[xmlsec] wsse tokens and encryption

Brian.Myers at zootweb.com Brian.Myers at zootweb.com
Fri Jun 13 10:36:39 PDT 2008

First off I'd like to say thank you to Aleksey and the mailing list.  This 
library has saved me from trying to invent a security implementation on my 
and the dialog in the mailing list has helped me fix difficult problems 
that didn't seem to have obvious solutions.  Thank you!

Now, the problem I'm having has to do with wsse security tokens and 
More specifically the subject key identifier found in x509 certificates.
I'm trying to fill out this node, which would be part of the EncryptedKey 
node in the SOAP:Header:
<wsse:KeyIdentifier ValueType="wsse:X509SubjectKeyIdentifier" 

with information that would be gathered from this node:

The problem is that encryption returns this for X509Data node:


Empty.  I realize that you generally don't apply a certificate to 
encryption, but I can't do this step with signature creation
because I'd have to change the document, which would make the signature 
What I'm doing:
- I load up my key into a keys manager
- I load up my cert into the keys manager
- Create the encryption context object with the manager as its parameter
- Set encryption context encKey to generated des key
- Successfully create encrypted data template with X509Data, 
X509Certificate, and X509SKI properly attached to KeyInfo node
- Successfully encrypt data
- Parse and print out document and see that the X509Data node is now 
empty, thus not able to get the SKI info

If the node had been filled out as I had hoped, I would have:
- Located the X509Data node and unlinked it from the document
- Set the content of the KeyIdentifier node to the content of the X509SKI 

Is there something I'm doing wrong, is this something that xmlsec can't 
do, and/or is there a better way to do this?
Thank you very much,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20080613/1677e5d2/attachment-0002.htm

More information about the xmlsec mailing list