List: xml-security-dev
Subject: Re: Is the sample program for XML encryption ok?
From: Gary Tse <gary.garytse () gmail ! com>
Date: 2009-02-20 8:38:04
Message-ID: 4557d9290902200038p3a1e295cobb28bf5424f5c194 () mail ! gmail ! com
Dear gurus,
I'm getting confused at this point about the KeyInfo and EncryptedKey. I
have an XML to be encrypted by an AES session key, which is then wrapped by RSA.
Which of the formats should I use, or do you have any other suggestions?
Format 1 (certificate placed at 1st layer of KeyInfo,
EncryptedData/KeyInfo/X509Data):
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedKey>
    <ds:X509Data>
      <!--Cert for key-wrapping-->
      <ds:X509Certificate>
        MIIC...
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
  <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>
Format 2 (certificate placed under
EncryptedData/EncryptedKey/KeyInfo/X509Data):
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></xenc:EncryptionMethod>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
      <ds:KeyInfo>
        <ds:X509Data>
          <!--Cert for key-wrapping-->
          <ds:X509Certificate>
            MIIC...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>...</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>
Thanks in advance,
Gary
On Wed, Feb 18, 2009 at 10:51 PM, Sean Mullan <Sean.Mullan@sun.com> wrote:
> Gary Tse wrote:
>
>> Dear gurus,
>>
>> I'm working with the Apache XML security 1.4.2 (Java version) and suspect
>> a problem in the sample.
>>
>> This sample is supplied with the 1.4.2 package:
>>
>> <xml-security-1_4_2>/src_samples/org/apache/xml/security/samples/encryption/Encrypter.java
>>
>> The sample runs fine and produced this (and the key-encryption-key file
>> kek):
>> <apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1">
>>   <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>       Type="http://www.w3.org/2001/04/xmlenc#Content">
>>     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
>>         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
>>     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-tripledes"
>>             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
>>         <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>           <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">YD/20hNbr8wNAGCJRxg+IqQaJF2I+pahDknGvmVAC3I=</xenc:CipherValue>
>>         </xenc:CipherData>
>>       </xenc:EncryptedKey>
>>     </ds:KeyInfo>
>>     <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>       <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">mblZKJ25HspqQopvfwUELnbE1hqrKDt54N849eksaQBMZZ4FgWf+N4HYTyA87GLh0m+bZSt3JtlX
>> GWmPx395ZyGVGEaz3Ic7LoBK+65DSjkmWqKGt1XHSuqpSOK3UKdB4skLqnv7Ji48tmpyHF513Q==</xenc:CipherValue>
>>     </xenc:CipherData>
>>   </xenc:EncryptedData>
>> </apache:RootElement>
>>
>>
>> In the XML encryption spec, link here:
>>
>> http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Extensions-to-KeyInfo
>>
>> "The EncryptedData or EncryptedKey element specify the associated
>> keying material via a child of ds:KeyInfo. All of the child elements of
>> ds:KeyInfo specified in [XML-DSIG
>> <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#ref-XML-DSIG>]
>> MAY be used as qualified:"
>>
>> From the XML spec, does it mean that an extra <ds:KeyInfo> should be
>> placed in the <xenc:EncryptedKey> element to provide information about the
>> encrypted key? If so, sample code might need updating.
>>
>
> It's not mandatory, but something to help identify the key would be useful,
> for example:
>
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
> <ds:KeyName>Key XXX</ds:KeyName>
> </ds:KeyInfo>
> ...
>
> Keep in mind these are just samples and you should modify or adapt them to
> your specific requirements.
>
> Thanks,
> Sean
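The three layouts that come up in this thread (the 1.4.2 sample output with no KeyInfo inside EncryptedKey, Gary's Format 1 with X509Data as a sibling of EncryptedKey, and Format 2 with X509Data inside EncryptedKey/KeyInfo, which is also the slot Sean's KeyName suggestion uses), as an added example that is not part of the mailing-list messages or of the Apache XML Security code base. It uses only the Python standard library, performs no cryptography (the base64 values are constructed placeholders), and the function names `build_encrypted_data` and `describe_key_wrapping` are this example's own. The point it shows is why Format 2 is the unambiguous choice: per the spec, the KeyInfo that is a child of EncryptedData describes the key that decrypts EncryptedData's own CipherData, while the KeyInfo that is a child of EncryptedKey describes the key-encryption key, so a decryptor can only resolve the wrapping key without guessing when the hint sits inside EncryptedKey.

```python
"""Added example: where the key-encryption key (KEK) is identified in XML Encryption.

Not code from the thread or from Apache XML Security. It lays out the
Format 2 structure with the standard library only and, for any EncryptedData
element, reports how a decryptor would find the key that unwraps the
EncryptedKey. No cryptography is performed; the base64 values are placeholders.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xenc": XENC, "ds": DS}
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)


def build_encrypted_data(data_alg, wrap_alg, kek_name, wrapped_key_b64, ciphertext_b64):
    """Emit Format 2: EncryptedData/KeyInfo/EncryptedKey/KeyInfo/KeyName.

    Callers pass in already-wrapped and already-encrypted base64 values; this
    function only decides the document layout.
    """
    enc_data = ET.Element(f"{{{XENC}}}EncryptedData", {"Type": XENC + "Content"})
    ET.SubElement(enc_data, f"{{{XENC}}}EncryptionMethod", {"Algorithm": data_alg})
    outer_ki = ET.SubElement(enc_data, f"{{{DS}}}KeyInfo")
    enc_key = ET.SubElement(outer_ki, f"{{{XENC}}}EncryptedKey")
    ET.SubElement(enc_key, f"{{{XENC}}}EncryptionMethod", {"Algorithm": wrap_alg})
    # The KeyInfo *inside* EncryptedKey names the key-encryption key (KEK).
    inner_ki = ET.SubElement(enc_key, f"{{{DS}}}KeyInfo")
    ET.SubElement(inner_ki, f"{{{DS}}}KeyName").text = kek_name
    cd = ET.SubElement(enc_key, f"{{{XENC}}}CipherData")
    ET.SubElement(cd, f"{{{XENC}}}CipherValue").text = wrapped_key_b64
    cd = ET.SubElement(enc_data, f"{{{XENC}}}CipherData")
    ET.SubElement(cd, f"{{{XENC}}}CipherValue").text = ciphertext_b64
    return ET.tostring(enc_data, encoding="unicode")


def _identifier(keyinfo):
    """Return ("KeyName", value) or ("X509Certificate", base64) from a KeyInfo, else None."""
    if keyinfo is None:
        return None
    name = keyinfo.find("ds:KeyName", NS)
    if name is not None and name.text:
        return ("KeyName", name.text.strip())
    cert = keyinfo.find("ds:X509Data/ds:X509Certificate", NS)
    if cert is not None and cert.text:
        return ("X509Certificate", "".join(cert.text.split()))
    return None


def describe_key_wrapping(encrypted_data_xml):
    """Report the algorithms and how the KEK is identified for one EncryptedData."""
    root = ET.fromstring(encrypted_data_xml)
    if root.tag != f"{{{XENC}}}EncryptedData":
        raise ValueError("root element must be xenc:EncryptedData")
    data_method = root.find("xenc:EncryptionMethod", NS)
    result = {
        "data_algorithm": data_method.get("Algorithm") if data_method is not None else None,
        "key_wrap_algorithm": None,
        "kek_identified_by": None,  # None: the decryptor needs out-of-band knowledge of the KEK
        "kek_identifier": None,
        "ambiguous": False,         # True when the only hint is a sibling of EncryptedKey
    }
    outer_ki = root.find("ds:KeyInfo", NS)
    enc_key = outer_ki.find("xenc:EncryptedKey", NS) if outer_ki is not None else None
    if enc_key is None:
        return result
    wrap_method = enc_key.find("xenc:EncryptionMethod", NS)
    if wrap_method is not None:
        result["key_wrap_algorithm"] = wrap_method.get("Algorithm")
    # Format 2 (and the KeyName variant): the hint lives inside EncryptedKey.
    ident = _identifier(enc_key.find("ds:KeyInfo", NS))
    if ident is None:
        # Format 1: the hint is a sibling of EncryptedKey. By the spec that outer
        # KeyInfo describes the key for EncryptedData itself, so this is a guess.
        ident = _identifier(outer_ki)
        result["ambiguous"] = ident is not None
    if ident is not None:
        result["kek_identified_by"], result["kek_identifier"] = ident
    return result


# Constructed inputs modelled on the three layouts in the thread (placeholder base64).
_CERT = "<ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data>"
_TEMPLATE = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      {inner}
      <xenc:CipherData><xenc:CipherValue>WRAPPED-KEY-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
    {outer}
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""
FORMAT1 = _TEMPLATE.format(inner="", outer=_CERT)                                 # cert beside EncryptedKey
FORMAT2 = _TEMPLATE.format(inner=f"<ds:KeyInfo>{_CERT}</ds:KeyInfo>", outer="")   # cert inside EncryptedKey
SAMPLE_1_4_2 = (_TEMPLATE.format(inner="", outer="")                              # the sample's layout: no hint
                .replace("aes256-cbc", "aes128-cbc").replace("rsa-oaep-mgf1p", "kw-tripledes"))

if __name__ == "__main__":
    for label, doc in ("1.4.2 sample", SAMPLE_1_4_2), ("Format 1", FORMAT1), ("Format 2", FORMAT2):
        print(label, describe_key_wrapping(doc))
    print(build_encrypted_data(XENC + "aes256-cbc", XENC + "rsa-oaep-mgf1p", "kek-2009", "AAAA", "BBBB"))
```

Run stand-alone, the script reports the 1.4.2 sample as having no KEK hint at all, Format 1 as identifying the KEK only ambiguously (the certificate is technically attached to the session key), and Format 2 as identifying it cleanly; the document produced by `build_encrypted_data` resolves the same way as Format 2, with a KeyName in place of the certificate.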