Hi,

I'm trying to construct a generic encryption format based on OCF:
http://www.idpf.org/epub/30/spec/epub30-ocf.html#sec-container-metainf-encryption.xml
Besides needing to encrypt multiple files (within the ZIP), I also want to express multiple recipients. Each recipient has its own X.509 certificate, so the same AES content key is wrapped separately for each recipient's certificate. It is not entirely clear from the XML Encryption specification how to express this.
What I came up with so far is the structure as shown below.
Is this the correct way to express what I'm looking for?
In particular, I am not sure whether the right approach is multiple ds:RetrievalMethod elements within the ds:KeyInfo of each xenc:EncryptedData.


Kind Regards,
Frank.


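<?xml version="1.0" encoding="UTF-8"?>
<!--
  OCF META-INF/encryption.xml: one content-encryption key (CEK) is wrapped
  once per recipient (one xenc:EncryptedKey each) and then reused for every
  encrypted file in the container (one xenc:EncryptedData each).

  Fixes relative to the draft this was derived from:
    * stray ';' after namespace declarations made the document ill-formed;
    * the MGF Algorithm URI had a leading space inside the attribute value,
      which implementations compare literally and would not recognise;
    * namespaces are declared once on the root instead of per element;
    * 'standalone' dropped - it has no meaning for a DTD-less file.

  NOTE(review): nothing in this file is integrity-protected. Anyone who can
  rewrite it can re-point CipherReference URIs, swap an EncryptionMethod
  (e.g. to a non-AEAD mode) or drop recipients. Either sign it (OCF
  META-INF/signatures.xml) or have consumers pin the expected algorithm URIs
  and reject anything else rather than trusting what the document says.
-->
<encryption xmlns="urn:oasis:names:tc:opendocument:xmlns:container"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
            xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

  <!-- Recipient 1: the CEK wrapped with this recipient's RSA public key.
       KeyInfo names the recipient certificate so a decryptor can pick the
       EncryptedKey matching a private key it holds. The optional
       Recipient="..." attribute of EncryptedKey is only a hint; the
       certificate is the real selector.
       RSA-OAEP with SHA-512 / MGF1-SHA512 costs 2*64+2 = 130 bytes of
       overhead, so wrapping a 32-byte AES-256 key needs a modulus of at
       least 162 bytes - i.e. RSA-2048 or larger (1024-bit keys will fail). -->
  <xenc:EncryptedKey Id="EK1">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
      <!-- no whitespace inside the URI: the value is matched literally -->
      <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha512"/>
    </xenc:EncryptionMethod>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
            ...
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>

  <!-- Recipient 2: the same CEK, wrapped under the second certificate.
       Every EncryptedKey must carry a unique Id (an NCName) because the
       EncryptedData elements below reference them by fragment. -->
  <xenc:EncryptedKey Id="EK2">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
      <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha512"/>
    </xenc:EncryptionMethod>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
            ...
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>

  <!-- file1.txt, encrypted with the CEK under AES-256-GCM.
       ds:KeyInfo allows several RetrievalMethod children; each one here is
       an alternative wrapped copy of the SAME CEK, and a decryptor uses
       whichever EncryptedKey it can unwrap.
       NOTE(review): because one CEK covers several files, each file's
       ciphertext must start with its own unique 96-bit IV (XMLEnc prefixes
       the IV to the cipher data). Reusing an IV under GCM breaks both
       confidentiality and the authentication key - generate them randomly
       or from a counter that is never reset for this CEK.
       Consumers should also reject CipherReference URIs that escape the
       container ("../", absolute paths) before resolving them. -->
  <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
    <ds:KeyInfo>
      <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK1"/>
      <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK2"/>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherReference URI="file1.txt"/>
    </xenc:CipherData>
  </xenc:EncryptedData>

  <!-- file2.txt: same CEK, same recipients, and a different IV. -->
  <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
    <ds:KeyInfo>
      <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK1"/>
      <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#EK2"/>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherReference URI="file2.txt"/>
    </xenc:CipherData>
  </xenc:EncryptedData>

</encryption>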
