[xmlsec] Encrypt and sign with one template file

Aleksey Sanin aleksey at aleksey.com
Tue Sep 6 11:35:23 PDT 2011


You really don't want to put two templates in the same file, because
you are encrypting the element and the encryption template specifies
just this element.

Aleksey


On 9/6/11 1:18 AM, Samuel.Lavitt at tectia.com wrote:
>
> I am working on a case where we wish to take an XML message, encrypt 
> it, sign the encrypted form, and then send that to a server over 
> HTTP.  Obviously XMLSec seems the right tool for the job.  I am, 
> unfortunately, rather inexperienced with XML, and I am running into 
> issues trying to make a combined encryption/signing template, but 
> everything I try seems to fail.
>
> Working from various samples, I think what I want to do is use a 
> template like:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <xml>
>   <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
>                  Type="http://www.w3.org/2001/04/xmlenc#Element">
>     <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>       <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
>         <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <KeyName/>
>         </KeyInfo>
>         <CipherData>
>           <CipherValue/>
>         </CipherData>
>       </EncryptedKey>
>     </KeyInfo>
>     <CipherData>
>       <CipherValue/>
>     </CipherData>
>   </EncryptedData>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <Reference URI="">
>         <Transforms>
>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         </Transforms>
>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <DigestValue/>
>       </Reference>
>     </SignedInfo>
>     <SignatureValue/>
>     <KeyInfo>
>       <X509Data>
>         <X509SubjectName/>
>         <X509IssuerSerial/>
>         <X509Certificate/>
>       </X509Data>
>       <KeyValue/>
>     </KeyInfo>
>   </Signature>
> </xml>
>
> And I think it should leave everything for the signature untouched; 
> unfortunately, the output I get after I run "xmlsec1 encrypt 
> --pubkey-pem ServerKeys/pubkey.pem --session-key des-192 --xml-data 
> ClientRequest.xml --output ClientEncrypted.xml EncryptionTemplate.xml" 
> is missing the signature block and the <xml> at the top and bottom.
>
> Currently I have been working around this manually, I have the 
> following working encryption template:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
>                Type="http://www.w3.org/2001/04/xmlenc#Element">
>   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
>       <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <KeyName/>
>       </KeyInfo>
>       <CipherData>
>         <CipherValue/>
>       </CipherData>
>     </EncryptedKey>
>   </KeyInfo>
>   <CipherData>
>     <CipherValue/>
>   </CipherData>
> </EncryptedData>
>
> I follow this with adding <Project> above the encrypted data, and 
> attaching the rest of the signature message after it:
>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <SignedInfo>
>     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     <Reference URI="">
>       <Transforms>
>         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>       </Transforms>
>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <DigestValue></DigestValue>
>     </Reference>
>   </SignedInfo>
>   <SignatureValue/>
>   <KeyInfo>
>     <X509Data>
>       <X509SubjectName/>
>       <X509IssuerSerial/>
>       <X509Certificate/>
>     </X509Data>
>     <KeyValue/>
>   </KeyInfo>
> </Signature>
> </Project>
>
> This appears to work, but I am sure there is a cleaner way.
>
> Thanks in advance for any advice or pointing out whatever error it is 
> I am making.
>
> Sam Lavitt
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20110906/071aae4c/attachment-0001.html>
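The two-step workflow Aleksey's answer implies (encrypt with one template, then sign with a separate template wrapped around the encrypted output), as an added example that is not code from the thread or from the xmlsec project. It automates the manual <Project> wrapping Sam describes using only the Python standard library, adds a pre-flight check that the Signature's Reference actually covers the EncryptedData (URI="" plus the enveloped-signature transform), and calls xmlsec1 with the thread's own encrypt command line. The key file names, the "key.pem,cert.pem" form of --privkey-pem (which also loads the certificate so xmlsec1 can fill <X509Certificate/>), the SignTemplate.xml/ClientSigned.xml file names and the RECOMMENDED algorithm set are assumptions; the thread's algorithms are kept as LEGACY. The sample encrypted output is constructed with dummy cipher values so the assembly step can be exercised without xmlsec1 installed.

```python
"""Encrypt-then-sign with xmlsec1: one template per step, assembled in code."""
import shutil
import subprocess
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)

# LEGACY is the thread's algorithm set; RECOMMENDED is the xmlsec1-supported
# replacement (PKCS#1 v1.5 key transport has known padding-oracle attacks,
# SHA-1 signatures are deprecated). Assumption: the recipient accepts these.
LEGACY = dict(data=XENC + "tripledes-cbc", keywrap=XENC + "rsa-1_5",
              session_key="des-192", sig=DS + "rsa-sha1", digest=DS + "sha1")
RECOMMENDED = dict(data=XENC + "aes256-cbc", keywrap=XENC + "rsa-oaep-mgf1p",
                   session_key="aes-256", digest=XENC + "sha256",
                   sig="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")

# Constructed stand-in for what `xmlsec1 encrypt --xml-data` writes (dummy values).
SAMPLE_ENCRYPTED_OUTPUT = """<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>server</KeyName></KeyInfo>
<CipherData><CipherValue>c2Vzc2lvbi1rZXk=</CipherValue></CipherData>
</EncryptedKey></KeyInfo>
<CipherData><CipherValue>Y2lwaGVydGV4dA==</CipherValue></CipherData>
</EncryptedData>"""

def encryption_template(algs=RECOMMENDED):
    """Step-1 template: a fresh session key encrypts the element, the recipient's
    RSA public key (--pubkey-pem) wraps the session key."""
    ed = ET.Element(f"{{{XENC}}}EncryptedData", Type=XENC + "Element")
    ET.SubElement(ed, f"{{{XENC}}}EncryptionMethod", Algorithm=algs["data"])
    ek = ET.SubElement(ET.SubElement(ed, f"{{{DS}}}KeyInfo"), f"{{{XENC}}}EncryptedKey")
    ET.SubElement(ek, f"{{{XENC}}}EncryptionMethod", Algorithm=algs["keywrap"])
    ET.SubElement(ET.SubElement(ek, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName")
    for parent in (ek, ed):  # xmlsec1 fills in both CipherValues
        ET.SubElement(ET.SubElement(parent, f"{{{XENC}}}CipherData"), f"{{{XENC}}}CipherValue")
    return ET.tostring(ed, encoding="unicode")

def signing_template_around(encrypted_xml, algs=RECOMMENDED, root_tag="Project"):
    """Step-2 template: wrap the step-1 output in <root_tag> and add an enveloped
    Signature. Reference URI="" plus the enveloped-signature transform makes the
    digest cover the whole document (ciphertext and wrapped key): encrypt, then sign."""
    enc = ET.fromstring(encrypted_xml)
    if enc.tag != f"{{{XENC}}}EncryptedData":
        raise ValueError(f"expected xenc:EncryptedData at the root, got {enc.tag}")
    root = ET.Element(root_tag)
    root.append(enc)
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod",
                  Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=algs["sig"])
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="")
    ET.SubElement(ET.SubElement(ref, f"{{{DS}}}Transforms"), f"{{{DS}}}Transform",
                  Algorithm=DS + "enveloped-signature")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=algs["digest"])
    ET.SubElement(ref, f"{{{DS}}}DigestValue")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue")
    x509 = ET.SubElement(ET.SubElement(sig, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate")  # xmlsec1 fills from the signing cert
    return ET.tostring(root, encoding="unicode")

def check_signing_template(doc_xml):
    """Pre-flight check: exactly one EncryptedData and one Signature whose single
    Reference is URI="" with the enveloped transform; anything else signs the wrong thing."""
    root = ET.fromstring(doc_xml)
    sigs = root.findall(f"{{{DS}}}Signature")
    if len(root.findall(f"{{{XENC}}}EncryptedData")) != 1 or len(sigs) != 1:
        return False
    refs = sigs[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1 or refs[0].get("URI") != "":
        return False
    return any(t.get("Algorithm") == DS + "enveloped-signature"
               for t in refs[0].iter(f"{{{DS}}}Transform"))

def encrypt_then_sign(pubkey_pem, privkey_pem, plaintext="ClientRequest.xml",
                      algs=RECOMMENDED):
    """Both xmlsec1 steps in the current directory; returns the signed document, or
    None when xmlsec1 is not on PATH. Pass privkey_pem as "key.pem,cert.pem" so
    xmlsec1 also loads the certificate for <X509Certificate/>. Key files are assumed."""
    if shutil.which("xmlsec1") is None:
        return None
    with open("EncryptionTemplate.xml", "w") as f:
        f.write(encryption_template(algs))
    subprocess.run(["xmlsec1", "encrypt", "--pubkey-pem", pubkey_pem,  # step 1
                    "--session-key", algs["session_key"], "--xml-data", plaintext,
                    "--output", "ClientEncrypted.xml", "EncryptionTemplate.xml"], check=True)
    with open("ClientEncrypted.xml") as f:
        doc = signing_template_around(f.read(), algs)
    if not check_signing_template(doc):
        raise RuntimeError("signing template does not cover the ciphertext")
    with open("SignTemplate.xml", "w") as f:
        f.write(doc)
    subprocess.run(["xmlsec1", "sign", "--privkey-pem", privkey_pem,  # step 2
                    "--output", "ClientSigned.xml", "SignTemplate.xml"], check=True)
    with open("ClientSigned.xml") as f:
        return f.read()
```

Run it as encrypt_then_sign("ServerKeys/pubkey.pem", "ClientKeys/key.pem,ClientKeys/cert.pem") once the key files exist. The output carries xenc:/ds: prefixes rather than default namespaces; XML Signature and Encryption processors, xmlsec1 included, compare namespace URIs, not prefixes, so the receiver sees the same document. The check function is the part worth keeping even if the templates are edited by hand: a Reference that names anything other than the whole document would leave the ciphertext unsigned.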

