RSA 1.5 and blacklisting
Praveen Pinto
praveen.pinto at peopleadmin.com
Wed Feb 27 12:34:00 EST 2013
Hi Scott,

I pulled the impacted customer to a new server and set the logs to debug so that I could get a clear picture of what is happening; excerpts from the logs are below. Shibboleth version 2.5.1 on Ubuntu 10.04 LTS. We have tried to get the customer to move away from RSA 1.5, but for the short term are stuck with it. I have a copy of my security-policy.xml where we have includeDefaultBlacklist set to false. It appears that it ignores that setting altogether, based on the logs. Since the key cannot be decrypted, a random key is used and the NameID is not parsed. Any insight or direction I need to look at is appreciated.

Thanks,
Praveen
shibd.log excerpt (one entry per line):

2013-02-22 15:23:56 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2013-02-22 15:23:56 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolving ds:X509Certificate
2013-02-22 15:23:56 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 1 certificate(s)
2013-02-22 15:23:56 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 CRL(s)
2013-02-22 15:23:56 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolving ds:X509Certificate
2013-02-22 15:23:56 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 1 certificate(s)
2013-02-22 15:23:56 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 CRL(s)
2013-02-22 15:23:56 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: attempting to validate signature with the peer's credentials
2013-02-22 15:23:56 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature validated with credential
2013-02-22 15:23:56 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
2013-02-22 15:23:56 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [1]: assertion satisfied bearer confirmation requirements
2013-02-22 15:23:56 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 certificate(s)
2013-02-22 15:23:56 WARN XMLTooling.Decrypter [1]: XMLSecurity exception while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist policy
2013-02-22 15:23:56 WARN XMLTooling.Decrypter [1]: unable to decrypt key, generating random key for defensive purposes
2013-02-22 15:23:56 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt NameID: XMLSecurity exception while decrypting: OpenSSL:SymmetricKey::decryptFinish - Out of range padding value in final block
2013-02-22 15:23:56 DEBUG Shibboleth.SSO.SAML2 [1]: SSO profile processing completed successfully
2013-02-22 15:23:56 DEBUG Shibboleth.SSO.SAML2 [1]: extracting pushed attributes...
2013-02-22 15:23:56 DEBUG Shibboleth.AttributeExtractor.XML [1]: unable to extract attributes, unknown XML object type: samlp:Response
security-policy.xml content:

<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
        </PolicyRule>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>
    <Policy id="entity-attributes">
        <PolicyRule type="Conditions"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
    </Policy>
    <AlgorithmBlacklist includeDefaultBlacklist="false"/>
</SecurityPolicies>
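Added example, not part of the post above and not code from the Shibboleth SP or XMLTooling: a small Python model of the whitelist/blacklist decision that the "disallowed by whitelist/blacklist policy" warning reports, driven by a copy of the posted security-policy.xml, plus a triage pass over shibd.log lines that flags the chain the log shows (disallowed key-transport algorithm, random key substituted, NameID decryption error, yet "SSO profile processing completed successfully"). Assumptions, labelled in the code: a non-empty whitelist is exclusive and otherwise the blacklist decides; the element text of AlgorithmWhitelist/AlgorithmBlacklist is a whitespace-separated URI list; and the default blacklist contents beyond rsa-1_5 (which the log confirms is in it) are illustrative. The sample log lines are constructed single-line versions of the entries quoted above.

```python
"""Model of the algorithm-policy decision behind the shibd WARN, plus a log
triage for the failure chain it produces. Added example; the default
blacklist contents and whitelist precedence are assumptions, not the
library's code."""
import re
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:2.0:native:sp:config"
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

# Assumed default blacklist: rsa-1_5 is in it (the log proves that much);
# the MD5 entries are illustrative and not taken from the library.
ASSUMED_DEFAULT_BLACKLIST = frozenset({
    RSA_1_5,
    "http://www.w3.org/2001/04/xmldsig-more#md5",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
})


class AlgorithmPolicy:
    """Whitelist/blacklist check of the kind XSECAlgorithmMapper reports on."""

    def __init__(self, whitelist=(), blacklist=(), include_default=True):
        self.whitelist = frozenset(whitelist)
        self.blacklist = frozenset(blacklist)
        if include_default:
            self.blacklist |= ASSUMED_DEFAULT_BLACKLIST

    def is_allowed(self, uri):
        # Assumption: a non-empty whitelist is exclusive; otherwise the
        # explicit blacklist plus the optional default blacklist decides.
        if self.whitelist:
            return uri in self.whitelist
        return uri not in self.blacklist


def policy_from_security_policy_xml(xml_text):
    """Build a policy from <AlgorithmWhitelist>/<AlgorithmBlacklist>.
    Assumed element format: whitespace-separated URIs as element text."""
    root = ET.fromstring(xml_text)

    def uris(tag):
        el = root.find("{%s}%s" % (NS, tag))
        return (el.text or "").split() if el is not None else []

    bl = root.find("{%s}AlgorithmBlacklist" % NS)
    include_default = True
    if bl is not None:
        include_default = bl.get("includeDefaultBlacklist", "true").lower() != "false"
    return AlgorithmPolicy(uris("AlgorithmWhitelist"), uris("AlgorithmBlacklist"),
                           include_default)


# Constructed copy of the relevant part of the posted security-policy.xml.
SECURITY_POLICY_XML = """<SecurityPolicies xmlns="%s">
  <Policy id="default" validate="false">
    <PolicyRule type="XMLSigning" errorFatal="true"/>
  </Policy>
  <AlgorithmBlacklist includeDefaultBlacklist="false"/>
</SecurityPolicies>""" % NS

DISALLOWED_RE = re.compile(r"URI (\S+) disallowed by whitelist/blacklist policy")


def triage_shibd_log(lines):
    """Return (event, detail) tuples for the decryption failure chain."""
    findings = []
    for line in lines:
        m = DISALLOWED_RE.search(line)
        if m:
            findings.append(("algorithm-disallowed", m.group(1)))
        elif "generating random key for defensive purposes" in line:
            findings.append(("random-key-substituted", None))
        elif "failed to decrypt NameID" in line:
            findings.append(("nameid-decrypt-failed", None))
    return findings


def completed_despite_failure(lines):
    """True when a NameID decryption ERROR was logged but the SSO profile was
    still reported as processed successfully (the silent-failure case)."""
    events = {event for event, _ in triage_shibd_log(lines)}
    finished = any("SSO profile processing completed successfully" in l for l in lines)
    return "nameid-decrypt-failed" in events and finished


# Constructed single-line versions of the log entries quoted above.
SAMPLE_LOG = [
    "2013-02-22 15:23:56 WARN XMLTooling.Decrypter [1]: XMLSecurity exception "
    "while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI "
    + RSA_1_5 + " disallowed by whitelist/blacklist policy",
    "2013-02-22 15:23:56 WARN XMLTooling.Decrypter [1]: unable to decrypt key, "
    "generating random key for defensive purposes",
    "2013-02-22 15:23:56 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt NameID: "
    "XMLSecurity exception while decrypting: OpenSSL:SymmetricKey::decryptFinish - "
    "Out of range padding value in final block",
    "2013-02-22 15:23:56 DEBUG Shibboleth.SSO.SAML2 [1]: SSO profile processing "
    "completed successfully",
]

if __name__ == "__main__":
    policy = policy_from_security_policy_xml(SECURITY_POLICY_XML)
    print("config intends rsa-1_5 allowed:", policy.is_allowed(RSA_1_5))
    print("default blacklist would block it:", not AlgorithmPolicy().is_allowed(RSA_1_5))
    for event, detail in triage_shibd_log(SAMPLE_LOG):
        print(event, detail or "")
    print("completed despite failure:", completed_despite_failure(SAMPLE_LOG))
```

The two halves make the mismatch concrete: the policy parsed from the posted configuration allows rsa-1_5, while any policy that still carries the default blacklist rejects it, which is what the WARN line says happened. The triage function is the check worth keeping around regardless of how the configuration question is resolved, because the SP's own summary line reads as success while the NameID was decrypted under a random key.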