[xmlsec] EncryptedAssertion format

Claude Lecommandeur claude.lecommandeur at epfl.ch
Wed Mar 14 07:59:47 PDT 2012


On 03/14/2012 03:19 PM, Aleksey Sanin wrote:
> Do you mind posting the full xml document?

     The xml, certificate and private key are attached. Thanks for your attention.

         Claude.

>
> Aleksey
>
> On 3/14/12 6:45 AM, Claude Lecommandeur wrote:
>>     Hi,
>>
>>    I am trying to write a small SAML2 IDP and have a strange problem when
>> creating an encrypted saml2:Assertion.
>> I create a saml2p:Response which contains an assertion:
>>
>> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>                   IssueInstant="2012-03-13T12:02:56Z"
>>                   Version="2.0">
>> ...
>> </saml2:Assertion>
>>
>>    I encrypted it with an AES key, and embedded it inside
>> saml2:EncryptedAssertion and xenc:EncryptedData, and everything goes
>> well. The problem arises when I try to decrypt it with xmlsec1 --decrypt.
>> I get this:
>>
>> ------------------------------------
>> xmlsec1 --decrypt --trusted-pem kissrv64.crt --privkey kissrv64.key resp
>> Entity: line 80: parser error : chunk is not well balanced
>> </saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
>>                                                     ^
>> func=xmlSecReplaceNodeBufferAndReturn:file=xmltree.c:line=573:obj=unknown:subj=xmlParseInNodeContext:error=5:libxml2
>> library function failed:Failed to parse content
>> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=648:obj=unknown:subj=xmlSecReplaceNodeBuffer:error=1:xmlsec
>> library function failed:node=EncryptedData
>> Error: failed to decrypt file
>> Error: failed to decrypt file "resp"
>> -----------------------------------
>>
>>    This is strange since my assertion is well balanced. If I remove the
>> closing tag of the assertion, making it invalid XML, the decrypting
>> works but produces an invalid result: no saml2:Assertion inside.
>>
>>     I then tried to insert a prefix before the assertion:
>>
>> <saml2:Assertion<saml2:Assertion
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>                   IssueInstant="2012-03-13T12:02:56Z"
>>                   Version="2.0">
>> ...
>> </saml2:Assertion>
>>
>>     Yes, perfect nonsense, but decrypting works and seems correct; however,
>> when feeding it to a Shibboleth SP, it chokes with "Decryption did not
>> result in a single element."
>>
>>
>>      I am lost; if anyone has any advice ready for this case, I'll take it.
>>
>>        Claude.
>>


-- 
Claude Lecommandeur           claude.lecommandeur at epfl.ch
EPFL - PL-DIT - KIS           +41 21 6932297
1015 Lausanne (Switzerland)   http://slpc1.epfl.ch/public/Claude.html

This signature intentionally left boring.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samlresp.xml
Type: text/xml
Size: 17358 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120314/2dcead91/attachment-0001.xml>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: samltest.crt
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120314/2dcead91/attachment-0002.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: samltest.key
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120314/2dcead91/attachment-0003.ksh>
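The symptom in the post (prepending the 16-character string `<saml2:Assertion` makes xmlsec1 decrypt successfully) is consistent with the IDP's encryptor not prepending the AES-CBC IV to the ciphertext, which XML Encryption requires; that cause is an assumption made here, not something the thread establishes. The Go program below is an added example, not code from xmlsec or from the poster: it models a conforming and a non-conforming encryptor against a decryptor that follows the xmlenc convention, using a constructed key, IV and assertion.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo material: AES-128 key and IV (not real secrets) and a
// minimal assertion standing in for the one in the post.
var key = []byte("0123456789abcdef")
var iv = []byte("fedcba9876543210")
var assertion = []byte(`<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">x</saml2:Assertion>`)
// EncryptCBC models the IDP side. xmlenc requires CipherValue = IV || AES-CBC
// ciphertext; prependIV=false reproduces an encryptor that omits the IV.
func EncryptCBC(plaintext []byte, prependIV bool) []byte {
	block, _ := aes.NewCipher(key) // 16-byte key, cannot fail
	// xmlenc padding: filler bytes, then one byte holding the pad length.
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append(append([]byte{}, plaintext...), bytes.Repeat([]byte{0}, n-1)...), byte(n))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	if prependIV {
		return append(append([]byte{}, iv...), ct...)
	}
	return ct
}

// DecryptCBC does what xmlsec1 --decrypt does with the CipherValue: take the
// first block as IV, decrypt the rest, strip the padding by its last byte.
func DecryptCBC(data []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("cipher data: %d bytes is not IV plus whole blocks", len(data))
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize && n <= len(pt) {
		return pt[:len(pt)-n], nil
	}
	return nil, fmt.Errorf("invalid padding")
}

func main() {
	good, _ := DecryptCBC(EncryptCBC(assertion, true))
	// IV omitted: the decryptor uses the first ciphertext block as IV, so exactly one plaintext block is lost.
	broken, _ := DecryptCBC(EncryptCBC(assertion, false))
	fmt.Printf("conforming: %s\nIV omitted: %s\n", good, broken)
}
```

The "IV omitted" output starts at ` xmlns:saml2=`: the first 16 bytes, `<saml2:Assertion`, are gone and the remainder ends in a closing tag with no opening tag, the kind of fragment libxml2 rejects as "chunk is not well balanced". Prepending 16 bytes of filler to the plaintext, as the post did, merely sacrifices that filler to the missing IV, which is why it "works" while still producing a CipherValue no conforming peer can rely on.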

