Decryption essentially involves reversing the encryption steps.
1. Because none of these items are mandatory, they may be omitted from the EncryptedType structure if they are already known by the decrypting entity. If they are not already known to the decryptor, the parameters are to be found in the EncryptedData structure (see step 2 of the encryption steps for a sample EncryptedData structure).
2. The key may be located using the ds:KeyInfo structure. If the key is encrypted and contained in an EncryptedKey structure, it must be decrypted using the decrypting party's private key. Alternatively, if the key is referenced by its name in a KeyName element, the key should be retrieved from the local key store using the name, or a binding between this name and the name of the key. The key can be held locally or, alternatively, it could be the key name for an XKMS query.
3. If the data is obtained from a CipherValue element, the text must be base64 decoded to obtain the encrypted octet sequence that the encryption algorithm expects. If the data is obtained by dereferencing a URI from a CipherReference element, any transforms specified must be performed on the data in order to retrieve the encrypted octet sequence. Decrypt the octet sequence according to the algorithm and key determined earlier.
4. At this stage, we have obtained UTF-8 encoded data. This must be placed into the original XML data in place of the EncryptedData structure. If the data is not an XML element or the content of an XML element, then skip to step 5.
5. If the decrypted data is not an XML element or data in an XML element, then we pass it back to the application, which must know what to do with it. This is where the type information is essential. If it is not included with the encrypted data, it must be already known by the decrypting application.
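The steps above traced in code, as an added example that is not part of the original text: a Go function using only the standard library that handles the CipherValue plus KeyName case for AES-128-CBC. The EncryptedData field subset, the key-store map and the error messages are assumptions of this example; EncryptedKey, CipherReference transforms and splicing the result back into the document (step 4) are left to the caller, which receives the Type attribute to make the step 4/5 decision.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

const aes128CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

// EncryptedData mirrors the subset of the EncryptedType structure used here (assumed).
type EncryptedData struct {
	Type             string                                          `xml:"Type,attr"`
	EncryptionMethod struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"EncryptionMethod"`
	KeyName          string                                          `xml:"KeyInfo>KeyName"`         // step 2: key located by name
	CipherValue      string                                          `xml:"CipherData>CipherValue"` // step 3: base64 of IV||ciphertext
}

// Decrypt performs steps 1-3 for AES-128-CBC with the key held in a local store:
// read the algorithm and key name, base64-decode CipherValue, split off the IV that
// XML Encryption prepends to the ciphertext, decrypt, and strip the padding (the last
// octet holds the pad length). Type is returned so the caller can choose step 4 or 5.
func Decrypt(doc []byte, keyStore map[string][]byte) ([]byte, string, error) {
	var ed EncryptedData
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return nil, "", err
	}
	if ed.EncryptionMethod.Algorithm != aes128CBC {
		return nil, "", fmt.Errorf("unsupported algorithm %q", ed.EncryptionMethod.Algorithm)
	}
	block, err := aes.NewCipher(keyStore[ed.KeyName]) // unknown name -> empty key, rejected
	if err != nil {
		return nil, "", fmt.Errorf("key %q: %w", ed.KeyName, err)
	}
	raw, err := base64.StdEncoding.DecodeString(ed.CipherValue)
	if err != nil {
		return nil, "", err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 { // CryptBlocks panics otherwise
		return nil, "", fmt.Errorf("ciphertext is not an IV followed by whole blocks")
	}
	body := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(body, raw[aes.BlockSize:])
	pad := int(body[len(body)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, "", fmt.Errorf("invalid XML Encryption padding byte %d", pad)
	}
	return body[:len(body)-pad], ed.Type, nil
}
```

The length check before CryptBlocks matters in practice: a truncated or tampered CipherValue would otherwise crash the decryptor instead of being reported as an error.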