Hi Brent,
yes, I do in fact have the Signature inside the EncryptedData element as you
suggested. I'll have to check with the web service that I am integrating
with to see if it will support some other grouping of the XML elements.
Currently the web service specification asks for one root <Orders> element
that contains multiple <Order> elements as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<Orders xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="OrderRequest.xsd">
  <Order>
    <DocumentNumber>24773064</DocumentNumber>
  </Order>
  <Order>
    <DocumentNumber>24773064</DocumentNumber>
  </Order>
</Orders>

Once the element has been encrypted and signed, the result is shown below.
The web service that we are integrating with is not a full fledged SOAP WSDL
web service, but rather it simply uses HTTPS and XML. Our existing XML
document format where the XML Signature is enclosed by the EncryptedData
element seems to work well with the web service we are integrating
to. It is only in my local Java unit tests on my development computer that I
am seeing these problems with the Signature's KeyInfo element getting in the
way of decryption. The web service is written in .Net while my stuff is in
Java, so they must be doing something on their side in .Net to allow for a
Signature element enclosed in the EncryptedData element.

Here is what the resulting encrypted data looks like:
<?xml version="1.0" encoding="UTF-8"?>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                    Type="http://www.w3.org/2001/04/xmlenc#Element">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  ...
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
    </ds:KeyInfo>
  </ds:Signature>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#..."
                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  ...
  </ds:KeyInfo>
  <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    ...
    </xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>

I will check with the developer of the web service to see if we can slightly
adjust the encryption method so that the EncryptedData and Signature
elements are siblings contained within the <Orders> element.

It would be a great help if you had a URI that I can reference to base a
change request on that mentions our illegal format having the enveloped
Signature as a child element of the EncryptedData element. I haven't been
able to find any information yet that specifically states that it is illegal
to place the Signature inside the EncryptedData element. It would be nice to
have it documented if possible.

Thanks for all your help and time.


Brent Putman wrote:
> 
> Brent Putman wrote:
> 
> So if you had a DOM tree something like:
> 
> <xenc:EncryptedData>
>    <ds:Signature>
>         <ds:KeyInfo>...</ds:KeyInfo>
>    </ds:Signature>
>    <ds:KeyInfo>
>         <xenc:EncryptedKey>...</xenc:EncryptedKey>
>    </ds:KeyInfo>
> </xenc:EncryptedData>
> 
> It actually would find the Signature KeyInfo first (due to document
> order)  and incorrectly set that one as the EncryptedData's KeyInfo
> member.  And that would account for what you described.
> 
> But like I said:  you can't place the Signature there like that inside
> the EncryptedData, it's not legal.
> 

-- 
View this message in context: 
http://www.nabble.com/Problem-decrypting-elements-tf4699611.html#a14130034
Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.

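Added example, not part of the thread: a small Python reproduction (using the standard library's ElementTree as a stand-in for the Java library) of the document-order KeyInfo lookup Brent describes, run over a constructed document with the same nesting as the one posted above and over the sibling layout being proposed as the fix. The element contents and key names are made up.

```python
# Added illustration of the lookup problem from the thread; not project code.
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: Signature nested inside EncryptedData, as in the posted output.
NESTED_DOC = f"""<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}" Type="{XENC}Element">
  <ds:Signature>
    <ds:KeyInfo><ds:KeyName>signing-key</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
  <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey><xenc:CipherData>
    <xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

# Constructed sample of the proposed fix: EncryptedData and Signature as siblings.
SIBLING_DOC = f"""<Orders xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <xenc:EncryptedData Type="{XENC}Element">
    <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
    <ds:KeyInfo><xenc:EncryptedKey><xenc:CipherData>
      <xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <ds:Signature><ds:KeyInfo><ds:KeyName>signing-key</ds:KeyName></ds:KeyInfo></ds:Signature>
</Orders>"""

def keyinfo_by_document_order(enc_data):
    """Lookup that searches all descendants: the first ds:KeyInfo in document order.
    With a Signature nested first, this is the Signature's KeyInfo, not the one
    carrying the EncryptedKey, so the wrapped content key is never found."""
    return enc_data.find(f".//{{{DS}}}KeyInfo")

def keyinfo_direct_child(enc_data):
    """Lookup restricted to direct children of EncryptedData."""
    return enc_data.find(f"./{{{DS}}}KeyInfo")

def describe(keyinfo):
    """Name the key material a KeyInfo carries, so the two lookups can be compared."""
    if keyinfo is None:
        return None
    return "EncryptedKey" if keyinfo.find(f"{{{XENC}}}EncryptedKey") is not None else "KeyName"

def compare_lookups(xml_text):
    """Return (descendant-search result, direct-child result) for the EncryptedData."""
    root = ET.fromstring(xml_text)
    enc_data = root if root.tag == f"{{{XENC}}}EncryptedData" else root.find(f"{{{XENC}}}EncryptedData")
    return describe(keyinfo_by_document_order(enc_data)), describe(keyinfo_direct_child(enc_data))

if __name__ == "__main__":
    print(compare_lookups(NESTED_DOC))   # ('KeyName', 'EncryptedKey')
    print(compare_lookups(SIBLING_DOC))  # ('EncryptedKey', 'EncryptedKey')
```

With the nested layout the two lookups disagree, which is the failure seen in the unit tests; with the sibling layout both resolve to the KeyInfo holding the EncryptedKey.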