I'm not sure if this question is really about cryptography or whether it would fit better on Stack Overflow, but I'll try...
In my XML example, some elements are encrypted with XML-Enc. I got this XML from a customer and changed attribute names and crypto keys to stay discreet.
There is an Entries element, consisting of one or more Entry elements. Its SubSystem has Value1 and Value2, which are obviously encrypted using the transport-key.
Question: What is the KeyInfo after SubSystem for?
Does it contain the encrypted transport-key, encrypted using yet another public key, for which the decrypter must have the matching private key?
What are KeyName and X509Certificate for? I guess that CipherData is the encrypted transport-key?
And why is there a KeyInfo in each Entry? Does it mean the transport-key can be different for each Entry?
What does ReferenceList tell me?
Somehow it says: Value1 and Value2 have been encrypted using this key. But this is also found in the EncryptedData/KeyInfo for Value1 and Value2 above...
Is there a standard way to interpret this scheme, or is it a matter for the application to cope with exactly that kind of syntax?
The XML is:
<?xml version="1.0" encoding="utf-8"?>
<ExampleFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:sim-delivery-file-schema">
  <Entries>
    <Entry>
      <SubSystem>
        <Value1>
          <EncryptedData Id="Value1" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>transport-key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>ccc1...</CipherValue>
            </CipherData>
          </EncryptedData>
        </Value1>
        <Value2>
          <EncryptedData Id="Value2" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>transport-key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>ccc2...</CipherValue>
            </CipherData>
          </EncryptedData>
        </Value2>
      </SubSystem>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey Recipient="CN=company, OU=department, O=MS, L=lll, S=state, C=DE, E=xxx@yyy.com" xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>KKK.......</KeyName>
            <X509Data>
              <X509Certificate>cert1....</X509Certificate>
            </X509Data>
          </KeyInfo>
          <CipherData>
            <CipherValue>cipher...</CipherValue>
          </CipherData>
          <ReferenceList>
            <DataReference URI="#Value1" />
            <DataReference URI="#Value2" />
          </ReferenceList>
          <CarriedKeyName>transport-key</CarriedKeyName>
        </EncryptedKey>
      </KeyInfo>
    </Entry>
  </Entries>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>digest....</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>sig....</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>cert2....</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</ExampleFile>
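As an added illustration (not part of the question or the customer's file), the Python below walks a constructed, abridged copy of the structure above and resolves the two links the question asks about: each EncryptedData's inner KeyName is matched against the EncryptedKey's CarriedKeyName, and the EncryptedKey's ReferenceList is checked to point back at that EncryptedData's Id. The element names and namespaces are the XML Encryption and XML Signature ones used in the file; resolve_key_graph and SAMPLE are my own.

```python
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed, abridged copy of the question's document (same structure, placeholder values).
SAMPLE = """<ExampleFile xmlns="urn:sim-delivery-file-schema"><Entries><Entry><SubSystem>
<Value1><EncryptedData Id="Value1" xmlns="http://www.w3.org/2001/04/xmlenc#">
 <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
 <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>transport-key</KeyName></KeyInfo>
 <CipherData><CipherValue>ccc1...</CipherValue></CipherData></EncryptedData></Value1>
<Value2><EncryptedData Id="Value2" xmlns="http://www.w3.org/2001/04/xmlenc#">
 <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
 <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>transport-key</KeyName></KeyInfo>
 <CipherData><CipherValue>ccc2...</CipherValue></CipherData></EncryptedData></Value2>
</SubSystem><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
 <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
 <CipherData><CipherValue>cipher...</CipherValue></CipherData>
 <ReferenceList><DataReference URI="#Value1"/><DataReference URI="#Value2"/></ReferenceList>
 <CarriedKeyName>transport-key</CarriedKeyName></EncryptedKey>
</KeyInfo></Entry></Entries></ExampleFile>"""


def resolve_key_graph(xml_text):
    """Link every EncryptedData to the EncryptedKey that wraps its key and
    check that the EncryptedKey's ReferenceList points back at it."""
    root = ET.fromstring(xml_text)  # inline sample; parse untrusted files with defusedxml
    # CarriedKeyName -> (wrapping algorithm, Ids the ReferenceList claims to cover)
    wrapped = {}
    for ek in root.iter(XENC + "EncryptedKey"):
        algo = ek.find(XENC + "EncryptionMethod").get("Algorithm")
        refs = {dr.get("URI").lstrip("#") for dr in ek.iter(XENC + "DataReference")}
        wrapped[ek.findtext(XENC + "CarriedKeyName")] = (algo, refs)
    report = {}
    for ed in root.iter(XENC + "EncryptedData"):
        ident = ed.get("Id")
        # The inner KeyInfo only names the key; the name must match a CarriedKeyName.
        key_name = ed.findtext(DSIG + "KeyInfo/" + DSIG + "KeyName")
        algo = ed.find(XENC + "EncryptionMethod").get("Algorithm")
        wrap = wrapped.get(key_name)
        report[ident] = {
            "data_alg": algo.rsplit("#", 1)[1],
            "key_name": key_name,
            "wrap_alg": wrap[0].rsplit("#", 1)[1] if wrap else None,
            # Both directions must agree: KeyName -> CarriedKeyName and ReferenceList -> Id.
            "listed_in_reference_list": wrap is not None and ident in wrap[1],
        }
    return report
```

Running it on a copy with one DataReference removed shows the asymmetry a receiver should flag: the EncryptedData still names transport-key, but the EncryptedKey no longer claims to cover it.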