There is a stack trace printed for the error. What is it?

Aleksey

On 2/12/13 1:19 AM, Ashley Hindmarsh wrote:
> I'm trying to generate encrypted XML from a pre-signed SAML token using
> xmlsec1.
>
> Platform is RHEL5 (running as a VM).
>
> I'm using this document (along with xmlsec docs) as a reference
> http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc9
> This describes the use-case (hybrid encryption) very nicely.
>
> /usr/bin/xmlsec1 encrypt \
>     --pubkey-cert-pem t/psdrsamlcert.pem \
>     --print-debug \
>     --session-key aes-256 \
>     --xml-data t/DecryptedToken.xml \
>     --output psdr-encrypted-xpath.xml \
>     --node-xpath / t/session-key-template.xml
>
> psdrsamlcert.pem is generated using basic openssl defaults + an RSA key
> pair (self-signed).
>
> session-key-template.xml reads as follows:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
>     Type="http://www.w3.org/2001/04/xmlenc#Element">
>   <EncryptionMethod
>       Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
>       <EncryptionMethod
>           Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>       </EncryptionMethod>
>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <X509Data>
>           <X509IssuerSerial>
>             <X509IssuerName/>
>             <X509SerialNumber/>
>           </X509IssuerSerial>
>         </X509Data>
>       </KeyInfo>
>       <CipherData>
>         <CipherValue/>
>       </CipherData>
>     </EncryptedKey>
>   </KeyInfo>
>   <CipherData>
>     <CipherValue/>
>   </CipherData>
> </EncryptedData>
>
> The error I get is:
> func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto
> library function failed:
>
> I tried adding --X509-skip-strict-checks, but that makes no difference.
>
> It seems that using self-signed certs may be a problem, but that
> appeared to apply only to xmlsec verification functions.
>
> Is it the case that the same functions are required to extract the X509
> credentials?
>
> If so, is there a work-around which avoids this?
> I don't *need* to have X509Data in the token response, just some
> reference to the issuer.
> I tried using 'KeyName' in place of X509Data but again, it makes no
> difference.
>
> thanks for reading,
> Ash
>
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
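A pre-flight check for the template discussed in this thread, added here as an example and not code from the thread or from xmlsec itself. It assumes (an assumption, not something the thread confirms) that the failure comes from the empty `<X509SerialNumber/>`, since `BN_dec2bn` parses a decimal string and `X509SerialNumber` is an `xs:integer`; the helper also converts the hexadecimal serial that `openssl x509 -noout -serial` prints into the decimal form the element expects. The template string is a constructed copy of the one posted above.

```python
import re
import xml.etree.ElementTree as ET

XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
ISSUER = f"{{{XMLDSIG}}}X509IssuerName"
SERIAL = f"{{{XMLDSIG}}}X509SerialNumber"

# Constructed copy of the posted session-key template, X509IssuerSerial left empty.
TEMPLATE_EMPTY = """<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
    Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509IssuerSerial>
          <X509IssuerName/><X509SerialNumber/>
        </X509IssuerSerial></X509Data>
      </KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData><CipherValue/></CipherData>
</EncryptedData>"""


def check_issuer_serial(template_xml: str) -> list:
    """List problems in every X509IssuerSerial: an empty issuer name, an empty
    serial, or a serial that is not a plain decimal integer (BN_dec2bn input)."""
    problems = []
    for node in ET.fromstring(template_xml).iter(f"{{{XMLDSIG}}}X509IssuerSerial"):
        issuer = (node.findtext(ISSUER) or "").strip()
        serial = (node.findtext(SERIAL) or "").strip()
        if not issuer:
            problems.append("X509IssuerName is empty")
        if not serial:
            problems.append("X509SerialNumber is empty")
        elif not re.fullmatch(r"[0-9]+", serial):
            problems.append(f"X509SerialNumber {serial!r} is not decimal")
    return problems


def fill_issuer_serial(template_xml: str, issuer_name: str, serial_hex: str) -> str:
    """Fill each X509IssuerSerial with the issuer DN and the serial converted from
    the hex form printed by `openssl x509 -noout -serial` ("serial=0A1B" or "0A1B").
    ElementTree may rewrite namespace prefixes; xmlsec matches on namespace URIs."""
    serial_dec = str(int(serial_hex.split("=")[-1], 16))
    root = ET.fromstring(template_xml)
    for node in root.iter(f"{{{XMLDSIG}}}X509IssuerSerial"):
        node.find(ISSUER).text = issuer_name
        node.find(SERIAL).text = serial_dec
    return ET.tostring(root, encoding="unicode")
```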
