[xmlsec] wsse tokens and encryption

Aleksey Sanin aleksey at aleksey.com
Fri Jun 13 15:24:09 PDT 2008


I am really sorry but I don't understand what you are trying
to do. The only guess I have is that the certificate was not
associated with the key but I am not sure.

You might want to step through xmlsec source code in the debugger
and see why it doesn't do what you want it to do.

Aleksey

Brian.Myers at zootweb.com wrote:
> 
> Hello,
> First off I'd like to say thank you to Aleksey and the mailing list.
> This library has saved me from trying to invent a security
> implementation on my own, and the dialog in the mailing list has helped
> me fix difficult problems that didn't seem to have obvious solutions.
> Thank you!
> 
> Now, the problem I'm having has to do with wsse security tokens and
> encryption, more specifically the subject key identifier found in
> X.509 certificates.
> I'm trying to fill out this node, which would be part of the 
> EncryptedKey node in the SOAP:Header:
> <wsse:SecurityTokenReference>
> <wsse:KeyIdentifier ValueType="wsse:X509SubjectKeyIdentifier" 
> EncodingType="wsse:Base64Binary"/>
> </wsse:SecurityTokenReference>
> 
> with information that would be gathered from this node:
> <X509Data>
> <X509Certificate/>
> <X509SKI/>
> </X509Data>
> 
> The problem is that encryption returns this for X509Data node:
> <X509Data>
> 
> 
> </X509Data>
> 
> Empty.  I realize that you generally don't apply a certificate to 
> encryption, but I can't do this step with signature creation
> because I'd have to change the document, which would make the signature 
> invalid.
> What I'm doing:
> - I load up my key into a keys manager
> - I load up my cert into the keys manager
> - Create the encryption context object with the manager as its parameter
> - Set encryption context encKey to generated des key
> - Successfully create encrypted data template with X509Data, 
> X509Certificate, and X509SKI properly attached to KeyInfo node
> - Successfully encrypt data
> - Parse and print out document and see that the X509Data node is now 
> empty, thus not able to get the SKI info
> 
> If the node had been filled out as I had hoped, I would have:
> - Located the X509Data node and unlinked it from the document
> - Set the content of the KeyIdentifier node to the content of the 
> X509SKI node
> 
> Is there something I'm doing wrong, is this something that xmlsec can't 
> do, and/or is there a better way to do this?
> Thank you very much,
> Brian
> 
> 
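The post-processing step Brian describes (unlinking X509Data and copying the X509SKI value into a wsse:KeyIdentifier), as an added Python example that is not from the thread or from xmlsec itself; it runs on a constructed EncryptedKey and rejects the empty X509Data the post reports, the case Aleksey guesses at where the certificate was never associated with the key. It assumes the standard XML-DSig and XML-Encryption namespace URIs and the OASIS WSS 1.0 secext URI for the wsse prefix, none of which the post spells out.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace URIs. The post shows only prefixes: XENC and DS are the standard
# XML Encryption / XML-DSig URIs, WSSE is assumed to be OASIS WSS 1.0 secext.
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
for _prefix, _uri in (("xenc", XENC), ("ds", DS), ("wsse", WSSE)):
    ET.register_namespace(_prefix, _uri)

def extract_ski(enc_key_xml: str) -> str:
    """Return the base64 text of ds:KeyInfo/ds:X509Data/ds:X509SKI."""
    root = ET.fromstring(enc_key_xml)
    ski = root.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509SKI")
    text = (ski.text or "").strip() if ski is not None else ""
    if not text:  # the empty X509Data the post reports
        raise ValueError("X509SKI is empty: attach the certificate to the key "
                         "(xmlSecCryptoAppKeyCertLoad) before adopting it")
    try:
        base64.b64decode(text, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("X509SKI is not valid base64") from exc
    return text

def x509data_to_str(enc_key_xml: str) -> str:
    """Unlink ds:X509Data from EncryptedKey/KeyInfo and put the SKI into
    wsse:SecurityTokenReference/wsse:KeyIdentifier instead."""
    ski = extract_ski(enc_key_xml)  # fails early on an empty X509Data
    root = ET.fromstring(enc_key_xml)
    key_info = root.find(f"{{{DS}}}KeyInfo")
    key_info.remove(key_info.find(f"{{{DS}}}X509Data"))
    ref = ET.SubElement(key_info, f"{{{WSSE}}}SecurityTokenReference")
    kid = ET.SubElement(ref, f"{{{WSSE}}}KeyIdentifier",
                        ValueType="wsse:X509SubjectKeyIdentifier",
                        EncodingType="wsse:Base64Binary")
    kid.text = ski
    return ET.tostring(root, encoding="unicode")

# Constructed sample EncryptedKey; %s is the X509Data content. The SKI is
# base64 of the made-up string "This is a test SKI".
_TMPL = (f'<xenc:EncryptedKey xmlns:xenc="{XENC}" xmlns:ds="{DS}">'
         '<ds:KeyInfo><ds:X509Data>%s</ds:X509Data></ds:KeyInfo>'
         '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue>'
         '</xenc:CipherData></xenc:EncryptedKey>')
SAMPLE = _TMPL % ('<ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate>'
                  '<ds:X509SKI>VGhpcyBpcyBhIHRlc3QgU0tJ</ds:X509SKI>')
EMPTY_SAMPLE = _TMPL % ""  # what the post got back: an empty X509Data
```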
