XML Signature and Encryption

sid-desh

Hi,

I am trying to write a small standalone Java application for testing XML Signature and XML Encryption. For testing this I created one key pair and public key certificate for Party A and another key pair and certificate for Party B.

I then used the test SSL certificate functionality in the Marketplace to sign both CSRs. I saved both the responses in the form of *.cert files and imported them.

Now I want to exchange the public keys between both parties. For this purpose I am not sure which entry to export and save as a *.cert file. I mean, should I export the CERTIFICATE entry and send it, or should I send the response which I have saved as *.cert files?

I noticed that after importing the response only the PRIVATE KEY entry has changed and the CERTIFICATE entry has not changed. This is why I am asking whether I should send the responses.

Please do let me know your suggestions.

Thanks and Regards

Sidharth Deshpande

7 REPLIES

Former Member

Hi Sidharth,

You should only exchange the certificates (they do include the public key), not the private keys!

Kind regards,

Patrick


Hi Patrick,

Thank you for your response.

Why I had asked the question is because when I generated the key pair I gave the valid from and valid to dates as 12/12/2006 and 12/12/2007. This is also the default. However, the response I got from the CA (Service Marketplace) only has validity for the next three months. When I imported the certificate response the PRIVATE KEY dates changed; however, in the CERTIFICATE entry the dates were unchanged. This got me thinking whether this is the correct one.

In such a scenario, if the sender encrypts the message using the public key (which is valid) and the receiver tries to decrypt it using the private key (after the validity), will an exception be thrown? What is your opinion?

In relation to this I have another question. In case I want to try out the hybrid scenario wherein I use a shared secret key for encryption and decryption and a key pair to encrypt and decrypt the secret key, how will this be achieved?

How can I generate just a key? Is it possible to embed such a key in the message itself?

Please do give your suggestions.

Thanks and Regards

Sidharth Deshpande


Hi Sidharth,

CAs may choose their own validity dates which are not related to the key lifetime (you can get a new signature for the same key pair at a later time).

If the certificate is no longer valid, the signature validation will flag this. Decryption will still work, as there your own private key is being used. It may only be that the encryption won't work, because of the expired certificate (depends on configuration).

If you want a symmetric key for encryption, you first have to transmit it to the receiver. For this you can use asymmetric encryption using the certificate of the receiver (this is called hybrid encryption, as it uses both encryption types), or you can do it out of band. You have to code this on your own if you use XML-Enc directly. If you are using WS-Security, it depends on the infrastructure. In our case at the moment (nw2004s and earlier) we only support signatures, not encryption, but this will change in the future.

Kind regards, Patrick
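The hybrid scheme Patrick describes (and that Sidharth asked about above: generate a symmetric key, encrypt the payload with it, encrypt the key with the receiver's public key, and embed the wrapped key in the message) in plain JCA, as an added example that is not code from this thread or from SAP's XML-Enc libraries. Names such as HybridEncryptionDemo, Envelope, encryptForReceiver and decryptAsReceiver are assumptions of this example; Party B's RSA key pair is generated in memory for the demo, where a real application would take the public key from the CERTIFICATE entry of the receiver's exported *.cert file (the encryptionKeyFrom helper shows that path, including the validity check).

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example (not from the thread): hybrid encryption with an AES session key wrapped by RSA-OAEP. */
public class HybridEncryptionDemo {

    private static final String KEY_WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final String DATA_CIPHER = "AES/GCM/NoPadding";
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    /** What travels inside the message: the wrapped key, the IV and the ciphertext (Base64),
     *  playing the role of xenc:EncryptedKey and xenc:CipherData in XML Encryption. */
    public static final class Envelope {
        public final String wrappedKey;
        public final String iv;
        public final String cipherText;

        Envelope(String wrappedKey, String iv, String cipherText) {
            this.wrappedKey = wrappedKey;
            this.iv = iv;
            this.cipherText = cipherText;
        }
    }

    /** Sender (Party A): obtain the receiver's public key from its certificate, refusing expired
     *  or not-yet-valid certificates (checkValidity throws CertificateExpiredException /
     *  CertificateNotYetValidException). Only the certificate is ever exchanged, never the private key. */
    public static PublicKey encryptionKeyFrom(X509Certificate receiverCert) throws CertificateException {
        receiverCert.checkValidity();
        return receiverCert.getPublicKey();
    }

    /** Sender: generate a fresh AES key ("just a key"), encrypt the payload with it,
     *  then wrap that key with the receiver's RSA public key so it can be embedded in the message. */
    public static Envelope encryptForReceiver(byte[] plaintext, PublicKey receiverPublicKey) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey sessionKey = keyGen.generateKey();

        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);          // fresh IV per message, never reused with the same key
        Cipher aes = Cipher.getInstance(DATA_CIPHER);
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] cipherText = aes.doFinal(plaintext);

        Cipher rsa = Cipher.getInstance(KEY_WRAP);
        rsa.init(Cipher.WRAP_MODE, receiverPublicKey);
        byte[] wrappedKey = rsa.wrap(sessionKey);

        Base64.Encoder b64 = Base64.getEncoder();
        return new Envelope(b64.encodeToString(wrappedKey), b64.encodeToString(iv), b64.encodeToString(cipherText));
    }

    /** Receiver (Party B): unwrap the session key with its own private key, then decrypt the payload.
     *  This uses only the receiver's private key, so it keeps working after the certificate expires. */
    public static byte[] decryptAsReceiver(Envelope env, PrivateKey receiverPrivateKey) throws Exception {
        Base64.Decoder b64 = Base64.getDecoder();

        Cipher rsa = Cipher.getInstance(KEY_WRAP);
        rsa.init(Cipher.UNWRAP_MODE, receiverPrivateKey);
        SecretKey sessionKey = (SecretKey) rsa.unwrap(b64.decode(env.wrappedKey), "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance(DATA_CIPHER);
        aes.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(GCM_TAG_BITS, b64.decode(env.iv)));
        return aes.doFinal(b64.decode(env.cipherText)); // throws AEADBadTagException if tampered
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair for Party B; in practice the public half comes from B's certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair partyB = kpg.generateKeyPair();

        byte[] message = "<order><item>42</item></order>".getBytes(StandardCharsets.UTF_8); // constructed payload
        Envelope env = encryptForReceiver(message, partyB.getPublic());
        System.out.println("wrapped key (Base64): " + env.wrappedKey);

        byte[] recovered = decryptAsReceiver(env, partyB.getPrivate());
        System.out.println(Arrays.equals(message, recovered) ? "round trip OK" : "MISMATCH");
    }
}
```

The sender is the only side that touches the certificate, which is why an expired certificate shows up as an encryption-side (or signature-validation) failure while the receiver's decryption with its own private key is unaffected. Serializing the three Base64 fields into the XML document is the part that, per the later replies, has to be coded by hand when the WS-Security stack does not handle encryption.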


Hi Sidharth,

In relation to your question about the symmetric encryption: if you don't use WS intermediaries, configuring your WS for SSL will do the job for you. You can at the same time use SOAP level security if you need it for other purposes such as auditing, etc.

Implementing something similar to SSL at the SOAP level is not supported in 04s and in any case will be a fairly advanced scenario for WS deployment, at least in my opinion.

BTW, you may find this example in the documentation useful:

http://help.sap.com/saphelp_nw2004s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm

Regards,

Yonko


Hello Patrick,

I didn't get the last line: "In our case at the moment (nw2004s and earlier) we only support signatures not encryption but this will change in the future."

I thought that both Encryption and Signatures were supported in NW04s.

Have I misunderstood? Can you please explain a little further?

Thanks and Regards

Sidharth Deshpande


Hello Yonko,

This is exactly the piece of code I have been referring to since this morning, and since then I had just listed all the doubts that came to my mind.

Hence this series of questions.

I also found that the API documentation was not that good for these libraries. I was able to find these APIs in the SP12 Javadocs available on SDN but not in more recent Javadocs. Are they stored somewhere else?

As of now my primary aim is to take an XML file and encrypt parts of it and sign it as well, as has been shown in the sample code, and then see how this fits in the WS domain.

I agree that without the presence of WS intermediaries SSL is just about sufficient.

I also would like to suggest a few very good articles on the IBM developerWorks site describing in detail XML Encryption and XML Signature. In case we have a Wiki page for this I will update there itself.

Regards

Sidharth

You can use XML Signature and Encryption programmatically, but the WS-Security framework at the moment does not support message security using encrypted messages. So you have to encrypt, serialize and send the data yourself instead of just defining the data to be encrypted by the WS-Security stack.