Sorry to bother you again Aleksey, but there are things in the encryption process I just don't understand.
On 10 Jun 2012, at 02:08, Aleksey Sanin wrote:
> You need to use KW transform. Take a look at
>
> tests/merlin-xmlenc-five/encrypt-element-tripledes-cbc-kw-aes128.tmpl

But enc-element-3des-kw-3des.tmpl also used KW transform, right? Obviously, there is something here I don't understand.

This is how I have reasoned: Let's say I have an RSA key-pair and I want to use a des-192 key as the session key. The template would then be something like tests/01-phaos-xmlenc-3/enc-element-3des-kt-rsa1_5.tmpl, except for the fact that I have the RSA key in a PEM file instead of in a key file (as in keys.xml). So, I modified the template file to be:

    <?xml version="1.0" encoding="UTF-8"?>
    <EncryptedData Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          </ds:KeyInfo>
          <CipherData>
            <CipherValue>
            </CipherValue>
          </CipherData>
          <ReferenceList>
            <DataReference URI="#ED"/>
          </ReferenceList>
        </EncryptedKey>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>
        </CipherValue>
      </CipherData>
    </EncryptedData>

Right so far?

On to the command line; here I get:

    xmlsec1 encrypt --privkey-pem mykey.pem \
      --session-key des-192 --xml-data pre.xml \
      --node-xpath '/*[local-name()="Response"]/*[local-name()="Assertion"]/*[local-name()="Subject"]/*[local-name()="EncryptedID"]/text()' \
      enc-element-3des-kt-rsa1_5_mod.tmpl

Now, the result I expected of this is that xmlsec would construct a 3DES session key, encrypt the value of the specified element and place that value in the EncryptedData/CipherData/CipherValue element. In the EncryptedKey/CipherData/CipherValue element I would expect to find the 3DES session key encrypted with the RSA key.

But this doesn't happen. What happens is that the whole <KeyInfo> element in the template doesn't appear in the output. I do get something in the EncryptedData/CipherData/CipherValue element, but I don't know which key was used to create that value.

So, isn't it possible to do what I want with xmlsec? If it is, where did I go wrong?

-- Roland

------------------------------------------------------
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS)
Umeå University
SE-901 87 Umeå, Sweden
Phone +46 90 786 68 44
Mobile +46 70 696 68 44
www.its.umu.se

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
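The structure Roland is asking about (an EncryptedData whose ds:KeyInfo carries an EncryptedKey, so the 3DES session key is transported under the RSA key and the data references it) is easy to get subtly wrong in a hand-edited template. The script below is an added example, not code from this thread or from the xmlsec project: it builds that template with the standard library only, inspects an EncryptedData to report whether key transport is present and which DataReference it carries, and runs the structural checks a practitioner would want before handing the template to the tool. The function names, the check list and the constructed "output without KeyInfo" sample are this example's own assumptions; they say nothing about why xmlsec1 dropped the KeyInfo in Roland's run.

```python
"""Added example (not from the xmlsec project or this mailing-list thread):
build and inspect an XML Encryption key-transport template using only the
standard library. Helper names and checks are assumptions of this example."""
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
ALG_3DES_CBC = XMLENC + "tripledes-cbc"
ALG_RSA_1_5 = XMLENC + "rsa-1_5"

# Prefixes used only when serialising; the namespaces are the real xmlenc/xmldsig ones.
ET.register_namespace("xenc", XMLENC)
ET.register_namespace("ds", XMLDSIG)


def xenc(tag):
    return "{%s}%s" % (XMLENC, tag)


def ds(tag):
    return "{%s}%s" % (XMLDSIG, tag)


def build_key_transport_template(data_id="ED", key_id="EK",
                                 data_alg=ALG_3DES_CBC, key_alg=ALG_RSA_1_5):
    """EncryptedData whose ds:KeyInfo holds an EncryptedKey: the session key is
    encrypted with the transport (RSA) key and the EncryptedKey points back at
    the data it protects via ReferenceList/DataReference."""
    root = ET.Element(xenc("EncryptedData"),
                      {"Id": data_id, "Type": XMLENC + "Element"})
    ET.SubElement(root, xenc("EncryptionMethod"), {"Algorithm": data_alg})
    key_info = ET.SubElement(root, ds("KeyInfo"))
    ek = ET.SubElement(key_info, xenc("EncryptedKey"), {"Id": key_id})
    ET.SubElement(ek, xenc("EncryptionMethod"), {"Algorithm": key_alg})
    ET.SubElement(ek, ds("KeyInfo"))  # left empty: filled in by the tool
    ET.SubElement(ET.SubElement(ek, xenc("CipherData")), xenc("CipherValue"))
    refs = ET.SubElement(ek, xenc("ReferenceList"))
    ET.SubElement(refs, xenc("DataReference"), {"URI": "#" + data_id})
    ET.SubElement(ET.SubElement(root, xenc("CipherData")), xenc("CipherValue"))
    return root


def inspect_encrypted_data(root):
    """Report how the data key is conveyed: key transport via EncryptedKey,
    or no EncryptedKey at all (the reader cannot tell which key was used)."""
    method = root.find(xenc("EncryptionMethod"))
    info = {
        "data_algorithm": method.get("Algorithm") if method is not None else None,
        "key_transport": False,
        "key_algorithm": None,
        "data_references": [],
    }
    ek = root.find("./%s/%s" % (ds("KeyInfo"), xenc("EncryptedKey")))
    if ek is not None:
        info["key_transport"] = True
        ek_method = ek.find(xenc("EncryptionMethod"))
        if ek_method is not None:
            info["key_algorithm"] = ek_method.get("Algorithm")
        info["data_references"] = [r.get("URI")
                                   for r in ek.iter(xenc("DataReference"))]
    return info


def check_template(root):
    """Structural checks for a key-transport template; returns a list of problems."""
    problems = []
    data_id = root.get("Id")
    if not data_id:
        problems.append("EncryptedData has no Id, so the EncryptedKey cannot reference it")
    info = inspect_encrypted_data(root)
    if not info["key_transport"]:
        problems.append("no EncryptedKey under ds:KeyInfo: no key transport")
        return problems
    if info["key_algorithm"] is None:
        problems.append("EncryptedKey lacks an EncryptionMethod")
    expected = "#" + (data_id or "")
    if expected not in info["data_references"]:
        problems.append("EncryptedKey does not reference %s" % expected)
    return problems


def inspect_xml_string(text):
    """Parse a serialised EncryptedData and inspect it."""
    return inspect_encrypted_data(ET.fromstring(text))


# Constructed sample (not real xmlsec1 output) shaped like the result Roland
# describes: the whole ds:KeyInfo is gone and only the data CipherValue is filled.
OUTPUT_WITHOUT_KEYINFO = """<EncryptedData Id="ED"
    Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <CipherData><CipherValue>AAAA</CipherValue></CipherData>
</EncryptedData>"""


if __name__ == "__main__":
    tmpl = build_key_transport_template()
    print(ET.tostring(tmpl, encoding="unicode"))
    print(inspect_encrypted_data(tmpl))
    print("template problems:", check_template(tmpl))
    print(inspect_xml_string(OUTPUT_WITHOUT_KEYINFO))
```

Running it prints the generated template (with explicit xenc:/ds: prefixes rather than a default namespace, which is equivalent XML), then an inspection showing key transport with rsa-1_5 and a reference to #ED, an empty problem list, and finally the constructed KeyInfo-less sample reporting `key_transport: False`, which is exactly the situation where a reader cannot tell from the document which key produced the CipherValue.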
