[xmlsec] hybrid encrypted data for multiple recipients doesn't find
keys in Keymanager after first during decryption
Bundschuh, Goetz
Goetz.Bundschuh at usd.de
Fri Oct 21 03:19:34 PDT 2005
Hi,
i have implemented an application with xmlsec that encrypts data for
multiple recipients using RSA 1_5/AES256 hybrid encryption. The AES Session
keys are stored as <EncryptedKey>'s, identified by <Keyname> (Example
below). Encryption works fine.
During decryption of the data, xmlsec only finds private decryption keys in
the Keystore I provide, if the <EncryptedKey> in the <KeyInfo> structure is
the first in the list. The Data is decrypted, everything works fine.. For
all other recipients I get the "Key not found" error, even if their key is
present in the Keymanager(with the correct <KeyName>). I checked the
XmlEncryption spec, the structure for the Encrypted Keys seems to be
correct. I'm using xmlsec 1.2.8 under WinXPSP2, using mscrypto.
Do i have to parse and modify the <EncryptedKey>-List myself for this to
work, or is there something to do with the Keymanager? Thanks.
Götz
Structure of an encrypted File, decryption will work only for key "DE,
Langen, usd de ag, it security, Goetz Bundschuh-DC00", not for "de, TU
Darmstadt, FB20, Goetz Bundschuh-6E", even if the private key with that name
is present in the Keymanager:
<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>DE, Langen, usd de ag, it security, Goetz Bundschuh-DC00</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>i/Af7avQLO0fYhY+q7YM5FLqq40LnIE4GmT/FCXiZwmlx/wQzWvDekjAAOKCqpc
/
VdCuBRZLFPOzN5Ps4sqJHxY4qbWXHmqv7ixFLftBJxLCVkah+l2PHT6JmjKKf2gz
bKyKpwEeV3sSubqcG998sZaktyGM5fvMfvjveGMyvHc=</CipherValue>
</CipherData>
</EncryptedKey>
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>de, TU Darmstadt, FB20, Christian Valentin-6E</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>S2fbN1k+KPn2Z9gPIDspTjX7VUROWlrFPiSEHZS/aqpHa08tyQJSSNJqGUO/P6U
zQOCesgbA9Jt/24TBp8w+RJik2RYjIDspTjX7VUROWlFYBBulPH1D5wqV6PCEW9L
Q340OZ+LM0l0HveHn2VAQ9ZTUlJ/4eOCNIo6e5KxilQ=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
Here is the decryption code I use, adapted from the session key example:
int decryptData(xmlDocPtr doc, xmlSecKeysMngrPtr privKeyMngr)
{
xmlNodePtr node = NULL;
xmlSecEncCtxPtr encCtx = NULL;
int result = CRYPTERR_OK;
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc),
xmlSecNodeEncryptedData, xmlSecEncNs);
if(node == NULL)
{
//Could not find start node of document
result = CRYPTERR_XML_STARTNODENOTFOUND;
goto done;
}
/* create decryption context */
encCtx = xmlSecEncCtxCreate(privKeyMngr);
if(encCtx == NULL)
{
//failed to create encryption context
result = CRYPTERR_XML_ENCODECREATEFAIL;
goto done;
}
/* decrypt the data */
if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL))
{
//decryption failed;
result = CRYPTERR_XML_DECRYPTFAIL;
goto done;
}
done:
/* cleanup */
if(encCtx != NULL)
{
xmlSecEncCtxDestroy(encCtx);
}
return result;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3328 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20051021/d0fe361a/smime-0002.bin
More information about the xmlsec
mailing list