[xmlsec] Encrypting Content

Timothy Legge timlegge at gmail.com
Sat Mar 26 14:49:14 UTC 2022


Hi Aleksey

I just wrote a perl module to encrypt and decrypt XML.  As part of the
test scripts I am using xmlsec to encrypt XML to verify that the
XML::Enc module can properly decrypt the XML.

I ran into trouble with xmlsec encrypting the content within a tag.
When I used the xpath /PayInfo/CreditCard/Number/text() to get the
Content xmlsec only seems to encrypt the Content correctly if I use
http://www.w3.org/2001/04/xmlenc#Element as the EncryptedData type.
If I try to use  http://www.w3.org/2001/04/xmlenc#Content it leaves
the Content of the Number empty.

My tests are in
https://github.com/perl-net-saml2/perl-XML-Enc/blob/main/t/07-decrypt-xmlsec.t
basically I test with both an Encrypted Element and Encrypted Content.
In the Module I have to use an option force_element_to_content so that
when the xmlsec encrypted Content is decrypted that includes the
http://www.w3.org/2001/04/xmlenc#Element as the EncryptedData Type I
treat it as if it were Content if it is not valid XML.  In this case
it is simply the credit card number.

I will take a look at the examples in case I am doing something
incorrect in my xmlsec commands.

Tim

Timothy Legge
timlegge at gmail.com
timlegge at cpan.org

On Sat, Mar 26, 2022 at 11:06 AM Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Hi Timothy,
>
> I am not exactly sure what you are trying to do but I recommend
> checking out examples:
>
> https://github.com/lsh123/xmlsec/tree/master/examples
>
> and tests:
>
> https://github.com/lsh123/xmlsec/tree/master/tests
>
> Also, if you can explain what your goal is, then it might be easier
> to provide a solution for your problem.
>
> Best,
>
> Aleksey
>
> On 3/25/22 7:15 PM, Timothy Legge wrote:
> > Hi
> >
> > Sorry, I sent this directly to Aleksey initially...
> >
> > I was following:
> > https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html
> > (which is reasonably close enough for me to get encryption working).
> >
> > Specifically the following command results in the Content in
> > /PayInfo/CreditCard/Number/text() being properly encrypted.  However,
> > I would expect that the EncryptedData Type should be
> > "http://www.w3.org/2001/04/xmlenc#Content" instead of the specified
> > Element for this to properly encrypt the Content.  Changing it to
> > Content causes the doc-encrypted.xml created to be missing data in the
> > Number tags: "<Number></Number>".
> >
> > To me this appears to be a bug, but likely I am misreading the
> > XML-Enc specifications.
> >
> > Any thoughts?
> >
> > xmlsec1 --encrypt --pubkey-cert-pem t/sign-certonly.pem
> > --session-key des-192 --xml-data doc-plain.xml --output
> > doc-encrypted.xml --node-xpath '/PayInfo/CreditCard/Number/text()'
> > session-key-template.xml
> >
> > ========================================
> > doc-plain.xml
> > ========================================
> > <?xml version="1.0" encoding="utf-8" ?>
> > <PayInfo>
> >    <Name>John Smith</Name>
> >    <CreditCard Limit='2,000' Currency='USD'>
> >      <Number>1076 2478 0678 5589</Number>
> >      <Issuer>CitiBank</Issuer>
> >      <Expiration>06/10</Expiration>
> >    </CreditCard>
> > </PayInfo>
> > ========================================
> > session-key-template.xml
> > ==========================================
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!--
> > XML Security Library example: Original XML
> >   doc file before encryption (encrypt3 example).
> > -->
> > <EncryptedData
> >    xmlns="http://www.w3.org/2001/04/xmlenc#"
> >    Type="http://www.w3.org/2001/04/xmlenc#Element">
> >   <EncryptionMethod Algorithm=
> >     "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
> >   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
> >     <EncryptionMethod Algorithm=
> >       "http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> >     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >      <KeyName/>
> >     </KeyInfo>
> >     <CipherData>
> >      <CipherValue/>
> >     </CipherData>
> >    </EncryptedKey>
> >   </KeyInfo>
> >   <CipherData>
> >    <CipherValue/>
> >   </CipherData>
> > </EncryptedData>
> > ==========================================
> >
> >
> > Timothy Legge
> > timlegge at gmail.com
> > timlegge at cpan.org
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
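Editor's note on the Type semantics discussed in this thread. In XML Encryption the Type attribute tells the decryptor what the plaintext is and where it goes: with `...xmlenc#Element` the plaintext is one complete element that replaces the whole EncryptedData element; with `...xmlenc#Content` the plaintext is the child content (text and/or elements) of the element that contains EncryptedData and is spliced back in at that position. Selecting `/PayInfo/CreditCard/Number/text()` yields a text node, which has no children of its own, so an empty `<Number></Number>` under Type Content is consistent with that reading (selecting the `Number` element itself is the combination the Content type describes); this is the editor's reading of the spec, not something confirmed on the page. The example below is added here and is not code from xmlsec or from the XML::Enc module: it assumes the cipher step (RSA key transport plus block-cipher decryption) has already been done and takes the recovered plaintext as a string, then puts it back into the document strictly according to Type, raising on a mismatch instead of guessing. The sample documents are constructed from the thread's doc-plain.xml with a placeholder CipherValue.

```python
"""Type-aware replacement of a decrypted EncryptedData node.

Added example (editor's code, not from xmlsec or XML::Enc).  The cipher step is
assumed done; `plaintext` is the recovered clear text.  Stdlib ElementTree only.
For untrusted input parse the decrypted bytes, like the outer document, with a
hardened parser (DTD and entity expansion disabled).
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
TYPE_ELEMENT = XENC + "Element"
TYPE_CONTENT = XENC + "Content"
ENCRYPTED_DATA = "{%s}EncryptedData" % XENC

# Constructed samples based on doc-plain.xml from the thread; the CipherValue is
# a placeholder, only the document shape matters here.
DOC_CONTENT = """<PayInfo>
  <Name>John Smith</Name>
  <CreditCard Limit="2,000" Currency="USD">
    <Number><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <CipherData><CipherValue>AAAA</CipherValue></CipherData>
    </EncryptedData></Number>
    <Issuer>CitiBank</Issuer>
  </CreditCard>
</PayInfo>"""

DOC_ELEMENT = """<PayInfo>
  <Name>John Smith</Name>
  <CreditCard Limit="2,000" Currency="USD">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <CipherData><CipherValue>AAAA</CipherValue></CipherData>
    </EncryptedData>
    <Issuer>CitiBank</Issuer>
  </CreditCard>
</PayInfo>"""


def _append_text(parent, idx, text):
    """Append text just before child position idx of parent (ElementTree
    stores such text as parent.text or as the previous sibling's tail)."""
    if not text:
        return
    if idx == 0:
        parent.text = (parent.text or "") + text
    else:
        prev = parent[idx - 1]
        prev.tail = (prev.tail or "") + text


def replace_encrypted_data(doc_xml, plaintext):
    """Return the document root with its first EncryptedData replaced by
    plaintext, interpreted according to the EncryptedData Type attribute."""
    root = ET.fromstring(doc_xml)
    enc = root.find(".//" + ENCRYPTED_DATA)
    if enc is None:
        raise ValueError("no EncryptedData element found")
    parents = {c: p for p in root.iter() for c in p}
    parent = parents.get(enc)
    if parent is None:
        raise ValueError("EncryptedData as the document root is not handled here")
    enc_type = enc.get("Type")
    idx = list(parent).index(enc)
    tail = enc.tail or ""  # text that followed EncryptedData
    parent.remove(enc)

    if enc_type == TYPE_ELEMENT:
        # Must be exactly one well-formed element; bare text is an error here,
        # not something to silently reinterpret as content.
        try:
            new = ET.fromstring(plaintext)
        except ET.ParseError as e:
            raise ValueError("Type=Element plaintext is not a single element: %s" % e)
        new.tail = tail
        parent.insert(idx, new)
    elif enc_type == TYPE_CONTENT:
        # Content may be bare text, several elements, or a mix, so it is not a
        # document on its own: wrap it in a throwaway root to parse it.
        try:
            frag = ET.fromstring("<w>" + plaintext + "</w>")
        except ET.ParseError as e:
            raise ValueError("Type=Content plaintext is not well-formed content: %s" % e)
        _append_text(parent, idx, frag.text)
        kids = list(frag)
        for off, kid in enumerate(kids):
            parent.insert(idx + off, kid)
        _append_text(parent, idx + len(kids), tail)
    else:
        raise ValueError("unsupported or missing EncryptedData Type: %r" % enc_type)
    return root


def card_number(root):
    """Text of /PayInfo/CreditCard/Number after replacement (None if absent)."""
    n = root.find("./CreditCard/Number")
    return None if n is None else (n.text or "")


def number_markup(root):
    """Serialised Number element, for checking mixed content splices."""
    n = root.find("./CreditCard/Number")
    n.tail = None
    return ET.tostring(n, encoding="unicode")


if __name__ == "__main__":
    print(card_number(replace_encrypted_data(DOC_CONTENT, "1076 2478 0678 5589")))
    print(card_number(replace_encrypted_data(
        DOC_ELEMENT, "<Number>1076 2478 0678 5589</Number>")))
```

The strict Type check is the point: the `force_element_to_content` workaround described in the thread treats Element-typed plaintext as content whenever it fails to parse, which makes the decryptor's structural decision depend on what the plaintext happens to look like. If the producer really labels bare-text content as Type Element, prefer fixing the producer's node selection (or an explicit, per-source opt-in) over a heuristic in the decryptor.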
