[xmlsec] Encrypting with pub key in cert

Ashley Hindmarsh ashley.hindmarsh at bbc.co.uk
Tue Feb 12 01:19:42 PST 2013 

I'm trying to generate encrypted XML from a pre-signed SAML token using 
xmlsec1.

Platform is RHEL5 (running as a VM).

I'm using this document (along with xmlsec docs) as a reference
http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc9
This describes the use-case (hybrid encryption) very nicely.

/usr/bin/xmlsec1 encrypt \
  --pubkey-cert-pem t/psdrsamlcert.pem  \
  --print-debug \
  --session-key aes-256  \
  --xml-data t/DecryptedToken.xml \
  --output psdr-encrypted-xpath.xml \
  --node-xpath / t/session-key-template.xml

psdrsamlcert.pem is generated using basic openssl defaults + an RSA key 
pair (self-signed).

session-key-template.xml reads as follows:

<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" 
Type="http://www.w3.org/2001/04/xmlenc#Element">
   <EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
       <EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
       </EncryptionMethod>
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
           <X509IssuerSerial>
             <X509IssuerName/>
             <X509SerialNumber/>
           </X509IssuerSerial>
         </X509Data>
       </KeyInfo>
       <CipherData>
         <CipherValue/>
       </CipherData>
     </EncryptedKey>
   </KeyInfo>
   <CipherData>
     <CipherValue/>
   </CipherData>
</EncryptedData>

The error I get is:
func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto 
library function failed:

I tried adding --X509-skip-strict-checks, but that makes no difference.

It seems that using self-signed certs may be a problem, but that 
appeared to apply only to xmlsec verification functions

Is it the case that the same functions are required to extract the X509 
credentials?

If so it there a work-around which avoids this.
I don't *need* to have X509Data in the token response, just some 
reference to the issuer.
I tried using 'KeyName' in place of X509Data but again, it makes no 
difference.

thanks for reading,
   Ash

More information about the xmlsec mailing list