[xmlsec] Encrypt and sign with one template file
Samuel.Lavitt at tectia.com
Samuel.Lavitt at tectia.com
Tue Sep 6 01:18:37 PDT 2011
I am working on a case where we wish to take a xml message, encrypt it, sign the encrypted form, and then send that to a server over HTTP. Obviously XMLSec seems the right tool for the job. I am, unfortunately, rather inexperienced with XML, and I am running into issues trying to make a combined encryption/signing template, but everything I try seems to fail.
Working from various samples, I think what I want to do is use a template like:
<?xml version="1.0" encoding="UTF-8"?>
<xml>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName/>
</KeyInfo>
<CipherData>
<CipherValue/>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue/>
</CipherData>
</EncryptedData>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue/>
</Reference>
</SignedInfo>
<SignatureValue/>
<KeyInfo>
<X509Data>
<X509SubjectName/>
<X509IssuerSerial/>
<X509Certificate/>
</X509Data>
<KeyValue/>
</KeyInfo>
</Signature>
</xml>
And I think it should leave everything for the signature untouched, unfortunately the output I get after I run "xmlsec1 encrypt --pubkey-pem ServerKeys/pubkey.pem --session-key des-192 --xml-data ClientRequest.xml --output ClientEncrypted.xml EncryptionTemplate.xml" is missing the signature block and <xml> at the top and bottom.
Currently I have been working around this manually, I have the following working encryption template:
<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName/>
</KeyInfo>
<CipherData>
<CipherValue/>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue/>
</CipherData>
</EncryptedData>
I follow this with adding <Project> above the encrypted data, and attaching the rest of the signature message after it:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm=
"http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm=
"http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue />
<KeyInfo>
<X509Data >
<X509SubjectName/>
<X509IssuerSerial/>
<X509Certificate/>
</X509Data>
<KeyValue />
</KeyInfo>
</Signature>
</Project>
This appears to work, but I am sure there is a cleaner way.
Thanks in advance for any advice or pointing out whatever error it is I am making.
Sam Lavitt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20110906/57a769f9/attachment.html>
More information about the xmlsec
mailing list