You really don't want to put two templates in the same file because
you are encrypting the element and the encryption template specifies
just this element.

Aleksey


On 9/6/11 1:18 AM, [email protected] wrote:

I am working on a case where we wish to take an XML message, encrypt it, sign the encrypted form, and then send that to a server over HTTP. Obviously XMLSec seems the right tool for the job. I am, unfortunately, rather inexperienced with XML, and I am running into issues trying to make a combined encryption/signing template, but everything I try seems to fail.

Working from various samples, I think what I want to do is use a template like:

<?xml version="1.0" encoding="UTF-8"?>
<xml>
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName/>
        </KeyInfo>
        <CipherData>
          <CipherValue/>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue/>
    </CipherData>
  </EncryptedData>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue/>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
    <KeyInfo>
      <X509Data>
        <X509SubjectName/>
        <X509IssuerSerial/>
        <X509Certificate/>
      </X509Data>
      <KeyValue/>
    </KeyInfo>
  </Signature>
</xml>

And I think it should leave everything for the signature untouched; unfortunately, the output I get after I run "xmlsec1 encrypt --pubkey-pem ServerKeys/pubkey.pem --session-key des-192 --xml-data ClientRequest.xml --output ClientEncrypted.xml EncryptionTemplate.xml" is missing the signature block and the <xml> at the top and bottom.

Currently I have been working around this manually, I have the following working encryption template:

<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <KeyName/>
      </KeyInfo>
      <CipherData>
        <CipherValue/>
      </CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData>
    <CipherValue/>
  </CipherData>
</EncryptedData>

I follow this by adding <Project> above the encrypted data and attaching the rest of the signature message after it:

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
    <KeyInfo>
      <X509Data>
        <X509SubjectName/>
        <X509IssuerSerial/>
        <X509Certificate/>
      </X509Data>
      <KeyValue/>
    </KeyInfo>
  </Signature>
</Project>

This appears to work, but I am sure there is a cleaner way.

Thanks in advance for any advice or pointing out whatever error it is I am making.

Sam Lavitt



_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
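Added example (editor's note, not code from the xmlsec project or from either poster). Since `xmlsec1 encrypt --xml-data` only ever emits the <EncryptedData> element the template names, the "cleaner way" asked for above is to keep the two templates separate and generate the signing wrapper from the encryption output instead of pasting it together by hand. The script below does exactly that step with the Python standard library: it takes the file `xmlsec1 encrypt` wrote (a constructed stand-in for ClientEncrypted.xml is embedded, with filler base64 rather than real ciphertext), wraps it in <Project> next to an empty enveloped-signature template, and checks that the result has the encrypt-then-sign shape (one EncryptedData and one Signature side by side, Reference URI="" with the enveloped-signature transform). Assumptions: the `ds`/`xenc` prefixes, the file names wrap_for_signing.py and SignTemplate.xml, and the SHA-256 algorithm identifiers in place of the rsa-sha1/sha1 pair used in the post's templates are choices made here; xmlsec1 still performs the actual encryption and signing.

```python
"""Build the signing template around xmlsec1's encryption output.

Added example, not code from the xmlsec project or the original post.
`xmlsec1 encrypt --xml-data` writes a bare <EncryptedData> document, so the
signature needs a second template wrapped around that output. Standard
library only, Python 3.8+; xmlsec1 still does the encryption and signing.
"""
import sys
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# Assumption: SHA-256 identifiers instead of the rsa-sha1/sha1 pair used in the
# post's templates; xmlsec1 accepts either.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Explicit prefixes: a default xmlns on the wrapper root would put the root
# element itself into the dsig namespace, which is not what we want.
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DSIG)


def _ds(tag):
    return "{%s}%s" % (DSIG, tag)


def _xenc(tag):
    return "{%s}%s" % (XENC, tag)


def build_signing_template(encrypted_xml, root_tag="Project",
                           signature_method=RSA_SHA256, digest_method=SHA256):
    """Return <root_tag><xenc:EncryptedData/><ds:Signature/></root_tag> as bytes;
    the Signature is an empty template for `xmlsec1 sign` to fill in."""
    enc = ET.fromstring(encrypted_xml)
    if enc.tag != _xenc("EncryptedData"):
        raise ValueError("expected xenc:EncryptedData as root, got %s" % enc.tag)
    root = ET.Element(root_tag)
    root.append(enc)  # ciphertext goes in first, so the signature covers it
    sig = ET.SubElement(root, _ds("Signature"))
    si = ET.SubElement(sig, _ds("SignedInfo"))
    ET.SubElement(si, _ds("CanonicalizationMethod"), Algorithm=C14N)
    ET.SubElement(si, _ds("SignatureMethod"), Algorithm=signature_method)
    # URI="" plus enveloped-signature: digest the whole document except the
    # Signature element itself.
    ref = ET.SubElement(si, _ds("Reference"), URI="")
    ET.SubElement(ET.SubElement(ref, _ds("Transforms")), _ds("Transform"),
                  Algorithm=ENVELOPED)
    ET.SubElement(ref, _ds("DigestMethod"), Algorithm=digest_method)
    ET.SubElement(ref, _ds("DigestValue"))
    ET.SubElement(sig, _ds("SignatureValue"))
    x509 = ET.SubElement(ET.SubElement(sig, _ds("KeyInfo")), _ds("X509Data"))
    ET.SubElement(x509, _ds("X509Certificate"))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def check_encrypt_then_sign(doc):
    """List layout problems; [] means one EncryptedData and one enveloped
    Signature side by side under the root, with the Reference covering all."""
    problems = []
    root = ET.fromstring(doc)
    enc = root.findall(_xenc("EncryptedData"))
    sigs = root.findall(_ds("Signature"))
    if len(enc) != 1:
        problems.append("expected one EncryptedData under the root, found %d" % len(enc))
    if any(e.find(".//" + _ds("Signature")) is not None for e in enc):
        problems.append("Signature nested inside EncryptedData")
    if len(sigs) != 1:
        problems.append("expected one Signature under the root, found %d" % len(sigs))
        return problems
    ref = sigs[0].find("%s/%s" % (_ds("SignedInfo"), _ds("Reference")))
    if ref is None or ref.get("URI") != "":
        problems.append('Reference URI must be "" so the digest covers the ciphertext')
        return problems
    if ENVELOPED not in {t.get("Algorithm") for t in ref.iter(_ds("Transform"))}:
        problems.append("no enveloped-signature transform: the Reference would "
                        "digest the Signature that is being computed")
    return problems


# Constructed stand-in for ClientEncrypted.xml; the base64 is filler, not ciphertext.
SAMPLE_ENCRYPTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>server</KeyName></KeyInfo>
      <CipherData><CipherValue>QUJDREVGR0g=</CipherValue></CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData><CipherValue>MDEyMzQ1Njc4OUFCQ0RFRg==</CipherValue></CipherData>
</EncryptedData>
"""

if __name__ == "__main__":
    # python3 wrap_for_signing.py ClientEncrypted.xml > SignTemplate.xml
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCRYPTED
    sys.stdout.buffer.write(build_signing_template(src))
```

The intended pipeline is then the poster's encrypt command unchanged, followed by `python3 wrap_for_signing.py ClientEncrypted.xml > SignTemplate.xml` and `xmlsec1 sign --privkey-pem client.pem,client.crt --output ClientSigned.xml SignTemplate.xml` (client.pem/client.crt are assumed names; the certificate after the comma is what xmlsec1 puts into the empty <X509Certificate/>). Because the Signature is a sibling of the EncryptedData and the Reference covers the whole document, the server can verify the signature over the ciphertext before it touches the decryption key, which is the ordering the original question asked for. The tripledes-cbc and rsa-1_5 identifiers carried over from the post are legacy choices; aes256-cbc and rsa-oaep-mgf1p are the usual replacements in xmlsec1 templates.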