On 12/02/2013 14:38, Aleksey Sanin wrote:
There is a stack trace printed for the error. What is it?
That is all we get - no further stack trace.
func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto
library function failed:
I just noticed that the output file was being created - so that may have
been a warning.
However, the X509IssuerSerial element was not being populated as expected.
Instead there is a dump of the X509Certificate.
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
<X509Data>
<X509IssuerSerial>
<X509IssuerName/>
<X509SerialNumber/>
</X509IssuerSerial>
<X509Certificate>MIIEmzCCA4OgAwIBAgIJAPvusOvlHmEXMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD
VQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMRMwEQYDVQQHEwpXaGl0ZSBDaXR5MQww
...
This isn't a showstopper as I can inject the correct X509 details myself.
In the --print-debug output, I can see the X509 being extracted
== KEY
=== method: RSAKeyValue
=== key type: Public
=== key usage: -1
=== rsa key: size = 2048
=== list size: 1
=== X509 Data:
==== Certificate:
==== Subject Name:
/C=GB/ST=London/L=XXXXX/O=XXXX/OU=XXXX/CN=XXXX/[email protected]
==== Issuer Name:
/C=GB/ST=London/L=XXXXX/O=XXXX/OU=XXXX/CN=XXXX/[email protected]
==== Issuer Serial: FBEEB0EBE51E6117
Ash
Aleksey
On 2/12/13 1:19 AM, Ashley Hindmarsh wrote:
I'm trying to generate encrypted XML from a pre-signed SAML token using
xmlsec1.
Platform is RHEL5 (running as a VM).
I'm using this document (along with xmlsec docs) as a reference
http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc9
This describes the use-case (hybrid encryption) very nicely.
/usr/bin/xmlsec1 encrypt \
--pubkey-cert-pem t/psdrsamlcert.pem \
--print-debug \
--session-key aes-256 \
--xml-data t/DecryptedToken.xml \
--output psdr-encrypted-xpath.xml \
--node-xpath / t/session-key-template.xml
psdrsamlcert.pem is generated using basic openssl defaults + an RSA key
pair (self-signed).
session-key-template.xml reads as follows:
<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#";
Type="http://www.w3.org/2001/04/xmlenc#Element";>
<EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#";>
<EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
</EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
<X509Data>
<X509IssuerSerial>
<X509IssuerName/>
<X509SerialNumber/>
</X509IssuerSerial>
</X509Data>
</KeyInfo>
<CipherData>
<CipherValue/>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue/>
</CipherData>
</EncryptedData>
The error I get is:
func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto
library function failed:
I tried adding --X509-skip-strict-checks, but that makes no difference.
It seems that using self-signed certs may be a problem, but that
appeared to apply only to xmlsec verification functions
Is it the case that the same functions are required to extract the X509
credentials?
If so it there a work-around which avoids this.
I don't *need* to have X509Data in the token response, just some
reference to the issuer.
I tried using 'KeyName' in place of X509Data but again, it makes no
difference.
thanks for reading,
Ash
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
