[xmlsec] Can't decrypt GCM based algorithms
Timothy Legge
timlegge at gmail.com
Tue Mar 29 22:35:06 UTC 2022
That likely answers that particular issue. My module issue looks like this:
xmlsec1 --decrypt --privkey-pem
~/perl-Net-SAML2/xt/testapp/sign-private.pem tmp.xml
func=xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock:file=ciphers.c:line=250:obj=aes256-gcm:subj=EVP_CipherFinal:error=4:crypto
library function failed:openssl error: 0: NULL: NULL NULL
func=xmlSecOpenSSLEvpBlockCipherGCMCtxFinal:file=ciphers.c:line=557:obj=aes256-gcm:subj=xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock:error=1:xmlsec
library function failed:
func=xmlSecOpenSSLEvpBlockCipherExecute:file=ciphers.c:line=843:obj=aes256-gcm:subj=xmlSecOpenSSLEvpBlockCipherCtxFinal:error=1:xmlsec
library function failed:
func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1927:obj=aes256-gcm:subj=xmlSecTransformExecute:error=1:xmlsec
library function failed:final=1
func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1952:obj=aes256-gcm:subj=xmlSecTransformPushBin:error=1:xmlsec
library function failed:final=1;outSize=74
func=xmlSecTransformCtxBinaryExecute:file=transforms.c:line=941:obj=unknown:subj=xmlSecTransformPushBin:error=1:xmlsec
library function failed:dataSize=102
func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=614:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec
library function failed:
func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=524:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec
library function failed:
Error: failed to decrypt file
Error: failed to decrypt file "tmp.xml"
Timothy Legge
timlegge at gmail.com
timlegge at cpan.org
On Tue, Mar 29, 2022 at 6:57 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Yes, basically you need to tell XML parser about ID attributes.
> As I said, section 3.2 in FAQ:
>
> https://www.aleksey.com/xmlsec/faq.html
>
> Aleksey
>
> On 3/29/22 5:52 PM, Timothy Legge wrote:
> > Hi
> >
> > I am missing the reference I think. Is it related to the --id-attr?
> >
> > Timothy Legge
> > timlegge at gmail.com
> > timlegge at cpan.org
> >
> > On Tue, Mar 29, 2022 at 6:36 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
> >>
> >> FAQ section 3.2 if I recall (or somewhere close by).
> >>
> >> Aleksey
> >>
> >> On 3/29/22 5:34 PM, Timothy Legge wrote:
> >>> Hi
> >>>
> >>> It also seems to be an issue with a IdP SAMLResponse from okta:
> >>>
> >>> I have attached the xml as test xml and the base64 version as well as
> >>> the private key (that private key is from perl-Net-SAML2 and is
> >>> already public so it is fine to post). My perl XML::Enc module
> >>> decrypts this file without any issues.
> >>>
> >>> I am continuing to review.
> >>>
> >>> Tim
> >>>
> >>> xmlsec1 --decrypt --privkey-pem sign-private-rsa.pem test.xml
> >>> func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
> >>> library function
> >>> failed:expr=xpointer(id('_040a0aae3380dc9275ae08c24a8ddd72')); xml
> >>> error: 0: NULL
> >>> func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
> >>> library function failed:
> >>> func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec
> >>> library function failed:
> >>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec
> >>> library function failed:
> >>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec
> >>> library function failed:
> >>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec
> >>> library function failed:
> >>> func=xmlSecKeyDataRetrievalMethodXmlRead:file=keyinfo.c:line=1108:obj=retrieval-method:subj=xmlSecTransformCtxExecute:error=1:xmlsec
> >>> library function failed:
> >>> func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=121:obj=retrieval-method:subj=xmlSecKeyDataXmlRead:error=1:xmlsec
> >>> library function failed:node=RetrievalMethod
> >>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1234:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec
> >>> library function failed:node=KeyInfo
> >>> func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=779:obj=unknown:subj=unknown:error=45:key
> >>> is not found:encMethod=aes256-gcm
> >>> func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=596:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec
> >>> library function failed:
> >>> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=524:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec
> >>> library function failed:
> >>> Error: failed to decrypt file
> >>> Error: failed to decrypt file "test.xml"
> >>>
> >>> Timothy Legge
> >>> timlegge at gmail.com
> >>> timlegge at cpan.org
> >>>
> >>> On Tue, Mar 29, 2022 at 1:25 PM Timothy Legge <timlegge at gmail.com> wrote:
> >>>>
> >>>> perfect. I do get errors but my laptop is home at the moment. I will test again tonight and let you know.
> >>>>
> >>>> Tim
> >>>>
> >>>> On Tue., Mar. 29, 2022, 12:57 p.m. Aleksey Sanin, <aleksey at aleksey.com> wrote:
> >>>>>
> >>>>> Well, the gcm code for openssl is here:
> >>>>>
> >>>>> https://github.com/lsh123/xmlsec/blob/4b6ab2d86b71f8642f19ab3b7a0777984b6bce9a/src/openssl/ciphers.c#L80
> >>>>>
> >>>>> so adding printfs in these functions would help.
> >>>>>
> >>>>> Do you get any errors?
> >>>>>
> >>>>> Aleksey
> >>>>>
> >>>>> On 3/29/22 11:51 AM, Timothy Legge wrote:
> >>>>>> Hi
> >>>>>>
> >>>>>> I am working on adding support for aes*-gcm to perl's XML::Enc. I can:
> >>>>>>
> >>>>>> 1. Decrypt SAML responses encrypted with aes*-gcm using XML::Enc
> >>>>>> 2. Decrypt xmlsec encrypted aes*-gcm XML using XML::Enc
> >>>>>> 3. Encrypt XML using aes*-gcm with XML::Sec
> >>>>>> 4. Decrypt XML that was encrypted with XML::Sec using ases*-gcm
> >>>>>>
> >>>>>> However, I cannot use xmlsec to decrypt XML::Sec encrypted XML that
> >>>>>> uses aes*-gcm.
> >>>>>>
> >>>>>> I can't think of any issues that would allow me to encrypt and decrypt
> >>>>>> XML successfully with XML::Enc but not allow xmlsec to decrypt those
> >>>>>> files.
> >>>>>>
> >>>>>> I was wondering if there is a debug flag for XML sec that would allow
> >>>>>> me to output the following:
> >>>>>>
> >>>>>> 1. base64 of the CipherValue it reads from the XML file
> >>>>>> 2. base 64 of IV
> >>>>>> 3 base64 of encrypted data
> >>>>>> 4 base 64 of the tag
> >>>>>> 5 base 64 of the key
> >>>>>>
> >>>>>> I don't mind adding some print debugging and recompiling if you can
> >>>>>> point me to a starting place. It has been a while since I wrote much
> >>>>>> C but I have no issues. Finding the correct spot though...
> >>>>>>
> >>>>>> Tim
> >>>>>>
> >>>>>> Timothy Legge
> >>>>>> timlegge at gmail.com
> >>>>>> timlegge at cpan.org
> >>>>>> _______________________________________________
> >>>>>> xmlsec mailing list
> >>>>>> xmlsec at aleksey.com
> >>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.xml
Type: text/xml
Size: 1823 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20220329/91027b68/attachment-0001.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sign-private-rsa.pem
Type: application/x-x509-ca-cert
Size: 3247 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20220329/91027b68/attachment-0001.crt>
More information about the xmlsec
mailing list