[xmlsec] EncryptedAssertion format

Claude Lecommandeur claude.lecommandeur at epfl.ch
Wed Mar 14 06:45:03 PDT 2012


Hi,

I am trying to write a small SAML2 IDP and have a strange problem when creating an encrypted saml2:Assertion.
I create a saml2p:Response which contains an assertion:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  IssueInstant="2012-03-13T12:02:56Z"
                  Version="2.0">
...
</saml2:Assertion>

I encrypted it with an AES key and embedded it inside saml2:EncryptedAssertion and xenc:EncryptedData, and everything goes well. The problem arises when I try to decrypt it with xmlsec1 --decrypt. I get this:

------------------------------------
xmlsec1 --decrypt --trusted-pem kissrv64.crt --privkey kissrv64.key resp
Entity: line 80: parser error : chunk is not well balanced
</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
                                                    ^
func=xmlSecReplaceNodeBufferAndReturn:file=xmltree.c:line=573:obj=unknown:subj=xmlParseInNodeContext:error=5:libxml2 library function failed:Failed to parse content
func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=648:obj=unknown:subj=xmlSecReplaceNodeBuffer:error=1:xmlsec library function failed:node=EncryptedData
Error: failed to decrypt file
Error: failed to decrypt file "resp"
-----------------------------------

This is strange since my assertion is well balanced. If I remove the closing tag of the assertion, making it invalid XML, the decryption works but produces an invalid result: no saml2:Assertion inside.

I then tried to insert a prefix to the assertion:

<saml2:Assertion <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  IssueInstant="2012-03-13T12:02:56Z"
                  Version="2.0">
...
</saml2:Assertion>

Yes, perfect nonsense, but decrypting works and seems correct; when feeding it to a Shibboleth SP, however, it chokes with "Decryption did not result in a single element."


I am lost; if anyone has any advice ready for this case, I'll take it.

       Claude.

-- 
Claude Lecommandeur           claude.lecommandeur at epfl.ch
EPFL - PL-DIT - KIS           +41 21 6932297
1015 Lausanne (Switzerland)   http://slpc1.epfl.ch/public/Claude.html

This signature intentionally left boring.
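Added example (Go, not code from the post or from xmlsec) showing the xenc:CipherValue layout for aes128-cbc, where the IV must be the first block and a consumer such as xmlsec1 always takes the first block as the IV: if a producer omits the IV, CBC lets every block but the first decrypt correctly, so exactly 16 bytes vanish from the front of the element, and "<saml2:Assertion" is exactly 16 bytes, which would leave a chunk that is not well balanced. Whether that is the cause in the post is not confirmed by it; the key below is a constructed demo value and the assertion text is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Encrypt returns the base64 text of an xenc:CipherValue. XML Encryption puts the IV in
// front of the CBC ciphertext; includeIV=false reproduces the mistake of leaving it out.
func Encrypt(block cipher.Block, plaintext []byte, includeIV bool) string {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand.Read fills the whole slice; it does not fail in current Go
	// xenc padding rule: the last byte holds the pad length; PKCS#7 padding satisfies it.
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	if includeIV {
		ct = append(iv, ct...)
	}
	return base64.StdEncoding.EncodeToString(ct)
}

// Decrypt behaves like a conforming consumer such as xmlsec1: the first block is the IV.
func Decrypt(block cipher.Block, cipherValue string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(cipherValue)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed CipherValue (%d bytes): %v", len(raw), err)
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, fmt.Errorf("bad padding byte %d", pad)
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed 128-bit demo key
	a := []byte(`<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"/>`)
	for _, withIV := range []bool{true, false} {
		pt, err := Decrypt(block, Encrypt(block, a, withIV))
		fmt.Printf("IV written out: %-5v -> %q %v\n", withIV, pt, err)
	}
}
```

With the IV omitted the output starts at ` xmlns:saml2=` and still ends with the closing tag, which is the unbalanced chunk libxml2 rejects.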
