I encrypted an XML document containing a <xenc:EncryptedKey> element and an <xenc:EncryptedData> element using Apache XML Security. I tried to decrypt it using the XSS4J library and I didn't succeed!!! The problem seems to occur when the secret key encapsulated in the <xenc:EncryptedKey> element is decrypted by the XSS4J library.

Doing some investigation, I found that the Apache XML Security library encrypts the secret key using the algorithm http://www.w3.org/2001/04/xmlenc#rsa-1_5 with the cipher 'RSA/ECB/PKCS1Padding', and that IBM XSS4J uses 'RSA/ECB/NoPadding'.

The W3C "XML Encryption Syntax and Processing" specification is not clear to me concerning the rsa-1_5 encryption algorithm. Is padding associated with rsa-1_5 encryption or not?

Who is right? The IBM XSS4J library or the Apache XML Security library?
I think it is a critical bug either in XSS4J or in Apache XML Security ... or am I wrong?
Thanks for your answer.
Regards.
Yvan Hess
Here is the encrypted XML (partial).
<edoc:data
xmlns:edoc="http://www.imtf.com/hypersuite/edoc/2.0/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptedKey
Id="Revision-1-Encryption-1-EncryptedKey-1">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo>
<ds:KeyName>SphinxTest</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>PMblWX1U9dQhiMTSMXsX9kO8Udg8Pii8XhrRmOKJ+HiuSZUEvsfBtDwFzoXjwnCdYb+LkqPxYZ8EzgQxbxObI1RrUdg6iy4R3T0d+/H/tK34cjm8itoqDDSkyod9/bOtqnEnv3AzAgkBFNCbR7NZ3N7i7gonjMAzes6wuNRCYsg=</xenc:CipherValue>
</xenc:CipherData>
<xenc:CarriedKeyName>secretKey</xenc:CarriedKeyName>
</xenc:EncryptedKey>
<xenc:EncryptedData
Id="Revision-1-Encryption-1-EncryptedData-1">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<ds:KeyInfo>
<ds:KeyName>secretKey</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherReference
URI="urn:hypersuite:534177D3-C0A8027601B4E829-57982AC1.txt"/>
</xenc:CipherData>
</xenc:EncryptedData>
</edoc:data>
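Editor's note, with an added example that is not part of the original post and is not code from Apache XML Security or XSS4J. XML Encryption defines the identifier http://www.w3.org/2001/04/xmlenc#rsa-1_5 as RSAES-PKCS1-v1_5 from RFC 2437, that is, RSA with PKCS#1 v1.5 "type 2" padding: the wrapped key K is first encoded as EM = 0x00 || 0x02 || PS || 0x00 || K (PS being at least eight random non-zero octets) and only then exponentiated. A decryptor that performs the bare modular exponentiation ("RSA/ECB/NoPadding") therefore recovers EM rather than K, which is the mismatch the post describes. The script below implements that encoding with textbook RSA in pure Python, wraps a constructed 24-byte triple-DES key the way an rsa-1_5 <xenc:EncryptedKey> producer does, and unwraps it both ways; it also decodes the post's own CipherValue to show the modulus size it implies. The 512-bit demonstration key and the random triple-DES key are assumptions of the example, not values from the post. One caveat a practitioner should keep in mind: a decryptor that lets a sender distinguish padding failures from other failures is a Bleichenbacher padding oracle, which is why the later XML Encryption 1.1 specification steers implementers away from rsa-1_5 towards rsa-oaep.

```python
"""rsa-1_5 (RSAES-PKCS1-v1_5) key wrapping versus raw RSA, pure Python.

Added example, not code from the original post, Apache XML Security or XSS4J.
Key size is a 512-bit demonstration value; far too small for real use.
"""
import base64
import random
import secrets

# <xenc:CipherValue> copied from the post's <xenc:EncryptedKey>.
CIPHERVALUE_FROM_POST = (
    "PMblWX1U9dQhiMTSMXsX9kO8Udg8Pii8XhrRmOKJ+HiuSZUEvsfBtDwFzoXjwnCd"
    "Yb+LkqPxYZ8EzgQxbxObI1RrUdg6iy4R3T0d+/H/tK34cjm8itoqDDSkyod9/bOt"
    "qnEnv3AzAgkBFNCbR7NZ3N7i7gonjMAzes6wuNRCYsg="
)


def ciphervalue_modulus_bits() -> int:
    """An RSA ciphertext is exactly as long as the modulus, so the
    CipherValue reveals the RSA key size the poster used."""
    return len(base64.b64decode(CIPHERVALUE_FROM_POST)) * 8


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin, adequate for generating a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits: int = 512, e: int = 65537):
    """Returns ((n, e), (n, d)); textbook RSA at demonstration size."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            return (n, e), (n, pow(e, -1, phi))


def eme_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """RFC 2437 EME-PKCS1-v1_5: EM = 00 || 02 || PS || 00 || M, len(EM) == k,
    PS = at least eight random NON-zero octets."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(message) - 3))
    return b"\x00\x02" + ps + b"\x00" + message


def eme_pkcs1_v15_decode(em: bytes) -> bytes:
    """Inverse of the encoding; rejects anything not of the 00 02 .. 00 form.
    Reporting *which* check failed to a remote sender creates a Bleichenbacher
    padding oracle; a production decryptor must not do that."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("decryption error")
    sep = em.find(b"\x00", 2)  # -1 when no separator at all
    if sep < 10:               # fewer than eight PS octets
        raise ValueError("decryption error")
    return em[sep + 1:]


def is_pkcs1_v15_block(em: bytes) -> bool:
    try:
        eme_pkcs1_v15_decode(em)
        return True
    except ValueError:
        return False


def _rsa(x: bytes, exp: int, n: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(x, "big"), exp, n).to_bytes(k, "big")


def encrypt_key_rsa_1_5(key: bytes, pub) -> bytes:
    """What an rsa-1_5 EncryptedKey producer does ('RSA/ECB/PKCS1Padding')."""
    n, e = pub
    return _rsa(eme_pkcs1_v15_encode(key, (n.bit_length() + 7) // 8), e, n)


def decrypt_key_nopadding(cipher: bytes, priv) -> bytes:
    """'RSA/ECB/NoPadding': bare exponentiation, returns EM rather than the key."""
    n, d = priv
    return _rsa(cipher, d, n)


def decrypt_key_rsa_1_5(cipher: bytes, priv) -> bytes:
    """'RSA/ECB/PKCS1Padding': the same exponentiation, then strip the padding."""
    return eme_pkcs1_v15_decode(decrypt_key_nopadding(cipher, priv))


def wrap_and_unwrap_demo() -> dict:
    """Wrap a constructed 24-byte triple-DES key, then unwrap it both ways."""
    pub, priv = generate_rsa_keypair()
    tdes_key = secrets.token_bytes(24)  # constructed; the post's key is unknown
    wrapped = encrypt_key_rsa_1_5(tdes_key, pub)
    return {
        "key": tdes_key,
        "wrapped": wrapped,
        "nopadding_output": decrypt_key_nopadding(wrapped, priv),
        "pkcs1_unwrapped": decrypt_key_rsa_1_5(wrapped, priv),
    }


if __name__ == "__main__":
    r = wrap_and_unwrap_demo()
    print("NoPadding returns   :", r["nopadding_output"].hex())
    print("PKCS1Padding returns:", r["pkcs1_unwrapped"].hex())
    print("post's CipherValue implies a", ciphervalue_modulus_bits(), "bit modulus")
```

Running it shows the NoPadding output as a 64-byte block beginning 00 02, with the 24-byte key sitting after the first 00 separator, while the PKCS1Padding path returns the key itself; the post's 128-byte CipherValue corresponds to a 1024-bit RSA modulus.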