Re: Problem with encrypted assertions
Hi Christian,

   I've started integrating with a SAML Shibboleth IdP (testshib.org) which
encrypts assertions, and am getting what looks to be the same error as you
encountered:

t    zxsig.c:319 zx_report_openssl_error zx E EVP_CipherFinal_ex(): OpenSSL
error(101077092) error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt (evp_enc.c:337): ? 0

This is with zxid 0.62 and openssl 0.9.8o. Also tried with openssl 0.9.7m.
I'm getting the same result with my own certs as well as allowing zxid to
generate keys/certs.

   I was able to decrypt the message with xmlsec1, built with the same
openssl versions and compiler.  So this leads me to believe that there may
be an issue inside zxid, with data being passed to
openssl EVP_CipherFinal_ex().

Did you ever identify a solution for this?

Regards,
Eric

On Wed, Jan 20, 2010 at 10:03 AM, Christian Borup <borup@xxxxxxxx> wrote:

> Hi all
>
> I'm not having any luck authenticating via an IdP that returns encrypted
> assertions.
>
> Calling Net::SAML::simple_cf with the query string, the following is
> printed to stderr and exit seems to be called.
>
> t    zxsig.c:318 zx_report_openssl_error        zx E EVP_CipherFinal_ex():
> OpenSSL error(101077092) error:06065064:digital envelope
> routines:EVP_DecryptFinal:bad decrypt (evp_enc.c:445): ? 0
>
> If I save the SAMLResponse to a file, xmlsec1 will decrypt it just fine
> (after base64 decode, obviously). Using the command line:
>  xmlsec1 --decrypt --privkey-pem /var/zxid/pem/enc-nopw-cert.pem
> SAMLResponse.xml
>
> xmlsec1 and zxid are both compiled with the same OpenSSL.
>
> Clues anyone?
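The "bad decrypt" that both posts above show is raised by EVP_DecryptFinal_ex when its PKCS#7 padding check fails, and one cause that fits the symptoms (an assumption on my part; the thread never identifies the root cause) is a padding-mode mismatch: XML Encryption only requires the last byte of the final block to be the pad count, so an IdP may fill the other pad bytes with arbitrary values (ISO 10126 style), which OpenSSL's check rejects while xmlsec1, which strips the padding itself, accepts. The example below is added here and is not code from the thread, zxid or xmlsec1; it contrasts the two checks on a constructed sample block.

```c
#include <stddef.h>
#include <stdio.h>

/* Block size of AES-CBC, the cipher family used for SAML encrypted assertions. */
#define BLK 16

/* Padding check as OpenSSL's EVP_DecryptFinal_ex performs it with padding
 * enabled (the default): the last byte n must be 1..BLK and every one of the
 * last n bytes must equal n (PKCS#7). Returns the unpadded length, or -1,
 * which is the condition OpenSSL reports as "bad decrypt". */
int pkcs7_unpad(const unsigned char *buf, size_t len)
{
    if (len == 0 || len % BLK != 0) return -1;
    unsigned n = buf[len - 1];
    if (n == 0 || n > BLK) return -1;
    for (size_t i = len - n; i < len; i++)
        if (buf[i] != n) return -1;
    return (int)(len - n);
}

/* Padding check as XML Encryption 1.0 section 5.2 defines it: only the last
 * byte (the pad count) is significant; the other pad bytes may hold any value.
 * This is the check to apply after a raw (padding-disabled) block decrypt. */
int xmlenc_unpad(const unsigned char *buf, size_t len)
{
    if (len == 0 || len % BLK != 0) return -1;
    unsigned n = buf[len - 1];
    if (n == 0 || n > BLK) return -1;
    return (int)(len - n);
}

/* Constructed sample: a 9-byte plaintext padded to one block with 7 pad bytes
 * of arbitrary filler (ISO 10126 style); only the final byte 0x07 is the count. */
const unsigned char iso10126_block[BLK] = {
    '<', 's', 'a', 'm', 'l', ':', 'A', '>', 'x',
    0xd3, 0x41, 0x9c, 0x00, 0x7f, 0xee, 0x07
};

/* Constructed sample: the same plaintext with strict PKCS#7 padding. */
const unsigned char pkcs7_block[BLK] = {
    '<', 's', 'a', 'm', 'l', ':', 'A', '>', 'x',
    0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07
};

int main(void)
{
    printf("PKCS#7 check on ISO 10126 block:  %d\n", pkcs7_unpad(iso10126_block, BLK));
    printf("XML Enc check on ISO 10126 block: %d\n", xmlenc_unpad(iso10126_block, BLK));
    printf("PKCS#7 check on PKCS#7 block:     %d\n", pkcs7_unpad(pkcs7_block, BLK));
    return 0;
}
```

With OpenSSL the equivalent of the second check is to call EVP_CIPHER_CTX_set_padding(ctx, 0) before decrypting and strip the padding from the output yourself.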