Hi. I use Apache XML encryption.

I get the key from the SunMSCAPI provider. It gets the key from the Windows certificate store, which gets the key from the smartcard. So I guess the smart card rejects decryption. The actual exception I get is this:

org.apache.xml.security.encryption.XMLEncryptionException: No Key Encryption Key loaded and cannot determine using key resolvers
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1483)
    at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1388)
    at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:825)

BR,
ivan

-----Original Message-----
From: Arshad Noor [mailto:arshad.n...@strongauth.com]
Sent: Tuesday, January 05, 2010 4:06 PM
To: security-dev@xml.apache.org
Subject: Re: FW:

In the software that I write, Scott, I enforce this. From experience, I also know that browsers and S/MIME User Agents (Outlook, Thunderbird) also enforce this.

While I presume that cryptographic frameworks such as JCE, CAPI, CNG, etc. also enforce this, I do not make assumptions about the degree to which they enforce keyUsage bits. It ensures that I don't get surprised later on. I presume the developers of the applications I've listed above follow the same rule.

Arshad Noor
StrongAuth, Inc.

Scott Cantor wrote:
> Arshad Noor wrote on 2010-01-05:
>> Not with well-behaved software that conforms to PKIX standards.
>>
>> Signing keys are meant to only sign objects, while "Exchange"
>> keys are meant for encryption/decryption. That is the reason
>> why decryption works with the first, but not with the second.
>
> Out of curiosity, what layer of software is enforcing this? It certainly
> shouldn't be the core encryption/decryption code.
>
> -- Scott
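As an added illustration (not code from this thread, from Apache Santuario or from the posters), here is the decrypt path the stack trace comes from, using the XMLCipher API with the private key taken from SunMSCAPI and registered as the Key Encryption Key, with the keyUsage check the thread discusses done before the unwrap is attempted. The keystore alias and the "first EncryptedData in the document" lookup are assumptions.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.apache.xml.security.encryption.XMLCipher;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class MsCapiXmlDecrypt {
    private static final String XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    private static final int KEY_ENCIPHERMENT = 2; // index in getKeyUsage()

    /** True if the certificate's KeyUsage permits unwrapping a session key
     *  (index 0 is digitalSignature, 2 keyEncipherment, 3 dataEncipherment). */
    static boolean mayUnwrapKeys(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        return ku == null || ku[KEY_ENCIPHERMENT]; // no extension = unrestricted
    }

    /** Decrypts the first xenc:EncryptedData in doc in place. The session key
     *  sits in an EncryptedKey inside KeyInfo, so XMLCipher is initialised with
     *  no data key and the private key is registered as the KEK. "No Key
     *  Encryption Key loaded and cannot determine using key resolvers" is what
     *  XMLCipher reports when that unwrap cannot be done (no KEK set, or the
     *  key, here the smart card, refuses the operation). */
    static Document decrypt(Document doc, String alias) throws Exception {
        org.apache.xml.security.Init.init();
        // "Windows-MY" is SunMSCAPI's view of the user's certificate store; the
        // password is ignored and CAPI prompts for the smart card PIN itself.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        PrivateKey kek = (PrivateKey) ks.getKey(alias, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (kek == null || cert == null) {
            throw new IllegalArgumentException("no key pair under alias " + alias);
        }
        if (!mayUnwrapKeys(cert)) { // reject a signing-only cert up front
            throw new IllegalStateException("certificate lacks keyEncipherment");
        }
        NodeList encs = doc.getElementsByTagNameNS(XMLENC_NS, "EncryptedData");
        if (encs.getLength() == 0) {
            throw new IllegalArgumentException("no EncryptedData element found");
        }
        XMLCipher cipher = XMLCipher.getInstance();
        cipher.init(XMLCipher.DECRYPT_MODE, null); // data key comes from KeyInfo
        cipher.setKEK(kek);                        // unwraps the EncryptedKey
        return cipher.doFinal(doc, (Element) encs.item(0));
    }
}
```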