[xmlsec] Encrypting Content

Timothy Legge timlegge at gmail.com
Mon Mar 28 12:50:08 UTC 2022


Thanks, now I am trying to figure out GCM support...

Timothy Legge
timlegge at gmail.com
timlegge at cpan.org

On Mon, Mar 28, 2022 at 9:44 AM Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Glad you figured it out!
>
> Best,
>
> Aleksey
>
> On 3/26/22 4:26 PM, Timothy Legge wrote:
> > Hi
> >
> > I was sitting watching my son play hockey and realized my issue.
> >
> > The example I was using --node-xpath
> > '/PayInfo/CreditCard/Number/text()' grabs the text of the Number
> > element.  As it is already text,
> > http://www.w3.org/2001/04/xmlenc#Content is not valid.
> >
> > Changing it to --node-xpath '/PayInfo/CreditCard/Number' allows me to
> > use http://www.w3.org/2001/04/xmlenc#Content in the template and it
> > correctly encrypts just the credit card number.
> >
> > So the example from
> > https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html
> > was incorrect.
> >
> > Thanks for the earlier reply.
> >
> > Tim
> >
> > Timothy Legge
> > timlegge at gmail.com
> > timlegge at cpan.org
> >
> > On Sat, Mar 26, 2022 at 11:49 AM Timothy Legge <timlegge at gmail.com> wrote:
> >>
> >> Hi Aleksey
> >>
> >> I just wrote a perl module to encrypt and decrypt XML.  As part of the
> >> test scripts I am using xmlsec to encrypt XML to verify that the
> >> XML::Enc module can properly decrypt the XML.
> >>
> >> I ran into trouble with xmlsec encrypting the content within a tag.
> >> When I used the xpath /PayInfo/CreditCard/Number/text() to get the
> >> Content xmlsec only seems to encrypt the Content correctly if I use
> >> http://www.w3.org/2001/04/xmlenc#Element as the EncryptedData type.
> >> If I try to use http://www.w3.org/2001/04/xmlenc#Content it leaves
> >> the Content of the Number empty.
> >>
> >> My tests are in
> >> https://github.com/perl-net-saml2/perl-XML-Enc/blob/main/t/07-decrypt-xmlsec.t
> >> basically I test with both an Encrypted Element and Encrypted Content.
> >> In the Module I have to use an option force_element_to_content so that
> >> when the xmlsec encrypted Content is decrypted that includes the
> >> http://www.w3.org/2001/04/xmlenc#Element as the EncryptedData Type I
> >> treat it as if it was Content if it is not valid XML.  In this case
> >> it is simply the credit card number.
> >>
> >> I will take a look at the examples in case I am doing something
> >> incorrect in my xmlsec commands.
> >>
> >> Tim
> >>
> >> Timothy Legge
> >> timlegge at gmail.com
> >> timlegge at cpan.org
> >>
> >> On Sat, Mar 26, 2022 at 11:06 AM Aleksey Sanin <aleksey at aleksey.com> wrote:
> >>>
> >>> Hi Timothy,
> >>>
> >>> I am not exactly sure what you are trying to do but I recommend
> >>> checking out examples:
> >>>
> >>> https://github.com/lsh123/xmlsec/tree/master/examples
> >>>
> >>> and tests:
> >>>
> >>> https://github.com/lsh123/xmlsec/tree/master/tests
> >>>
> >>> Also, if you can explain what your goal is, then it might be easier
> >>> to provide a solution for your problem.
> >>>
> >>> Best,
> >>>
> >>> Aleksey
> >>>
> >>> On 3/25/22 7:15 PM, Timothy Legge wrote:
> >>>> Hi
> >>>>
> >>>> Sorry, I sent this directly to Aleksey initially...
> >>>>
> >>>> I was following:
> >>>> https://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html
> >>>> (which is reasonably close enough for me to get encryption working).
> >>>>
> >>>> Specifically the following command results in the Content in
> >>>> /PayInfo/CreditCard/Number/text() being properly encrypted.  However,
> >>>> I would expect that the EncryptedData Type should be
> >>>> "http://www.w3.org/2001/04/xmlenc#Content" instead of the specified
> >>>> Element for this to properly encrypt the Content.  Changing it to
> >>>> Content causes the doc-encrypted.xml created to be missing data in the
> >>>> Number tags: "<Number></Number>".
> >>>>
> >>>> To me this appears to be a bug but likely I am misreading the
> >>>> XML-Enc specifications.
> >>>>
> >>>> Any thoughts?
> >>>>
> >>>> xmlsec1 --encrypt --pubkey-cert-pem t/sign-certonly.pem
> >>>> --session-key des-192 --xml-data doc-plain.xml --output
> >>>> doc-encrypted.xml --node-xpath '/PayInfo/CreditCard/Number/text()'
> >>>> session-key-template.xml
> >>>>
> >>>> ========================================
> >>>> doc-plain.xml
> >>>> ========================================
> >>>> <?xml version="1.0" encoding="utf-8" ?>
> >>>> <PayInfo>
> >>>>     <Name>John Smith</Name>
> >>>>     <CreditCard Limit='2,000' Currency='USD'>
> >>>>       <Number>1076 2478 0678 5589</Number>
> >>>>       <Issuer>CitiBank</Issuer>
> >>>>       <Expiration>06/10</Expiration>
> >>>>     </CreditCard>
> >>>> </PayInfo>
> >>>> ========================================
> >>>> session-key-template.xml
> >>>> ==========================================
> >>>> <?xml version="1.0" encoding="UTF-8"?>
> >>>> <!--
> >>>> XML Security Library example: Original XML
> >>>>    doc file before encryption (encrypt3 example).
> >>>> -->
> >>>> <EncryptedData
> >>>>     xmlns="http://www.w3.org/2001/04/xmlenc#"
> >>>>     Type="http://www.w3.org/2001/04/xmlenc#Element">
> >>>>    <EncryptionMethod Algorithm=
> >>>>      "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
> >>>>    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >>>>     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
> >>>>      <EncryptionMethod Algorithm=
> >>>>        "http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> >>>>      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >>>>       <KeyName/>
> >>>>      </KeyInfo>
> >>>>      <CipherData>
> >>>>       <CipherValue/>
> >>>>      </CipherData>
> >>>>     </EncryptedKey>
> >>>>    </KeyInfo>
> >>>>    <CipherData>
> >>>>     <CipherValue/>
> >>>>    </CipherData>
> >>>> </EncryptedData>
> >>>> ==========================================
> >>>>
> >>>>
> >>>> Timothy Legge
> >>>> timlegge at gmail.com
> >>>> timlegge at cpan.org

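A Python model of the two rules this thread arrives at, added here and not code from xmlsec or XML::Enc: on the encrypt side, xmlenc#Content needs an element target rather than a text() node, and on the decrypt side, the force_element_to_content fallback that XML::Enc uses for Element-typed payloads that are not well-formed XML. It uses only the standard library and a constructed copy of the thread's doc-plain.xml; no cipher is applied, only the plaintext placement is modelled.

```python
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
TYPE_ELEMENT = XMLENC_NS + "Element"
TYPE_CONTENT = XMLENC_NS + "Content"

# Constructed sample, trimmed from the thread's doc-plain.xml.
DOC_PLAIN = """<PayInfo>
  <CreditCard Limit='2,000' Currency='USD'>
    <Number>1076 2478 0678 5589</Number>
  </CreditCard>
</PayInfo>"""

def encryption_target(doc_xml, node_xpath):
    """Resolve an xmlsec-style --node-xpath: ('text', elem) for a path ending
    in /text(), else ('element', elem). Absolute /Root/child/... paths only."""
    kind, path = "element", node_xpath
    if path.endswith("/text()"):
        kind, path = "text", path[: -len("/text()")]
    root = ET.fromstring(doc_xml)
    parts = [p for p in path.split("/") if p]
    if not parts or parts[0] != root.tag:
        raise ValueError("xpath must start at the document root")
    node = root
    for step in parts[1:]:
        node = node.find(step)
        if node is None:
            raise ValueError("no node matches " + node_xpath)
    return kind, node

def allowed_types(kind):
    """xmlenc#Content replaces the content of a selected *element*; a text()
    target is already content, which is why Type=Content left <Number/> empty."""
    return {TYPE_ELEMENT} if kind == "text" else {TYPE_ELEMENT, TYPE_CONTENT}

def restore_plaintext(enc_type, plaintext, container, force_element_to_content=False):
    """Decrypt side: Type=Element expects a well-formed element to re-insert,
    Type=Content sets container's text. force_element_to_content mirrors the
    XML::Enc workaround: an Element-typed payload that is not XML becomes text."""
    if enc_type == TYPE_ELEMENT:
        try:
            container.append(ET.fromstring(plaintext))
            return "element"
        except ET.ParseError:
            if not force_element_to_content:
                raise
    elif enc_type != TYPE_CONTENT:
        raise ValueError("unsupported EncryptedData Type: " + enc_type)
    container.text = plaintext
    return "content"
```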
