Gary Tse wrote:
Dear gurus,

I'm working with the Apache XML security 1.4.2 (Java version) and suspect a problem in the sample.

This sample is supplied with the 1.4.2 package:
<xml-security-1_4_2>/src_samples/org/apache/xml/security/samples/encryption/Encrypter.java

The sample runs fine and produced this (and the key-encryption-key file kek):
<apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-tripledes" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
                <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">YD/20hNbr8wNAGCJRxg+IqQaJF2I+pahDknGvmVAC3I=</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">mblZKJ25HspqQopvfwUELnbE1hqrKDt54N849eksaQBMZZ4FgWf+N4HYTyA87GLh0m+bZSt3JtlX GWmPx395ZyGVGEaz3Ic7LoBK+65DSjkmWqKGt1XHSuqpSOK3UKdB4skLqnv7Ji48tmpyHF513Q==</xenc:CipherValue>
        </xenc:CipherData>
    </xenc:EncryptedData>
</apache:RootElement>


In the XML encryption spec, link here:
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Extensions-to-KeyInfo

"The EncryptedData or EncryptedKey element specify the associated keying material via a child of ds:KeyInfo. All of the child elements of ds:KeyInfo specified in [XML-DSIG <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#ref-XML-DSIG>] MAY be used as qualified:"

From the XML spec, does it mean that an extra <ds:KeyInfo> should be placed in the <xenc:EncryptedKey> element to provide information about the encrypted key? If so, sample code might need updating.

It's not mandatory, but something to help identify the key would be useful, for example:

<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>Key XXX</ds:KeyName>
  </ds:KeyInfo>
...

Keep in mind these are just samples and you should modify or adapt them to your specific requirements.

Thanks,
Sean
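Added example, not the 1.4.2 sample's own code: how to produce the KeyInfo/KeyName inside EncryptedKey that Sean describes, using the xml-security 1.4.x API the sample uses. The root element, the output file name and the key name "kek-example" are constructed for illustration.

```java
import java.io.FileOutputStream;
import java.security.Key;
import javax.crypto.KeyGenerator;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class EncryptWithNamedKek {
    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        // Constructed document to encrypt; mirrors the sample's root element.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElementNS("http://www.apache.org/ns/#app1", "apache:RootElement");
        root.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:apache", "http://www.apache.org/ns/#app1");
        root.appendChild(doc.createTextNode("content to protect"));
        doc.appendChild(root);
        // Data-encryption key (AES-128) and key-encryption key (3DES), as in the sample.
        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(128);
        Key dataKey = aesGen.generateKey();
        Key kek = KeyGenerator.getInstance("DESede").generateKey();
        // Wrap the data key under the KEK; this yields the xenc:EncryptedKey element.
        XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.TRIPLEDES_KeyWrap);
        keyCipher.init(XMLCipher.WRAP_MODE, kek);
        EncryptedKey encryptedKey = keyCipher.encryptKey(doc, dataKey);
        // The optional part the thread discusses: a ds:KeyInfo inside EncryptedKey
        // naming the KEK, so the decrypting side can select the right unwrapping key.
        KeyInfo kekInfo = new KeyInfo(doc);
        kekInfo.addKeyName("kek-example");   // constructed identifier; use your own
        encryptedKey.setKeyInfo(kekInfo);
        // Encrypt the element content and attach EncryptedKey under EncryptedData/KeyInfo.
        XMLCipher dataCipher = XMLCipher.getInstance(XMLCipher.AES_128);
        dataCipher.init(XMLCipher.ENCRYPT_MODE, dataKey);
        EncryptedData encryptedData = dataCipher.getEncryptedData();
        KeyInfo dataKeyInfo = new KeyInfo(doc);
        dataKeyInfo.add(encryptedKey);
        encryptedData.setKeyInfo(dataKeyInfo);
        dataCipher.doFinal(doc, root, true);   // true = content only (Type=...#Content)
        XMLUtils.outputDOMc14nWithComments(doc, new FileOutputStream("encrypted.xml"));
    }
}
```

The resulting EncryptedKey carries <ds:KeyInfo><ds:KeyName>kek-example</ds:KeyName></ds:KeyInfo> ahead of its CipherData, which is what the decrypting side can match against its stored key-encryption keys.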

