Hi Aleksey

I just wrote a perl module to encrypt and decrypt XML. As part of the test scripts I am using xmlsec to encrypt XML to verify that the XML::Enc module can properly decrypt the XML.

I ran into trouble with xmlsec encrypting the content within a tag. When I used the xpath /PayInfo/CreditCard/Number/text() to get the Content, xmlsec only seems to encrypt the Content correctly if I use http://www.w3.org/2001/04/xmlenc#Element as the EncryptedData type. If I try to use http://www.w3.org/2001/04/xmlenc#Content it leaves the Content of the Number empty.

My tests are in https://github.com/perl-net-saml2/perl-XML-Enc/blob/main/t/07-decrypt-xmlsec.t; basically I test with both an Encrypted Element and Encrypted Content.

In the Module I have to use an option force_element_to_content so that when the xmlsec encrypted Content is decrypted that includes the http://www.w3.org/2001/04/xmlenc#Element as the EncryptedData Type, I treat it as if it was Content if it is not valid XML. In this case it is simply the credit card number.

I will take a look at the examples in case I am doing something incorrect in my xmlsec commands.

Tim

Timothy Legge
[email protected]
[email protected]

On Sat, Mar 26, 2022 at 11:06 AM Aleksey Sanin <[email protected]> wrote:
>
> Hi Timothy,
>
> I am not exactly sure what you are trying to do but I recommend
> checking out examples:
>
> https://github.com/lsh123/xmlsec/tree/master/examples
>
> and tests:
>
> https://github.com/lsh123/xmlsec/tree/master/tests
>
> Also, if you can explain what your goal is, then it might be easier
> to provide a solution for your problem.
>
> Best,
>
> Aleksey
>
> On 3/25/22 7:15 PM, Timothy Legge wrote:
> > Hi
> >
> > Sorry, I sent this directly to Aleksey initially...
> >
> > I was following:
> > https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html
> > (which is reasonably close enough for me to get encryption working).
> >
> > Specifically the following command results in the Content in
> > /PayInfo/CreditCard/Number/text() being properly encrypted. However,
> > I would expect that the EncryptedData Type should be
> > "http://www.w3.org/2001/04/xmlenc#Content" instead of the specified
> > Element for this to properly encrypt the Content. Changing it to
> > Content causes the doc-encrypted.xml created to be missing data in the
> > Number tags: "<Number></Number>".
> >
> > To me this appears to be a bug but likely I am misreading the
> > XML-Enc specifications.
> >
> > Any thoughts?
> >
> > xmlsec1 --encrypt --pubkey-cert-pem t/sign-certonly.pem --session-key des-192 --xml-data doc-plain.xml --output doc-encrypted.xml --node-xpath '/PayInfo/CreditCard/Number/text()' session-key-template.xml
> >
> > ========================================
> > doc-plain.xml
> > ========================================
> > <?xml version="1.0" encoding="utf-8" ?>
> > <PayInfo>
> >   <Name>John Smith</Name>
> >   <CreditCard Limit='2,000' Currency='USD'>
> >     <Number>1076 2478 0678 5589</Number>
> >     <Issuer>CitiBank</Issuer>
> >     <Expiration>06/10</Expiration>
> >   </CreditCard>
> > </PayInfo>
> > ========================================
> > session-key-template.xml
> > ==========================================
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!--
> > XML Security Library example: Original XML
> > doc file before encryption (encrypt3 example).
> > -->
> > <EncryptedData
> >     xmlns="http://www.w3.org/2001/04/xmlenc#"
> >     Type="http://www.w3.org/2001/04/xmlenc#Element">
> >   <EncryptionMethod Algorithm=
> >     "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
> >   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
> >       <EncryptionMethod Algorithm=
> >         "http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> >       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >         <KeyName/>
> >       </KeyInfo>
> >       <CipherData>
> >         <CipherValue/>
> >       </CipherData>
> >     </EncryptedKey>
> >   </KeyInfo>
> >   <CipherData>
> >     <CipherValue/>
> >   </CipherData>
> > </EncryptedData>
> > ==========================================
> >
> >
> > Timothy Legge
> > [email protected]
> > [email protected]
> > _______________________________________________
> > xmlsec mailing list
> > [email protected]
> > http://www.aleksey.com/mailman/listinfo/xmlsec
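The thread turns on the difference between the two EncryptedData Type values (Element replaces a whole element, Content replaces everything inside the parent) and on the force_element_to_content workaround: when the Type says Element but the decrypted bytes are not a well-formed element, treat them as Content. The following is an added example, not code from XML::Enc or xmlsec, showing only the splice-back step of decryption in Python's standard-library ElementTree; the actual cipher step is assumed to have already happened, so the plaintext is passed in directly, and the sample documents are constructed to mirror the PayInfo document from the thread with a placeholder CipherValue.

```python
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
ENCRYPTED_DATA = "{%s}EncryptedData" % XMLENC_NS
TYPE_ELEMENT = XMLENC_NS + "Element"
TYPE_CONTENT = XMLENC_NS + "Content"


def replace_encrypted_data(root, plaintext, force_element_to_content=False):
    """Locate the single EncryptedData under root and splice the already
    decrypted plaintext back in according to its Type attribute.
    Returns the Type actually applied: "Element" or "Content"."""
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_map = {child: parent for parent in root.iter() for child in parent}
    enc = root.find(".//" + ENCRYPTED_DATA)
    if enc is None or enc not in parent_map:
        raise ValueError("no nested EncryptedData element found")
    parent = parent_map[enc]
    enc_type = enc.get("Type")

    if enc_type == TYPE_ELEMENT:
        try:
            new_elem = ET.fromstring(plaintext)
        except ET.ParseError:
            if not force_element_to_content:
                raise
            # Plaintext is bare text (e.g. a card number), not an element:
            # this is the force_element_to_content fallback from the thread.
            enc_type = TYPE_CONTENT
        else:
            # Element: the plaintext element takes EncryptedData's position.
            idx = list(parent).index(enc)
            new_elem.tail = enc.tail
            parent.remove(enc)
            parent.insert(idx, new_elem)
            return "Element"

    if enc_type == TYPE_CONTENT:
        # Content: the plaintext becomes the entire content of the parent.
        # Wrap it so that mixed text/element fragments parse as one unit.
        frag = ET.fromstring("<wrap>" + plaintext + "</wrap>")
        for child in list(parent):
            parent.remove(child)
        parent.text = frag.text
        for child in frag:
            parent.append(child)
        return "Content"

    raise ValueError("unsupported EncryptedData Type: %r" % enc_type)


# Constructed sample: EncryptedData with a placeholder ciphertext.
ENC_TEMPLATE = ('<EncryptedData xmlns="%s" Type="%s">'
                '<CipherData><CipherValue>BASE64-PLACEHOLDER</CipherValue></CipherData>'
                '</EncryptedData>')


def build_doc(enc_type, replaces_whole_number):
    """Constructed sample document after encryption: EncryptedData either
    stands in for the whole Number element or only for its text content."""
    enc = ENC_TEMPLATE % (XMLENC_NS, enc_type)
    number = enc if replaces_whole_number else "<Number>%s</Number>" % enc
    return ('<PayInfo><Name>John Smith</Name>'
            '<CreditCard Limit="2,000" Currency="USD">%s'
            '<Issuer>CitiBank</Issuer><Expiration>06/10</Expiration>'
            '</CreditCard></PayInfo>' % number)


def decrypt_number(enc_type, replaces_whole_number, plaintext, force=False):
    """Run the splice on a constructed document and report (type applied,
    resulting Number text). A ParseError is reported as a value so that the
    failure mode is visible rather than raised."""
    root = ET.fromstring(build_doc(enc_type, replaces_whole_number))
    try:
        applied = replace_encrypted_data(root, plaintext, force_element_to_content=force)
    except ET.ParseError:
        return "ParseError", None
    return applied, root.findtext("CreditCard/Number")


if __name__ == "__main__":
    card = "1076 2478 0678 5589"
    print(decrypt_number(TYPE_ELEMENT, True, "<Number>%s</Number>" % card))
    print(decrypt_number(TYPE_CONTENT, False, card))
    print(decrypt_number(TYPE_ELEMENT, False, card))              # strict: fails
    print(decrypt_number(TYPE_ELEMENT, False, card, force=True))  # fallback
```

The third call reproduces the situation in the thread: the EncryptedData sits inside Number and carries Type=Element, but its plaintext is bare text, so a strict decryptor cannot place it as an element. The fourth call shows the fallback that XML::Enc's force_element_to_content option is described as providing; a decryptor that silently applies it everywhere should at least log the mismatch, since a Type that disagrees with the plaintext shape is also the kind of inconsistency a hostile document might carry.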
