[xmlsec] wsse tokens and encryption

Aleksey Sanin aleksey at aleksey.com
Fri Jun 13 15:24:09 PDT 2008

I am really sorry but I don't understand what you are trying
to do. The only guess I have is that the certificate was not
associated with the key but I am not sure.

You might want to step through xmlsec source code in the debugger
and see why it doesn't do what you want it to do.


Brian.Myers at zootweb.com wrote:
> Hello,
> First off I'd like to say thank you to Aleksey and the mailing list.
> This library has saved me from trying to invent a security
> implementation on my own,
> and the dialog in the mailing list has helped me fix difficult problems 
> that didn't seem to have obvious solutions.  Thank you!
> Now, the problem I'm having has to do with wsse security tokens and 
> encryption.
> More specifically the subject key identifier found in x509 certificates.
> I'm trying to fill out this node, which would be part of the 
> EncryptedKey node in the SOAP:Header:
> <wsse:SecurityTokenReference>
> <wsse:KeyIdentifier ValueType="wsse:X509SubjectKeyIdentifier" 
> EncodingType="wsse:Base64Binary"/>
> </wsse:SecurityTokenReference>
> with information that would be gathered from this node:
> <X509Data>
> <X509Certificate/>
> <X509SKI/>
> </X509Data>
> The problem is that encryption returns this for X509Data node:
> <X509Data>
> </X509Data>
> Empty.  I realize that you generally don't apply a certificate to 
> encryption, but I can't do this step with signature creation
> because I'd have to change the document, which would make the signature 
> invalid.
> What I'm doing:
> - I load up my key into a keys manager
> - I load up my cert into the keys manager
> - Create the encryption context object with the manager as its parameter
> - Set encryption context encKey to generated des key
> - Successfully create encrypted data template with X509Data, 
> X509Certificate, and X509SKI properly attached to KeyInfo node
> - Successfully encrypt data
> - Parse and print out document and see that the X509Data node is now 
> empty, thus not able to get the SKI info
> If the node had been filled out as I had hoped, I would have:
> - Located the X509Data node and unlinked it from the document
> - Set the content of the KeyIdentifier node to the content of the 
> X509SKI node
> Is there something I'm doing wrong, is this something that xmlsec can't 
> do, and/or is there a better way to do this?
> Thank you very much,
> Brian
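The post-processing step Brian describes (copy the X509SKI value into a wsse:KeyIdentifier, then unlink X509Data) is shown below as an added example; it is not code from the original post or from the xmlsec project. It uses only the Python standard library and a constructed sample of the EncryptedKey, so it runs offline. It assumes xmlsec emits the X509Data children in the XML-DSig namespace and uses the 2002 WS-Security draft namespace URI for the wsse prefix, since the post's ValueType strings follow that draft. The xmlsec side of the problem (the reply's guess that the certificate was never associated with the key) is outside this snippet; in xmlsec a certificate is attached to an already loaded key with xmlSecCryptoAppKeyCertLoad rather than by loading it into the keys manager separately. The function deliberately returns None and leaves the document untouched when it meets the empty X509Data the post reports, so a caller can detect that case instead of emitting a KeyIdentifier with no value.

```python
"""Move an X509SKI value into a wsse:KeyIdentifier inside an EncryptedKey.

Added example, not part of the original post or the xmlsec project.
Standard library only; all sample XML and the SKI value are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Assumption: the 2002 WS-Security draft namespace, matching the
# "wsse:X509SubjectKeyIdentifier" ValueType form used in the post.
WSSE = "http://schemas.xmlsoap.org/ws/2002/07/secext"

for _prefix, _uri in (("ds", DS), ("xenc", XENC), ("wsse", WSSE)):
    ET.register_namespace(_prefix, _uri)


def ski_to_key_identifier(encrypted_key: ET.Element) -> Optional[str]:
    """Build KeyInfo/SecurityTokenReference/KeyIdentifier from X509SKI.

    Returns the SKI text that was copied, or None when KeyInfo, X509Data or
    a non-empty X509SKI is missing (the empty X509Data case from the post).
    In the None case the document is left unchanged.
    """
    key_info = encrypted_key.find(f"{{{DS}}}KeyInfo")
    if key_info is None:
        return None
    x509_data = key_info.find(f"{{{DS}}}X509Data")
    if x509_data is None:
        return None
    ski = x509_data.find(f"{{{DS}}}X509SKI")
    if ski is None or not (ski.text or "").strip():
        return None  # nothing to copy: X509Data came back empty
    value = ski.text.strip()

    # Create the wsse token reference carrying the SKI, then unlink X509Data
    # so the header only references the certificate instead of embedding it.
    str_el = ET.SubElement(key_info, f"{{{WSSE}}}SecurityTokenReference")
    kid = ET.SubElement(
        str_el,
        f"{{{WSSE}}}KeyIdentifier",
        {"ValueType": "wsse:X509SubjectKeyIdentifier",
         "EncodingType": "wsse:Base64Binary"},
    )
    kid.text = value
    key_info.remove(x509_data)
    return value


# Constructed sample: what the post hoped xmlsec would emit. The certificate
# and SKI values are placeholders, not data from any real certificate.
FILLED = f"""<xenc:EncryptedKey xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>MIIB-PLACEHOLDER-CERT</ds:X509Certificate>
      <ds:X509SKI>YWJjZGVmZ2hpamtsbW5vcHFyc3Q=</ds:X509SKI>
    </ds:X509Data>
  </ds:KeyInfo>
</xenc:EncryptedKey>"""

# Constructed sample: what the post actually got back (empty X509Data).
EMPTY = f"""<xenc:EncryptedKey xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <ds:KeyInfo>
    <ds:X509Data>
    </ds:X509Data>
  </ds:KeyInfo>
</xenc:EncryptedKey>"""


def demo(xml_text: str) -> Tuple[Optional[str], str]:
    """Parse, apply the rewrite, and return (copied SKI or None, serialized XML)."""
    root = ET.fromstring(xml_text)
    value = ski_to_key_identifier(root)
    return value, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, sample in (("filled", FILLED), ("empty", EMPTY)):
        value, out = demo(sample)
        print(f"--- {label}: copied SKI = {value!r}")
        print(out)
```

Running the block prints the rewritten EncryptedKey for the filled sample and the unchanged one for the empty sample, which mirrors the two outcomes in the post: the rewrite is only possible once xmlsec actually populates X509Data.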
