
Re: Problem with encrypted assertions



Eric Rybski <rybskej@xxxxxxxxx> said:
> I've identified and addressed my specific issue with encryption and a
> Shibboleth IdP.  The XML Encryption standard isn't guaranteed compliant with
> RFC1423, but OpenSSL is expecting it to be compliant.
> 
> In this case, Shibboleth 2 (Java project utilizing OpenSAML libraries)
> generates the expected final padding byte, but all other padding bytes are
> unpredictable as allowed by XML Enc (
> http://www.w3.org/TR/2002/REC-xmlenc-core-20021210).  So this is a false
> positive error reported by OpenSSL.
> 
> A Google search revealed that Sampo also identified this back in 2005:
> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1067
> The recommended solution is for the caller to implement a custom XML Enc
> padding check.

I am glad someone else is finally worried about this. Back then the
response was dismal: nobody seemed to care and my bug report got
ignored by the Bouncy Castle folks and kind of explained away by OpenSSL.
Failing to fix this universally probably has contributed in its part
to the notion that XML signature and crypto stuff is difficult to
interoperate (needless to say that my commercial products have
had this patch applied all the time so they interoperated
perfectly - sometimes open source folks do not see the pressing
problem and think it is somebody else's problem).

I am still working on the line termination... releasing soon.

Cheers,
--Sampo

> So, below is the patch I'm using.  Essentially, it disables OpenSSL padding
> check before final validation, and then validates the last padding byte and
> trims the rest.  It's a simplified function from OpenSSL 0.9.8o.  This
> should be fine for regular use with OpenSSL 0.9.7 and later, although the
> function could benefit from more detailed exception reporting.
> 
> Similarly, the xmlsec1 utility performs its own custom padding validation,
> which is why it didn't trigger decryption errors on Shibboleth2 assertions.
> 
> Regards,
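
The check described in the quoted message (validate only the last padding byte, trim the rest), shown next to the strict all-bytes check that rejects XML Enc padding. This is an added example, not the patch from this thread; the function names and sample buffers are constructed for illustration, and the input is assumed to be the output of a decryption run with the library's padding check off (in OpenSSL, EVP_CIPHER_CTX_set_padding(ctx, 0)).

```c
#include <stddef.h>
#include <stdio.h>

/* XML Enc rule: only the LAST byte is defined. It holds the pad count N
 * (1..block); the N-1 bytes before it may be arbitrary.
 * Returns the plaintext length, or -1 if the padding is invalid. */
long xmlenc_unpad(const unsigned char *buf, size_t len, size_t block)
{
    if (buf == NULL || block == 0 || block > 255 || len == 0 || len % block != 0)
        return -1;
    size_t n = buf[len - 1];
    if (n == 0 || n > block)
        return -1;
    return (long)(len - n);
}

/* Strict rule for comparison: every one of the N pad bytes must equal N. */
long strict_unpad(const unsigned char *buf, size_t len, size_t block)
{
    if (xmlenc_unpad(buf, len, block) < 0)
        return -1;
    size_t n = buf[len - 1];
    for (size_t i = len - n; i < len; i++)
        if (buf[i] != n)
            return -1;
    return (long)(len - n);
}

/* Constructed samples: one 16-byte block, plaintext "hello", 11 pad bytes. */
static const unsigned char sample_xmlenc[16] = {   /* arbitrary filler + count */
    'h','e','l','l','o', 0x9a,0x03,0x7f,0x00,0xc4,0x51,0x2e,0xee,0x10,0x88, 0x0b };
static const unsigned char sample_strict[16] = {   /* every pad byte == 0x0b */
    'h','e','l','l','o', 0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b, 0x0b };
static const unsigned char sample_bad[16] = {      /* count 0x11 > block size */
    'h','e','l','l','o', 0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b, 0x11 };

int main(void)
{
    printf("xmlenc sample: xmlenc=%ld strict=%ld\n",
           xmlenc_unpad(sample_xmlenc, 16, 16), strict_unpad(sample_xmlenc, 16, 16));
    printf("strict sample: xmlenc=%ld strict=%ld\n",
           xmlenc_unpad(sample_strict, 16, 16), strict_unpad(sample_strict, 16, 16));
    printf("bad sample:    xmlenc=%ld\n", xmlenc_unpad(sample_bad, 16, 16));
    return 0;
}
```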