I am working on a case where we wish to take an XML message, encrypt it, sign 
the encrypted form, and then send that to a server over HTTP.  Obviously XMLSec 
seems the right tool for the job.  I am, unfortunately, rather inexperienced 
with XML, and I am running into issues trying to make a combined 
encryption/signing template, but everything I try seems to fail.

Working from various samples, I think what I want to do is use a template like:
<?xml version="1.0" encoding="UTF-8"?>
<xml>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName/>
   </KeyInfo>
   <CipherData>
    <CipherValue/>
   </CipherData>
  </EncryptedKey>
</KeyInfo>
<CipherData>
  <CipherValue/>
</CipherData>
</EncryptedData>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
  <CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="">
   <Transforms>
    <Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   </Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <DigestValue/>
  </Reference>
</SignedInfo>
<SignatureValue/>
<KeyInfo>
  <X509Data>
   <X509SubjectName/>
   <X509IssuerSerial/>
   <X509Certificate/>
  </X509Data>
  <KeyValue/>
</KeyInfo>
</Signature>
</xml>

And I think it should leave everything for the signature untouched; 
unfortunately, the output I get after I run "xmlsec1 encrypt --pubkey-pem 
ServerKeys/pubkey.pem --session-key des-192 --xml-data ClientRequest.xml 
--output ClientEncrypted.xml EncryptionTemplate.xml" is missing the signature 
block and <xml> at the top and bottom.


Currently I have been working around this manually; I have the following 
working encryption template:
<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName/>
   </KeyInfo>
   <CipherData>
    <CipherValue/>
   </CipherData>
  </EncryptedKey>
</KeyInfo>
<CipherData>
  <CipherValue/>
</CipherData>
</EncryptedData>

I follow this with adding <Project> above the encrypted data, and attaching the 
rest of the signature message after it:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <Reference URI="">
    <Transforms>
     <Transform Algorithm=
      "http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </Transforms>
    <DigestMethod Algorithm=
      "http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue></DigestValue>
   </Reference>
  </SignedInfo>
  <SignatureValue />
  <KeyInfo>
   <X509Data >
    <X509SubjectName/>
    <X509IssuerSerial/>
    <X509Certificate/>
   </X509Data>
   <KeyValue />
  </KeyInfo>
</Signature>
</Project>

This appears to work, but I am sure there is a cleaner way.

Thanks in advance for any advice or pointing out whatever error it is I am 
making.

Sam Lavitt
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
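The manual step the post describes (take the xmlsec1 encrypt output, put it under a Project root, append the enveloped-signature template, then sign) done by a small script instead of by hand; this is an added example, not code from the post or from the xmlsec project. It assumes the Project root name and the algorithm URIs from the post's own templates, the xenc/ds prefixes are a choice of this script, and ENCRYPTED_DOC is a constructed stand-in for real xmlsec1 output.

```python
import sys
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ET.register_namespace("xenc", XENC)  # stable prefixes in the serialized output
ET.register_namespace("ds", DS)

# Constructed stand-in for what `xmlsec1 encrypt` writes; a real run carries
# base64 ciphertext (and the EncryptedKey) in the CipherValue elements.
ENCRYPTED_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
 Type="http://www.w3.org/2001/04/xmlenc#Element">
 <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
 <CipherData><CipherValue>QUJDRA==</CipherValue></CipherData>
</EncryptedData>"""

def ds(name):
    """Clark-notation tag in the XML Digital Signature namespace."""
    return f"{{{DS}}}{name}"

def signature_template():
    """Enveloped-signature template; Reference URI="" covers the whole document."""
    sig = ET.Element(ds("Signature"))
    info = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(info, ds("CanonicalizationMethod"), Algorithm=C14N)
    ET.SubElement(info, ds("SignatureMethod"), Algorithm=DS + "rsa-sha1")
    ref = ET.SubElement(info, ds("Reference"), URI="")
    transforms = ET.SubElement(ref, ds("Transforms"))
    ET.SubElement(transforms, ds("Transform"), Algorithm=DS + "enveloped-signature")
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=DS + "sha1")
    ET.SubElement(ref, ds("DigestValue"))       # xmlsec1 sign fills these in
    ET.SubElement(sig, ds("SignatureValue"))
    x509 = ET.SubElement(ET.SubElement(sig, ds("KeyInfo")), ds("X509Data"))
    ET.SubElement(x509, ds("X509Certificate"))  # taken from the signing cert
    return sig

def wrap_for_signing(encrypted_xml, root_tag="Project"):
    """Put the EncryptedData under a new root and append the signature template."""
    enc = ET.fromstring(encrypted_xml)
    if enc.tag != f"{{{XENC}}}EncryptedData":
        raise ValueError(f"expected xenc:EncryptedData as the root, got {enc.tag}")
    root = ET.Element(root_tag)
    root.append(enc)
    root.append(signature_template())
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":  # filter: encrypt output on stdin, document to sign on stdout
    sys.stdout.write(wrap_for_signing(sys.stdin.read()))
```

With the file names from the post (and assumed key/cert file names), the flow is: run the xmlsec1 encrypt command as given, then `python3 wrap.py < ClientEncrypted.xml > ToSign.xml`, then `xmlsec1 sign --privkey-pem clientkey.pem,clientcert.pem --output ClientSigned.xml ToSign.xml`.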
