I'm trying to illustrate how to take an OASIS WSSE SOAP Message and operate on it with the commands in OpenSSL. The SOAP Message encrypts the contents of an element in the Body with AES-256-CBC with a key that was encrypted with RSA-1_5 using a public key. We have an RSA encryption of a key for bulk AES encryption.
I am close, but not able to actually decrypt the element in the body.

-----------------------------------------------------------------

1) We see that it uses rsa-1_5:

<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>

2) We have the BinarySecurityToken:

<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIICczCCAdygAwIBAgIBPjANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AkNBMRIwEAYDVQQHEwlQYWxvIEFsdG8xDjAMBgNVBAoTBVRJQkNPMQ4wDAYDVQQLEwVQIG4gRzER
MA8GA1UEAxMIY2NsYWJDQTIxHTAbBgkqhkiG9w0BCQEWDndsYXVAdGliY28uY29tMB4XDTA4MDQw
MzIwNDYxOVoXDTEzMDkyNDIwNDYxOVowczELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ4wDAYD
VQQKEwVUSUJDTzEOMAwGA1UECxMFUCBuIEcxGDAWBgNVBAMTD1RJQkNPLTE4QkQ5N0NERDEdMBsG
CSqGSIb3DQEJARYOd2xhdUB0aWJjby5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAnQvNYa0D
1QTbzKoZeMgdzIHcIdjx8AwrS759GcJUFPew0F3UMvSOBrUoIYtk/uAqdg7oOwt7WRRH+paZ7OHj
iwIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBReUOEjIUlIigy5Ua8Do2BOKTn/ZzAfBgNV
HSMEGDAWgBQY6w0NLn+7H8O5Q5oZK7NX8JLRCzANBgkqhkiG9w0BAQQFAAOBgQBb6qMC9lbVvl53
KnvAGjHZ15S2+SDuHM3EL0AqezxWgZPYtIF85Mnle7VwPm0ZgeNwrYqHs0EPx4qU+SZPV2KQ3Mm7
hZo4KGCXjxnBqHSWKiKMIwVfrmqW/gZsPDPOLVrS95IeltKHDKv2RorFf6piNwkXDBf0W4eROAAc
adKZ6Q==
</wsse:BinarySecurityToken>

3) We have the PKCS#12 certificate corresponding to the above certificate, so can obtain the private key.
4) We have the CipherValue for the EncryptedKey:

<xenc:CipherValue>cZx/SXYEmZv0kkePPNoqN0S/8y58VeyODeLZYJP/1kfCnLUrqu2ZiVWuG2L7lIIgbtU+A+ODRfCH
HPjSs5hS3w==
</xenc:CipherValue>

5) We have knowledge of the cipher being used:

<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>

6) We have the Encrypted Data from the Body and know it is limited to the Content:

<xenc:EncryptedData Id="EncDataId-1407437" Type="http://www.w3.org/2001/04/xmlenc#Content" ...
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">tnOn/zq+2KhNLzsz8IvcfO2ZRYF1EWmRx25vL2u30Ws5oVrRTXf7sk2x9VRrAa0HeqNQNBclrKnf
RMoCP6xtS/3qABSB3fwc6XuST9qgIcxr+YUy0paXbLWY8bb4mCJnr8+9nacB/BR3T0nQMHyn7FsS
+Rlvgz7TlxL4Tks6CJfFbwduNkn6aUkz7WHvAT69RF8/TMr8n8I4mk+2OF717exeMPfuChlm24oS
Sm5v1QR4oV+u8pEzTsUy71QYtw0gkK5xFjsUGYpqFXbUZbz3z9Gi4iLPQJ8wG9PicKTC48ACm274
vrkn7KkaF4iwOguX4S97NAR5jwP55Yn65uLU6Q==
</xenc:CipherValue>

-----------------------------

I should be able to use "openssl rsautl -decrypt -inkey private.key.pem -in CipherValueKey", but I get

RSA operation error
3328:error:0406506C:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data greater than mod len:.\crypto\rsa\rsa_eay.c:512:

I convert the CipherValueKey to binary and the decryption works. I should be able to use the result as the symmetric key (I've tried binary and base64). Here I try it with the key in a binary format.

openssl aes-256-cbc -d -in BodyCipherValue.txt -pass file:symmetric-key.bin
bad magic number

------------------------------

Someone suggested that the CipherValue in the Body would be an ASN.1 structure, and that I'd have to know the offset (?), so I tried looking at it with asn1parse, and I got somewhere with blindly iterating through "-offset":

#should be PEM as base64...
C:\OpenSSL\bin\encryptCERT>openssl asn1parse -inform PEM -in BodyCipherValue.txt
0:d=0 hl=2 l= 115 cons: cont [ 22 ]
Error in encoding
7644:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\crypto\asn1\asn1_lib.c:150:

#nope, let's try DER...
C:\OpenSSL\bin\encryptCERT>openssl asn1parse -inform DER -in BodyCipherValue.txt
0:d=0 hl=2 l= 110 cons: appl [ 20 ]
Error in encoding
6480:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:.\crypto\asn1\asn1_lib.c:142:

#both error in encoding? "Header too long" and "too long", different lines in the same c mod.
#try convert to binary...
C:\OpenSSL\bin\encryptCERT>openssl base64 -d <BodyCipherValue.txt>BCV.bin

C:\OpenSSL\bin\encryptCERT>openssl asn1parse -inform PEM -in BCV.bin
Error: offset too large

#Different! Still, something too long or large! Let's try it with DER now that it is binary
#play with offset C
C:\OpenSSL\bin\encryptCERT>openssl asn1parse -inform DER -in BCV.bin -offset 7
0:d=0 hl=2 l= 77 cons: cont [ 8 ]
2:d=1 hl=2 l= 59 cons: <ASN1 15>
Error in encoding
3860:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\crypto\asn1\asn1_lib.c:150:

I'm now getting two lines from the asn1parse.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
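
Added example, not part of the original post: in XML Encryption each CipherValue is base64 text, and for aes256-cbc the decoded octets are a 16-byte IV followed by raw ciphertext (no ASN.1 wrapper and no "Salted__" header that "openssl enc -pass" looks for), with padding where only the last byte, the pad length, is defined. The script below runs the rsa-1_5 unwrap and AES-256-CBC decryption end to end on a message it constructs itself; the file names, the sample content, and the use of "openssl pkeyutl" in place of the post's "rsautl" are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. File names and the sample message
# are constructed. Needs openssl, od, tr, head, tail, wc and mktemp on PATH.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# $1 RSA private key (PEM), $2 EncryptedKey CipherValue file (base64 text),
# $3 EncryptedData CipherValue file (base64 text). Prints the decrypted content.
xmlenc_decrypt() (
    set -e
    t=$(mktemp -d)
    # CipherValue is base64 text: decode to binary before any crypto step.
    tr -d ' \r\n' < "$2" | openssl base64 -d -A > "$t/wrapped.bin"
    tr -d ' \r\n' < "$3" | openssl base64 -d -A > "$t/body.bin"
    # The rsa-1_5 unwrap yields the raw AES key bytes, not a passphrase.
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:pkcs1 \
        -in "$t/wrapped.bin" -out "$t/aes.key"
    # aes256-cbc layout: 16-byte IV, then the ciphertext blocks.
    iv=$(head -c 16 "$t/body.bin" | hex)
    tail -c +17 "$t/body.bin" > "$t/ct.bin"
    # -K/-iv pass key and IV directly; -nopad because XML Encryption padding
    # only defines the last byte (the pad length), so it is stripped by hand.
    openssl enc -d -aes-256-cbc -K "$(hex < "$t/aes.key")" -iv "$iv" \
        -nopad -in "$t/ct.bin" -out "$t/pt.bin"
    n=$(wc -c < "$t/pt.bin")
    pad=$(tail -c 1 "$t/pt.bin" | od -An -tu1 | tr -d ' \n')
    [ "$pad" -ge 1 ] && [ "$pad" -le 16 ] || { echo "bad padding" >&2; exit 1; }
    head -c $((n - pad)) "$t/pt.bin"
    rm -rf "$t"
)

# Build a constructed message the way an XML Encryption sender would.
make_sample() {  # $1 = output directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/private.key.pem" 2>/dev/null
    openssl rand 32 > "$1/aes.key"; openssl rand 16 > "$1/iv.bin"
    # 23 content bytes + 8 arbitrary pad bytes + final byte 9 (pad length)
    printf '<amount>100.00</amount>AAAAAAAA\011' > "$1/padded.bin"
    openssl enc -aes-256-cbc -K "$(hex < "$1/aes.key")" -iv "$(hex < "$1/iv.bin")" \
        -nopad -in "$1/padded.bin" -out "$1/ct.bin"
    cat "$1/iv.bin" "$1/ct.bin" | openssl base64 > "$1/body.b64"
    openssl pkeyutl -encrypt -inkey "$1/private.key.pem" \
        -pkeyopt rsa_padding_mode:pkcs1 -in "$1/aes.key" | openssl base64 > "$1/key.b64"
}

demo() {  # prints the plaintext recovered from the constructed message
    d=$(mktemp -d); make_sample "$d"
    xmlenc_decrypt "$d/private.key.pem" "$d/key.b64" "$d/body.b64"
    rm -rf "$d"
}
demo; echo
```

To run it against a real message, save each CipherValue's text to its own file and call xmlenc_decrypt with the PEM private key exported from the PKCS#12 file.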