XML Encryption Syntax and Processing support available?

0 votes
asked Mar 21 by christian.harter (220 points)

Hello,

we are using Rebex Secure Mail since the beginning of the year with great satisfaction. We needed functionality to encrypt/decrypt mails with RSAES-OAEP and sign with RSASSA-PSS. With Rebex Secure Mail that’s really easy.

Is there any part of your suites that can be used to sign/encrypt XML too? In particular, we are looking for components to encrypt according to the definitions in https://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/ (XML Encryption Syntax and Processing, Chapter 5.5.3) or rather in http://santuario.apache.org/.

Thank you for any information in this regard,
Best wishes,
Christian

1 Answer

0 votes
answered Mar 21 by Lukas Matyska (47,190 points)

Thank you for your appreciation.

Unfortunately, we don't have an API for signing/encrypting XML.

However, I have done this in my private project. I got inspired by a blog post of Rick Strahl (or just the source code on GitHub).

I needed to sign an XML document using an RSA SHA-2 certificate. I am not sure whether the SignedXml class is capable of RSASSA-PSS. If not, the Rebex component can probably help.

Signing data using Rebex certificate API looks like this:

var cert = Certificate.LoadPfx(@"c:\data\cert.pfx", "password");

var parameters = new SignatureParameters();
parameters.PaddingScheme = SignaturePaddingScheme.Pss;
parameters.HashAlgorithm = HashingAlgorithmId.SHA384;

// sign a message (data); messageBytes holds the raw data to be signed
var signature = cert.SignMessage(messageBytes, parameters);

// or sign an already computed hash of the message (data); hashBytes holds the digest
// this method is not currently public (please let us know if you need it)
var signatureFromHash = cert.SignHash(hashBytes, parameters);

The easiest way to sign XML using RSASSA-PSS (if SignedXml doesn't support it natively) seems to be:

  1. Use Rick Strahl's code to create an RSA SHA-1 signed XML document
  2. Compute RSASSA-PSS signature using Rebex certificate API based on generated hash (digest)
  3. Replace necessary data (SignatureMethod, SignatureValue) with correct values

I didn't try it, but it can work.

...
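The three-step approach from the answer, worked through as an added example; this is not code from the answer, from Rebex or from Rick Strahl's project. It assumes .NET Core 3.1 or later with the System.Security.Cryptography.Xml package, uses SHA-256 instead of SHA-1 for the digests, and takes the SignatureMethod URI for RSASSA-PSS with SHA-256/MGF1 from RFC 6931. Step 2 is done with .NET's own RSA.SignData and PSS padding; the same canonical SignedInfo bytes are what you would hand to cert.SignMessage with Pss padding if you use the Rebex API from the answer. One ordering detail matters: the SignatureMethod URI is itself part of SignedInfo, which is the data being signed, so it has to be replaced before the PSS signature is computed, not after. A Verify function is included because SignedXml.CheckSignature() cannot resolve the PSS URI, so both the signature over SignedInfo and the enveloped reference digest are checked by hand. The canonicalization helper assumes the signed document's root element declares no namespaces.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not Rebex code): enveloped XML-DSig signature with RSASSA-PSS,
// built by letting SignedXml do the XML-DSig bookkeeping and then replacing
// SignatureMethod and SignatureValue.
static class PssXmlSigning
{
    // SignatureMethod URI for RSASSA-PSS with SHA-256 and MGF1 (RFC 6931, section 2.3.10).
    public const string RsaPssSha256Url = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";

    public static void Sign(XmlDocument doc, RSA privateKey)
    {
        // Step 1: a regular enveloped signature. ComputeSignature fills in the
        // reference digest and a PKCS#1 v1.5 SignatureValue that is discarded below.
        var signedXml = new SignedXml(doc) { SigningKey = privateKey };
        var reference = new Reference { Uri = "", DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        signedXml.ComputeSignature();

        // Step 3 first: SignatureMethod lives inside SignedInfo, which is exactly
        // what gets signed, so the URI must be switched before hashing.
        signedXml.SignedInfo.SignatureMethod = RsaPssSha256Url;

        // Step 2: RSASSA-PSS over the canonical SignedInfo, then replace SignatureValue.
        // With Rebex this is where cert.SignMessage(signedInfo, parameters) would go.
        byte[] signedInfo = CanonicalSignedInfo(signedXml);
        signedXml.Signature.SignatureValue =
            privateKey.SignData(signedInfo, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // SignedXml.CheckSignature() rejects the PSS URI, so check both halves by hand.
    public static bool Verify(XmlDocument signedDoc, RSA publicKey)
    {
        var sigElement = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0] as XmlElement;
        if (sigElement == null) return false;
        var signedXml = new SignedXml(signedDoc);
        signedXml.LoadXml(sigElement);
        var signedInfo = signedXml.SignedInfo;
        if (signedInfo.SignatureMethod != RsaPssSha256Url || signedInfo.References.Count != 1) return false;

        // Half 1: the PSS signature over the canonical SignedInfo.
        if (!publicKey.VerifyData(CanonicalSignedInfo(signedXml), signedXml.Signature.SignatureValue,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
            return false;

        // Half 2: the enveloped reference (URI="") is the digest of the document
        // with the Signature element removed, canonicalized.
        var reference = (Reference)signedInfo.References[0];
        if (reference.Uri != "" || reference.DigestMethod != SignedXml.XmlDsigSHA256Url) return false;
        var copy = (XmlDocument)signedDoc.Clone();
        var sigCopy = copy.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        sigCopy.ParentNode.RemoveChild(sigCopy);
        var c14n = new XmlDsigC14NTransform();
        c14n.LoadInput(copy);
        byte[] digest = c14n.GetDigestedOutput(SHA256.Create());
        return CryptographicOperations.FixedTimeEquals(digest, reference.DigestValue);
    }

    // Inclusive C14N of the SignedInfo element. Assumes the signed document's root
    // declares no namespaces; otherwise inclusive C14N would inherit them and the
    // ancestor context would have to be taken into account as SignedXml does internally.
    static byte[] CanonicalSignedInfo(SignedXml signedXml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.AppendChild(doc.ImportNode(signedXml.SignedInfo.GetXml(), true));
        var c14n = new XmlDsigC14NTransform();
        c14n.LoadInput(doc);
        using var output = (Stream)c14n.GetOutput(typeof(Stream));
        using var buffer = new MemoryStream();
        output.CopyTo(buffer);
        return buffer.ToArray();
    }

    static void Main()
    {
        using var rsa = RSA.Create(2048); // constructed throwaway key; real code loads a certificate
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Invoice><Id>42</Id><Total>100.00</Total></Invoice>"); // constructed sample document

        Sign(doc, rsa);
        Console.WriteLine(doc.OuterXml);
        Console.WriteLine("valid: " + Verify(doc, rsa));

        doc.SelectSingleNode("/Invoice/Total").InnerText = "1.00"; // tamper with signed content
        Console.WriteLine("after tampering: " + Verify(doc, rsa));
    }
}
```

After tampering, the PSS signature over SignedInfo still verifies (SignedInfo was not touched), and it is the reference digest comparison that rejects the document, which is why Verify checks both halves rather than stopping at the signature value. The tamper check uses a constant-time comparison for the digest; the public key used for Verify is the same throwaway RSA object here, but in practice it comes from the signer's certificate.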