I read https://www.w3.org/TR/xmlenc-core/#sec-AES-GCM as requiring no padding.
No padding should be used during encryption, but if I read 5.2.4 AES-GCM in the context of section 5.2 Block Encryption Algorithms then I guess the padding is required. Great things these standards :-)

Tim

Timothy Legge
[email protected]
[email protected]

On Tue, Mar 29, 2022 at 9:12 PM Aleksey Sanin <[email protected]> wrote:
>
> Sorry forgot to add a pointer:
>
> https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Alg-Block
>
> This is not the standard RFC 1423 padding that most of the software is using these days.
>
> Aleksey
>
> On 3/29/22 8:10 PM, Aleksey Sanin wrote:
> > I would check what kind of padding is used by the encryption software. That's one of the most common reasons for EVP_CipherFinal failure like that.
> >
> > Aleksey
> >
> > On 3/29/22 6:35 PM, Timothy Legge wrote:
> >> That likely answers that particular issue. My module issue looks like this:
> >>
> >> xmlsec1 --decrypt --privkey-pem ~/perl-Net-SAML2/xt/testapp/sign-private.pem tmp.xml
> >> func=xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock:file=ciphers.c:line=250:obj=aes256-gcm:subj=EVP_CipherFinal:error=4:crypto library function failed:openssl error: 0: NULL: NULL NULL
> >> func=xmlSecOpenSSLEvpBlockCipherGCMCtxFinal:file=ciphers.c:line=557:obj=aes256-gcm:subj=xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock:error=1:xmlsec library function failed:
> >> func=xmlSecOpenSSLEvpBlockCipherExecute:file=ciphers.c:line=843:obj=aes256-gcm:subj=xmlSecOpenSSLEvpBlockCipherCtxFinal:error=1:xmlsec library function failed:
> >> func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1927:obj=aes256-gcm:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:final=1
> >> func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1952:obj=aes256-gcm:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:final=1;outSize=74
> >> func=xmlSecTransformCtxBinaryExecute:file=transforms.c:line=941:obj=unknown:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:dataSize=102
> >> func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=614:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec library function failed:
> >> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=524:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed:
> >> Error: failed to decrypt file
> >> Error: failed to decrypt file "tmp.xml"
> >>
> >> Timothy Legge
> >> [email protected]
> >> [email protected]
> >>
> >> On Tue, Mar 29, 2022 at 6:57 PM Aleksey Sanin <[email protected]> wrote:
> >>>
> >>> Yes, basically you need to tell XML parser about ID attributes.
> >>> As I said, section 3.2 in FAQ:
> >>>
> >>> https://www.aleksey.com/xmlsec/faq.html
> >>>
> >>> Aleksey
> >>>
> >>> On 3/29/22 5:52 PM, Timothy Legge wrote:
> >>>> Hi
> >>>>
> >>>> I am missing the reference I think. Is it related to the --id-attr?
> >>>>
> >>>> Timothy Legge
> >>>> [email protected]
> >>>> [email protected]
> >>>>
> >>>> On Tue, Mar 29, 2022 at 6:36 PM Aleksey Sanin <[email protected]> wrote:
> >>>>>
> >>>>> FAQ section 3.2 if I recall (or somewhere close by).
> >>>>>
> >>>>> Aleksey
> >>>>>
> >>>>> On 3/29/22 5:34 PM, Timothy Legge wrote:
> >>>>>> Hi
> >>>>>>
> >>>>>> It also seems to be an issue with an IdP SAMLResponse from Okta:
> >>>>>>
> >>>>>> I have attached the xml as test xml and the base64 version as well as the private key (that private key is from perl-Net-SAML2 and is already public so it is fine to post). My perl XML::Enc module decrypts this file without any issues.
> >>>>>>
> >>>>>> I am continuing to review.
> >>>>>>
> >>>>>> Tim
> >>>>>>
> >>>>>> xmlsec1 --decrypt --privkey-pem sign-private-rsa.pem test.xml
> >>>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_040a0aae3380dc9275ae08c24a8ddd72')); xml error: 0: NULL
> >>>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> >>>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec library function failed:
> >>>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> >>>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
> >>>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> >>>>>> func=xmlSecKeyDataRetrievalMethodXmlRead:file=keyinfo.c:line=1108:obj=retrieval-method:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> >>>>>> func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=121:obj=retrieval-method:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=RetrievalMethod
> >>>>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1234:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
> >>>>>> func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=779:obj=unknown:subj=unknown:error=45:key is not found:encMethod=aes256-gcm
> >>>>>> func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=596:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed:
> >>>>>> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=524:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed:
> >>>>>> Error: failed to decrypt file
> >>>>>> Error: failed to decrypt file "test.xml"
> >>>>>>
> >>>>>> Timothy Legge
> >>>>>> [email protected]
> >>>>>> [email protected]
> >>>>>>
> >>>>>> On Tue, Mar 29, 2022 at 1:25 PM Timothy Legge <[email protected]> wrote:
> >>>>>>>
> >>>>>>> Perfect. I do get errors but my laptop is home at the moment. I will test again tonight and let you know.
> >>>>>>>
> >>>>>>> Tim
> >>>>>>>
> >>>>>>> On Tue., Mar. 29, 2022, 12:57 p.m. Aleksey Sanin, <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>> Well, the gcm code for openssl is here:
> >>>>>>>>
> >>>>>>>> https://github.com/lsh123/xmlsec/blob/4b6ab2d86b71f8642f19ab3b7a0777984b6bce9a/src/openssl/ciphers.c#L80
> >>>>>>>>
> >>>>>>>> so adding printfs in these functions would help.
> >>>>>>>>
> >>>>>>>> Do you get any errors?
> >>>>>>>>
> >>>>>>>> Aleksey
> >>>>>>>>
> >>>>>>>> On 3/29/22 11:51 AM, Timothy Legge wrote:
> >>>>>>>>> Hi
> >>>>>>>>>
> >>>>>>>>> I am working on adding support for aes*-gcm to perl's XML::Enc. I can:
> >>>>>>>>>
> >>>>>>>>> 1. Decrypt SAML responses encrypted with aes*-gcm using XML::Enc
> >>>>>>>>> 2. Decrypt xmlsec encrypted aes*-gcm XML using XML::Enc
> >>>>>>>>> 3. Encrypt XML using aes*-gcm with XML::Sec
> >>>>>>>>> 4. Decrypt XML that was encrypted with XML::Sec using aes*-gcm
> >>>>>>>>>
> >>>>>>>>> However, I cannot use xmlsec to decrypt XML::Sec encrypted XML that uses aes*-gcm.
> >>>>>>>>>
> >>>>>>>>> I can't think of any issues that would allow me to encrypt and decrypt XML successfully with XML::Enc but not allow xmlsec to decrypt those files.
> >>>>>>>>>
> >>>>>>>>> I was wondering if there is a debug flag for XML sec that would allow me to output the following:
> >>>>>>>>>
> >>>>>>>>> 1. base64 of the CipherValue it reads from the XML file
> >>>>>>>>> 2. base64 of IV
> >>>>>>>>> 3. base64 of encrypted data
> >>>>>>>>> 4. base64 of the tag
> >>>>>>>>> 5. base64 of the key
> >>>>>>>>>
> >>>>>>>>> I don't mind adding some print debugging and recompiling if you can point me to a starting place. It has been a while since I wrote much C but I have no issues. Finding the correct spot though...
> >>>>>>>>>
> >>>>>>>>> Tim
> >>>>>>>>>
> >>>>>>>>> Timothy Legge
> >>>>>>>>> [email protected]
> >>>>>>>>> [email protected]
> >>>>>>>>> _______________________________________________
> >>>>>>>>> xmlsec mailing list
> >>>>>>>>> [email protected]
> >>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
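
An added example for the thread above (not code from xmlsec or XML::Enc): it splits a base64 AES-GCM CipherValue into the 96-bit IV, ciphertext and 128-bit tag in the order XML Encryption 1.1 lays them out, and implements the section 5.2 block padding next to a strict RFC 1423 / PKCS#7-style check so the two can be compared. All function names and the sample value are assumptions made for this illustration.

```python
import base64

GCM_IV_LEN = 12   # 96-bit IV, first in the CipherValue octets
GCM_TAG_LEN = 16  # 128-bit authentication tag, last in the CipherValue octets
BLOCK = 16        # AES block size in octets


def split_gcm_cipher_value(cipher_value_b64):
    """Decode an AES-GCM CipherValue into IV, ciphertext and tag."""
    raw = base64.b64decode("".join(cipher_value_b64.split()), validate=True)
    if len(raw) < GCM_IV_LEN + GCM_TAG_LEN:
        raise ValueError("too short to hold a GCM IV and tag")
    ct = raw[GCM_IV_LEN:len(raw) - GCM_TAG_LEN]
    return {
        "iv": raw[:GCM_IV_LEN],
        "ciphertext": ct,
        "tag": raw[len(raw) - GCM_TAG_LEN:],
        # GCM ciphertext is as long as its plaintext, so a length that is not
        # a multiple of the block size means the encryptor added no padding.
        "may_be_padded": len(ct) > 0 and len(ct) % BLOCK == 0,
    }


def xmlenc_pad(plaintext, fill=b"\x00"):
    """XML Encryption block padding: N-1 arbitrary octets, then the octet N."""
    n = BLOCK - len(plaintext) % BLOCK
    return plaintext + fill * (n - 1) + bytes([n])


def xmlenc_unpad(padded):
    """Strip XML Encryption padding; only the last octet is checked."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("invalid pad length octet")
    return padded[:-n]


def is_strict_pkcs7(padded):
    """True when every pad octet equals N, as RFC 1423-style unpadders require."""
    n = padded[-1] if padded else 0
    return 1 <= n <= BLOCK and len(padded) % BLOCK == 0 and padded.endswith(bytes([n]) * n)


# Constructed sample: 102 octets, the dataSize reported in the log above.
SAMPLE_B64 = base64.b64encode(bytes(range(102))).decode()

if __name__ == "__main__":
    parts = split_gcm_cipher_value(SAMPLE_B64)
    for name in ("iv", "ciphertext", "tag"):
        print(name, base64.b64encode(parts[name]).decode())
    print("may be padded:", parts["may_be_padded"])
```

Data padded with `xmlenc_pad` and a non-matching fill octet passes `xmlenc_unpad` but fails `is_strict_pkcs7`, which is the difference between the two padding schemes mentioned in the replies.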
