Posted to dev@santuario.apache.org by bu...@apache.org on 2009/08/15 01:25:45 UTC

DO NOT REPLY [Bug 47695] New: X509Data Incorrectly Generated

https://issues.apache.org/bugzilla/show_bug.cgi?id=47695

           Summary: X509Data Incorrectly Generated
           Product: Security
           Version: unspecified
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: rjohnsog@gmu.edu


--- Comment #0 from rjohnsog@gmu.edu 2009-08-14 16:25:42 PDT ---
The bug reported below in Internet2 also seems to be appearing in Apache's XML
Security (I think Java 1.4.3).  (I'm assuming Internet2 is something different
and that this bug just happens to be in both places and I needed to report it
here?)  I assumed it was user error until I found this link.  Although the XML
encrypted file can be decrypted in Java, it will not decrypt in .Net. .Net
raises this error: "[CryptographicException: Unable to retrieve the decryption
key.]" Seems to mess up the parsing. By manually editing the encrypted document
(moving X509Data inside the Encrypted Key element, and wrapping the X509Data
element in a second KeyInfo element), all becomes well, so it appears to be the
same type of problem as the Internet2 bug.  Not sure if this is in Signature
(mostly ds: elements) or in Encryption (I was encrypting and wrapping a
symmetric key in the X.509 public key of the recipient).


https://bugs.internet2.edu/jira/browse/CPPXT-31
In other words, it's sending this: 
EncryptedData 
    KeyInfo 
        EncryptedKey 
        X509Data (with SP's key) 
The correct nesting is this: 
EncryptedData 
    KeyInfo 
        EncryptedKey 
            KeyInfo 
                X509Data (with SP's key) 



Here is the part of my code that raises the problem.
  KeyInfo keyInfo = new KeyInfo(document);
  X509Data x509dat = new X509Data(document);
  x509dat.addCertificate(cert);                // cert is an X509Certificate
  keyInfo.add(encryptedKey);                   // encryptedKey wraps an AES symmetric key
  keyInfo.add(x509dat);                        // X509Data lands beside EncryptedKey, not inside it
  encryptedDataElement.setKeyInfo(keyInfo);    // encryptedDataElement is the EncryptedData

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

DO NOT REPLY [Bug 47695] X509Data Incorrectly Generated



rjohnsog@gmu.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID


--- Comment #2 from rjohnsog@gmu.edu 2009-08-17 16:03:38 PDT ---
Thank you very much!  Your suggestion allowed me to generate the correct
structure (replaced "keyInfo.add(encryptedKey)" with
"encryptedDataElement.setKeyInfo(keyInfo)", for anyone using this solution in
the future).  I really appreciate the help.

Per your question, what led me to post this as a bug rather than somewhere else
requesting syntactical help was that, from my understanding of the referenced
post, he was indicating that the following is invalid XML and thus XML Security
should never allow it to be generated, nor should it decrypt this structure. 
Since .Net failed to decrypt this but Apache did decrypt it, I assumed there
was a problem.  I am a novice to all of this, but it did seem logical that
perhaps an error or a different (syntactically legal?) structure should have
been generated in the encrypted document (rather than generating apparently
invalid XML syntax).

EncryptedData 
    KeyInfo 
        EncryptedKey 
        X509Data

I will mark this as Resolved, assuming that my deductions above are incorrect. 
Thanks again for the help.


DO NOT REPLY [Bug 47695] X509Data Incorrectly Generated




--- Comment #1 from coheigea <co...@apache.org> 2009-08-17 02:51:56 PDT ---
I don't get it...how is this a bug in XML Security? To get a structure like 

EncryptedData 
    KeyInfo 
        EncryptedKey 
            KeyInfo 
                X509Data (with SP's key) 

you should be using two KeyInfo objects, something like this:

  // Inner KeyInfo: identifies the recipient certificate used to wrap the key.
  KeyInfo keyInfo = new KeyInfo(document);
  X509Data x509dat = new X509Data(document);
  x509dat.addCertificate(cert);
  keyInfo.add(x509dat);
  encryptedKey.setKeyInfo(keyInfo);   // EncryptedKey exposes setKeyInfo(KeyInfo), not add()

  // Outer KeyInfo: carries the EncryptedKey on the EncryptedData element.
  keyInfo = new KeyInfo(document);
  keyInfo.add(encryptedKey);
  encryptedDataElement.setKeyInfo(keyInfo);

Colm.

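The nesting rule that both the original report and Colm's reply describe (X509Data belongs in EncryptedKey/KeyInfo, not as a sibling of EncryptedKey under the outer EncryptedData/KeyInfo) is easy to check mechanically on a produced document before it is handed to a .NET or other consumer. The following Python is an added example, not code from the bug thread or from Apache Santuario: it flags the incorrect layout, and it performs the relocation the reporter did by hand (moving X509Data into a new ds:KeyInfo inside the EncryptedKey, before CipherData). The two sample documents and their base64 CipherValue/X509Certificate contents are constructed placeholders; the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# XML Encryption and XML Signature namespaces (standard, not page-specific).
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)


def q(ns, local):
    """Clark-notation tag name as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def key_info_nesting_issues(xml_text):
    """Return a list of nesting problems found under every EncryptedData.

    Rule checked (from the bug report): the recipient's X509Data goes inside
    EncryptedKey/KeyInfo, not beside EncryptedKey under EncryptedData/KeyInfo.
    """
    root = ET.fromstring(xml_text)
    issues = []
    for ed in root.iter(q(XENC, "EncryptedData")):
        ki = ed.find(q(DS, "KeyInfo"))
        if ki is None:
            issues.append("EncryptedData has no KeyInfo")
            continue
        encrypted_keys = ki.findall(q(XENC, "EncryptedKey"))
        x509_siblings = ki.findall(q(DS, "X509Data"))
        if encrypted_keys and x509_siblings:
            issues.append("X509Data is a sibling of EncryptedKey under "
                          "EncryptedData/KeyInfo; it belongs in EncryptedKey/KeyInfo")
        for ek in encrypted_keys:
            if ek.find(q(DS, "KeyInfo")) is None:
                issues.append("EncryptedKey carries no KeyInfo naming the wrapping key")
    return issues


def relocate_x509data(xml_text):
    """Rewrite the sibling-X509Data layout into the correct nesting.

    Each X509Data found beside an EncryptedKey is moved into a ds:KeyInfo inside
    that EncryptedKey, inserted before CipherData as the schema orders children.
    Assumption of this example: one EncryptedKey per EncryptedData.
    Returns the serialised document.
    """
    root = ET.fromstring(xml_text)
    for ed in list(root.iter(q(XENC, "EncryptedData"))):
        ki = ed.find(q(DS, "KeyInfo"))
        if ki is None:
            continue
        encrypted_keys = ki.findall(q(XENC, "EncryptedKey"))
        x509_siblings = ki.findall(q(DS, "X509Data"))
        if not (encrypted_keys and x509_siblings):
            continue
        ek = encrypted_keys[0]
        inner = ek.find(q(DS, "KeyInfo"))
        if inner is None:
            inner = ET.Element(q(DS, "KeyInfo"))
            cipher_data = ek.find(q(XENC, "CipherData"))
            if cipher_data is not None:
                ek.insert(list(ek).index(cipher_data), inner)
            else:
                ek.append(inner)
        for x in x509_siblings:
            ki.remove(x)
            inner.append(x)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the layout the reporter's code produced (X509Data beside EncryptedKey).
WRONG_NESTING = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>V1JBUFBFRC1LRVktUExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
    <ds:X509Data><ds:X509Certificate>Q0VSVC1QTEFDRUhPTERFUg==</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>Q0lQSEVSVEVYVC1QTEFDRUhPTERFUg==</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

# Constructed sample: the correct nesting from Colm's reply.
CORRECT_NESTING = relocate_x509data(WRONG_NESTING)

if __name__ == "__main__":
    print("wrong:  ", key_info_nesting_issues(WRONG_NESTING))
    print("correct:", key_info_nesting_issues(CORRECT_NESTING))
```

Running the check on output from a producer you do not control is the practical use: a consumer that is stricter than Santuario (as .NET was here) will refuse the sibling layout, so rejecting or repairing it at the boundary gives a clear error instead of an opaque "Unable to retrieve the decryption key".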