Posted to rampart-c-dev@ws.apache.org by "Supun Kamburugamuva (JIRA)" <ji...@apache.org> on 2008/05/12 14:01:55 UTC

[jira] Commented: (RAMPARTC-74) wrong encryption with oxs_token_build_encrypted_data_element

    [ https://issues.apache.org/jira/browse/RAMPARTC-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596044#action_12596044 ] 

Supun Kamburugamuva commented on RAMPARTC-74:
---------------------------------------------

The way we use this API is as follows. First we create the EncryptedData element. Then we give this empty EncryptedData element to the actual encryption method along with the actual node to be encrypted.

Here is an example. sec_node is the security node, node_to_enc is the node to be encrypted and enc_data_node is the empty EncryptedData node. 

    /* Step 1: build the empty <EncryptedData> element under the security
     * header node (sec_node), typed as element encryption, with the given id. */
    enc_data_node = oxs_token_build_encrypted_data_element(
                        env, sec_node, OXS_TYPE_ENC_ELEMENT, id);

    /* Step 2: encrypt node_to_enc under enc_ctx; the result is written into
     * the EncryptedData node passed by address. */
    enc_status = oxs_xml_enc_encrypt_node(
                        env, enc_ctx, node_to_enc, &enc_data_node,
                        key_reference_for_encrypted_data);

The newly created enc_data_node should be the immediate sibling of the node to be encrypted (i.e. enc_data_node). But if the node to be encrypted is the root node, we are in trouble.

My suggestion is to introduce another method, named something like oxs_token_build_encrypted_data_element_with_enc_node. This method will take one additional argument, i.e. the node to be encrypted. If the node to be encrypted has a parent, this method will create the enc_data_node as an immediate child of the node to be encrypted.

I'm suggesting a new method because otherwise we will have to do an API change. But my personal belief is that the existing oxs_token_build_encrypted_data_element is incorrect and we should change that method.
    


> wrong encryption with oxs_token_build_encrypted_data_element
> ------------------------------------------------------------
>
>                 Key: RAMPARTC-74
>                 URL: https://issues.apache.org/jira/browse/RAMPARTC-74
>             Project: Rampart/C
>          Issue Type: Bug
>          Components: Rampart-core
>            Reporter: Lukas JOSEFIK
>            Assignee: S.Uthaiyashankar
>
> If you encrypt data and use oxs_token_build_encrypted_data_element, there can be a problem with signed encrypted data verification. The problem is that oxs_token_build_encrypted_data_element calls axiom_element_create, which adds the EncryptedData element to the end of the children list. But if we consider element X and we want to encrypt subelement B (<X>0x0a<B>0x0a<X>), encryption ends with <X>0x0a0x0a<EncryptedData...><X>. After decryption the data looks like <X>0x0a0x0a<B><X> and verification fails...

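The following is an added example, not code from Rampart/C or from anyone on this thread. It models the behaviour described in the issue and in the comment above: an EncryptedData element appended as the last child of the parent (the reported behaviour) versus one that takes the encrypted element's own position among its siblings (the suggested behaviour), and shows which of the two still verifies after decryption. Python's xml.dom.minidom stands in for the Axiom node tree (it keeps the 0x0a whitespace text nodes as separate children, as Axiom does); base64 of the serialized element stands in for the XML-Encryption ciphertext and a SHA-256 of the parent's serialization stands in for the XML-Signature digest. The sample document is constructed to match the reporter's <X>0x0a<B>0x0a</X> layout.

```python
"""Model of RAMPARTC-74: where the EncryptedData element is placed decides
whether a signature over the parent element still verifies after decryption.
Added illustration; not Rampart/C code. minidom, base64 and sha256 are
stand-ins for the Axiom tree, the XML-Encryption ciphertext and the
XML-Signature digest respectively."""
import base64
import hashlib
from xml.dom import minidom

# Constructed sample: the reporter's layout, a newline text node on either
# side of the element to be encrypted.
SAMPLE = "<X>\n<B>secret</B>\n</X>"


def digest(element):
    """Stand-in for the signature digest over the signed element."""
    return hashlib.sha256(element.toxml().encode()).hexdigest()


def wrap(doc, target):
    """Build an <EncryptedData> element carrying a stand-in ciphertext
    (base64 of the serialized target). Placement, not cryptography, is
    the point of this example."""
    enc = doc.createElement("EncryptedData")
    payload = base64.b64encode(target.toxml().encode()).decode()
    enc.appendChild(doc.createTextNode(payload))
    return enc


def unwrap(doc, enc):
    """Recover the original element from the stand-in ciphertext, cloned
    into doc so it can be inserted back into the tree."""
    plain = base64.b64decode(enc.firstChild.data).decode()
    return doc.importNode(minidom.parseString(plain).documentElement, True)


def encrypt_append(doc, target):
    """Reported behaviour: EncryptedData is created as the last child of
    the parent, then the plaintext element is removed."""
    parent = target.parentNode
    enc = wrap(doc, target)
    parent.appendChild(enc)
    parent.removeChild(target)
    return enc


def encrypt_in_place(doc, target):
    """Suggested behaviour: EncryptedData takes the plaintext element's
    own position among its siblings."""
    parent = target.parentNode
    enc = wrap(doc, target)
    parent.replaceChild(enc, target)
    return enc


def decrypt(doc, enc):
    """Put the recovered element exactly where EncryptedData stood."""
    restored = unwrap(doc, enc)
    enc.parentNode.replaceChild(restored, enc)
    return restored


def round_trip(strategy):
    """Sign X, encrypt B with the given strategy, decrypt, and return
    (XML after encryption, XML after decryption, signature verifies?)."""
    doc = minidom.parseString(SAMPLE)
    x = doc.documentElement
    b = x.getElementsByTagName("B")[0]
    signed_digest = digest(x)
    enc = strategy(doc, b)
    encrypted_xml = x.toxml()
    decrypt(doc, enc)
    return encrypted_xml, x.toxml(), digest(x) == signed_digest


if __name__ == "__main__":
    for name, strategy in (("append", encrypt_append), ("in place", encrypt_in_place)):
        encrypted_xml, decrypted_xml, ok = round_trip(strategy)
        print(name, repr(encrypted_xml), repr(decrypted_xml), "verifies" if ok else "FAILS")
```

Appending leaves both newline text nodes in front of EncryptedData, so after decryption B sits after two newlines instead of between them and the digest no longer matches; replacing B in place restores the original byte sequence. The same holds for real XML-Signature processing, because canonicalization preserves whitespace text nodes inside elements.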