santuario-dev mailing list archives

From Frank Cornelis <i...@e-contract.be>
Subject XML encryption: multiple files and multiple recipients
Date Sat, 13 Dec 2014 17:17:19 GMT
Hi,


I'm trying to construct a generic encryption format based on OCF:
http://www.idpf.org/epub/30/spec/epub30-ocf.html#sec-container-metainf-encryption.xml
Besides the need to encrypt multiple files (within the ZIP), I also want 
to express multiple recipients. Each recipient has its own X509 certificate.
Thus the same AES key is being encrypted towards multiple recipient 
certificates.
It's not 100% clear how to express this from the XML Encryption 
specification.
What I came up with so far is the structure as shown below.
Is this the correct way to express what I'm looking for?
Not clear whether I should do this using multiple ds:RetrievalMethod 
elements within the ds:KeyInfo.


Kind Regards,
Frank.


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<encryption xmlns="urn:oasis:names:tc:opendocument:xmlns:container">
   <!-- One EncryptedKey per recipient: the same AES key, wrapped with RSA-OAEP to that recipient's certificate -->
   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK1">
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
       <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
       <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha512"/>
     </xenc:EncryptionMethod>
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>
             ...
         </ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
     <xenc:CipherData>
       <xenc:CipherValue>...</xenc:CipherValue>
     </xenc:CipherData>
   </xenc:EncryptedKey>
   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK2">
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
       <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
       <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha512"/>
     </xenc:EncryptionMethod>
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>
             ...
         </ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
     <xenc:CipherData>
       <xenc:CipherValue>...</xenc:CipherValue>
     </xenc:CipherData>
   </xenc:EncryptedKey>
   <!-- One EncryptedData per file in the ZIP; its KeyInfo points at every EncryptedKey that carries the AES key -->
   <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK1"/>
       <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK2"/>
     </ds:KeyInfo>
     <xenc:CipherData>
       <xenc:CipherReference URI="file1.txt"/>
     </xenc:CipherData>
   </xenc:EncryptedData>
   <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK1"/>
       <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK2"/>
     </ds:KeyInfo>
     <xenc:CipherData>
       <xenc:CipherReference URI="file2.txt"/>
     </xenc:CipherData>
   </xenc:EncryptedData>
</encryption>
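The following is an added example, not part of Frank's message and not Santuario code, that builds and consumes the manifest shape described above using only Go's standard library: one fresh AES-256 content key, one xenc:EncryptedKey per recipient with that key wrapped by RSA-OAEP (SHA-512 digest, MGF1-SHA-512), one xenc:EncryptedData per file encrypted with AES-256-GCM whose ds:KeyInfo lists every EncryptedKey through ds:RetrievalMethod, and then the recipient side resolving those URI="#EKn" references to find the key addressed to it. Assumptions not in the original: recipients are identified by ds:KeyName instead of ds:X509Certificate, recipient names are inserted unescaped and assumed XML-safe, the encrypted files live in an in-memory map rather than as ZIP entries next to encryption.xml, and EK1..EKn ids are assigned in map iteration order.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

const rsaOAEP = "http://www.w3.org/2009/xmlenc11#rsa-oaep"  // key transport: one EncryptedKey per recipient
const aesGCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm" // content encryption: one EncryptedData per file

// encElem reads both EncryptedKey and EncryptedData (tags are namespace-qualified, so the writer's prefixes do not matter).
type encElem struct {
	ID      string `xml:"Id,attr"`
	Method  struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"http://www.w3.org/2001/04/xmlenc# EncryptionMethod"`
	KeyName string `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo>KeyName"` // EncryptedKey only (assumption: KeyName, not X509Certificate)
	Refs    []struct{ URI string `xml:"URI,attr"` } `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo>RetrievalMethod"`
	Value   string `xml:"http://www.w3.org/2001/04/xmlenc# CipherData>CipherValue"` // EncryptedKey only
	Ref     struct{ URI string `xml:"URI,attr"` } `xml:"http://www.w3.org/2001/04/xmlenc# CipherData>CipherReference"`
}

// must panics on error: while encrypting, an RNG or key failure is fatal, so this keeps Encrypt short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Encrypt builds the manifest from the thread: one fresh AES-256 key, wrapped once per recipient with RSA-OAEP
// (SHA-512 / MGF1-SHA-512) as EncryptedKey EK1..EKn, then each file encrypted with AES-256-GCM as an EncryptedData
// whose ds:KeyInfo lists every EKn via ds:RetrievalMethod. Returns the manifest and the ciphertexts kept beside it.
func Encrypt(files map[string][]byte, recipients map[string]*rsa.PublicKey) ([]byte, map[string][]byte) {
	cek := make([]byte, 32)
	must(rand.Read(cek))
	var x, refs strings.Builder
	x.WriteString(`<encryption xmlns="urn:oasis:names:tc:opendocument:xmlns:container" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">` + "\n")
	n := 0
	for name, pub := range recipients {
		n++
		wrapped := must(rsa.EncryptOAEP(sha512.New(), rand.Reader, pub, cek, nil)) // Go uses this hash for both the label digest and MGF1
		fmt.Fprintf(&x, `  <xenc:EncryptedKey Id="EK%d"><xenc:EncryptionMethod Algorithm="%s"/><ds:KeyInfo><ds:KeyName>%s</ds:KeyName>`+
			`</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>`+"\n",
			n, rsaOAEP, name, base64.StdEncoding.EncodeToString(wrapped))
		fmt.Fprintf(&refs, `<ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK%d"/>`, n)
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(cek)))) // cannot fail for a 32-byte key
	out := map[string][]byte{}
	for name, plain := range files {
		nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit IV per file; never reuse one under the same key
		must(rand.Read(nonce))
		out[name] = append(nonce, gcm.Seal(nil, nonce, plain, nil)...) // xmlenc11 GCM layout: IV || ciphertext || tag
		fmt.Fprintf(&x, `  <xenc:EncryptedData><xenc:EncryptionMethod Algorithm="%s"/><ds:KeyInfo>%s</ds:KeyInfo><xenc:CipherData>`+
			`<xenc:CipherReference URI="%s"/></xenc:CipherData></xenc:EncryptedData>`+"\n", aesGCM, refs.String(), name)
	}
	x.WriteString("</encryption>\n")
	return []byte(x.String()), out
}

// Decrypt is the recipient side: per EncryptedData, follow its RetrievalMethod references, take the EncryptedKey
// addressed to us, unwrap the CEK and open the file. The manifest is untrusted, so the algorithms are pinned.
func Decrypt(manifest []byte, files map[string][]byte, me string, key *rsa.PrivateKey) (map[string][]byte, error) {
	var m struct {
		Keys []encElem `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedKey"`
		Data []encElem `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	}
	if err := xml.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	byID := map[string]encElem{}
	for _, ek := range m.Keys {
		byID[ek.ID] = ek
	}
	out := map[string][]byte{}
	for _, ed := range m.Data {
		var cek []byte
		for _, rm := range ed.Refs {
			ek, ok := byID[strings.TrimPrefix(rm.URI, "#")]
			if !ok || ek.KeyName != me || ek.Method.Algorithm != rsaOAEP {
				continue // dangling reference, another recipient's key, or an algorithm we do not accept
			}
			wrapped, err := base64.StdEncoding.DecodeString(ek.Value)
			if err == nil {
				cek, err = rsa.DecryptOAEP(sha512.New(), nil, key, wrapped, nil)
			}
			if err != nil {
				return nil, fmt.Errorf("%s: %w", ek.ID, err)
			}
			break
		}
		blob, ok := files[ed.Ref.URI]
		if len(cek) != 32 || !ok || len(blob) < 12 || ed.Method.Algorithm != aesGCM { // a 12-byte IV leads the blob
			return nil, fmt.Errorf("%s: no AES-256 key for %s, file missing or truncated, or unexpected algorithm", ed.Ref.URI, me)
		}
		gcm := must(cipher.NewGCM(must(aes.NewCipher(cek)))) // cannot fail: key length was checked above
		plain, err := gcm.Open(nil, blob[:12], blob[12:], nil) // the GCM tag rejects any modified ciphertext
		if err != nil {
			return nil, fmt.Errorf("%s: %w", ed.Ref.URI, err)
		}
		out[ed.Ref.URI] = plain
	}
	return out, nil
}
```

Two design points carry over to any real implementation of this layout: the recipient decides which algorithms it accepts and rejects anything else in EncryptionMethod rather than dispatching on whatever the manifest declares, and because every file is encrypted under the one shared content key, each EncryptedData needs its own fresh GCM IV.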
