Re: Problem with encrypted assertions
>> I'm not having any luck authenticating via an IdP that returns encrypted
>> Calling Net::SAML::simple_cf with the query string, the following is
>> printed to stderr and exit seems to be called.
>> t zxsig.c:318 zx_report_openssl_error zx E EVP_CipherFinal_ex():
>> OpenSSL error(101077092) error:06065064:digital envelope
>> routines:EVP_DecryptFinal:bad decrypt (evp_enc.c:445): ? 0
>> Clues anyone?
> I was able to decrypt the message with xmlsec1, built with the same
> openssl versions and compiler. So this leads me to believe that there may
> be an issue inside zxid, with data being passed to
> openssl EVP_CipherFinal_ex().
> Did you ever identify a solution for this?
| I suspect the issue is probably a simple one (perhaps zxid is
| mis-identifying the encryption algo, or loading an incomplete encrypted
| string from the XML?). No obvious issues jumped out at me yet when
| I was stepping through with gdb.
I found the same OpenSSL error(101077092) with a SiteMinder-run IdP and
my ZXID 0.64 SP.
We turned off assertion encryption on both our sides to debug and
found the SAMLResponses failing on a digest mismatch in the signature
validation of the (unencrypted) assertion. We tracked down the cause of
the mismatch to a whitespace problem. The digest value was calculated
over the assertion having newline-terminated lines, while the SAMLResponse
was coming in with lines terminated with carriage returns and newlines.
Apparently, ZXID isn't canonicalizing the line termination characters to
newlines-only (XML standard), leading to the mismatch. Other software,
including xmlsec1, it seems, does canonicalize the CR-NLs to NL.
Manually converting it to NLs and then feeding it to ZXID works fine.
I don't know if this accounts for others' OpenSSL error(101077092)s,
but it seems possible.
Regards, Steve Kinzler
from the brain of Steve Kinzler /o)\ kinzler@xxxxxxxxxxxxxx
an organ with a mind of its own \(o/ www.cs.indiana.edu/~kinzler
Bargeboard pecksniffian / achlorhydria proleg nascence / surra hysteroid.
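The line-ending mismatch Steve describes, reproduced as a small added example (this is not ZXID or xmlsec1 code, and the assertion fragment is constructed for illustration, not a real SAML message). XML 1.0 section 2.11 requires a parser to normalize CRLF and lone CR to LF before the application sees the document, so a signer working from parsed XML computes its DigestValue over LF-only content; a verifier that hashes the raw bytes of a CRLF-transmitted response gets a different digest. The functions below use SHA-256 for the digest and stop at line-ending normalization (a real XML-DSig verifier also applies the Transforms/C14N from the signature), which is enough to show the mismatch and the fix:

```python
import base64
import hashlib

# Constructed sample: a minimal, unsigned assertion-like fragment.
# Identifiers and hostnames are placeholders, not taken from any real IdP.
ASSERTION_LF = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"\n'
    b'                ID="_example" Version="2.0">\n'
    b'  <saml:Issuer>https://idp.example.com/</saml:Issuer>\n'
    b'  <saml:Subject>\n'
    b'    <saml:NameID>user@example.com</saml:NameID>\n'
    b'  </saml:Subject>\n'
    b'</saml:Assertion>\n'
)

# The same assertion as an IdP on a CRLF platform might put it on the wire.
ASSERTION_CRLF = ASSERTION_LF.replace(b'\n', b'\r\n')


def normalize_line_endings(data: bytes) -> bytes:
    """XML 1.0 section 2.11 end-of-line handling: CRLF -> LF, lone CR -> LF.
    Order matters: collapse the two-byte sequence first so a CRLF does not
    become two LFs."""
    return data.replace(b'\r\n', b'\n').replace(b'\r', b'\n')


def digest_value(data: bytes) -> str:
    """Base64 of the SHA-256 digest, the textual form a ds:DigestValue carries."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode('ascii')


def verify_digest(received: bytes, expected: str, normalize: bool) -> bool:
    """Simulate a verifier that either does or does not apply XML end-of-line
    normalization before hashing the received bytes."""
    data = normalize_line_endings(received) if normalize else received
    return digest_value(data) == expected


def demo() -> dict:
    """Sign-side digest over the parsed (LF) form, checked three ways."""
    expected = digest_value(ASSERTION_LF)
    return {
        # Raw CRLF bytes hashed as-is: the mismatch seen on the list.
        'raw_crlf_matches': verify_digest(ASSERTION_CRLF, expected, normalize=False),
        # Same bytes after CRLF -> LF normalization: digest agrees.
        'normalized_crlf_matches': verify_digest(ASSERTION_CRLF, expected, normalize=True),
        # Control: LF input verifies with or without normalization.
        'lf_matches': verify_digest(ASSERTION_LF, expected, normalize=False),
    }


if __name__ == '__main__':
    for name, ok in demo().items():
        print(f'{name}: {ok}')
```

Normalization is idempotent, so applying it to input that already uses LF is harmless; the safe place to do it is once, on the raw bytes, before any digest or decryption step, which is effectively what the manual CRLF-to-LF conversion in the message above achieves.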