That likely answers that particular issue. My module issue looks like this:
xmlsec1 --decrypt --privkey-pem ~/perl-Net-SAML2/xt/testapp/sign-private.pem tmp.xml
func=xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock:file=ciphers.c:line=250:obj=aes256-gcm:subj=EVP_CipherFinal:error=4:crypto library function failed:openssl error: 0: NULL: NULL NULL
func=xmlSecOpenSSLEvpBlockCipherGCMCtxFinal:file=ciphers.c:line=557:obj=aes256-gcm:subj=xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock:error=1:xmlsec library function failed:
func=xmlSecOpenSSLEvpBlockCipherExecute:file=ciphers.c:line=843:obj=aes256-gcm:subj=xmlSecOpenSSLEvpBlockCipherCtxFinal:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1927:obj=aes256-gcm:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:final=1
func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1952:obj=aes256-gcm:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:final=1;outSize=74
func=xmlSecTransformCtxBinaryExecute:file=transforms.c:line=941:obj=unknown:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:dataSize=102
func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=614:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec library function failed:
func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=524:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed:
Error: failed to decrypt file
Error: failed to decrypt file "tmp.xml"

Timothy Legge
[email protected]
[email protected]

On Tue, Mar 29, 2022 at 6:57 PM Aleksey Sanin <[email protected]> wrote:
>
> Yes, basically you need to tell XML parser about ID attributes.
> As I said, section 3.2 in FAQ:
>
> https://www.aleksey.com/xmlsec/faq.html
>
> Aleksey
>
> On 3/29/22 5:52 PM, Timothy Legge wrote:
> > Hi
> >
> > I am missing the reference I think. Is it related to the --id-attr?
> >
> > Timothy Legge
> > [email protected]
> > [email protected]
> >
> > On Tue, Mar 29, 2022 at 6:36 PM Aleksey Sanin <[email protected]> wrote:
> >>
> >> FAQ section 3.2 if I recall (or somewhere close by).
> >>
> >> Aleksey
> >>
> >> On 3/29/22 5:34 PM, Timothy Legge wrote:
> >>> Hi
> >>>
> >>> It also seems to be an issue with an IdP SAMLResponse from Okta:
> >>>
> >>> I have attached the xml as test xml and the base64 version as well as
> >>> the private key (that private key is from perl-Net-SAML2 and is
> >>> already public so it is fine to post). My perl XML::Enc module
> >>> decrypts this file without any issues.
> >>>
> >>> I am continuing to review.
> >>>
> >>> Tim
> >>>
> >>> xmlsec1 --decrypt --privkey-pem sign-private-rsa.pem test.xml
> >>> func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_040a0aae3380dc9275ae08c24a8ddd72')); xml error: 0: NULL
> >>> func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> >>> func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec library function failed:
> >>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> >>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
> >>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> >>> func=xmlSecKeyDataRetrievalMethodXmlRead:file=keyinfo.c:line=1108:obj=retrieval-method:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> >>> func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=121:obj=retrieval-method:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=RetrievalMethod
> >>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1234:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
> >>> func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=779:obj=unknown:subj=unknown:error=45:key is not found:encMethod=aes256-gcm
> >>> func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=596:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed:
> >>> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=524:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed:
> >>> Error: failed to decrypt file
> >>> Error: failed to decrypt file "test.xml"
> >>>
> >>> Timothy Legge
> >>> [email protected]
> >>> [email protected]
> >>>
> >>> On Tue, Mar 29, 2022 at 1:25 PM Timothy Legge <[email protected]> wrote:
> >>>>
> >>>> Perfect. I do get errors but my laptop is home at the moment. I will
> >>>> test again tonight and let you know.
> >>>>
> >>>> Tim
> >>>>
> >>>> On Tue., Mar. 29, 2022, 12:57 p.m. Aleksey Sanin, <[email protected]> wrote:
> >>>>>
> >>>>> Well, the gcm code for openssl is here:
> >>>>>
> >>>>> https://github.com/lsh123/xmlsec/blob/4b6ab2d86b71f8642f19ab3b7a0777984b6bce9a/src/openssl/ciphers.c#L80
> >>>>>
> >>>>> so adding printfs in these functions would help.
> >>>>>
> >>>>> Do you get any errors?
> >>>>>
> >>>>> Aleksey
> >>>>>
> >>>>> On 3/29/22 11:51 AM, Timothy Legge wrote:
> >>>>>> Hi
> >>>>>>
> >>>>>> I am working on adding support for aes*-gcm to perl's XML::Enc. I can:
> >>>>>>
> >>>>>> 1. Decrypt SAML responses encrypted with aes*-gcm using XML::Enc
> >>>>>> 2. Decrypt xmlsec encrypted aes*-gcm XML using XML::Enc
> >>>>>> 3. Encrypt XML using aes*-gcm with XML::Sec
> >>>>>> 4. Decrypt XML that was encrypted with XML::Sec using aes*-gcm
> >>>>>>
> >>>>>> However, I cannot use xmlsec to decrypt XML::Sec encrypted XML that
> >>>>>> uses aes*-gcm.
> >>>>>>
> >>>>>> I can't think of any issues that would allow me to encrypt and decrypt
> >>>>>> XML successfully with XML::Enc but not allow xmlsec to decrypt those
> >>>>>> files.
> >>>>>>
> >>>>>> I was wondering if there is a debug flag for XML sec that would allow
> >>>>>> me to output the following:
> >>>>>>
> >>>>>> 1. base64 of the CipherValue it reads from the XML file
> >>>>>> 2. base64 of IV
> >>>>>> 3. base64 of encrypted data
> >>>>>> 4. base64 of the tag
> >>>>>> 5. base64 of the key
> >>>>>>
> >>>>>> I don't mind adding some print debugging and recompiling if you can
> >>>>>> point me to a starting place. It has been a while since I wrote much
> >>>>>> C but I have no issues. Finding the correct spot though...
> >>>>>>
> >>>>>> Tim
> >>>>>>
> >>>>>> Timothy Legge
> >>>>>> [email protected]
> >>>>>> [email protected]
> >>>>>> _______________________________________________
> >>>>>> xmlsec mailing list
> >>>>>> [email protected]
> >>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:KeyName xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/></dsig:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">PGFq/iEdH23aRpOSrBOoUsM1CpHE4rR4QbfeYmPAEbw1vAoZWCXC2++UM0UXXSOB/+/D1svT5ef1 zzQPkLXbzzJZbqmaO24SN0b+s5TSfBRGR7vKHT6LpEbeGZeucZlJxwIDhvfzNyH7GxspbBwZDL/L HtzsUvk58VZwoYu3jHssScwkBYwiMfaWQDUg75+ynIdXNGhY73Wyi0Y491zxybNUKi0vvaLBW7yD Mo3kT4o0xaxARZ/wPdvkco92KsMg/FDosKHTNCj+kQTNvry1EdFsOZ+m8McWaKJWe6y1Nk5m2Rk6 1Qc//89VKoufGra6hFiz0GXnp3wmSz8AoIOVGwFT7+MMcZjWZheuzXIbpek4YQjh4DLXk+Rod92Z oqFl+uvzmMzpSo8btmeXZsm8rcxKErZ+66+KeLSBqSPQDdlVGWHsVa832yQYBwQYzV8YFZr9dhyi x0CQaRsYMWlI4GwGV1YhnP/zksOljqmN2RH1CFEiPGtZx90f/smTNfsONGeSPuuDzJUXGMs0V2Xa EAO+MSpmfuVVvQuu/kkVFBDY32FUewzrfk9Uy8xLGXEy6UGeiq9V2D77jhISR4T8oM32NhzQbSwq gwwnUxAhpIhYFV4UqNuSC2//dC3KXe/o8/7cbGjQYTrykaZVE2YnpQf+CYs2WV9fSVD+y1VoJNc= </xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">d5nC3Mdj4C/7LB9IxMuFo/NAerrpbgU28DVekDC7yGdmOrcE5/MZNxZn42G4N8BtALSmlTQdVDTV vuVV0/1VmfZI7YqKb+8ytYg= </xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
Attachment: sign-private-rsa.pem (application/x509-ca-cert)
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
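Added example, not code from xmlsec or XML::Enc (Go, standard library only): it builds and reads the AES-GCM CipherValue layout that XML Encryption 1.1 specifies and xmlsec's aes256-gcm transform expects, 96-bit IV prepended and 128-bit tag appended, and shows that a body with those parts in a different order fails authentication at Open, the step where the log above reports EVP_CipherFinal failing. The key and IV are constructed and the reordered layout is hypothetical; under this layout the attached EncryptedData's decoded 74-byte CipherValue (outSize=74) would hold 46 bytes of plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// XML Encryption 1.1 lays out a decoded AES-GCM <CipherValue> as 96-bit IV || ciphertext || 128-bit tag.
const ivLen, tagLen = 12, 16

// newGCM builds an AEAD with the 12-byte nonce and 16-byte tag that layout requires.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptXmlEnc returns a conforming body for a caller-supplied 96-bit IV (a producer draws it from a CSPRNG, never reused per key).
func encryptXmlEnc(key, iv, plaintext []byte) ([]byte, error) {
	if len(iv) != ivLen {
		return nil, errors.New("IV must be 96 bits")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Seal appends the tag to the ciphertext, so IV || Seal(...) is exactly the spec layout.
	return aead.Seal(append([]byte{}, iv...), iv, plaintext, nil), nil
}

// decryptXmlEnc reads a conforming body; a tag that does not verify is rejected by Open, where xmlsec reports EVP_CipherFinal failing.
func decryptXmlEnc(key, cv []byte) ([]byte, error) {
	if len(cv) < ivLen+tagLen {
		return nil, errors.New("CipherValue shorter than IV+tag")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, cv[:ivLen], cv[ivLen:], nil)
}

// tagFirstLayout rewrites a conforming body as a hypothetical IV || tag || ciphertext order, which a conforming reader rejects.
func tagFirstLayout(cv []byte) []byte {
	n := len(cv)
	return append(append(append([]byte{}, cv[:ivLen]...), cv[n-tagLen:]...), cv[ivLen:n-tagLen]...)
}
```

A producer whose output xmlsec rejects at EVP_CipherFinal can be checked against this layout by splitting its decoded CipherValue at 12 bytes from the front and 16 from the end and trying Open with the content key.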
