<br><font size=2 face="sans-serif">Hi Aleksey,</font>
<br><font size=2 face="sans-serif">Well, using the debugger I figured out
what is failing, but I don't know why or how to fix it. So I'm going
to try to explain my problem a bit better.</font>
<br>
<br><font size=2 face="sans-serif">My goal is to attach the subject key
identifier, of the public cert used to encrypt the message, to the EncryptedKey
node.</font>
<br>
<br><font size=2 face="sans-serif">What I do (simplified for explanation):</font>
<br><font size=2 face="sans-serif">- create and initialize a keys manager</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">mngr = xmlSecKeysMngrCreate();</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecCryptoAppDefaultKeysMngrInit(mngr);</font>
<br><font size=2 face="sans-serif">- load a public key into the keys manager</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">key = xmlSecCryptoAppKeyLoad(file.c_str(), xmlSecKeyDataFormatPem, pwd, NULL, NULL);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key);</font>
<br><font size=2 face="sans-serif">- load an x509 certificate into the keys manager</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecCryptoAppKeysMngrCertLoad(mngr, nodeCertFile.c_str(), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted);</font>
<br><font size=2 face="sans-serif">- create an xmlSecEncCtxPtr with the manager as its parameter</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">encCtx = xmlSecEncCtxCreate(mngr);</font>
<br><font size=2 face="sans-serif">- generate a session key for encCtx->encKey</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">encCtx->encKey = xmlSecKeyGenerate(xmlSecKeyDataDesId, 192, xmlSecKeyDataTypeSession);</font>
<br><font size=2 face="sans-serif">- create the encryption template (with X509 data attached to the EncryptedKey's KeyInfo)</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">encDataNode = xmlSecTmplEncDataCreate(doc, xmlSecTransformDes3CbcId, NULL, xmlSecTypeEncElement, NULL, NULL);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecTmplEncDataEnsureCipherValue(encDataNode);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">keyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encDataNode, NULL);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">encKeyNode = xmlSecTmplKeyInfoAddEncryptedKey(keyInfoNode, xmlSecTransformRsaPkcs1Id, NULL, xmlSecEncKey, NULL);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecTmplEncDataEnsureCipherValue(encKeyNode);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">encKeyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encKeyNode, NULL);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecTmplKeyInfoAddKeyName(encKeyInfoNode, BAD_CAST keyName.c_str());</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">certNode = xmlSecTmplKeyInfoAddX509Data(encKeyInfoNode);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecTmplX509DataAddCertificate(certNode);</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecTmplX509DataAddSKI(certNode);</font>
<br><font size=2 face="sans-serif">- finally encrypt the data</font>
<br><font size=2 face="sans-serif"> </font><font size=2 face="Courier New">xmlSecEncCtxXmlEncrypt(encCtx, encDataNode, myDataNode);</font>
<br>
<br><font size=2 face="sans-serif">Ok, all of the steps before actual encryption
complete successfully. I have checked the template that I am sending
in, and it looks exactly like you'd expect it to.</font>
<br><font size=2 face="sans-serif">The key and certificate loaded correctly
into the keys manager, and the encryption context correctly copied the
manager into itself.</font>
<br>
<br><font size=2 face="sans-serif">During the encryption everything appears
fine, though I must admit that there were more than a couple of times that
I was very confused.</font>
<br><font size=2 face="sans-serif">Here is a backtrace of where I think
my problem is:</font>
<br>
<br><font size=2 face="sans-serif">(gdb) bt</font>
<br><font size=2 face="sans-serif">#0 xmlSecKeyGetData (key=0x80962c0, dataId=0xb78188e0) at keys.c:837</font>
<br><font size=2 face="sans-serif">#1 0xb76f0a73 in xmlSecOpenSSLKeyDataX509XmlWrite (id=0xb78188e0, key=0x80962c0, node=0x8096900, keyInfoCtx=0x80a7118) at x509.c:725</font>
<br><font size=2 face="sans-serif">#2 0xb7722173 in xmlSecKeyInfoNodeWrite (keyInfoNode=0x80a4d50, key=0x80962c0, keyInfoCtx=0x80a7118) at keyinfo.c:179</font>
<br><font size=2 face="sans-serif">#3 0xb771669c in xmlSecEncCtxEncDataNodeWrite (encCtx=0x80a7040) at xmlenc.c:946</font>
<br><font size=2 face="sans-serif">#4 0xb77185e4 in xmlSecEncCtxBinaryEncrypt (encCtx=0x80a7040, tmpl=0x80879c8, data=0x80a8c08 ">\205}E\r\fÜ\177\023ñ]\021Fú4Àë³t\217×÷£\222", dataSize=24) at xmlenc.c:334</font>
<br><font size=2 face="sans-serif">#5 0xb7724e4a in xmlSecKeyDataEncryptedKeyXmlWrite (id=0xb7822da0, key=0x80980e0, node=0x80879c8, keyInfoCtx=0x80aeb68) at keyinfo.c:1542</font>
<br><font size=2 face="sans-serif">#6 0xb7722173 in xmlSecKeyInfoNodeWrite (keyInfoNode=0x80878e0, key=0x80980e0, keyInfoCtx=0x80aeb68) at keyinfo.c:179</font>
<br><font size=2 face="sans-serif">#7 0xb771669c in xmlSecEncCtxEncDataNodeWrite (encCtx=0x80aea90) at xmlenc.c:946</font>
<br><font size=2 face="sans-serif">#8 0xb77180b2 in xmlSecEncCtxXmlEncrypt (encCtx=0x80aea90, tmpl=0x80a87b0, node=0x80a5e00) at xmlenc.c:441</font>
<br>
<br><font size=2 face="sans-serif">In the openssl file x509.c, in function
xmlSecOpenSSLKeyDataX509XmlWrite at line 725, the process is trying to get a dataList
out of the key, but the key has no dataList in it. So the function
returns NULL, exits, and no X509 data is written.</font>
<br><font size=2 face="sans-serif">I thought there would be some kind of
reference to the certificate that I loaded for this purpose, but when it
gets to this point, there is no link to it at all.</font>
<br>
<br><font size=2 face="sans-serif">Am I loading something wrong? Do I need
to set some kind of processing flags? Do I need to manually put the cert
into the key?</font>
<br><font size=2 face="sans-serif">Is my goal something that xmlsec is
coded not to do?</font>
<br><font size=2 face="sans-serif">Thank you for any help you can give,</font>
<br><font size=2 face="sans-serif">Brian</font>
<br>
<br><font size=2 face="sans-serif">***************************************************************<br>
Brian S. Myers<br>
Systems Developer, Engineering<br>
brian.myers@zootweb.com<br>
Tel: 406-556-8924 Fax: 406-587-8414<br>
***************************************************************<br>
This email, including any attachments, is confidential and may not be redistributed
without permission. If you are not an intended recipient, you have received
this message in error. Please notify us immediately by replying to this
message, and then delete it from your computer. Thank you.<br>
***************************************************************</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Aleksey Sanin <aleksey@aleksey.com></b>
</font>
<p><font size=1 face="sans-serif">06/13/2008 04:24 PM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">Brian.Myers@zootweb.com</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td><font size=1 face="sans-serif">xmlsec@aleksey.com</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">Re: [xmlsec] wsse tokens and encryption</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><tt><font size=2>I am really sorry but I don't understand what you
are trying<br>
to do. The only guess I have is that the certificate was not<br>
associated with the key but I am not sure.<br>
<br>
You might want to step through xmlsec source code in the debugger<br>
and see why it doesn't do what you want it to do.<br>
<br>
Aleksey<br>
<br>
Brian.Myers@zootweb.com wrote:<br>
> <br>
> Hello,<br>
> First off I'd like to say thank you to Aleksey and the mailing list.<br>
> This library has saved me from trying to invent a security<br>
> implementation on my own,<br>
> and the dialog in the mailing list has helped me fix difficult problems<br>
> that didn't seem to have obvious solutions. Thank you!<br>
> <br>
> Now, the problem I'm having has to do with wsse security tokens and<br>
> encryption.<br>
> More specifically the subject key identifier found in x509 certificates.<br>
> I'm trying to fill out this node, which would be part of the<br>
> EncryptedKey node in the SOAP:Header:<br>
> &lt;wsse:SecurityTokenReference&gt;<br>
> &lt;wsse:KeyIdentifier ValueType="wsse:X509SubjectKeyIdentifier"<br>
> EncodingType="wsse:Base64Binary"/&gt;<br>
> &lt;/wsse:SecurityTokenReference&gt;<br>
> <br>
> with information that would be gathered from this node:<br>
> &lt;X509Data&gt;<br>
> &lt;X509Certificate/&gt;<br>
> &lt;X509SKI/&gt;<br>
> &lt;/X509Data&gt;<br>
> <br>
> The problem is that encryption returns this for the X509Data node:<br>
> &lt;X509Data&gt;<br>
> <br>
> <br>
> &lt;/X509Data&gt;<br>
> <br>
> Empty. I realize that you generally don't apply a certificate to<br>
> encryption, but I can't do this step with signature creation<br>
> because I'd have to change the document, which would make the signature<br>
> invalid.<br>
> What I'm doing:<br>
> - I load up my key into a keys manager<br>
> - I load up my cert into the keys manager<br>
> - Create the encryption context object with the manager as its parameter<br>
> - Set encryption context encKey to generated des key<br>
> - Successfully create encrypted data template with X509Data,<br>
> X509Certificate, and X509SKI properly attached to KeyInfo node<br>
> - Successfully encrypt data<br>
> - Parse and print out document and see that the X509Data node is now<br>
> empty, thus not able to get the SKI info<br>
> <br>
> If the node had been filled out as I had hoped, I would have:<br>
> - Located the X509Data node and unlinked it from the document<br>
> - Set the content of the KeyIdentifier node to the content of the<br>
> X509SKI node<br>
> <br>
> Is there something I'm doing wrong, is this something that xmlsec can't<br>
> do, and/or is there a better way to do this?<br>
> Thank you very much,<br>
> Brian<br>
> <br>
> <br>
> ------------------------------------------------------------------------<br>
> <br>
> _______________________________________________<br>
> xmlsec mailing list<br>
> xmlsec@aleksey.com<br>
> http://www.aleksey.com/mailman/listinfo/xmlsec<br>
</font></tt>
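<p><font size=2 face="sans-serif">Brian's plan in the quoted message above is to copy the X509SKI text into the wsse:KeyIdentifier and unlink X509Data. What follows is an added example, not code from the thread or from xmlsec: a standard-library Python rewrite that performs that post-processing on xmlsec's EncryptedData output and, rather than emitting an empty KeyIdentifier, raises when X509Data came back empty as in the symptom described. The sample EncryptedData, its base64 placeholder values and the wsse namespace URI are constructed or assumed for the example; the ValueType and EncodingType strings are the ones from the message.</font></p>

```python
"""Added example, not code from the thread: copy the X509SKI value that xmlsec
writes into EncryptedKey/KeyInfo/X509Data into a WS-Security
SecurityTokenReference/KeyIdentifier, dropping X509Data, and refuse to do so
when X509Data came back empty. Standard library only."""
import base64
import binascii
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
# Assumed namespace for the wsse: prefix (OASIS WSS 1.0 secext); the thread's
# snippet declares none. ValueType/EncodingType are the strings from the thread.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SKI_VALUE_TYPE = "wsse:X509SubjectKeyIdentifier"
B64_ENCODING_TYPE = "wsse:Base64Binary"

for _prefix, _uri in (("ds", DS_NS), ("xenc", XENC_NS), ("wsse", WSSE_NS)):
    ET.register_namespace(_prefix, _uri)


class MissingSkiError(ValueError):
    """X509Data carries no usable X509SKI (the empty node seen in the thread)."""


def constructed_ski_b64() -> str:
    """Base64 of 20 constructed SKI octets 0x00..0x13; not a real key identifier."""
    return base64.b64encode(bytes(range(20))).decode("ascii")


def sample_encrypted_data(ski_text: str) -> str:
    """Constructed EncryptedData shaped like xmlsec's output for the template in
    the thread; certificate and cipher values are base64 placeholders."""
    return f"""<xenc:EncryptedData xmlns:xenc="{XENC_NS}" xmlns:ds="{DS_NS}"
    Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <ds:KeyInfo>
        <ds:KeyName>recipient-key</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>Y29uc3RydWN0ZWQtY2VydA==</ds:X509Certificate>
          <ds:X509SKI>{ski_text}</ds:X509SKI>
        </ds:X509Data>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQta2V5</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQtZGF0YQ==</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""


def ski_to_security_token_reference(enc_key: ET.Element) -> ET.Element:
    """Replace EncryptedKey/KeyInfo/X509Data with a SecurityTokenReference whose
    KeyIdentifier carries the X509SKI text. Both elements hold the base64 of the
    raw SubjectKeyIdentifier octets, so the text is copied verbatim."""
    key_info = enc_key.find(f"{{{DS_NS}}}KeyInfo")
    x509_data = key_info.find(f"{{{DS_NS}}}X509Data") if key_info is not None else None
    if x509_data is None:
        raise MissingSkiError("EncryptedKey has no KeyInfo/X509Data")
    ski_node = x509_data.find(f"{{{DS_NS}}}X509SKI")
    ski_text = (ski_node.text or "").strip() if ski_node is not None else ""
    if not ski_text:
        # The symptom from the thread: the template node survived but xmlsec wrote
        # nothing into it. An empty KeyIdentifier would only move the failure to
        # the recipient, so stop here instead.
        raise MissingSkiError("X509SKI is empty; no certificate data was written")
    try:
        raw = base64.b64decode(ski_text, validate=True)
    except binascii.Error as exc:
        raise MissingSkiError(f"X509SKI is not valid base64: {exc}") from exc
    if not raw:
        raise MissingSkiError("X509SKI decodes to zero bytes")

    str_node = ET.Element(f"{{{WSSE_NS}}}SecurityTokenReference")
    key_id = ET.SubElement(str_node, f"{{{WSSE_NS}}}KeyIdentifier",
                           {"ValueType": SKI_VALUE_TYPE, "EncodingType": B64_ENCODING_TYPE})
    key_id.text = ski_text
    # Unlink X509Data and put the token reference in its place.
    position = list(key_info).index(x509_data)
    key_info.remove(x509_data)
    key_info.insert(position, str_node)
    return str_node


def attach_key_identifier(xml_text: str) -> str:
    """Rewrite every EncryptedKey in a serialized EncryptedData and return it."""
    root = ET.fromstring(xml_text)
    enc_keys = root.findall(f".//{{{XENC_NS}}}EncryptedKey")
    if not enc_keys:
        raise MissingSkiError("document contains no EncryptedKey")
    for enc_key in enc_keys:
        ski_to_security_token_reference(enc_key)
    return ET.tostring(root, encoding="unicode")


def inspect_key_identifier(xml_text: str):
    """(text, ValueType, EncodingType, x509data_still_present) of the first
    KeyIdentifier, or None when there is none; used to check the result."""
    root = ET.fromstring(xml_text)
    key_id = root.find(f".//{{{WSSE_NS}}}KeyIdentifier")
    if key_id is None:
        return None
    leftover = root.find(f".//{{{DS_NS}}}X509Data") is not None
    return (key_id.text, key_id.get("ValueType"), key_id.get("EncodingType"), leftover)


if __name__ == "__main__":
    print(attach_key_identifier(sample_encrypted_data(constructed_ski_b64())))
    try:
        attach_key_identifier(sample_encrypted_data(""))
    except MissingSkiError as err:
        print("rejected empty X509Data:", err)
```

<p><font size=2 face="sans-serif">attach_key_identifier is the entry point for a serialized EncryptedData string; running the module prints the rewritten document for the constructed sample and then the rejection of the empty X509Data case. Because the X509SKI value and a Base64Binary X509SubjectKeyIdentifier are the same base64 octets, no re-encoding takes place; the base64 check only guards against copying garbage into the header.</font></p>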
<br>