[xmlsec] Encrypting with pub key in cert
Ashley Hindmarsh
ashley.hindmarsh at bbc.co.uk
Wed Feb 13 01:51:08 PST 2013
On 12/02/2013 14:38, Aleksey Sanin wrote:
> There is a stack trace printed for the error. What is it?
That is all we get - no further stack trace.
func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto
library function failed:
I just noticed that the output file was being created - so that may have
been a warning.
However, the X509IssuerSerial element was not being populated as expected.
Instead there is a dump of the X509Certificate.
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509IssuerSerial>
<X509IssuerName/>
<X509SerialNumber/>
</X509IssuerSerial>
<X509Certificate>MIIEmzCCA4OgAwIBAgIJAPvusOvlHmEXMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD
VQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMRMwEQYDVQQHEwpXaGl0ZSBDaXR5MQww
...
This isn't a showstopper as I can inject the correct X509 details myself.
In the --print-debug output, I can see the X509 being extracted
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: -1
=== rsa key: size = 2048
=== list size: 1
=== X509 Data:
==== Certificate:
==== Subject Name:
/C=GB/ST=London/L=XXXXX/O=XXXX/OU=XXXX/CN=XXXX/emailAddress=xxx at example.com
==== Issuer Name:
/C=GB/ST=London/L=XXXXX/O=XXXX/OU=XXXX/CN=XXXX/emailAddress=xxx at example.com
==== Issuer Serial: FBEEB0EBE51E6117
Ash
> Aleksey
>
> On 2/12/13 1:19 AM, Ashley Hindmarsh wrote:
>> I'm trying to generate encrypted XML from a pre-signed SAML token using
>> xmlsec1.
>>
>> Platform is RHEL5 (running as a VM).
>>
>> I'm using this document (along with xmlsec docs) as a reference
>> http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc9
>> This describes the use-case (hybrid encryption) very nicely.
>>
>> /usr/bin/xmlsec1 encrypt \
>> --pubkey-cert-pem t/psdrsamlcert.pem \
>> --print-debug \
>> --session-key aes-256 \
>> --xml-data t/DecryptedToken.xml \
>> --output psdr-encrypted-xpath.xml \
>> --node-xpath / t/session-key-template.xml
>>
>> psdrsamlcert.pem is generated using basic openssl defaults + an RSA key
>> pair (self-signed).
>>
>> session-key-template.xml reads as follows:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
>> Type="http://www.w3.org/2001/04/xmlenc#Element">
>> <EncryptionMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
>> <EncryptionMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>> </EncryptionMethod>
>> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <X509Data>
>> <X509IssuerSerial>
>> <X509IssuerName/>
>> <X509SerialNumber/>
>> </X509IssuerSerial>
>> </X509Data>
>> </KeyInfo>
>> <CipherData>
>> <CipherValue/>
>> </CipherData>
>> </EncryptedKey>
>> </KeyInfo>
>> <CipherData>
>> <CipherValue/>
>> </CipherData>
>> </EncryptedData>
>>
>> The error I get is:
>> func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto
>> library function failed:
>>
>> I tried adding --X509-skip-strict-checks, but that makes no difference.
>>
>> It seems that using self-signed certs may be a problem, but that
>> appeared to apply only to xmlsec verification functions
>>
>> Is it the case that the same functions are required to extract the X509
>> credentials?
>>
>> If so it there a work-around which avoids this.
>> I don't *need* to have X509Data in the token response, just some
>> reference to the issuer.
>> I tried using 'KeyName' in place of X509Data but again, it makes no
>> difference.
>>
>> thanks for reading,
>> Ash
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list