[xmlsec] EncryptedAssertion format

Aleksey Sanin aleksey at aleksey.com
Wed Mar 14 07:19:28 PDT 2012


Do you mind posting the full xml document?

Aleksey

On 3/14/12 6:45 AM, Claude Lecommandeur wrote:
> 
>    Hi,
> 
>   I am trying to write a small SAML2 IDP and have a strange problem when
> creating encrypted saml2:Assertion.
> I create a saml2p:Response which contains an assertion:
> 
> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                  IssueInstant="2012-03-13T12:02:56Z"
>                  Version="2.0">
> ...
> </saml2:Assertion>
> 
>   I encrypted it with an AES key, and embedded it inside
> saml2:EncryptedAssertion and xenc:EncryptedData and everything goes
> well. The problem arises when I try to decrypt it with xmlsec1 --decrypt.
> I get this:
> 
> ------------------------------------
> xmlsec1 --decrypt --trusted-pem kissrv64.crt --privkey kissrv64.key resp
> Entity: line 80: parser error : chunk is not well balanced
> </saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
>                                                    ^
> func=xmlSecReplaceNodeBufferAndReturn:file=xmltree.c:line=573:obj=unknown:subj=xmlParseInNodeContext:error=5:libxml2
> library function failed:Failed to parse content
> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=648:obj=unknown:subj=xmlSecReplaceNodeBuffer:error=1:xmlsec
> library function failed:node=EncryptedData
> Error: failed to decrypt file
> Error: failed to decrypt file "resp"
> -----------------------------------
> 
>   This is strange since my assertion is well balanced. If I remove the
> closing tag of the assertion, making it invalid XML, the decrypting
> works but produces an invalid result: no saml2:Assertion inside.
> 
>    I then tried to insert a prefix to the assertion :
> 
> <saml2:Assertion <saml2:Assertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                  IssueInstant="2012-03-13T12:02:56Z"
>                  Version="2.0">
> ...
> </saml2:Assertion>
> 
>    Yes, perfect nonsense, but decrypting works and seems correct; but
> when feeding it to a Shibboleth SP, it chokes with "Decryption did not
> result in a single element."
> 
> 
>     I am lost; if anyone has any advice ready for this case, I'll take it.
> 
>       Claude.
> 
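The check that both xmlsec1 and the Shibboleth SP apply to the decrypted bytes, as an added example (not code from the thread, xmlsec or Shibboleth): the plaintext of the EncryptedData is parsed as a fragment in the namespace context of the surrounding document and accepted only if it yields exactly one element. The sample assertion bytes and the namespace context are constructed for the example.

```python
"""Accept decrypted EncryptedAssertion content only if it is one well-formed
element, mirroring the conditions behind the two errors in the thread:
"chunk is not well balanced" (parse failure in node context) and
"Decryption did not result in a single element" (wrong element count)."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def single_element_or_raise(plaintext: bytes, ns_context: dict) -> ET.Element:
    """Parse decrypted bytes as an XML fragment inside a wrapper element that
    carries the parent's namespace declarations (so saml2: resolves), then
    require exactly one child element and no stray text. Raises ValueError."""
    decls = " ".join(f'xmlns:{p}="{u}"' for p, u in ns_context.items())
    wrapped = f"<ctx {decls}>".encode() + plaintext + b"</ctx>"
    try:
        ctx = ET.fromstring(wrapped)
    except ET.ParseError as err:
        # Unbalanced or truncated plaintext: refuse rather than guess.
        raise ValueError(f"chunk is not well balanced: {err}") from err
    children = list(ctx)
    stray_text = bool((ctx.text or "").strip()) or any(
        (c.tail or "").strip() for c in children)
    if len(children) != 1 or stray_text:
        raise ValueError("Decryption did not result in a single element")
    return children[0]


# Constructed plaintexts standing in for the decrypted EncryptedData content.
GOOD = (b'<saml2:Assertion IssueInstant="2012-03-13T12:02:56Z" Version="2.0">'
        b'<saml2:Issuer>idp.example.test</saml2:Issuer></saml2:Assertion>')
UNBALANCED = GOOD[:-len(b"</saml2:Assertion>")]   # closing tag missing
TWO_ELEMENTS = GOOD + GOOD                        # well-formed, but not one element


def classify(plaintext: bytes) -> str:
    """Return the accepted element's tag, or the rejection reason."""
    try:
        elem = single_element_or_raise(plaintext, {"saml2": SAML2_NS})
    except ValueError as err:
        return str(err)
    return elem.tag


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("unbalanced", UNBALANCED),
                         ("two elements", TWO_ELEMENTS)):
        print(f"{name}: {classify(sample)}")
```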
