[xmlsec] Missing encryptedkey?

Roland Hedberg roland.hedberg at adm.umu.se
Sun Jun 10 12:15:40 PDT 2012

Sorry to bother you again Aleksey,
but there are things in the encryption process I just don't understand.

On 10 Jun 2012 at 02:08, Aleksey Sanin wrote:

> You need to use KW transform. Take a look at
> tests/merlin-xmlenc-five/encrypt-element-tripledes-cbc-kw-aes128.tmpl

But enc-element-3des-kw-3des.tmpl also used the KW transform, right?

Obviously, there is something here I don't understand.

This is how I have reasoned:

Let's say I have an RSA key pair and I want to use a des-192 key as the session key.

The template would then be something like tests/01-phaos-xmlenc-3/enc-element-3des-kt-rsa1_5.tmpl.
Except for the fact that I have the RSA key in a PEM file instead of in a key-file (as in keys.xml).
So, I modified the template file to be:

<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <DataReference URI="#ED"/>

Right so far?

On to the command line, here I get:

xmlsec1 encrypt --privkey-pem mykey.pem \
    --session-key des-192 --xml-data pre.xml \
    --node-xpath '/*[local-name()="Response"]/*[local-name()="Assertion"]/*[local-name()="Subject"]/*[local-name()="EncryptedID"]/text()' \

Now, the result I expected of this is that xmlsec would construct a 3des session key, encrypt the
value of the specified element and place that value in the EncryptedData/CipherData/CipherValue element.

In the EncryptedKey/CipherData/CipherValue element I would expect to find the 3des session key encrypted with the RSA key.

But this doesn't happen.
What happens is that the whole <KeyInfo> element in the template doesn't appear in the output.
I do get something in the EncryptedData/CipherData/CipherValue element, but I don't know which key was used to create that value.

So, isn't it possible to do what I want with xmlsec?
If it is, where did I go wrong?

-- Roland
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS) 
Umeå University 
SE-901 87 Umeå, Sweden	
Phone +46 90 786 68 44
Mobile +46 70 696 68 44 
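The two things the thread turns on are (a) what a complete key-transport template looks like, and (b) how to tell from an xmlsec output whether the session key is actually carried inside the document and under which algorithm. The following is an added example, not code from this thread or from the xmlsec project: it uses only the Python standard library, builds a template in the layout of the xmlsec sample templates (empty CipherValue placeholders for both the data and the wrapped key, a ds:KeyName for the RSA key, and a ReferenceList linking EncryptedKey back to EncryptedData), and inspects an EncryptedData result to report the data algorithm, the presence of an EncryptedKey, its algorithm and key name. The key name "rsakey", the sample output and its base64 content are constructed for illustration. The inspector also flags tripledes-cbc and rsa-1_5 as legacy choices; the stronger aes128-cbc and rsa-oaep-mgf1p identifiers are from the XML Encryption spec.

```python
"""Build and inspect XML Encryption (xmlenc) key-transport structures."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)

TRIPLEDES_CBC = XENC + "tripledes-cbc"   # the session-key cipher used in the thread
RSA_1_5 = XENC + "rsa-1_5"               # the key-transport algorithm used in the thread
AES128_CBC = XENC + "aes128-cbc"         # stronger alternatives for new deployments
RSA_OAEP = XENC + "rsa-oaep-mgf1p"
LEGACY_ALGORITHMS = {
    TRIPLEDES_CBC: "64-bit block cipher",
    RSA_1_5: "PKCS#1 v1.5 padding",
}


def build_key_transport_template(key_name, data_alg=TRIPLEDES_CBC, key_alg=RSA_1_5):
    """Return an xmlsec-style key-transport template as a string.

    Every element xmlsec fills in is present as an empty placeholder: one
    CipherValue for the session-key-encrypted data, one for the RSA-encrypted
    session key, a ds:KeyName naming the RSA key (value is an assumed
    placeholder), and a ReferenceList pointing the EncryptedKey at "#ED".
    """
    ed = ET.Element(f"{{{XENC}}}EncryptedData", Id="ED", Type=XENC + "Element")
    ET.SubElement(ed, f"{{{XENC}}}EncryptionMethod", Algorithm=data_alg)
    ki = ET.SubElement(ed, f"{{{DS}}}KeyInfo")
    ek = ET.SubElement(ki, f"{{{XENC}}}EncryptedKey", Id="EK")
    ET.SubElement(ek, f"{{{XENC}}}EncryptionMethod", Algorithm=key_alg)
    ek_ki = ET.SubElement(ek, f"{{{DS}}}KeyInfo")
    ET.SubElement(ek_ki, f"{{{DS}}}KeyName").text = key_name
    ek_cd = ET.SubElement(ek, f"{{{XENC}}}CipherData")
    ET.SubElement(ek_cd, f"{{{XENC}}}CipherValue")
    rl = ET.SubElement(ek, f"{{{XENC}}}ReferenceList")
    ET.SubElement(rl, f"{{{XENC}}}DataReference", URI="#ED")
    cd = ET.SubElement(ed, f"{{{XENC}}}CipherData")
    ET.SubElement(cd, f"{{{XENC}}}CipherValue")
    return ET.tostring(ed, encoding="unicode")


def _algorithm(elem):
    em = elem.find(f"{{{XENC}}}EncryptionMethod")
    return em.get("Algorithm") if em is not None else None


def _has_cipher_value(elem):
    cv = elem.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue")
    return cv is not None and bool((cv.text or "").strip())


def inspect_encrypted_data(xml_text):
    """Report how an EncryptedData element was produced.

    Answers the question raised in the thread: is the session key carried in
    the document as an EncryptedKey, under which algorithm, and named how?
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XENC}}}EncryptedData":
        root = root.find(f".//{{{XENC}}}EncryptedData")
        if root is None:
            raise ValueError("no EncryptedData element found")
    report = {
        "data_algorithm": _algorithm(root),
        "data_cipher_present": _has_cipher_value(root),
        "encrypted_key_present": False,
        "key_algorithm": None,
        "key_name": None,
        "key_cipher_present": False,
        "warnings": [],
    }
    ek = root.find(f"{{{DS}}}KeyInfo/{{{XENC}}}EncryptedKey")
    if ek is not None:
        report["encrypted_key_present"] = True
        report["key_algorithm"] = _algorithm(ek)
        kn = ek.find(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
        report["key_name"] = kn.text if kn is not None else None
        report["key_cipher_present"] = _has_cipher_value(ek)
    else:
        report["warnings"].append(
            "no EncryptedKey: the session key is not carried in the document")
    for alg in (report["data_algorithm"], report["key_algorithm"]):
        if alg in LEGACY_ALGORITHMS:
            report["warnings"].append(
                f"{alg.rsplit('#', 1)[1]}: {LEGACY_ALGORITHMS[alg]}")
    return report


# Constructed sample of the output described in the thread: the KeyInfo block
# is absent and only the data CipherValue remains (the base64 is made up).
SAMPLE_NO_KEYINFO = """<EncryptedData Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <CipherData><CipherValue>Q09OU1RSVUNURUQtQ0lQSEVSVEVYVA==</CipherValue></CipherData>
</EncryptedData>"""

if __name__ == "__main__":
    print(build_key_transport_template("rsakey"))
    for key, value in inspect_encrypted_data(SAMPLE_NO_KEYINFO).items():
        print(f"{key}: {value}")
```

Run the inspector over the real xmlsec output rather than the template: an empty placeholder CipherValue counts as "not present", so `key_cipher_present` being true on the output is the confirmation that the RSA-wrapped session key actually made it into the document.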