[EMAIL PROTECTED] wrote:
> Hi,
> I tried to use your xmlSec library (ver 1.2.5) to encrypt an XML file. I looked at the sample program encrypt3.c as documented here: http://www.aleksey.com/xmlsec/api/xmlsec-encrypt-with-session-key.html and made a few modifications:
> - replaced des3 with aes128
> - tried to use a different <EncryptedData Type=? > attribute.
> Here's the result - enctest4.xml
> Pretty much what I wanted but some problems:
> - Your library doesn't allow one to use any type but the "Element" or "Content" type. I suspect that the "Element" type is wrong in this example. It should mean that one has encrypted the contents of an xml element whereas the element's tags are still there. This is not the case when I encrypt the whole file. Please look here: http://www.w3.org/TR/xmlenc-core/#sec-eg-Arbitrary-Data. I think the element should have no type at all or just simply:
>   <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' MimeType='text/xml'>
> One of the authors of the XML-ENC standard (IBM) gives this example: http://www-106.ibm.com/developerworks/xml/library/x-encrypt/listing2.html
> Here they actually use:
>   <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'> ....
> which leads me to think that if one encrypts the whole document then the Type attribute could actually point to the type of data that is being encrypted. Suppose I encrypt a binary ZIP archive. Then I would use Type="http://www.isi.edu/in-notes/iana/assignments/media-types/application/zip" instead. Do you think this would be correct?
You can encrypt arbitrary data:
http://www.aleksey.com/xmlsec/api/xmlsec-xmlenc.html#XMLSECENCCTXBINARYENCRYPT
Note that you are mixing the MimeType and Type attributes. The only two defined values for the Type attribute are "content" and "element":
http://www.w3.org/TR/xmlenc-core/#sec-Processing-Decryption
> - I have to add more than one EncryptedKey to KeyInfo. Haven't tried it yet with your library. I suppose I just add another xmlSecKeysMngrPtr to encrypt the file and use it? The point here is to encrypt with two different certs to enable many people to decrypt the same file.
No, you need only one keys manager. Just make sure that you can identify the correct encryption key from each EncryptedKey (e.g. using key name == cert subject).
> - How can one add the cert used for encrypting itself in the EncryptedKey? I found this sample in the XML-ENC solutions made by another library, and here I think they pack the whole cert into the encrypted file so that the receiver can use it to find the corresponding private key to decrypt. I tried using xmlSecTmplKeyInfoAddX509Data() but only an empty <X509Data> element appeared. What would be the correct way to do it?
1) You need to associate the key with the cert. For example, when you load a pkcs12 file it happens automatically. Or you can use one of the "xmlSec*KeyLoadCert*" functions.
2) Next you need to put <X509Data/> into the template. You can further specify what exactly you want with <X509Data/> children (e.g. <X509SKI>, etc.)
Aleksey
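As an added illustration (not from the thread and not one of xmlsec's own sample templates), this is the shape of an encryption template for the two-recipient case discussed above: one EncryptedData with an AES-128 session key, and one EncryptedKey per recipient certificate, each carrying a KeyName that selects that recipient's key from the single keys manager and an empty X509Data for the library to fill. The Recipient values and key names are placeholders, and the template assumes the keys were loaded together with their certificates, as the reply describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Encrypts the element the template is applied to (here: the document root).
     Type=Element is one of the two values the library accepts; for arbitrary
     binary data (e.g. a ZIP) the reply above points to xmlSecEncCtxBinaryEncrypt,
     with Type left out and MimeType describing the data instead. -->
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
               Type="http://www.w3.org/2001/04/xmlenc#Element">
  <!-- Session key algorithm; the library generates the AES-128 key itself -->
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

    <!-- Recipient 1: session key wrapped with this recipient's RSA public key -->
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" Recipient="recipient-1">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <!-- Selects the key from the keys manager: must equal the name given to
             the loaded key, e.g. the cert subject (placeholder value) -->
        <KeyName>CN=recipient-1-placeholder</KeyName>
        <!-- Left empty on purpose: the library fills it from the cert loaded with
             the key, so the receiver can locate the matching private key -->
        <X509Data/>
      </KeyInfo>
      <!-- Left empty on purpose: receives the wrapped session key -->
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>

    <!-- Recipient 2: the same session key, wrapped with a second certificate -->
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" Recipient="recipient-2">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <KeyName>CN=recipient-2-placeholder</KeyName>
        <X509Data/>
      </KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>

  </KeyInfo>
  <!-- Left empty on purpose: replaced by the ciphertext of the encrypted element -->
  <CipherData><CipherValue/></CipherData>
</EncryptedData>
```

Each receiver decrypts only the EncryptedKey whose X509Data matches a private key it holds, which is what lets one file serve several recipients.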
_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
