[xmlsec] Missing encryptedkey?

Aleksey Sanin aleksey at aleksey.com
Sun Jun 10 17:51:02 PDT 2012


Roland,

I am not 100% sure what is going on with your template. I know that the
tests in the tests folder pass and I am pretty sure that this particular
scenario works. I would suggest you start from running the xmlsec unit
tests. In the log file you will find the exact commands used, and then you
can start modifying the command step by step to get what you need.

Best,

Aleksey

On 6/10/12 12:15 PM, Roland Hedberg wrote:
> Sorry to bother you again Aleksey,
> but there are things in the encryption process I just don't understand.
> 
> 10 jun 2012 kl. 02:08 skrev Aleksey Sanin:
> 
>> You need to use KW transform. Take a look at
>>
>> tests/merlin-xmlenc-five/encrypt-element-tripledes-cbc-kw-aes128.tmpl
> 
> But enc-element-3des-kw-3des.tmpl also used KW transform, right?
> 
> Obviously, there is something here I don't understand.
> 
> This is how I have reasoned:
> 
> Let's say I have a RSA key-pair and I want to use a des-192 key as the session key.
> 
> The template would then be something like tests/01-phaos-xmlenc-3/enc-element-3des-kt-rsa1_5.tmpl .
> Except for the fact that I have the RSA key in a PEM file instead of in a key-file (as in keys.xml).
> So, I modified the template file to be:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <EncryptedData Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
>     <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
>         <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         </ds:KeyInfo>
>         <CipherData>
>           <CipherValue>
>           </CipherValue>
>         </CipherData>
>         <ReferenceList>
>           <DataReference URI="#ED"/>
>         </ReferenceList>
>       </EncryptedKey>
>     </ds:KeyInfo>
>     <CipherData>
>       <CipherValue>
>       </CipherValue>
>     </CipherData>
> </EncryptedData>
> 
> Right so far?
> 
> On to the command line, here I get:
> 
> xmlsec1 encrypt --privkey-pem mykey.pem \
>     --session-key des-192 --xml-data pre.xml \
>     --node-xpath '/*[local-name()="Response"]/*[local-name()="Assertion"]/*[local-name()="Subject"]/*[local-name()="EncryptedID"]/text()' \
>     enc-element-3des-kt-rsa1_5_mod.tmpl 
> 
> Now, the result I expected of this is that xmlsec would construct a 3des session key, encrypt the
> value of the specified element and place that value in the EncryptedData/CipherData/CipherValue element.
> 
> In the EncryptedKey/CipherData/CipherValue element I would expect to find the 3des session key encrypted with the RSA key.
> 
> But this doesn't happen.
> What happens is that the whole <KeyInfo> element in the template doesn't appear in the output.
> I do get something in the EncryptedData/CipherData/CipherValue element, but I don't know which key was used to create that value.
> 
> So, isn't it possible to do what I want with xmlsec?
> If it is, where did I go wrong?
> 
> -- Roland
> ------------------------------------------------------
> Roland Hedberg
> IT Architect/Senior Researcher
> ICT Services and System Development (ITS) 
> Umeå University 
> SE-901 87 Umeå, Sweden	
> Phone +46 90 786 68 44
> Mobile +46 70 696 68 44 
> www.its.umu.se 
> 
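The outcome Roland expected has two halves: the wrapped 3DES session key in EncryptedKey/CipherData/CipherValue, and the element ciphertext in EncryptedData/CipherData/CipherValue, tied together by the DataReference. The check below is an added example, not code from this thread or from the xmlsec project; it does not run xmlsec1 but inspects the document xmlsec1 writes and reports whether that key-transport structure survived, which is how the "whole KeyInfo element disappeared" symptom would be caught in a build or deployment pipeline. It assumes the standard xenc/ds namespaces used in the template above, and both sample documents are constructed by hand: one with the expected structure, one with KeyInfo dropped as described in the post. It treats rsa-1_5 as the expected key-transport algorithm only because the template names it; later XML Encryption guidance (1.1) discourages RSA-1.5 key transport in favour of RSA-OAEP, so a production check would usually pass a different expected_key_alg.

```python
"""Structural check for an XML Encryption result produced from an EncryptedKey
template (added example; not part of the xmlsec project or this thread)."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns, tag):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def check_encrypted_data(xml_text,
                         expected_data_alg=XENC + "tripledes-cbc",
                         expected_key_alg=XENC + "rsa-1_5"):
    """Return a list of problems found; an empty list means the document carries
    both the element ciphertext and the wrapped session key as the template asks."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != _q(XENC, "EncryptedData"):
        return ["root element is not xenc:EncryptedData"]
    data_id = root.get("Id")

    em = root.find(_q(XENC, "EncryptionMethod"))
    if em is None or em.get("Algorithm") != expected_data_alg:
        problems.append("EncryptedData/EncryptionMethod is missing or not %s" % expected_data_alg)

    cv = root.find("%s/%s" % (_q(XENC, "CipherData"), _q(XENC, "CipherValue")))
    if cv is None or not (cv.text or "").strip():
        problems.append("EncryptedData/CipherData/CipherValue is empty")

    # Key-transport half: without ds:KeyInfo/xenc:EncryptedKey the recipient has no
    # wrapped session key, and the ciphertext cannot be tied to any key at all.
    ek = root.find("%s/%s" % (_q(DS, "KeyInfo"), _q(XENC, "EncryptedKey")))
    if ek is None:
        problems.append("ds:KeyInfo/xenc:EncryptedKey is missing (session key not transported)")
        return problems

    kem = ek.find(_q(XENC, "EncryptionMethod"))
    if kem is None or kem.get("Algorithm") != expected_key_alg:
        problems.append("EncryptedKey/EncryptionMethod is missing or not %s" % expected_key_alg)

    kcv = ek.find("%s/%s" % (_q(XENC, "CipherData"), _q(XENC, "CipherValue")))
    if kcv is None or not (kcv.text or "").strip():
        problems.append("EncryptedKey/CipherData/CipherValue is empty (no wrapped session key)")

    refs = [r.get("URI") for r in ek.iter(_q(XENC, "DataReference"))]
    if data_id and ("#" + data_id) not in refs:
        problems.append("EncryptedKey/ReferenceList does not reference #%s" % data_id)
    return problems


# Constructed sample: the structure the template asks for, with placeholder
# base64 values standing in for real xmlsec1 output.
GOOD_OUTPUT = """<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Element"
               xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey Id="EK">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <CipherData><CipherValue>WRAPPED-KEY-PLACEHOLDER</CipherValue></CipherData>
      <ReferenceList><DataReference URI="#ED"/></ReferenceList>
    </EncryptedKey>
  </ds:KeyInfo>
  <CipherData><CipherValue>CIPHERTEXT-PLACEHOLDER</CipherValue></CipherData>
</EncryptedData>"""

# Constructed sample: the failure described in the post, KeyInfo dropped entirely.
MISSING_KEYINFO_OUTPUT = """<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Element"
               xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <CipherData><CipherValue>CIPHERTEXT-PLACEHOLDER</CipherValue></CipherData>
</EncryptedData>"""


if __name__ == "__main__":
    for name, doc in (("good", GOOD_OUTPUT), ("missing-keyinfo", MISSING_KEYINFO_OUTPUT)):
        print(name, check_encrypted_data(doc) or "OK")
```

In practice the document passed to check_encrypted_data would be the file xmlsec1 encrypt wrote (or the EncryptedData node cut out of the larger SAML response with --node-xpath), and a non-empty problem list is the signal to go back to the template and the key-loading options before anything is sent to a recipient.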
