[xmlsec] EncryptedAssertion format

Claude Lecommandeur claude.lecommandeur at epfl.ch
Thu Mar 15 00:54:20 PDT 2012


On 03/14/2012 05:26 PM, Aleksey Sanin wrote:
> The encrypted data look like this
>
>   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                          IssueInstant="2012-03-14T14:55:01Z"
>                          Version="2.0"
> ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
>           <saml2:Issuer
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> ....
>
>
> Notice that "<saml2:Assertion" is missing? There is a problem either
> with encryption or decryption.

     Yes, I understand, now the problem is the EncryptedData with type Element. The encrypted content is supposed to have a 16-byte header. I think that it is interpreted as a digest, but what is digested, I don't know. Neither xmlsec nor the Shibboleth SP uses it; any sequence of 16 bytes is accepted. Since I didn't add this header, the first 16 bytes of the Assertion were removed. I now add the 16 bytes and everything is OK. If someone has a reference that describes this header, I'll take it.

    Thanks a lot to Aleksey for his software and kind answer.

       Claude.

>
>
> Aleksey
>
> On 3/14/12 7:59 AM, Claude Lecommandeur wrote:
>> On 03/14/2012 03:19 PM, Aleksey Sanin wrote:
>>> Do you mind posting the full xml document?
>>      The xml, certificate and private key are attached. Thanks for your
>> attention.
>>
>>          Claude.
>>
>>> Aleksey
>>>
>>> On 3/14/12 6:45 AM, Claude Lecommandeur wrote:
>>>>      Hi,
>>>>
>>>>     I am trying to write a small SAML2 IDP and have a strange problem
>>>> when
>>>> creating encrypted saml2:Assertion.
>>>> I create a saml2p:Response which contains an assertion :
>>>>
>>>> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>                    IssueInstant="2012-03-13T12:02:56Z"
>>>>                    Version="2.0">
>>>> ...
>>>> </saml2:Assertion>
>>>>
>>>>     I encrypted it with an AES key and embedded it inside
>>>> saml2:EncryptedAssertion and xenc:EncryptedData, and everything goes
>>>> well. The problem arises when I try to decrypt it with xmlsec1 --decrypt.
>>>> I get this :
>>>>
>>>> ------------------------------------
>>>> xmlsec1 --decrypt --trusted-pem kissrv64.crt --privkey kissrv64.key resp
>>>> Entity: line 80: parser error : chunk is not well balanced
>>>> </saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
>>>>                                                      ^
>>>> func=xmlSecReplaceNodeBufferAndReturn:file=xmltree.c:line=573:obj=unknown:subj=xmlParseInNodeContext:error=5:libxml2
>>>>
>>>> library function failed:Failed to parse content
>>>> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=648:obj=unknown:subj=xmlSecReplaceNodeBuffer:error=1:xmlsec
>>>>
>>>> library function failed:node=EncryptedData
>>>> Error: failed to decrypt file
>>>> Error: failed to decrypt file "resp"
>>>> -----------------------------------
>>>>
>>>>     This is strange since my assertion is well balanced. If I remove the
>>>> closing tag of the assertion, making it invalid XML, the decrypting
>>>> works but produces an invalid result: no saml2:Assertion inside.
>>>>
>>>>      I then tried to insert a prefix to the assertion :
>>>>
>>>> <saml2:Assertion<saml2:Assertion
>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>                    IssueInstant="2012-03-13T12:02:56Z"
>>>>                    Version="2.0">
>>>> ...
>>>> </saml2:Assertion>
>>>>
>>>>      Yes, perfect nonsense, but decrypting works and seems correct, but
>>>> when feeding it to a Shibboleth SP, it chokes with "Decryption did not
>>>> result in a single element."
>>>>
>>>>
>>>>       I am lost; if anyone has any advice ready for this case, I'll
>>>> take it.
>>>>
>>>>         Claude.
>>>>
>>


-- 
Claude Lecommandeur           claude.lecommandeur at epfl.ch
EPFL - PL-DIT - KIS           +41 21 6932297
1015 Lausanne (Switzerland)   http://slpc1.epfl.ch/public/Claude.html

This signature intentionally left boring.
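What the 16 bytes are, as an added note with example code that is not part of the thread: XML Encryption (W3C xmlenc-core, section 5.2.2, Block Encryption Algorithms) requires that for CBC block ciphers the IV be prepended to the ciphertext inside CipherValue, and that the plaintext be padded with 1 to blocksize bytes whose last byte holds the pad count. The 16 bytes that xmlsec1 and the Shibboleth SP take from the front of the decoded CipherValue are therefore the AES-CBC IV, not a digest, which is why any 16 bytes are accepted. When they are absent, the decryptor uses the first real ciphertext block as the IV and, because of how CBC chains, every block after it still decrypts correctly: exactly one plaintext block is lost, here the 16 characters `<saml2:Assertion`, and the rest of the element comes out intact, which is the broken output Aleksey posted. The Go program below, written for this page and not taken from xmlsec or Shibboleth, reproduces both cases. The element text, the test key, the IV and all function names are constructed for the example; key transport (EncryptedKey) is left out and the AES key is assumed to be shared out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// SampleAssertion is a constructed stand-in for the saml2:Assertion from the
// thread; its first 16 bytes are exactly "<saml2:Assertion".
const SampleAssertion = `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2012-03-14T14:55:01Z"><saml2:Issuer>https://idp.example.org</saml2:Issuer></saml2:Assertion>`

// xencPad appends the 1..blockSize padding bytes XML Encryption requires;
// only the final byte (the pad count) is significant, the others are arbitrary.
func xencPad(plain []byte, blockSize int) []byte {
	n := blockSize - len(plain)%blockSize
	out := make([]byte, len(plain)+n)
	copy(out, plain)
	out[len(out)-1] = byte(n)
	return out
}

// xencUnpad removes that padding, rejecting impossible pad counts.
func xencUnpad(padded []byte, blockSize int) ([]byte, error) {
	if len(padded) == 0 || len(padded)%blockSize != 0 {
		return nil, errors.New("decrypted length is not a multiple of the block size")
	}
	n := int(padded[len(padded)-1])
	if n < 1 || n > blockSize {
		return nil, errors.New("invalid pad count")
	}
	return padded[:len(padded)-n], nil
}

// EncryptAES128CBC returns the octets that go into xenc:CipherValue.
// With prependIV=true the result is IV || ciphertext, as the spec requires;
// with prependIV=false the IV is omitted, which is the bug in the thread.
func EncryptAES128CBC(key, iv, plain []byte, prependIV bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(iv) != bs {
		return nil, errors.New("IV must be one block long")
	}
	padded := xencPad(plain, bs)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	if !prependIV {
		return ct, nil
	}
	return append(append([]byte{}, iv...), ct...), nil
}

// DecryptAES128CBC does what a conforming decryptor does with the decoded
// CipherValue: the first block is the IV, the rest is ciphertext. If the
// sender forgot the IV, the first real ciphertext block is consumed as the
// IV and exactly one plaintext block is silently lost.
func DecryptAES128CBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, errors.New("cipher value too short or not block aligned")
	}
	pt := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(pt, data[bs:])
	return xencUnpad(pt, bs)
}

// WrapEncryptedData builds the xenc:EncryptedData element for a Type=Element
// encryption with AES-128-CBC (no EncryptedKey: shared key assumed).
func WrapEncryptedData(cipherValue []byte) string {
	return `<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">` +
		`<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>` +
		`<xenc:CipherData><xenc:CipherValue>` + base64.StdEncoding.EncodeToString(cipherValue) +
		`</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>`
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit test key, not for real use
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	for _, withIV := range []bool{true, false} {
		cv, err := EncryptAES128CBC(key, iv, []byte(SampleAssertion), withIV)
		if err != nil {
			panic(err)
		}
		fmt.Println(WrapEncryptedData(cv))
		pt, err := DecryptAES128CBC(key, cv)
		if err != nil {
			panic(err)
		}
		fmt.Printf("IV prepended=%v, decrypted element begins: %.40q\n", withIV, pt)
	}
}
```

With the IV prepended the round trip returns the full element; without it the decrypted text starts at ` xmlns:saml2=...`, the well-formedness check in xmlsec1 fails on the unmatched `</saml2:Assertion>`, and Shibboleth's "did not result in a single element" follows. One caveat for anyone implementing the decrypting side: this is unauthenticated CBC, the mode that Jager and Somorovsky's 2011 attack on XML Encryption exploits, so a decryptor must not let the sender distinguish a padding failure from an XML parse failure.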


