Dear gurus,

I'm working with the Apache XML security 1.4.2 (Java version) and suspect a
problem in the sample.

This sample is supplied with the 1.4.2 package:
<xml-security-1_4_2>/src_samples/org/apache/xml/security/samples/encryption/Encrypter.java

The sample runs fine and produced this (and the key-encryption-key file
kek):
<apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-tripledes" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
                <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">YD/20hNbr8wNAGCJRxg+IqQaJF2I+pahDknGvmVAC3I=</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">mblZKJ25HspqQopvfwUELnbE1hqrKDt54N849eksaQBMZZ4FgWf+N4HYTyA87GLh0m+bZSt3JtlX
GWmPx395ZyGVGEaz3Ic7LoBK+65DSjkmWqKGt1XHSuqpSOK3UKdB4skLqnv7Ji48tmpyHF513Q==</xenc:CipherValue>
        </xenc:CipherData>
    </xenc:EncryptedData>
</apache:RootElement>


In the XML encryption spec, link here:
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Extensions-to-KeyInfo

"The EncryptedData or EncryptedKey element specify the associated keying
material via a child of ds:KeyInfo. All of the child elements of
ds:KeyInfo specified in [XML-DSIG
<http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#ref-XML-DSIG>]
MAY be used as qualified:"

From the XML spec, does it mean that an extra <ds:KeyInfo> should be placed
in the <xenc:EncryptedKey> element to provide information about the
encrypted key?  If so, sample code might need updating.


Regards,
Gary
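
Added example, not part of the original post or of the Apache sample code: in the XML Encryption schema, ds:KeyInfo is an optional child of EncryptedKey, so a receiving side can check whether a wrapped key names the key-encryption key needed to unwrap it. The documents below are constructed to mirror the layout of the output above; the function names, the placeholder cipher values and the KeyName "kek" are assumptions.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"xenc": XENC, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _algorithm(elem):
    method = elem.find("xenc:EncryptionMethod", NS)
    return None if method is None else method.get("Algorithm")

def inspect_encrypted_keys(xml_text):
    """One record per xenc:EncryptedKey carried in an EncryptedData's ds:KeyInfo."""
    # ElementTree is fine for this constructed input; use a hardened parser
    # (e.g. defusedxml) for documents from untrusted senders.
    records = []
    for data in ET.fromstring(xml_text).iter("{%s}EncryptedData" % XENC):
        for key in data.findall("ds:KeyInfo/xenc:EncryptedKey", NS):
            kek_info = key.find("ds:KeyInfo", NS)  # optional child of EncryptedKey
            names = [] if kek_info is None else [
                (n.text or "").strip() for n in kek_info.findall("ds:KeyName", NS)]
            records.append({"data_algorithm": _algorithm(data),
                            "wrap_algorithm": _algorithm(key),
                            "has_kek_keyinfo": kek_info is not None,
                            "kek_names": names})
    return records

def build_sample(kek_keyinfo=""):
    """Constructed document with the same layout as the Encrypter output above."""
    return f"""<apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1"
    xmlns:xenc="{XENC}" xmlns:ds="{NS['ds']}">
  <xenc:EncryptedData Type="{XENC}Content">
    <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
    <ds:KeyInfo>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{XENC}kw-tripledes"/>
        {kek_keyinfo}
        <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</apache:RootElement>"""

if __name__ == "__main__":
    hint = "<ds:KeyInfo><ds:KeyName>kek</ds:KeyName></ds:KeyInfo>"  # assumed KEK name
    for label, doc in (("no KeyInfo", build_sample()), ("KeyName hint", build_sample(hint))):
        for rec in inspect_encrypted_keys(doc):
            print(label, "->", rec)
```

When `has_kek_keyinfo` is false, as in the layout posted above, the recipient has to know out of band which key-encryption key to use.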
