[xmlsec] Re: XML-ENC questions

Aleksey Sanin aleksey at aleksey.com
Wed Jun 30 02:43:56 PDT 2004



Veiko.Sinivee at seb.se wrote:

> Hi,
> 
> I tried to use your xmlSec library (ver 1.2.5) to encrypt an XML
> file. I looked at the sample program encrypt3.c as documented
> here: http://www.aleksey.com/xmlsec/api/xmlsec-encrypt-with-session-key.html
> and made a few modifications:
> - replaced des3 with aes128
> - tried to use a different <EncryptedData Type=? > attribute.
> Here's the result - enctest4.xml
> Pretty much what I wanted but some problems:
> - Your library doesn't allow one to use any type but the "Element" or "Content" type.
> I suspect that "Element" type is wrong in this example. It should mean that one
> has encrypted the contents of an xml element whereas the element's tags are still
> there. This is not the case when I encrypt the whole file. Please look here:
> http://www.w3.org/TR/xmlenc-core/#sec-eg-Arbitrary-Data.
> I think the element should have no type at all or just simply:
> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
>    MimeType='text/xml'>
> One of the authors of XML-ENC standard (IBM) brings this example:
> http://www-106.ibm.com/developerworks/xml/library/x-encrypt/listing2.html
> Here they use actually:
> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
> 		Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
> ....
> 
> which leads me to think that if one encrypts the whole document then the Type attribute could
> actually point to the type of data that is being encrypted. Suppose I encrypt a binary ZIP archive.
> Then I would use Type="http://www.isi.edu/in-notes/iana/assignments/media-types/application/zip"
> instead. Do you think this would be correct?
You can encrypt arbitrary data:

http://www.aleksey.com/xmlsec/api/xmlsec-xmlenc.html#XMLSECENCCTXBINARYENCRYPT

Note that you are mixing the MimeType and Type attributes. The only two
defined values for the Type attribute are "content" and "element":

http://www.w3.org/TR/xmlenc-core/#sec-Processing-Decryption


> 
> - I have to add more than one EncryptedKey to KeyInfo. Haven't tried it yet with
> your library. I suppose I just add another xmlSecKeysMngrPtr to encrypt the file and
> use it? The point here is to encrypt with two different certs to enable many people
> to decrypt the same file.
> 
No, you need only one keys manager. Just make sure that you can identify
the correct encryption key from each EncryptedKey (e.g. using key name ==
cert subject).


> - How can one add the cert used for encrypting itself in the EncryptedKey?
> I found this sample in the XML-ENC solutions made by another library,
> and here I think they pack the whole cert to the encrypted file so that
> receiver can use it to find the corresponding private key to decrypt.
> I tried using xmlSecTmplKeyInfoAddX509Data() but only an empty <X509Data>
> element appeared. What would be the correct way to do it?
1) You need to associate the key with the cert. For example, when you load
a pkcs12 file it happens automatically. Or you can use one of the
"xmlSec*KeyLoadCert*" functions.
2) Next you need to put <X509Data/> into the template. You can further
specify what exactly you want with the <X509Data/> children (e.g.
<X509SKI>, etc.)


Aleksey
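The structure Aleksey describes above (one keys manager, one EncryptedData, one EncryptedKey per recipient, each EncryptedKey identified by KeyName == certificate subject and carrying an <X509Data> child so the receiver can find its own private key) as an added, runnable example. This is not code from the thread or from the xmlsec project: it is written in Go against the standard library rather than xmlsec's C API so that it runs without libxmlsec, and it does the real work (a random AES-128-CBC session key encrypts the payload, the same key is wrapped for every recipient with rsa-1_5 key transport, the receiver picks its own EncryptedKey and unwraps). Assumptions: the recipient "subjects" are constructed strings standing in for certificate subjects (no certificates are loaded; xmlsec would take them from the PKCS#12 file), recipients are passed as a map keyed by that subject, and the element model covers only the XML-Enc/XML-DSig children this thread needs. Since the payload here is a single element, Type is set to the spec's "#Element" value, which is one of the two values Aleksey says the library accepts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// Element model of the structure discussed in the thread: one EncryptedData
// whose ds:KeyInfo holds one xenc:EncryptedKey per recipient. Namespace and
// algorithm URIs are taken from the XML-Enc and XML-DSig specs.
type Method struct {
	Algorithm string `xml:"Algorithm,attr"`
}
type X509Data struct {
	SubjectName string `xml:"X509SubjectName"`
}
type KeyInfo struct {
	XMLName  xml.Name       `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	KeyName  string         `xml:"KeyName,omitempty"`
	X509Data *X509Data      // only inside EncryptedKey: which cert wrapped this copy
	Keys     []EncryptedKey `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedKey"`
}
type EncryptedKey struct {
	XMLName     xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedKey"`
	Method      Method   `xml:"EncryptionMethod"`
	KeyInfo     KeyInfo
	CipherValue string `xml:"CipherData>CipherValue"`
}
type EncryptedData struct {
	XMLName     xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	Type        string   `xml:"Type,attr"`
	Method      Method   `xml:"EncryptionMethod"`
	KeyInfo     KeyInfo
	CipherValue string `xml:"CipherData>CipherValue"`
}

// AES-CBC as XML-Enc frames it: the IV is prepended to the ciphertext, and only
// the last pad byte (the pad length, 1..16) is significant, so this is not PKCS#7.
func cbcEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), make([]byte, pad)...)
	padded[len(padded)-1] = byte(pad)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

func cbcDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}

// Encrypt: one random AES-128 session key encrypts the payload; that same key is
// wrapped under every recipient's RSA key (rsa-1_5 key transport) and each
// EncryptedKey is labelled with KeyName == that recipient's certificate subject.
// recipients is keyed by subject string (constructed; no certificates loaded).
func Encrypt(pt []byte, recipients map[string]*rsa.PublicKey) (*EncryptedData, error) {
	session := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, session); err != nil {
		return nil, err
	}
	ed := &EncryptedData{
		Type:   "http://www.w3.org/2001/04/xmlenc#Element",
		Method: Method{"http://www.w3.org/2001/04/xmlenc#aes128-cbc"},
	}
	for subject, pub := range recipients {
		wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, session)
		if err != nil {
			return nil, err
		}
		ed.KeyInfo.Keys = append(ed.KeyInfo.Keys, EncryptedKey{
			Method:      Method{"http://www.w3.org/2001/04/xmlenc#rsa-1_5"},
			KeyInfo:     KeyInfo{KeyName: subject, X509Data: &X509Data{subject}},
			CipherValue: base64.StdEncoding.EncodeToString(wrapped),
		})
	}
	ct, err := cbcEncrypt(session, pt)
	if err != nil {
		return nil, err
	}
	ed.CipherValue = base64.StdEncoding.EncodeToString(ct)
	return ed, nil
}

// Decrypt is the receiver side: select the EncryptedKey whose KeyName matches
// our own certificate subject, unwrap the session key with our private key,
// then decrypt the payload. Copies wrapped for other recipients are skipped.
func Decrypt(ed *EncryptedData, subject string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, ek := range ed.KeyInfo.Keys {
		if ek.KeyInfo.KeyName != subject {
			continue
		}
		wrapped, err := base64.StdEncoding.DecodeString(ek.CipherValue)
		if err != nil {
			return nil, err
		}
		session, err := rsa.DecryptPKCS1v15(rand.Reader, priv, wrapped)
		if err != nil {
			return nil, err
		}
		ct, err := base64.StdEncoding.DecodeString(ed.CipherValue)
		if err != nil {
			return nil, err
		}
		return cbcDecrypt(session, ct)
	}
	return nil, fmt.Errorf("no EncryptedKey for %q", subject)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	ed, err := Encrypt([]byte("<secret/>"), map[string]*rsa.PublicKey{"CN=alice,O=example": &alice.PublicKey})
	if err != nil {
		panic(err)
	}
	doc, _ := xml.MarshalIndent(ed, "", "  ")
	fmt.Println(string(doc))
}
```

The receiver's lookup is the point Aleksey makes about a single keys manager: each EncryptedKey must carry enough to tell whose copy it is, and here that is both the KeyName and the <X509SubjectName> child of <X509Data> (the kind of child he says to add to the template; an empty <X509Data/> like the one Veiko saw gives the receiver nothing to match on). Two things a practitioner should keep in mind with this shape: the wrong private key is detected only when rsa-1_5 unwrapping fails, so a subject mismatch is the cheap check and the unwrap error is the backstop; and AES-CBC with XML-Enc's padding gives confidentiality only, with no integrity protection, so in practice the EncryptedData should also be signed (XML-DSig) or the document otherwise authenticated before anyone acts on a decryption result.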