Posted to dev@santuario.apache.org by Roman Podstawa <ro...@gmail.com> on 2014/12/10 20:56:28 UTC

XML Element for EncryptedData

Hello,

I've found 2 things which make working with encrypted xml a little bit
difficult (and tricky). Both items are related:
1. I use the following code to encrypt some part of the xml document:
     // Cipher for the body element; the KEK is the key-encryption key
     XMLCipher clipper =
         XMLCipher.getInstance(algorithmSuiteProvider.getEncryption());
     clipper.init(XMLCipher.ENCRYPT_MODE, context.EncryptionKey.key);
     clipper.setKEK(key);

     // Template that doFinal serialises: Id and KeyInfo are set on it before encrypting
     EncryptedData encryptedBody = clipper.getEncryptedData();
     String encryptedBodyId = IDGenerator.generate();

     encryptedBody.setId(encryptedBodyId);
     encryptedBody.setKeyInfo(keyInfo);

     clipper.doFinal(doc, elementToEncrypt.Element);
The first small thing is that when I create an EncryptedData and set its Id, I
would assume that in the XML DOM element this Id attribute has isId=true. For
now the generated Id attribute is not marked as an Id, so it cannot be used to
calculate a signature for this EncryptedData.
So before I can sign this EncryptedData, I have to manually find the Element in
the DOM that represents this EncryptedData part and mark the Id property as an
identifier, like this:

      encryptedDataElement.setIdAttribute( "Id", true);

Can you tell me why this setIdAttribute is not set by default for encrypted
data?

2. The second problem is related to the first one. There is no easy way to
get the Element object for an EncryptedData. In the previous example, to retrieve
encryptedDataElement and invoke the setIdAttribute method, I need to invoke the
following code:

    Element getEncryptedDataElement(EncryptedData encryptedData, Document document)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setNamespaceContext(new DSNamespaceContext());
        // Locate the xenc:EncryptedData element carrying this object's Id value
        NodeList assertionNodes = (NodeList) xpath.evaluate(
                "//enc:EncryptedData[@Id='" + encryptedData.getId() + "']",
                document, XPathConstants.NODESET);
        return (Element) assertionNodes.item(0);
    }

So basically I'm using XPath to retrieve the Element for the given
EncryptedData object (by Id value). This is not very efficient. It would be
better to have a method getElement in EncryptedData which returns the correct
XML Element, similar to the KeyInfo class or XMLSignature, like:

        KeyInfo key = new KeyInfo();
        Element keyInfoElement = key.getElement();

There is another way to solve this problem. In EncryptedKey there is the
following way to get the XML Element:

        EncryptedKey encryptedKey = clipper.encryptKey(doc, secretKey.key);
        Element encryptedKeyElement = clipper.martial(encryptedKey);

so for EncryptedData the xml element could be returned by the doFinal method like
this:

        Element encryptedDataElement = clipper.doFinal(doc, elementToEncrypt.Element);

Having a getElement method for the EncryptedData object would simplify the code and
make it much faster. Is there a chance to add an easy way to get the xml element
for an EncryptedData object in a future release?

Thanks a lot!
Romek
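As an added example (not code from this thread or from Santuario itself) of the workaround described above: encrypt one element, locate the resulting xenc:EncryptedData with a plain DOM walk instead of XPath, type its Id attribute as an ID, and then sign it through a "#id" reference. It assumes Santuario 2.x on JDK 8 or later (AES-GCM from the JDK provider); the sample XML and the keys are constructed in place.

```java
import java.security.KeyPairGenerator;
import javax.crypto.KeyGenerator;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class EncryptThenSign {
    // doFinal replaces the plaintext element in place, so the xenc:EncryptedData sits under
    // the same parent: find it by Id with a DOM walk (no XPath) and type the attribute as an
    // ID so that getElementById and "#id" signature references can resolve it.
    static Element markEncryptedDataId(Element parent, String id) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && "EncryptedData".equals(n.getLocalName())
                    && "http://www.w3.org/2001/04/xmlenc#".equals(n.getNamespaceURI())
                    && id.equals(((Element) n).getAttribute("Id"))) {
                ((Element) n).setIdAttribute("Id", true);
                return (Element) n;
            }
        }
        throw new IllegalStateException("no xenc:EncryptedData with Id=" + id);
    }

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
        Document doc = dbf.newDocumentBuilder().parse(new org.xml.sax.InputSource( // constructed
                new java.io.StringReader("<Envelope><Secret>42</Secret></Envelope>")));
        Element secret = (Element) doc.getElementsByTagName("Secret").item(0);
        javax.crypto.SecretKey dataKey = KeyGenerator.getInstance("AES").generateKey(); // 128-bit default
        XMLCipher cipher = XMLCipher.getInstance(XMLCipher.AES_128_GCM); // authenticated mode, not CBC
        cipher.init(XMLCipher.ENCRYPT_MODE, dataKey);
        String id = "ED-" + java.util.UUID.randomUUID();
        cipher.getEncryptedData().setId(id); // template that doFinal serialises
        cipher.doFinal(doc, secret);         // <Secret> is now xenc:EncryptedData Id="ED-..."
        if (doc.getElementById(id) != null) throw new AssertionError("Id unexpectedly typed as ID");
        Element encData = markEncryptedDataId(doc.getDocumentElement(), id);
        if (doc.getElementById(id) != encData) throw new AssertionError("Id still unresolvable");
        java.security.KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // 2048-bit default
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        doc.getDocumentElement().appendChild(sig.getElement());
        Transforms tr = new Transforms(doc);
        tr.addTransform(Transforms.TRANSFORM_C14NEXCL_OMIT_COMMENTS);
        sig.addDocument("#" + id, tr, Constants.ALGO_ID_DIGEST_SHA256); // fails without the typed Id
        sig.sign(kp.getPrivate()); // throws if "#id" cannot be dereferenced
    }
}
```

Without the setIdAttribute call the sign() step raises a missing-ID resolver error, which is the failure the post describes.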

Re: XML Element for EncryptedData

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Romek,

> Can you tell me why this setIdAttribute is not set by default for
> encrypted data?

The problem here is that the same (EncryptedData) code is used in Santuario
for both creation + processing. So it's not possible to call
setIdAttributeNS in EncryptedData.setId.

> Having getElement method for EncryptedData object would simplify a code
> and make it much faster.

Yeah I agree. There is actually a "toElement" in the implementation of
EncryptedData given in XMLCipher. Could you create a JIRA + possibly submit
a patch if you have the time?

Colm.


On Wed, Dec 10, 2014 at 7:56 PM, Roman Podstawa <ro...@gmail.com> wrote:

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com