This doesn't sound right. This error is probably indicating that the certificate parsing was not done properly.
Not sure why it is happening.

Aleksey

On 2/13/13 1:51 AM, Ashley Hindmarsh wrote:
> On 12/02/2013 14:38, Aleksey Sanin wrote:
>> There is a stack trace printed for the error. What is it?
> That is all we get - no further stack trace.
>
> func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto library function failed:
>
> I just noticed that the output file was being created - so that may have
> been a warning.
>
> However, the X509IssuerSerial element was not being populated as expected.
> Instead there is a dump of the X509Certificate.
>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <X509Data>
>     <X509IssuerSerial>
>       <X509IssuerName/>
>       <X509SerialNumber/>
>     </X509IssuerSerial>
>     <X509Certificate>MIIEmzCCA4OgAwIBAgIJAPvusOvlHmEXMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD
> VQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMRMwEQYDVQQHEwpXaGl0ZSBDaXR5MQww
> ...
>
> This isn't a showstopper as I can inject the correct X509 details myself.
>
> In the --print-debug output, I can see the X509 being extracted:
> == KEY
> === method: RSAKeyValue
> === key type: Public
> === key usage: -1
> === rsa key: size = 2048
> === list size: 1
> === X509 Data:
> ==== Certificate:
> ==== Subject Name:
> /C=GB/ST=London/L=XXXXX/O=XXXX/OU=XXXX/CN=XXXX/[email protected]
> ==== Issuer Name:
> /C=GB/ST=London/L=XXXXX/O=XXXX/OU=XXXX/CN=XXXX/[email protected]
> ==== Issuer Serial: FBEEB0EBE51E6117
>
> Ash
>
>> Aleksey
>>
>> On 2/12/13 1:19 AM, Ashley Hindmarsh wrote:
>>> I'm trying to generate encrypted XML from a pre-signed SAML token using
>>> xmlsec1.
>>>
>>> Platform is RHEL5 (running as a VM).
>>>
>>> I'm using this document (along with xmlsec docs) as a reference:
>>> http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc9
>>>
>>> This describes the use-case (hybrid encryption) very nicely.
>>>
>>> /usr/bin/xmlsec1 encrypt \
>>>     --pubkey-cert-pem t/psdrsamlcert.pem \
>>>     --print-debug \
>>>     --session-key aes-256 \
>>>     --xml-data t/DecryptedToken.xml \
>>>     --output psdr-encrypted-xpath.xml \
>>>     --node-xpath / t/session-key-template.xml
>>>
>>> psdrsamlcert.pem is generated using basic openssl defaults + an RSA key
>>> pair (self-signed).
>>>
>>> session-key-template.xml reads as follows:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
>>>     Type="http://www.w3.org/2001/04/xmlenc#Element">
>>>   <EncryptionMethod
>>>       Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>>>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
>>>       <EncryptionMethod
>>>           Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>>>       </EncryptionMethod>
>>>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>         <X509Data>
>>>           <X509IssuerSerial>
>>>             <X509IssuerName/>
>>>             <X509SerialNumber/>
>>>           </X509IssuerSerial>
>>>         </X509Data>
>>>       </KeyInfo>
>>>       <CipherData>
>>>         <CipherValue/>
>>>       </CipherData>
>>>     </EncryptedKey>
>>>   </KeyInfo>
>>>   <CipherData>
>>>     <CipherValue/>
>>>   </CipherData>
>>> </EncryptedData>
>>>
>>> The error I get is:
>>> func=xmlSecOpenSSLX509FindCert:file=x509vfy.c:line=742:obj=unknown:subj=BN_dec2bn:error=4:crypto library function failed:
>>>
>>> I tried adding --X509-skip-strict-checks, but that makes no difference.
>>>
>>> It seems that using self-signed certs may be a problem, but that
>>> appeared to apply only to xmlsec verification functions.
>>>
>>> Is it the case that the same functions are required to extract the X509
>>> credentials?
>>>
>>> If so, is there a work-around which avoids this?
>>> I don't *need* to have X509Data in the token response, just some
>>> reference to the issuer.
>>> I tried using 'KeyName' in place of X509Data but again, it makes no
>>> difference.
>>>
>>> thanks for reading,
>>> Ash
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
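Worked example, added here and not part of the thread or of xmlsec. The failing call in the trace above is BN_dec2bn, OpenSSL's decimal-string-to-BIGNUM parser, so xmlsec is reading the X509SerialNumber text as a decimal integer, which is how XML-DSig defines that element (xs:integer); an empty element, as in the template, is not one. Two things bite people who then fill the element in by hand, as Ash proposes: the --print-debug dump prints the serial in hex (FBEEB0EBE51E6117), while X509SerialNumber needs the decimal digits, and X509IssuerName is specified as the RFC 2253 string form, not the /C=GB/ST=... form the dump uses. The Python below (stdlib only; all function names are my own) walks a DER certificate to its issuer and serial, renders both the way the spec wants, and prints the X509IssuerSerial element to paste into the template. It reads the serial from the first two base64 lines of the X509Certificate dump quoted in the thread (the dump is cut off there, so the walker has a lenient mode that stops at the cut; the 96 bytes decode to the same serial the debug output shows) and uses a constructed, deliberately minimal certificate prefix, not a real certificate, to exercise the issuer path.

```python
"""Added example, not xmlsec code: derive the <X509IssuerSerial> contents the thread's template
leaves empty, rendered as XML-DSig requires (RFC 2253 issuer name, serial in decimal)."""
import base64
from xml.sax.saxutils import escape as xml_escape

_ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
         "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}
# First two base64 lines of the X509Certificate dump in the thread.  The certificate is cut
# off there, so only the fields before the cut (notably the serial) can be read from it.
THREAD_CERT_PREFIX = base64.b64decode(
    "MIIEmzCCA4OgAwIBAgIJAPvusOvlHmEXMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD"
    "VQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMRMwEQYDVQQHEwpXaGl0ZSBDaXR5MQww")
# Constructed issuer for the stand-alone run (the thread's own issuer is partly redacted).
SAMPLE_ISSUER = [("2.5.4.6", "GB"), ("2.5.4.8", "London"), ("2.5.4.10", "Example, Ltd"), ("2.5.4.3", "Example CA")]

def _tlv(buf, pos, lenient=False, want=None):
    """(tag, value_start, value_end) of the TLV at pos, bounds-checked.  lenient lets a constructed
    value (SEQUENCE/SET/[0]) run past the end of a cut-off dump; primitive values must be whole."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header at %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if want is not None and tag != want:
        raise ValueError("expected tag 0x%02x at %d, got 0x%02x" % (want, pos - 2, tag))
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length at %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) and not (lenient and tag & 0x20):
        raise ValueError("truncated DER value at %d" % pos)
    return tag, pos, min(pos + length, len(buf))

def _decode_oid(body):
    parts, v = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:                                  # base-128 arcs, high bit = continuation
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, v = parts + [str(v)], 0
    return ".".join(parts)

def parse_issuer_serial(cert_der, lenient=False):
    """Walk Certificate -> tbsCertificate -> [version] -> serialNumber -> signature -> issuer.
    Returns (serial as int, issuer as a list of RDNs, each a list of (dotted OID, text))."""
    _, pos, _ = _tlv(cert_der, 0, lenient, 0x30)                      # Certificate
    _, pos, _ = _tlv(cert_der, pos, lenient, 0x30)                    # tbsCertificate
    tag, _, e = _tlv(cert_der, pos, lenient)
    if tag == 0xA0:                                                    # optional [0] EXPLICIT version
        pos = e
    _, s, e = _tlv(cert_der, pos, lenient, 0x02)                      # serialNumber INTEGER
    serial = int.from_bytes(cert_der[s:e], "big", signed=True)
    _, _, e = _tlv(cert_der, e, lenient, 0x30)                        # signature AlgorithmIdentifier
    _, pos, end = _tlv(cert_der, e, lenient, 0x30)                    # issuer Name
    rdns = []
    try:
        while pos < end:
            _, apos, pos = _tlv(cert_der, pos, lenient, 0x31)         # RelativeDistinguishedName
            atvs = []
            while apos < pos:
                _, p, apos = _tlv(cert_der, apos, lenient, 0x30)      # AttributeTypeAndValue
                _, s, e = _tlv(cert_der, p, lenient, 0x06)            # type OID
                _, vs, ve = _tlv(cert_der, e, lenient)                # Printable/IA5/UTF8String
                atvs.append((_decode_oid(cert_der[s:e]), cert_der[vs:ve].decode("utf-8")))
            rdns.append(atvs)
    except ValueError:
        if not lenient:
            raise                                  # lenient: keep the RDNs that precede the cut
    return serial, rdns

def _escape_rfc2253(value):
    return "".join("\\" + c if c in ',+"\\<>;' or (i == 0 and c in "# ") or (i == len(value) - 1 and c == " ")
                   else c for i, c in enumerate(value))

def issuer_name_rfc2253(rdns):
    """String form XML-DSig specifies for X509IssuerName: RDNs listed last-to-first, '+' between
    the values of a multi-valued RDN.  Types outside _ATTR are emitted as dotted OIDs."""
    return ",".join("+".join("%s=%s" % (_ATTR.get(o, o), _escape_rfc2253(v)) for o, v in rdn)
                    for rdn in reversed(rdns))

def x509_issuer_serial_xml(cert_der):
    """The ds:X509IssuerSerial element xmlsec left empty, ready to paste into the template.  The
    serial is written in decimal (xs:integer), not the hex form shown by --print-debug."""
    serial, rdns = parse_issuer_serial(cert_der)
    return ("<X509IssuerSerial><X509IssuerName>%s</X509IssuerName><X509SerialNumber>%d</X509SerialNumber>"
            "</X509IssuerSerial>" % (xml_escape(issuer_name_rfc2253(rdns)), serial))

def _der(tag, body):
    n = len(body)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + body

def build_sample_cert(serial, issuer):
    """Constructed input, not a valid certificate: Certificate{tbsCertificate{version, serial,
    signature, issuer}}; the later TBS fields are left out because the walker never reads them."""
    oid = {"2.5.4.3": b"\x55\x04\x03", "2.5.4.6": b"\x55\x04\x06", "2.5.4.8": b"\x55\x04\x08", "2.5.4.10": b"\x55\x04\x0a"}
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
           + bytes.fromhex("300d06092a864886f70d01010b0500")           # sha256WithRSAEncryption, NULL params
           + _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, oid[o]) + _der(0x13, v.encode("ascii"))))
                                 for o, v in issuer)))
    return _der(0x30, _der(0x30, tbs))

if __name__ == "__main__":                 # serial from the thread's dump, issuer from SAMPLE_ISSUER
    serial = parse_issuer_serial(THREAD_CERT_PREFIX, lenient=True)[0]
    print(x509_issuer_serial_xml(build_sample_cert(serial, SAMPLE_ISSUER)))
```

For a real certificate, base64-decode the PEM body (or the complete X509Certificate text xmlsec wrote) and pass the bytes to x509_issuer_serial_xml in strict mode; the lenient mode exists only so the cut-off dump from the thread can still be read up to the cut. A cross-check is `openssl x509 -in cert.pem -noout -serial -issuer -nameopt RFC2253`: note that its serial= line is hex as well, so it has to be converted before it goes into X509SerialNumber, exactly as this script does.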
