[xmlsec] Encrypting with pub key in cert

Aleksey Sanin aleksey at aleksey.com
Tue Feb 12 06:38:12 PST 2013 

There is a stack trace printed for the error. What is it?

Aleksey

On 2/12/13 1:19 AM, Ashley Hindmarsh wrote:
> I'm trying to generate encrypted XML from a pre-signed SAML token using
> xmlsec1.
> 
> Platform is RHEL5 (running as a VM).
> 
> I'm using this document (along with xmlsec docs) as a reference
> http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc9
> This describes the use-case (hybrid encryption) very nicely.
> 
> /usr/bin/xmlsec1 encrypt \
>  --pubkey-cert-pem t/psdrsamlcert.pem  \
>  --print-debug \
>  --session-key aes-256  \
>  --xml-data t/DecryptedToken.xml \
>  --output psdr-encrypted-xpath.xml \
>  --node-xpath / t/session-key-template.xml
> 
> psdrsamlcert.pem is generated using basic openssl defaults + an RSA key
> pair (self-signed).
> 
> session-key-template.xml reads as follows:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
> Type="http://www.w3.org/2001/04/xmlenc#Element">
>   <EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
>       <EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>       </EncryptionMethod>
>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <X509Data>
>           <X509IssuerSerial>
>             <X509IssuerName/>
>             <X509SerialNumber/>
>           </X509IssuerSerial>
>         </X509Data>
>       </KeyInfo>
>       <CipherData>
>         <CipherValue/>
>       </CipherData>
>     </EncryptedKey>
>   </KeyInfo>
>   <CipherData>
>     <CipherValue/>
>   </CipherData>
> </EncryptedData>
> 
> The error I get is:
> func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto
> library function failed:
> 
> I tried adding --X509-skip-strict-checks, but that makes no difference.
> 
> It seems that using self-signed certs may be a problem, but that
> appeared to apply only to xmlsec verification functions
> 
> Is it the case that the same functions are required to extract the X509
> credentials?
> 
> If so it there a work-around which avoids this.
> I don't *need* to have X509Data in the token response, just some
> reference to the issuer.
> I tried using 'KeyName' in place of X509Data but again, it makes no
> difference.
> 
> thanks for reading,
>   Ash
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list