[xmlsec] Can't decrypt GCM based algorithms

Aleksey Sanin aleksey at aleksey.com
Wed Mar 30 00:10:12 UTC 2022


I would check what kind of padding is used by the encryption software.
That's one of the most common reasons for an EVP_CipherFinal failure like
that.

Aleksey

On 3/29/22 6:35 PM, Timothy Legge wrote:
> That likely answers that particular issue.  My module issue looks like this:
> 
> xmlsec1 --decrypt --privkey-pem
> ~/perl-Net-SAML2/xt/testapp/sign-private.pem tmp.xml
> func=xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock:file=ciphers.c:line=250:obj=aes256-gcm:subj=EVP_CipherFinal:error=4:crypto
> library function failed:openssl error: 0: NULL: NULL NULL
> func=xmlSecOpenSSLEvpBlockCipherGCMCtxFinal:file=ciphers.c:line=557:obj=aes256-gcm:subj=xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock:error=1:xmlsec
> library function failed:
> func=xmlSecOpenSSLEvpBlockCipherExecute:file=ciphers.c:line=843:obj=aes256-gcm:subj=xmlSecOpenSSLEvpBlockCipherCtxFinal:error=1:xmlsec
> library function failed:
> func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1927:obj=aes256-gcm:subj=xmlSecTransformExecute:error=1:xmlsec
> library function failed:final=1
> func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1952:obj=aes256-gcm:subj=xmlSecTransformPushBin:error=1:xmlsec
> library function failed:final=1;outSize=74
> func=xmlSecTransformCtxBinaryExecute:file=transforms.c:line=941:obj=unknown:subj=xmlSecTransformPushBin:error=1:xmlsec
> library function failed:dataSize=102
> func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=614:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec
> library function failed:
> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=524:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec
> library function failed:
> Error: failed to decrypt file
> Error: failed to decrypt file "tmp.xml"
> 
> 
> 
> Timothy Legge
> timlegge at gmail.com
> timlegge at cpan.org
> 
> On Tue, Mar 29, 2022 at 6:57 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> Yes, basically you need to tell XML parser about ID attributes.
>> As I said, section 3.2 in FAQ:
>>
>> https://www.aleksey.com/xmlsec/faq.html
>>
>> Aleksey
>>
>> On 3/29/22 5:52 PM, Timothy Legge wrote:
>>> Hi
>>>
>>> I am missing the reference I think.  Is it related to the --id-attr?
>>>
>>> Timothy Legge
>>> timlegge at gmail.com
>>> timlegge at cpan.org
>>>
>>> On Tue, Mar 29, 2022 at 6:36 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>
>>>> FAQ section 3.2 if I recall (or somewhere close by).
>>>>
>>>> Aleksey
>>>>
>>>> On 3/29/22 5:34 PM, Timothy Legge wrote:
>>>>> Hi
>>>>>
>>>>> It also seems to be an issue with an IdP SAMLResponse from Okta:
>>>>>
>>>>> I have attached the xml as test xml and the base64 version as well as
>>>>> the private key (that private key is from perl-Net-SAML2 and is
>>>>> already public so it is fine to post).  My perl XML::Enc module
>>>>> decrypts this file without any issues.
>>>>>
>>>>> I am continuing to review.
>>>>>
>>>>> Tim
>>>>>
>>>>> xmlsec1 --decrypt --privkey-pem sign-private-rsa.pem test.xml
>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
>>>>> library function
>>>>> failed:expr=xpointer(id('_040a0aae3380dc9275ae08c24a8ddd72')); xml
>>>>> error: 0: NULL
>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
>>>>> library function failed:
>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec
>>>>> library function failed:
>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec
>>>>> library function failed:
>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec
>>>>> library function failed:
>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec
>>>>> library function failed:
>>>>> func=xmlSecKeyDataRetrievalMethodXmlRead:file=keyinfo.c:line=1108:obj=retrieval-method:subj=xmlSecTransformCtxExecute:error=1:xmlsec
>>>>> library function failed:
>>>>> func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=121:obj=retrieval-method:subj=xmlSecKeyDataXmlRead:error=1:xmlsec
>>>>> library function failed:node=RetrievalMethod
>>>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1234:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec
>>>>> library function failed:node=KeyInfo
>>>>> func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=779:obj=unknown:subj=unknown:error=45:key
>>>>> is not found:encMethod=aes256-gcm
>>>>> func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=596:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec
>>>>> library function failed:
>>>>> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=524:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec
>>>>> library function failed:
>>>>> Error: failed to decrypt file
>>>>> Error: failed to decrypt file "test.xml"
>>>>>
>>>>> Timothy Legge
>>>>> timlegge at gmail.com
>>>>> timlegge at cpan.org
>>>>>
>>>>> On Tue, Mar 29, 2022 at 1:25 PM Timothy Legge <timlegge at gmail.com> wrote:
>>>>>>
>>>>>> Perfect.  I do get errors but my laptop is home at the moment.  I will test again tonight and let you know.
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On Tue., Mar. 29, 2022, 12:57 p.m. Aleksey Sanin, <aleksey at aleksey.com> wrote:
>>>>>>>
>>>>>>> Well, the gcm code for openssl is here:
>>>>>>>
>>>>>>> https://github.com/lsh123/xmlsec/blob/4b6ab2d86b71f8642f19ab3b7a0777984b6bce9a/src/openssl/ciphers.c#L80
>>>>>>>
>>>>>>> so adding printfs in these functions would help.
>>>>>>>
>>>>>>> Do you get any errors?
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 3/29/22 11:51 AM, Timothy Legge wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I am working on adding support for aes*-gcm to perl's XML::Enc.  I can:
>>>>>>>>
>>>>>>>> 1. Decrypt SAML responses encrypted with aes*-gcm using XML::Enc
>>>>>>>> 2. Decrypt xmlsec encrypted aes*-gcm XML using XML::Enc
>>>>>>>> 3. Encrypt XML using aes*-gcm with XML::Sec
>>>>>>>> 4. Decrypt XML that was encrypted with XML::Sec using aes*-gcm
>>>>>>>>
>>>>>>>> However, I cannot use xmlsec to decrypt XML::Sec encrypted XML that
>>>>>>>> uses aes*-gcm.
>>>>>>>>
>>>>>>>> I can't think of any issues that would allow me to encrypt and decrypt
>>>>>>>> XML successfully with XML::Enc but not allow xmlsec to decrypt those
>>>>>>>> files.
>>>>>>>>
>>>>>>>> I was wondering if there is a debug flag for xmlsec that would allow
>>>>>>>> me to output the following:
>>>>>>>>
>>>>>>>> 1. base64 of the CipherValue it reads from the XML file
>>>>>>>> 2. base64 of the IV
>>>>>>>> 3. base64 of the encrypted data
>>>>>>>> 4. base64 of the tag
>>>>>>>> 5. base64 of the key
>>>>>>>>
>>>>>>>> I don't mind adding some print debugging and recompiling if you can
>>>>>>>> point me to a starting place.  It has been a while since I wrote much
>>>>>>>> C but I have no issues.  Finding the correct spot though...
>>>>>>>>
>>>>>>>> Tim
>>>>>>>>
>>>>>>>> Timothy Legge
>>>>>>>> timlegge at gmail.com
>>>>>>>> timlegge at cpan.org
>>>>>>>> _______________________________________________
>>>>>>>> xmlsec mailing list
>>>>>>>> xmlsec at aleksey.com
>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
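
As an added example (not part of the thread, and not xmlsec or XML::Enc code), this Python helper produces the IV, ciphertext and tag dump asked about in the original question, so the output of two implementations can be compared byte for byte. It assumes the XML Encryption 1.1 AES-GCM layout inside CipherValue: a 96-bit IV, then the encrypted octets, then a 128-bit authentication tag. The function names and the sample document are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
GCM_ALGS = {f"http://www.w3.org/2009/xmlenc11#aes{n}-gcm" for n in (128, 192, 256)}
IV_LEN, TAG_LEN = 12, 16  # XML Encryption 1.1: 96-bit IV first, 128-bit tag last

def split_gcm_cipher_values(xml_text):
    """Return {algorithm, iv, ciphertext, tag} for each AES-GCM EncryptedData."""
    parts = []
    # ElementTree is used for local test files; it is not hardened for hostile XML.
    for enc in ET.fromstring(xml_text).iter(XENC + "EncryptedData"):
        method = enc.find(XENC + "EncryptionMethod")
        alg = method.get("Algorithm") if method is not None else None
        if alg not in GCM_ALGS:
            continue  # CBC and other modes use a different layout
        # Direct child path: skips the CipherValue of a nested EncryptedKey.
        cv = enc.find(f"{XENC}CipherData/{XENC}CipherValue")
        if cv is None or not cv.text:
            raise ValueError("EncryptedData has no inline CipherValue")
        raw = base64.b64decode("".join(cv.text.split()), validate=True)
        if len(raw) < IV_LEN + TAG_LEN:
            raise ValueError(f"CipherValue is {len(raw)} bytes, too short for IV + tag")
        parts.append({"algorithm": alg, "iv": raw[:IV_LEN],
                      "ciphertext": raw[IV_LEN:-TAG_LEN], "tag": raw[-TAG_LEN:]})
    return parts

def dump(parts):
    """Base64 lines that can be diffed against another implementation's output."""
    b64 = lambda b: base64.b64encode(b).decode()
    return [f"{k}={b64(p[k])} ({len(p[k])} bytes)"
            for p in parts for k in ("iv", "ciphertext", "tag")]

# Constructed sample (not the file from the thread): 12 + 74 + 16 = 102 bytes.
SAMPLE_BLOB = bytes(range(12)) + b"\xaa" * 74 + b"\xbb" * 16
SAMPLE = f"""<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
  <CipherData><CipherValue>{base64.b64encode(SAMPLE_BLOB).decode()}</CipherValue></CipherData>
</EncryptedData>"""

if __name__ == "__main__":
    print("\n".join(dump(split_gcm_cipher_values(SAMPLE))))
```

A tag or IV that differs between the two dumps, or a ciphertext length that is off by a block, points at how the encrypting side assembled the CipherValue rather than at the key.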

