[xmlsec] Encrypting with pub key in cert

Aleksey Sanin aleksey at aleksey.com
Wed Feb 13 10:36:51 PST 2013 

This doesn't sound right. This error is probably indicating
that the certificate parsing was not done properly.

Not sure why is it happening.

Aleksey

On 2/13/13 1:51 AM, Ashley Hindmarsh wrote:
> On 12/02/2013 14:38, Aleksey Sanin wrote:
>> There is a stack trace printed for the error. What is it?
> That is all we get - no further stack trace.
> 
> func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto
> 
> library function failed:
> 
> 
> I just noticed that the output file was being created - so that may have
> been a warning.
> 
> However, the X509IssuerSerial element was not being populated as expected.
> Instead there is a dump of the X509Certificate.
> 
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <X509Data>
>           <X509IssuerSerial>
>             <X509IssuerName/>
>             <X509SerialNumber/>
>           </X509IssuerSerial>
> <X509Certificate>MIIEmzCCA4OgAwIBAgIJAPvusOvlHmEXMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD
> 
> VQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMRMwEQYDVQQHEwpXaGl0ZSBDaXR5MQww
> ...
> 
> This isn't a showstopper as I can inject the correct X509 details myself.
> 
> In the --print-debug output, I can see the X509 being extracted
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key usage: -1
> === rsa key: size = 2048
> === list size: 1
> === X509 Data:
> ==== Certificate:
> ==== Subject Name:
> /C=GB/ST=London/L=XXXXX/O=XXXX/OU=XXXX/CN=XXXX/emailAddress=xxx at example.com
> ==== Issuer Name:
> /C=GB/ST=London/L=XXXXX/O=XXXX/OU=XXXX/CN=XXXX/emailAddress=xxx at example.com
> ==== Issuer Serial: FBEEB0EBE51E6117
> 
>    Ash
> 
>> Aleksey
>>
>> On 2/12/13 1:19 AM, Ashley Hindmarsh wrote:
>>> I'm trying to generate encrypted XML from a pre-signed SAML token using
>>> xmlsec1.
>>>
>>> Platform is RHEL5 (running as a VM).
>>>
>>> I'm using this document (along with xmlsec docs) as a reference
>>> http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc9
>>>
>>> This describes the use-case (hybrid encryption) very nicely.
>>>
>>> /usr/bin/xmlsec1 encrypt \
>>>   --pubkey-cert-pem t/psdrsamlcert.pem  \
>>>   --print-debug \
>>>   --session-key aes-256  \
>>>   --xml-data t/DecryptedToken.xml \
>>>   --output psdr-encrypted-xpath.xml \
>>>   --node-xpath / t/session-key-template.xml
>>>
>>> psdrsamlcert.pem is generated using basic openssl defaults + an RSA key
>>> pair (self-signed).
>>>
>>> session-key-template.xml reads as follows:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
>>> Type="http://www.w3.org/2001/04/xmlenc#Element">
>>>    <EncryptionMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>>>    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
>>>        <EncryptionMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>>>        </EncryptionMethod>
>>>        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>          <X509Data>
>>>            <X509IssuerSerial>
>>>              <X509IssuerName/>
>>>              <X509SerialNumber/>
>>>            </X509IssuerSerial>
>>>          </X509Data>
>>>        </KeyInfo>
>>>        <CipherData>
>>>          <CipherValue/>
>>>        </CipherData>
>>>      </EncryptedKey>
>>>    </KeyInfo>
>>>    <CipherData>
>>>      <CipherValue/>
>>>    </CipherData>
>>> </EncryptedData>
>>>
>>> The error I get is:
>>> func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto
>>>
>>> library function failed:
>>>
>>> I tried adding --X509-skip-strict-checks, but that makes no difference.
>>>
>>> It seems that using self-signed certs may be a problem, but that
>>> appeared to apply only to xmlsec verification functions
>>>
>>> Is it the case that the same functions are required to extract the X509
>>> credentials?
>>>
>>> If so it there a work-around which avoids this.
>>> I don't *need* to have X509Data in the token response, just some
>>> reference to the issuer.
>>> I tried using 'KeyName' in place of X509Data but again, it makes no
>>> difference.
>>>
>>> thanks for reading,
>>>    Ash
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>

More information about the xmlsec mailing list