
Re: Problem with encrypted assertions



Christian Borup:
>> I'm not having any luck authenticating via an IdP that returns encrypted
>> assertions.
>>
>> Calling Net::SAML::simple_cf with the query string the following is
>> printed to stderr and exit seems to be called.
>>
>> t    zxsig.c:318 zx_report_openssl_error        zx E EVP_CipherFinal_ex():
>> OpenSSL error(101077092) error:06065064:digital envelope
>> routines:EVP_DecryptFinal:bad decrypt (evp_enc.c:445): ? 0
>>
>> Clues anyone?

Eric Rybski:
> I was able to decrypt the message with xmlsec1, built with the same
> openssl versions and compiler.  So this leads me to believe that there may
> be an issue inside zxid, with data being passed to
> openssl EVP_CipherFinal_ex().
> Did you ever identify a solution for this?
|
| I suspect the issue is probably a simple one (perhaps zxid is
| mis-identifying the encryption algo, or loading an incomplete encrypted
| string from the XML?).  No obvious issues jumped out at me yet when
| I was stepping through with gdb.

I found the same OpenSSL error(101077092) with a SiteMinder-run IdP and
my ZXID 0.64 SP.

We turned off assertion encryption on both our sides to debug and
found the SAMLResponse's failing on a digest mismatch in the signature
validation of the (unencrypted) assertion.  We tracked down the cause of
the mismatch to a whitespace problem.  The digest value was calculated
over the assertion having newline-terminated lines, while the SAMLResponse
was coming in with lines terminated with carriage returns and newlines.
Apparently, ZXID isn't canonicalizing the line termination characters to
newlines-only (XML standard), leading to the mismatch.  Other software,
including xmlsec1, it seems, does canonicalize the CR-NL's to NL.
Manually converting it to NL's and then feeding it to ZXID works fine.

I don't know if this accounts for others' OpenSSL error(101077092)'s
but it seems possible.

Regards,					Steve Kinzler

--
from the brain of Steve Kinzler    /o)\    kinzler@xxxxxxxxxxxxxx
an organ with a mind of its own    \(o/    www.cs.indiana.edu/~kinzler
Bargeboard pecksniffian / achlorhydria proleg nascence / surra hysteroid.
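
The line-ending mismatch described in the message above, as an added example that is not part of the original post or of ZXID: it checks whether a digest failure disappears once CR LF and lone CR are folded to LF, as XML 1.0 section 2.11 requires of a parser. The sample assertion, the function names and the choice of SHA-1 are assumptions, and the digest is taken over raw bytes as a stand-in for the canonicalized octets a real XML-DSig verifier hashes.

```python
import base64
import hashlib


def normalize_eol(data: bytes) -> bytes:
    """XML 1.0 section 2.11: CR LF pairs and lone CRs each become one LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def digest_b64(data: bytes, alg: str = "sha1") -> str:
    """Base64 digest in the form carried by ds:DigestValue (alg is an assumption)."""
    return base64.b64encode(hashlib.new(alg, data).digest()).decode("ascii")


def diagnose(received: bytes, digest_value: str, alg: str = "sha1") -> str:
    """Classify a digest check: clean match, line-ending artifact, or real mismatch."""
    if digest_b64(received, alg) == digest_value:
        return "match"
    if b"\r" in received and digest_b64(normalize_eol(received), alg) == digest_value:
        return "match-after-eol-normalization"
    return "mismatch"


# Constructed sample: the assertion as the signer hashed it (LF line endings).
SIGNED_FORM = (
    b'<sa:Assertion xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion" ID="EXAMPLE-ID">\n'
    b"  <sa:Issuer>https://idp.example.invalid/</sa:Issuer>\n"
    b"  <sa:Subject><sa:NameID>alice</sa:NameID></sa:Subject>\n"
    b"</sa:Assertion>"
)
DIGEST_VALUE = digest_b64(SIGNED_FORM)

# Constructed sample: the same assertion as it arrives with CR LF line endings.
ON_WIRE = SIGNED_FORM.replace(b"\n", b"\r\n")

# Constructed sample: content actually changed, so normalization must not rescue it.
TAMPERED = ON_WIRE.replace(b"alice", b"mallory")

if __name__ == "__main__":
    for name, blob in (("signed", SIGNED_FORM), ("on-wire", ON_WIRE), ("tampered", TAMPERED)):
        print(f"{name:9s} CRs={blob.count(13):d} -> {diagnose(blob, DIGEST_VALUE)}")
```

A result of `match-after-eol-normalization` points at line-ending handling in the verifier's input path rather than at the signature or the keys.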