Brent Putman wrote:
>
>
> I don't see how it could be getting the two KeyInfo's confused. All the
> Apache EncryptedData.getKeyInfo() does is return a data member, it
> doesn't do any searching or resolution.
>

> ........................

> Sound like you're trying to sign the EncryptedData itself?
>
> <xenc:EncryptedData>
>  <ds:Signature>...</ds:Signature>
> </xenc:EncryptedData>
>
>
> Note that you can't do that.   It's not schema valid, xenc:EncryptedData
> (actually xenc:EncryptedType) doesn't have an open content model, you
> can't just add arbitrary child elements.
>
> And even if it did, I'm still not seeing how the Apache EncryptedData
> would be pulling the KeyInfo out of the ds:Signature rather than its
> own immediate child.
>   

Just to follow up on my own post:  I actually do see now why that is
happening, if you are doing the above.  The factory code in XMLCipher
that unmarshals the EncryptedData DOM Element into the Apache
EncryptedData object uses Element#getElementsByTagNameNS  (which finds
*all* matching descendants, not just immediate children) and takes the
first one:

Element keyInfoElement =
    (Element) element.getElementsByTagNameNS(
        Constants.SignatureSpecNS, Constants._TAG_KEYINFO).item(0);


(Which might be a buggy way to do that in and of itself, since the
EncryptionMethod which order-wise precedes the real KeyInfo has an open
content model and might theoretically somehow have a ds:KeyInfo buried
in there somewhere....  Maybe should be fixed to iterate over the
immediate children only?)


So if you had a DOM tree something like:


<xenc:EncryptedData>

   <ds:Signature>
        <ds:KeyInfo>...</ds:KeyInfo>
   </ds:Signature>

   <ds:KeyInfo>
        <xenc:EncryptedKey>...</xenc:EncryptedKey>
   </ds:KeyInfo>

</xenc:EncryptedData>



It actually would find the Signature KeyInfo first (due to document
order)  and incorrectly set that one as the EncryptedData's KeyInfo
member.  And that would account for what you described.

But like I said:  you can't place the Signature there like that inside
the EncryptedData, it's not legal.

Hope that helps,
Brent
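The descendant-versus-child behaviour Brent describes can be reproduced without Santuario, because getElementsByTagNameNS is a W3C DOM Level 2 method and Python's xml.dom.minidom implements the same semantics. The example below is added here and is not code from the original post or from Apache XML Security: it builds the (schema-invalid) tree from the message as a constructed sample, shows that the descendant search returns the Signature's ds:KeyInfo first, and contrasts it with an immediate-children walk like the one the post suggests as a fix. The namespace URIs are the standard XML Signature and XML Encryption namespaces; the key names and cipher value are placeholders.

```python
import xml.dom.minidom as minidom

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample reproducing the layout from the post: a ds:Signature nested
# directly inside xenc:EncryptedData, ahead of the EncryptedData's own ds:KeyInfo.
# Key names and the CipherValue are placeholders, not real material.
SAMPLE_XML = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:Signature>
    <ds:KeyInfo><ds:KeyName>signing-key</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <ds:KeyInfo><ds:KeyName>kek</ds:KeyName></ds:KeyInfo>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>
"""


def load():
    """Parse the constructed sample and return the xenc:EncryptedData element."""
    return minidom.parseString(SAMPLE_XML).documentElement


def descendant_keyinfo(encrypted_data):
    """The pattern quoted from XMLCipher: the first ds:KeyInfo among ALL descendants,
    in document order. With a Signature nested first, that is the wrong KeyInfo."""
    nodes = encrypted_data.getElementsByTagNameNS(DS_NS, "KeyInfo")
    return nodes.item(0) if nodes.length else None


def child_keyinfo(encrypted_data):
    """The fix the post suggests: look only at immediate element children, so a
    ds:KeyInfo buried inside Signature, EncryptionMethod or EncryptedKey is ignored."""
    for child in encrypted_data.childNodes:
        if (child.nodeType == child.ELEMENT_NODE
                and child.namespaceURI == DS_NS
                and child.localName == "KeyInfo"):
            return child
    return None


def describe(keyinfo):
    """Return (local name of the parent element, first ds:KeyName text) so the two
    lookups can be compared; the KeyName search is itself descendant-based."""
    parent = keyinfo.parentNode.localName
    name = keyinfo.getElementsByTagNameNS(DS_NS, "KeyName")[0].firstChild.data
    return parent, name


if __name__ == "__main__":
    root = load()
    print("descendant search picks KeyInfo under:", describe(descendant_keyinfo(root)))
    print("immediate-child walk picks KeyInfo under:", describe(child_keyinfo(root)))
```

Running it prints the Signature's KeyInfo for the descendant search and the EncryptedData's own KeyInfo for the child walk. The same contrast holds for the EncryptionMethod case Brent raises in passing: any ds:KeyInfo that precedes the real one in document order, at any depth, wins the descendant search, while the child walk is unaffected.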
