Posted to commits@santuario.apache.org by "Clement Pellerin (Created) (JIRA)" <ji...@apache.org> on 2012/03/21 22:08:38 UTC

[jira] [Created] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

No way to register internal key resolvers in DECRYPT_MODE
---------------------------------------------------------

                 Key: SANTUARIO-305
                 URL: https://issues.apache.org/jira/browse/SANTUARIO-305
             Project: Santuario
          Issue Type: Improvement
    Affects Versions: C++ 1.5.1
            Reporter: Clement Pellerin
            Assignee: Colm O hEigeartaigh


There is no way to register internal key resolvers in DECRYPT_MODE. The internal resolvers are usually registered on a KeyInfo. When we call XMLCipher.doFinal(Document, Element) to decrypt, it creates a new EncryptedData object on the fly and uses it immediately (See XMLCipher.decryptToByteArray). There is no chance to modify the KeyInfo inside that EncryptedData before it is used. It is possible to call XMLCipher.loadEncryptedData() separately, but there is little we can do with that EncryptedData afterwards. Using the static resolvers is not thread-safe in general. By that I mean, you cannot configure the static resolver per thread unless you use thread local storage.

Possible solutions:
1. Let the XMLCipher maintain a list of internal key resolvers directly.
2. Pass internal resolvers when calling doFinal()
3. Add a method XMLCipher.decryptData(EncryptedData) similar to decryptKey(EncryptedKey),
   So we could call XMLCipher.loadEncryptedData(Element), modify the KeyInfo inside the EncryptedData, and call XMLCipher.decryptData().


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Closed] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed SANTUARIO-305.
-----------------------------------------

    

        

[jira] [Commented] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Clement Pellerin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13240401#comment-13240401 ] 

Clement Pellerin commented on SANTUARIO-305:
--------------------------------------------

Patch in diff format submitted.
                

        

[jira] [Updated] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Colm O hEigeartaigh (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated SANTUARIO-305:
------------------------------------------

    Affects Version/s:     (was: C++ 1.5.1)
                       Java 1.5.1
    

        

[jira] [Updated] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Clement Pellerin (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Clement Pellerin updated SANTUARIO-305:
---------------------------------------

    Attachment: santuario-305.zip

Patch submitted.
                

        

[jira] [Commented] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Colm O hEigeartaigh (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235484#comment-13235484 ] 

Colm O hEigeartaigh commented on SANTUARIO-305:
-----------------------------------------------

Hi Clement,

Could you submit a patch for whatever solution you think is best and I'll review it? It seems like a reasonable thing to be able to do - so long as the solution doesn't break backwards compatibility.

Colm.
                

        

[jira] [Resolved] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Colm O hEigeartaigh (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved SANTUARIO-305.
-------------------------------------------

    Resolution: Fixed
    

        

[jira] [Commented] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Colm O hEigeartaigh (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13240333#comment-13240333 ] 

Colm O hEigeartaigh commented on SANTUARIO-305:
-----------------------------------------------

Hi Clement,

Could you format your patches using "diff" so that I can apply them via "patch"?

Colm.
                

        

[jira] [Updated] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Clement Pellerin (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Clement Pellerin updated SANTUARIO-305:
---------------------------------------

    Attachment: santuario-305.diff

The files were already merged for the trunk. From now on, I'll submit a diff.

                

        

[jira] [Commented] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Clement Pellerin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235946#comment-13235946 ] 

Clement Pellerin commented on SANTUARIO-305:
--------------------------------------------

I wish there would be more interest in design discussions. Anything to avoid repeating my previous disaster (SANTUARIO-227).
For SANTUARIO-305, I like option 3 and this is what I plan to submit as a patch within a couple days.

                

        

[jira] [Updated] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Colm O hEigeartaigh (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated SANTUARIO-305:
------------------------------------------

    Fix Version/s: Java 1.5.2
    

        

[jira] [Commented] (SANTUARIO-305) No way to register internal key resolvers in DECRYPT_MODE

Posted by "Clement Pellerin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SANTUARIO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13238547#comment-13238547 ] 

Clement Pellerin commented on SANTUARIO-305:
--------------------------------------------

I investigated option 3 but the result did not really please me.

I considered the method Node decryptData(Document context, EncryptedData ed). This leaves the working document intact a la decryptKey() but leaves the caller with the problem of parenting the result. Reparenting requires more code than replaceChild() which might surprise some application developers and thus encourage bugs.

I considered the method Document decryptData(Element parent, EncryptedData ed). This modifies the working document which breaks symmetry with decryptKey(). This behavior is usually associated with doFinal() which breaks another symmetry.

I considered allowing null as the Element in doFinal(Document, Element). The idea was to use the EncryptedData member of XMLCipher in DECRYPT mode if the Element is null. That member is already set by loadEncryptedData(). This is workable but the feature is hidden by the choice of API.

Since I could not find an API that was clearly better than the others, I decided to implement option 1 (Let the XMLCipher maintain a list of internal key resolvers directly). The resolvers are only used in DECRYPT and UNWRAP mode. In other modes, the KeyInfo is created explicitly by the caller and therefore we let the caller populate it. The KeyResolvers are passed to the EncryptedKeyResolver when the KEK is still unknown. The EncryptedKeyResolver passes the KeyResolvers to the inner XMLCipher to help resolve the KEK.

The API works with one KeyResolver at a time as before. This avoids the problem of list ownership and whether the list is live in the object or just a copy.
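
The scoping problem raised in this issue and the option 1 design described in the comment above, modelled with the JDK's own crypto classes as an added example. It is not Santuario code or the submitted patch: `KeyResolver`, `ModelCipher`, `Envelope` and `STATIC_RESOLVERS` are hypothetical stand-ins for KeyResolverSpi, XMLCipher, EncryptedData and the static resolver registry, and the keys and plaintexts are constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

public class ResolverScopeDemo {
    /** Hypothetical stand-in for KeyResolverSpi: maps a KeyName to a key, or returns null. */
    interface KeyResolver { SecretKey resolve(String keyName); }

    /** Hypothetical stand-in for the static, JVM-wide resolver registry. */
    static final List<KeyResolver> STATIC_RESOLVERS = new CopyOnWriteArrayList<>();

    /** Constructed stand-in for EncryptedData: KEK name, wrapped data key, ciphertext. */
    record Envelope(String kekName, byte[] wrappedKey, byte[] iv, byte[] ciphertext) {}

    /** Model cipher that owns its resolvers (option 1 in the issue). */
    static class ModelCipher {
        private final List<KeyResolver> internal = new ArrayList<>();

        // One resolver at a time, so the caller never shares a list with the cipher.
        void registerInternalKeyResolver(KeyResolver r) { internal.add(r); }

        String decrypt(Envelope e) throws Exception {
            // The KEK is unknown here, so an inner cipher unwraps the data key
            // and is handed this instance's resolvers to find the KEK.
            ModelCipher inner = new ModelCipher();
            internal.forEach(inner::registerInternalKeyResolver);
            SecretKey dataKey = inner.unwrap(e);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(128, e.iv()));
            return new String(c.doFinal(e.ciphertext()), StandardCharsets.UTF_8);
        }

        private SecretKey unwrap(Envelope e) throws Exception {
            Cipher c = Cipher.getInstance("AESWrap");
            c.init(Cipher.UNWRAP_MODE, lookup(e.kekName()));
            return (SecretKey) c.unwrap(e.wrappedKey(), "AES", Cipher.SECRET_KEY);
        }

        /** First non-null answer wins; the lookup order is a choice of this model. */
        private SecretKey lookup(String name) {
            List<KeyResolver> all = new ArrayList<>(internal);
            all.addAll(STATIC_RESOLVERS);
            for (KeyResolver r : all) {
                SecretKey k = r.resolve(name);
                if (k != null) return k;
            }
            throw new IllegalStateException("no resolver for " + name);
        }
    }

    static SecretKey newAesKey() throws Exception {
        KeyGenerator g = KeyGenerator.getInstance("AES");
        g.init(128);
        return g.generateKey();
    }

    /** Builds a constructed envelope: fresh data key wrapped under kek, text under the data key. */
    static Envelope seal(String kekName, SecretKey kek, String text) throws Exception {
        SecretKey dataKey = newAesKey();
        Cipher w = Cipher.getInstance("AESWrap");
        w.init(Cipher.WRAP_MODE, kek);
        byte[] wrapped = w.wrap(dataKey);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, dataKey);
        byte[] ct = c.doFinal(text.getBytes(StandardCharsets.UTF_8));
        return new Envelope(kekName, wrapped, c.getIV(), ct);
    }

    public static void main(String[] args) throws Exception {
        // Two callers whose documents use the same KeyName for different KEKs.
        SecretKey kekA = newAesKey(), kekB = newAesKey();
        KeyResolver resolverA = n -> n.equals("kek") ? kekA : null;
        KeyResolver resolverB = n -> n.equals("kek") ? kekB : null;
        Envelope forA = seal("kek", kekA, "caller A data");
        Envelope forB = seal("kek", kekB, "caller B data");

        // Per-instance registration: each cipher sees only its own resolver.
        ModelCipher a = new ModelCipher();
        a.registerInternalKeyResolver(resolverA);
        ModelCipher b = new ModelCipher();
        b.registerInternalKeyResolver(resolverB);
        System.out.println(a.decrypt(forA));
        System.out.println(b.decrypt(forB));

        // Static registration: both callers share one list, so A's resolver
        // answers for B's document and the key unwrap fails its integrity check.
        STATIC_RESOLVERS.add(resolverA);
        STATIC_RESOLVERS.add(resolverB);
        try {
            System.out.println(new ModelCipher().decrypt(forB));
        } catch (Exception ex) {
            System.out.println("static registry resolved the wrong KEK: " + ex);
        }
    }
}
```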

                