I'm trying to generate encrypted XML from a pre-signed SAML token using xmlsec1.

Platform is RHEL5 (running as a VM).

I'm using this document (along with xmlsec docs) as a reference
http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc9
This describes the use-case (hybrid encryption) very nicely.

/usr/bin/xmlsec1 encrypt \
 --pubkey-cert-pem t/psdrsamlcert.pem  \
 --print-debug \
 --session-key aes-256  \
 --xml-data t/DecryptedToken.xml \
 --output psdr-encrypted-xpath.xml \
 --node-xpath / t/session-key-template.xml

psdrsamlcert.pem is generated using basic openssl defaults + an RSA key pair (self-signed).

session-key-template.xml reads as follows:

<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      </EncryptionMethod>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509IssuerSerial>
            <X509IssuerName/>
            <X509SerialNumber/>
          </X509IssuerSerial>
        </X509Data>
      </KeyInfo>
      <CipherData>
        <CipherValue/>
      </CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData>
    <CipherValue/>
  </CipherData>
</EncryptedData>

The error I get is:
func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto library function failed:

I tried adding --X509-skip-strict-checks, but that makes no difference.

It seems that using self-signed certs may be a problem, but that appeared to apply only to xmlsec verification functions.

Is it the case that the same functions are required to extract the X509 credentials?

If so, is there a work-around which avoids this?
I don't *need* to have X509Data in the token response, just some reference to the issuer. I tried using 'KeyName' in place of X509Data but again, it makes no difference.

thanks for reading,
  Ash
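Added example, not from the post or the xmlsec project: the error names BN_dec2bn, OpenSSL's decimal-string-to-BIGNUM parser, which xmlsec applies to the X509SerialNumber text, so an empty or hexadecimal serial fails inside xmlSecOpenSSLX509FindCert before any certificate is compared. The script below lints a template for exactly that, and assumes (following the template's own empty CipherValue placeholders) that a bare <X509IssuerSerial/> with no children is the form xmlsec fills in at run time.

```python
import re
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)

# Constructed copy of the posted template (issuer/serial left as empty children).
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509IssuerSerial><X509IssuerName/><X509SerialNumber/></X509IssuerSerial></X509Data>
      </KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData><CipherValue/></CipherData>
</EncryptedData>"""


def lint_issuer_serial(xml_text):
    """List problems in every X509IssuerSerial that xmlsec would try to resolve.
    BN_dec2bn accepts only decimal digits, so an empty or hex serial fails
    inside xmlSecOpenSSLX509FindCert before any certificate is compared."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for isr in root.iter(f"{{{DS}}}X509IssuerSerial"):
        name = isr.find(f"{{{DS}}}X509IssuerName")
        serial = isr.find(f"{{{DS}}}X509SerialNumber")
        if name is None and serial is None:
            continue  # bare <X509IssuerSerial/>: assumed placeholder, skipped
        if name is None or not (name.text or "").strip():
            findings.append("X509IssuerName is missing or empty")
        text = (serial.text or "").strip() if serial is not None else ""
        if not re.fullmatch(r"[0-9]+", text):
            findings.append(f"X509SerialNumber {text!r} is not a decimal integer")
    return findings


def make_placeholder(xml_text):
    """Strip the empty issuer/serial children so only <X509IssuerSerial/> remains."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for isr in list(root.iter(f"{{{DS}}}X509IssuerSerial")):
        for child in list(isr):
            isr.remove(child)
        isr.text = None
    return ET.tostring(root, encoding="unicode")
```

Run lint_issuer_serial on a template before handing it to xmlsec1; a non-empty findings list means the X509IssuerSerial block will be parsed as a lookup rather than left as a placeholder.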

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec