[xmlsec] wsse tokens and encryption

Brian.Myers at zootweb.com Brian.Myers at zootweb.com
Tue Jun 17 14:10:44 PDT 2008

Hi Aleksey,
Well, using the debugger I figured out what is failing, but I don't know 
why or how to fix it.  So I'm going to try to explain my problem a bit 

My goal is to attach the subject key identifier, of the public cert used 
to encrypt the message, to the EncryptedKey node.

What I do (simplified for explanation):
- create and initialize a keys manager
        mngr = xmlSecKeysMngrCreate();
- load a public key into the keys manager
        key = xmlSecCryptoAppKeyLoad(file.c_str(), xmlSecKeyDataFormatPem, 
pwd, NULL, NULL);
        xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key);
- load an x509 certificate into the keys manager
        xmlSecCryptoAppKeysMngrCertLoad(mngr, nodeCertFile.c_str(), 
xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted); 
- create an xmlSecEncCtxPtr with the manager as its parameter
        encCtx = xmlSecEncCtxCreate(mngr);
- generate a session key for the encCtx->encKey
        encCtx->encKey = xmlSecKeyGenerate(xmlSecKeyDataDesId, 192, 
- create encryption template (with X509 data attached to the 
EncryptedKey's KeyInfo)
        encDataNode = xmlSecTmplEncDataCreate(doc, 
xmlSecTransformDes3CbcId, NULL, xmlSecTypeEncElement, NULL, NULL);
        keyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encDataNode, NULL);
        encKeyNode = xmlSecTmplKeyInfoAddEncryptedKey(keyInfoNode, 
xmlSecTransformRsaPkcs1Id, NULL, xmlSecEncKey, NULL);
        encKeyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encKeyNode, NULL);
        xmlSecTmplKeyInfoAddKeyName(encKeyInfoNode, BAD_CAST 
        certNode = xmlSecTmplKeyInfoAddX509Data(encKeyInfoNode);
- finally encrypt the data
        xmlSecEncCtxXmlEncrypt(encCtx, encDataNode, myDataNode);

Ok, all of the steps before actual encryption complete successfully.  I 
have checked the template that I am sending in, and it looks exactly like 
you'd expect it to.
The key and certificate loaded correctly into the keys manager, and the 
encryption context correctly copied the manager into itself.

During the encryption everything appears fine, though I must admit that 
there were more then a couple times that I was very confused.
Here is a backtrace of where I think my problem is:

(gdb) bt
#0  xmlSecKeyGetData (key=0x80962c0, dataId=0xb78188e0) at keys.c:837
#1  0xb76f0a73 in xmlSecOpenSSLKeyDataX509XmlWrite (id=0xb78188e0, 
key=0x80962c0, node=0x8096900, keyInfoCtx=0x80a7118)
    at x509.c:725
#2  0xb7722173 in xmlSecKeyInfoNodeWrite (keyInfoNode=0x80a4d50, 
key=0x80962c0, keyInfoCtx=0x80a7118) at keyinfo.c:179
#3  0xb771669c in xmlSecEncCtxEncDataNodeWrite (encCtx=0x80a7040) at 
#4  0xb77185e4 in xmlSecEncCtxBinaryEncrypt (encCtx=0x80a7040, 
    data=0x80a8c08 ">\205}E\r\fÜ\177\023ñ]\021Fú4Àë³t\217×÷£\222 ", 
dataSize=24) at xmlenc.c:334
#5  0xb7724e4a in xmlSecKeyDataEncryptedKeyXmlWrite (id=0xb7822da0, 
key=0x80980e0, node=0x80879c8, keyInfoCtx=0x80aeb68)
    at keyinfo.c:1542
#6  0xb7722173 in xmlSecKeyInfoNodeWrite (keyInfoNode=0x80878e0, 
key=0x80980e0, keyInfoCtx=0x80aeb68) at keyinfo.c:179
#7  0xb771669c in xmlSecEncCtxEncDataNodeWrite (encCtx=0x80aea90) at 
#8  0xb77180b2 in xmlSecEncCtxXmlEncrypt (encCtx=0x80aea90, 
tmpl=0x80a87b0, node=0x80a5e00) at xmlenc.c:441

In the openssl file x509.c, in function xmlSecOpenSSLKeyDataX509XmlWrite 
at line 725.
The process is trying to get a dataList out of the key, but the key has no 
dataList in it.  So the function returns NULL, exits out and no X509 data 
is written.
I thought there would be some kind of reference to the certificate that I 
loaded for this purpose, but when it gets to this point, there is no link 
to it at all.

Am I loading something wrong? Do I need to set some kind of processing 
flags? Do I need to manually put the cert into the key?
Is my goal something that xmlsec is coded not to do?
Thank you for any help you can give,

Brian S. Myers
Systems Developer, Engineering
brian.myers at zootweb.com
Tel: 406-556-8924  Fax: 406-587-8414
This email, including any attachments, is confidential and may not be 
redistributed without permission. If you are not an intended recipient, 
you have received this message in error. Please notify us immediately by 
replying to this message, and then delete it from your computer. Thank 

Aleksey Sanin <aleksey at aleksey.com> 
06/13/2008 04:24 PM

Brian.Myers at zootweb.com
xmlsec at aleksey.com
Re: [xmlsec] wsse tokens and encryption

I am really sorry but I don't understand what you are trying
to do. The only guess I have is that the certificate was not
associated with the key but I am not sure.

You might want to step through xmlsec source code in the debugger
and see why it doesn't do what you want it to do.


Brian.Myers at zootweb.com wrote:
> Hello,
> First off I'd like to say thank you to Aleksey and the mailing list. 
>  This library has saved me from trying to invent a security 
> implementation on my own,
> and the dialog in the mailing list has helped me fix difficult problems 
> that didn't seem to have obvious solutions.  Thank you!
> Now, the problem I'm having has to do with wsse security tokens and 
> encryption.
> More specifically the subject key identifier found in x509 certificates.
> I'm trying to fill out this node, which would be part of the 
> EncryptedKey node in the SOAP:Header:
> <wsse:SecurityTokenReference>
> <wsse:KeyIdentifier ValueType="wsse:X509SubjectKeyIdentifier" 
> EncodingType="wsse:Base64Binary"/>
> </wsse:SecurityTokenReference>
> with information that would be gathered from this node:
> <X509Data>
> <X509Certificate/>
> <X509SKI/>
> </X509Data>
> The problem is that encryption returns this for X509Data node:
> <X509Data>
> </X509Data>
> Empty.  I realize that you generally don't apply a certificate to 
> encryption, but I can't do this step with signature creation
> because I'd have to change the document, which would make the signature 
> invalid.
> What I'm doing:
> - I load up my key into a keys manager
> - I load up my cert into the keys manager
> - Create the encryption context object with the manager as its parameter
> - Set encryption context encKey to generated des key
> - Successfully create encrypted data template with X509Data, 
> X509Certificate, and X509SKI properly attached to KeyInfo node
> - Successfully encrypt data
> - Parse and print out document and see that the X509Data node is now 
> empty, thus not able to get the SKI info
> If the node had been filled out as I had hoped, I would have:
> - Located the X509Data node and unlinked it from the document
> - Set the content of the KeyIdentifier node to the content of the 
> X509SKI node
> Is there something I'm doing wrong, is this something that xmlsec can't 
> do, and/or is there a better way to do this?
> Thank you very much,
> Brian
> ------------------------------------------------------------------------
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20080617/e26cfe55/attachment-0002.htm

More information about the xmlsec mailing list