apache XML security 1.4.2 (Java version) and suspect
>> a problem in the sample.
>>
>> This sample is supplied with the 1.4.2 package:
>>
>> <xml-security-1_4_2>/src_samples/org/apache/xml/security/samples/encryption/Encrypter.java
>>
>> The sample runs fine and produced this (and the key-encryption-key file
>> kek):
>> <apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1">
>>    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
>>        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
>>        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-tripledes" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
>>                <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>                    <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">YD/20hNbr8wNAGCJRxg+IqQaJF2I+pahDknGvmVAC3I=</xenc:CipherValue>
>>                </xenc:CipherData>
>>            </xenc:EncryptedKey>
>>        </ds:KeyInfo>
>>        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>            <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">mblZKJ25HspqQopvfwUELnbE1hqrKDt54N849eksaQBMZZ4FgWf+N4HYTyA87GLh0m+bZSt3JtlXGWmPx395ZyGVGEaz3Ic7LoBK+65DSjkmWqKGt1XHSuqpSOK3UKdB4skLqnv7Ji48tmpyHF513Q==</xenc:CipherValue>
>>        </xenc:CipherData>
>>    </xenc:EncryptedData>
>> </apache:RootElement>
>>
>>
>> In the XML encryption spec, link here:
>>
>> http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Extensions-to-KeyInfo
>>
>> "The EncryptedData or EncryptedKey element specify the associated keying
>> material via a child of ds:KeyInfo. All of the child elements of ds:KeyInfo
>> specified in [XML-DSIG <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#ref-XML-DSIG>]
>> MAY be used as qualified:"
>>
>> From the XML spec, does it mean that an extra <ds:KeyInfo> should be
>> placed in the <xenc:EncryptedKey> element to provide information about the
>> encrypted key?  If so, sample code might need updating.
>>
>
> It's not mandatory, but something to help identify the key would be useful,
> for example:
>
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
>    <ds:KeyName>Key XXX</ds:KeyName>
>  </ds:KeyInfo>
> ...
>
> Keep in mind these are just samples and you should modify or adapt them to
> your specific requirements.
>
> Thanks,
> Sean
>
>
>
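
The difference between the two layouts in the question, and the reason Sean suggests a KeyInfo inside EncryptedKey, comes down to what the XML Encryption spec says each ds:KeyInfo describes: the KeyInfo directly under EncryptedData names the key that encrypted the CipherData (here the AES session key, possibly delivered as an EncryptedKey), while the KeyInfo inside EncryptedKey names the key-encryption key that unwraps it. The following is an added example, not code from this thread or from Apache XML Security: a small stdlib-only resolver that applies those semantics to both layouts and reports what a recipient would conclude. The sample documents are constructed and cut down from the two formats above, the algorithm allow-list is an assumed local policy, and the function names are mine.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Assumed policy for this example: the only algorithm URIs this recipient will
# honour. A decryptor that runs whatever Algorithm the message names lets the
# sender choose the primitive, so pin the set before unwrapping anything.
ALLOWED_DATA_ALGS = {XENC + "aes128-cbc", XENC + "aes256-cbc"}
ALLOWED_KEY_ALGS = {XENC + "rsa-oaep-mgf1p", XENC + "kw-tripledes"}


def q(ns, local):
    """Clark-notation tag name as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def key_identifiers(key_info):
    """(type, value) pairs from a ds:KeyInfo, ignoring any EncryptedKey child."""
    ids = []
    if key_info is None:
        return ids
    for child in key_info:
        if child.tag == q(DS, "KeyName"):
            ids.append(("KeyName", (child.text or "").strip()))
        elif child.tag == q(DS, "X509Data"):
            for cert in child.findall(q(DS, "X509Certificate")):
                ids.append(("X509Certificate", (cert.text or "").strip()))
    return ids


def resolve_keying(enc_data):
    """Apply the spec's semantics: KeyInfo directly under EncryptedData names the
    key that encrypted CipherData; KeyInfo under EncryptedKey names the
    key-encryption key that unwraps the wrapped content key."""
    method = enc_data.find(q(XENC, "EncryptionMethod"))
    key_info = enc_data.find(q(DS, "KeyInfo"))
    info = {
        "data_algorithm": None if method is None else method.get("Algorithm"),
        "data_key_identifiers": key_identifiers(key_info),
        "encrypted_key": None,
    }
    enc_key = None if key_info is None else key_info.find(q(XENC, "EncryptedKey"))
    if enc_key is not None:
        ek_method = enc_key.find(q(XENC, "EncryptionMethod"))
        cipher = enc_key.find(q(XENC, "CipherData") + "/" + q(XENC, "CipherValue"))
        info["encrypted_key"] = {
            "algorithm": None if ek_method is None else ek_method.get("Algorithm"),
            "kek_identifiers": key_identifiers(enc_key.find(q(DS, "KeyInfo"))),
            "cipher_value": None if cipher is None else (cipher.text or "").strip(),
        }
    return info


def layout_warnings(info):
    """Conditions a recipient should reject rather than guess its way around."""
    warnings = []
    if info["data_algorithm"] not in ALLOWED_DATA_ALGS:
        warnings.append("data algorithm not allowed: %s" % info["data_algorithm"])
    ek = info["encrypted_key"]
    if ek is not None:
        if ek["algorithm"] not in ALLOWED_KEY_ALGS:
            warnings.append("key-transport algorithm not allowed: %s" % ek["algorithm"])
        if info["data_key_identifiers"]:
            warnings.append("X509Data/KeyName beside EncryptedKey describes the content "
                            "key, not the wrapping key; put it under EncryptedKey/KeyInfo")
        if not ek["kek_identifiers"]:
            warnings.append("EncryptedKey carries no KeyInfo; the recipient cannot tell "
                            "which private key unwraps it")
    return warnings


def analyse(xml_text):
    """Parse one EncryptedData document and return (keying info, warnings)."""
    info = resolve_keying(ET.fromstring(xml_text))
    return info, layout_warnings(info)


# Constructed inputs, cut down from the two layouts in the thread (cert and
# ciphertext values are placeholders).
FORMAT_1 = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
    <ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

FORMAT_2 = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <ds:KeyInfo>
        <ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

if __name__ == "__main__":
    for name, doc in (("Format 1", FORMAT_1), ("Format 2", FORMAT_2)):
        info, warnings = analyse(doc)
        print(name, "KEK:", info["encrypted_key"]["kek_identifiers"], warnings or "OK")
```

Run as-is, Format 1 resolves the certificate as an identifier of the AES content key and leaves the EncryptedKey with no key-encryption-key identifier at all, which is exactly the ambiguity Sean's KeyName suggestion addresses; Format 2 resolves cleanly with the certificate attached to the EncryptedKey. The allow-list check is there because the Algorithm attribute is attacker-controlled input on the receiving side, and a resolver should decide which primitives it will run before it looks at the ciphertext.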
