[xmlsec] Encrypting Content

Timothy Legge timlegge at gmail.com
Sat Mar 26 20:26:51 UTC 2022


Hi

I was sitting watching my son play hockey and realized my issue.

The example I was using --node-xpath
'/PayInfo/CreditCard/Number/text()' grabs the text of the Number
element.  As it is already text,
http://www.w3.org/2001/04/xmlenc#Content is not valid.

Changing it to --node-xpath '/PayInfo/CreditCard/Number' allows me to
use http://www.w3.org/2001/04/xmlenc#Content in the template and it
correctly encrypts just the credit card number.

So the example from
https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html
was incorrect.

Thanks for the earlier reply.

Tim

Timothy Legge
timlegge at gmail.com
timlegge at cpan.org

On Sat, Mar 26, 2022 at 11:49 AM Timothy Legge <timlegge at gmail.com> wrote:
>
> Hi Aleksey
>
> I just wrote a perl module to encrypt and decrypt XML.  As part of the
> test scripts I am using xmlsec to encrypt XML to verify that the
> XML::Enc module can properly decrypt the XML.
>
> I ran into trouble with xmlsec encrypting the content within a tag.
> When I used the xpath /PayInfo/CreditCard/Number/text() to get the
> Content xmlsec only seems to encrypt the Content correctly if I use
> http://www.w3.org/2001/04/xmlenc#Element as the EncryptedData type.
> If I try to use  http://www.w3.org/2001/04/xmlenc#Content it leaves
> the Content of the Number empty.
>
> My tests are in
> https://github.com/perl-net-saml2/perl-XML-Enc/blob/main/t/07-decrypt-xmlsec.t
> basically I test with both an Encrypted Element and Encrypted Content.
> In the Module I have to use an option force_element_to_content so that
> when the xmlsec encrypted Content is decrypted that includes the
> http://www.w3.org/2001/04/xmlenc#Element as the EncryptedData Type I
> treat it as if it was Content if it is not valid XML.  In this case
> it is simply the credit card number.
>
> I will take a look at the examples in case I am doing something
> incorrect in my xmlsec commands.
>
> Tim
>
> Timothy Legge
> timlegge at gmail.com
> timlegge at cpan.org
>
> On Sat, Mar 26, 2022 at 11:06 AM Aleksey Sanin <aleksey at aleksey.com> wrote:
> >
> > Hi Timothy,
> >
> > I am not exactly sure what are you trying to do but I recommend
> > checking out examples:
> >
> > https://github.com/lsh123/xmlsec/tree/master/examples
> >
> > and tests:
> >
> > https://github.com/lsh123/xmlsec/tree/master/tests
> >
> > Also, if you can explain what is your goal, then it might be easier
> > to provide a solution for your problem.
> >
> > Best,
> >
> > Aleksey
> >
> > On 3/25/22 7:15 PM, Timothy Legge wrote:
> > > Hi
> > >
> > > Sorry, I sent this directly to Aleksey initially...
> > >
> > > I was following:
> > > https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html
> > > (which is reasonably close enough for me to get encryption working.
> > >
> > > Specifically the following command results in the Content in
> > > /PayInfo/CreditCard/Number/text() being properly encrypted.  However,
> > > I would expect that the EncryptedData Type should be
> > > "http://www.w3.org/2001/04/xmlenc#Content" instead of the specified
> > > Element for this to properly encrypt the Content.  Changing it to
> > > Content causes the doc-encrypted.xml created to be missing data in the
> > > Number tags: "<Number></Number>".
> > >
> > > To me it appears this to be a bug but likely I am misreading the
> > > XML-Enc specifications.
> > >
> > > Any thoughts?
> > >
> > > xmlsec1 --encrypt --pubkey-cert-pem t/sign-certonly.pem
> > > --session-key des-192 --xml-data doc-plain.xml --output
> > > doc-encrypted.xml --node-xpath '/PayInfo/CreditCard/Number/text()'
> > > session-key-template.xml
> > >
> > > ========================================
> > > doc-plain.xml
> > > ========================================
> > > <?xml version="1.0" encoding="utf-8" ?>
> > > <PayInfo>
> > >    <Name>John Smith</Name>
> > >    <CreditCard Limit='2,000' Currency='USD'>
> > >      <Number>1076 2478 0678 5589</Number>
> > >      <Issuer>CitiBank</Issuer>
> > >      <Expiration>06/10</Expiration>
> > >    </CreditCard>
> > > </PayInfo>
> > > ========================================
> > > session-key-template.xml
> > > ==========================================
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!--
> > > XML Security Library example: Original XML
> > >   doc file before encryption (encrypt3 example).
> > > -->
> > > <EncryptedData
> > >    xmlns="http://www.w3.org/2001/04/xmlenc#"
> > >    Type="http://www.w3.org/2001/04/xmlenc#Element">
> > >   <EncryptionMethod Algorithm=
> > >     "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
> > >   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> > >    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
> > >     <EncryptionMethod Algorithm=
> > >       "http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> > >     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> > >      <KeyName/>
> > >     </KeyInfo>
> > >     <CipherData>
> > >      <CipherValue/>
> > >     </CipherData>
> > >    </EncryptedKey>
> > >   </KeyInfo>
> > >   <CipherData>
> > >    <CipherValue/>
> > >   </CipherData>
> > > </EncryptedData>
> > > ==========================================
> > >
> > >
> > > Timothy Legge
> > > timlegge at gmail.com
> > > timlegge at cpan.org
> > > _______________________________________________
> > > xmlsec mailing list
> > > xmlsec at aleksey.com
> > > http://www.aleksey.com/mailman/listinfo/xmlsec
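The Type distinction the thread turns on, as an added example that is not part of the thread, of xmlsec or of XML::Enc: a small standard-library model of what an #Element versus #Content EncryptedData replaces, and of the force_element_to_content fallback Tim describes for bare text that was labelled #Element. The names encrypt, decrypt, DOC_PLAIN and text_node are hypothetical, paths are ElementTree-relative (CreditCard/Number rather than /PayInfo/CreditCard/Number), and base64 stands in for the cipher step.

```python
import base64
import xml.etree.ElementTree as ET
XENC = "http://www.w3.org/2001/04/xmlenc#"
TYPE_ELEMENT, TYPE_CONTENT = XENC + "Element", XENC + "Content"
ED, CD, CV = (f"{{{XENC}}}{n}" for n in ("EncryptedData", "CipherData", "CipherValue"))
DOC_PLAIN = (  # constructed sample shaped like the thread's doc-plain.xml, no whitespace nodes
    '<PayInfo><Name>John Smith</Name><CreditCard Limit="2,000"><Number>'
    '1076 2478 0678 5589</Number><Issuer>CitiBank</Issuer></CreditCard></PayInfo>')
_seal = lambda s: base64.b64encode(s.encode()).decode()  # stand-in for the cipher, NOT encryption
_unseal = lambda b: base64.b64decode(b).decode()

def encrypt(doc, path, enc_type, text_node=False):
    # Put EncryptedData where `path` points; text_node=True models the thread's .../text() selection
    root = ET.fromstring(doc)
    target = root.find(path)
    if text_node:                    # already text: the thread found #Content invalid here
        if enc_type != TYPE_ELEMENT: raise ValueError("select the element, not text(), for #Content")
        plain, holder, replaced = target.text or "", target, None
    elif enc_type == TYPE_ELEMENT:   # #Element: the element itself, tags included
        parent = {c: p for p in root.iter() for c in p}[target]
        plain, holder, replaced = ET.tostring(target, encoding="unicode"), parent, target
    else:                            # #Content: text and children; the element stays
        plain = (target.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in target)
        holder, replaced = target, None
    ed = ET.Element(ED, Type=enc_type)
    ET.SubElement(ET.SubElement(ed, CD), CV).text = _seal(plain)
    if replaced is None:             # the holder's content becomes the EncryptedData
        holder.text, holder[:] = None, [ed]
    else:                            # swap the element for EncryptedData, same position
        holder[list(holder).index(replaced)] = ed
    return ET.tostring(root, encoding="unicode")

def decrypt(doc, force_element_to_content=False):
    # Restore plaintext per the Type attribute; force_element_to_content is the thread's workaround
    root = ET.fromstring(doc)
    parents = {c: p for p in root.iter() for c in p}
    for ed in list(root.iter(ED)):
        parent, plain = parents[ed], _unseal(ed.find(CD).find(CV).text or "")
        as_content = ed.get("Type") == TYPE_CONTENT
        try:
            node = None if as_content else ET.fromstring(plain)
        except ET.ParseError:        # plaintext is not an element: the thread's case
            if not force_element_to_content: raise
            as_content = True
        pos = list(parent).index(ed)
        if as_content:               # splice text and child elements into the parent
            frag = ET.fromstring(f"<w>{plain}</w>")
            parent.text, parent[pos:pos + 1] = frag.text, list(frag)
        else:
            parent[pos] = node
    return ET.tostring(root, encoding="unicode")
```

A decryptor that honours Type cannot turn the text-only #Element case back into a document without the fallback, which is why the fix on the encrypting side is to select the Number element and use #Content.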