[xmlsec] EncryptedAssertion format

Aleksey Sanin aleksey at aleksey.com
Wed Mar 14 09:26:35 PDT 2012


The encrypted data look like this:

 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                        IssueInstant="2012-03-14T14:55:01Z"
                        Version="2.0"
ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
         <saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
....


Notice that "<saml2:Assertion" is missing? There is a problem either
with encryption or decryption.


Aleksey

On 3/14/12 7:59 AM, Claude Lecommandeur wrote:
> On 03/14/2012 03:19 PM, Aleksey Sanin wrote:
>> Do you mind posting the full xml document?
> 
>     The xml, certificate and private key are attached. Thanks for your
> attention.
> 
>         Claude.
> 
>>
>> Aleksey
>>
>> On 3/14/12 6:45 AM, Claude Lecommandeur wrote:
>>>     Hi,
>>>
>>>    I am trying to write a small SAML2 IDP and have a strange problem
>>> when creating encrypted saml2:Assertion.
>>> I create a saml2p:Response which contains an assertion :
>>>
>>> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>                   IssueInstant="2012-03-13T12:02:56Z"
>>>                   Version="2.0">
>>> ...
>>> </saml2:Assertion>
>>>
>>>    I encrypted it with an AES key, and embedded it inside
>>> saml2:EncryptedAssertion and xenc:EncryptedData and everything goes
>>> well. The problem arises when I try to decrypt it with xmlsec1 --decrypt.
>>> I get this:
>>>
>>> ------------------------------------
>>> xmlsec1 --decrypt --trusted-pem kissrv64.crt --privkey kissrv64.key resp
>>> Entity: line 80: parser error : chunk is not well balanced
>>> </saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
>>>                                                     ^
>>> func=xmlSecReplaceNodeBufferAndReturn:file=xmltree.c:line=573:obj=unknown:subj=xmlParseInNodeContext:error=5:libxml2
>>>
>>> library function failed:Failed to parse content
>>> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=648:obj=unknown:subj=xmlSecReplaceNodeBuffer:error=1:xmlsec
>>>
>>> library function failed:node=EncryptedData
>>> Error: failed to decrypt file
>>> Error: failed to decrypt file "resp"
>>> -----------------------------------
>>>
>>>    This is strange since my assertion is well balanced. If I remove the
>>> closing tag of the assertion, making it invalid XML, the decryption
>>> works but produces an invalid result: no saml2:Assertion inside.
>>>
>>>     I then tried to insert a prefix to the assertion :
>>>
>>> <saml2:Assertion<saml2:Assertion
>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>                   IssueInstant="2012-03-13T12:02:56Z"
>>>                   Version="2.0">
>>> ...
>>> </saml2:Assertion>
>>>
>>>     Yes, perfect nonsense, but decrypting works and seems correct, but
>>> when feeding it to a Shibboleth SP, it chokes with "Decryption did not
>>> result in a single element."
>>>
>>>
>>>      I am lost; if anyone has any advice ready for this case, I'll
>>> take it.
>>>
>>>        Claude.
>>>
> 
> 
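An added example (my own illustration, not xmlsec code, not Claude's IDP code, and not a diagnosis the thread itself reaches): XML Encryption requires that for CBC algorithms such as aes128-cbc the IV is prepended to the ciphertext inside xenc:CipherValue, and a conforming decrypter, xmlsec1 included, always consumes the first block of CipherValue as the IV. One mechanism that produces exactly the symptom Aleksey points at, the decrypted assertion starting at ` xmlns:saml2=` instead of `<saml2:Assertion`, is an encrypter that writes the raw CBC ciphertext without the IV: the decrypter then uses the first ciphertext block as IV, and the first 16 bytes of plaintext (`<saml2:Assertion` is exactly 16 bytes, one AES block) vanish while everything after it decrypts cleanly, leaving an unbalanced chunk. The Go code below uses only the standard library; the key, IV and assertion are constructed sample values, and `BuggyEncryptCipherValue` is a hypothetical faulty encrypter written to show the effect.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// SampleAssertion is a constructed, minimal assertion used as plaintext.
// Its first 16 bytes are exactly "<saml2:Assertion", one AES block.
const SampleAssertion = `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2012-03-13T12:02:56Z" Version="2.0"><saml2:Issuer>idp.example</saml2:Issuer></saml2:Assertion>`

// xencPad applies XML Encryption block padding: 1..blockSize bytes are
// appended and the last byte holds the pad length (earlier pad bytes are
// arbitrary; zero here).
func xencPad(p []byte, bs int) []byte {
	n := bs - len(p)%bs
	out := make([]byte, len(p)+n)
	copy(out, p)
	out[len(out)-1] = byte(n)
	return out
}

// xencUnpad strips XML Encryption padding using the length in the last byte.
func xencUnpad(p []byte, bs int) ([]byte, error) {
	if len(p) == 0 || len(p)%bs != 0 {
		return nil, errors.New("padded data not block aligned")
	}
	n := int(p[len(p)-1])
	if n < 1 || n > bs {
		return nil, errors.New("invalid pad length")
	}
	return p[:len(p)-n], nil
}

// EncryptCipherValue builds the octets that belong in <xenc:CipherValue>
// for aes128-cbc the way the spec requires: IV || CBC(key, IV, pad(plaintext)).
func EncryptCipherValue(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := xencPad(plaintext, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// DecryptCipherValue does what a conforming decrypter does: it takes the
// first block of CipherValue as the IV, CBC-decrypts the remainder and
// strips the padding. It has no way of knowing whether the IV was really there.
func DecryptCipherValue(key, cipherValue []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(cipherValue) < 2*bs || len(cipherValue)%bs != 0 {
		return nil, errors.New("cipher value too short or not block aligned")
	}
	iv, ct := cipherValue[:bs], cipherValue[bs:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return xencUnpad(pt, bs)
}

// BuggyEncryptCipherValue is a hypothetical faulty encrypter: it encrypts
// correctly but writes only the ciphertext, omitting the leading IV.
func BuggyEncryptCipherValue(key, iv, plaintext []byte) ([]byte, error) {
	full, err := EncryptCipherValue(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return full[len(iv):], nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	iv := []byte("fedcba9876543210")  // constructed IV (use a random one in practice)

	good, _ := EncryptCipherValue(key, iv, []byte(SampleAssertion))
	pt, _ := DecryptCipherValue(key, good)
	fmt.Printf("with IV prepended:   %q\n", pt[:40])

	bad, _ := BuggyEncryptCipherValue(key, iv, []byte(SampleAssertion))
	pt, _ = DecryptCipherValue(key, bad)
	// The first AES block ("<saml2:Assertion") is gone; output starts at " xmlns:saml2=".
	fmt.Printf("without IV prepended: %q\n", pt[:40])
}
```

Running it prints the correctly round-tripped assertion first, and then the truncated one beginning with ` xmlns:saml2=`, the same shape as the decrypted data shown at the top of the thread. The general point for anyone writing an encrypter by hand: CipherValue is IV plus ciphertext, and a decrypter cannot detect a missing IV, so the loss shows up only as a mangled first block of plaintext.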

