Could not resolve key encryption credential

Brent Putman putmanb at georgetown.edu
Wed Oct 7 19:09:52 EDT 2015



On 10/7/15 6:50 PM, Willem D'Haeseleer wrote:
> Additionally, should the X509Certificate contain any newlines, or
> should it be a string?

I don't think it matters, but newlines are certainly easier to look at :-)

However, in testing your cert with openssl, I did discover the
problem.  The cert marked for encryption contains a DSA key.  That's
not supported for encryption; it's simply just not defined.  It pretty
much has to be an RSA key for v2.  (For v3 we hope at some point to
support EC keys for encryption per XML Encryption 1.1, via EC
Diffie-Hellman.)

So you just need to get/generate a cert with an RSA key for encryption
and put that in the metadata instead.

Your metadata encryption cert decoded by openssl:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:0b:e8:4e:cb:e0:28:bc
        Signature Algorithm: dsa_with_SHA256
        Issuer: C=CA, ST=British Columbia, L=Vancouver, O=OrigamiTest, OU=Dev, CN=local.origami42.com/emailAddress=willem at origamilogic.com
        Validity
            Not Before: Oct  7 21:46:39 2015 GMT
            Not After : Nov  6 21:46:39 2015 GMT
        Subject: C=CA, ST=British Columbia, L=Vancouver, O=OrigamiTest, OU=Dev, CN=local.origami42.com/emailAddress=willem at origamilogic.com
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub:
                    70:86:c3:83:54:54:49:14:ca:d8:17:2a:e6:12:0e:
                    12:f3:7e:3e:82:f1:9b:57:cc:d7:56:f3:40:ed:9e:
                    2e:89:2e:a7:34:1e:21:25:30:94:dd:66:31:03:e5:
                    0d:06:5e:5d:da:a9:18:67:bc:75:68:a1:d9:ba:61:
                    c5:41:d2:02:00:93:aa:96:9d:22:00:73:65:53:a1:
                    46:8f:85:02:63:a2:aa:66:4f:ab:84:bc:fc:fb:ec:
                    b9:d1:94:b6:8f:81:a5:33:d0:79:d0:6d:44:7b:bd:
                    92:e9:73:da:78:18:be:71:c1:63:48:d1:de:e7:88:
                    7a:e5:78:d6:de:ba:5e:31
                P:  
                    00:9d:84:ce:03:2c:9e:ce:f4:92:46:df:ac:33:70:
                    fe:48:28:11:e1:ae:2b:50:89:69:c8:8a:89:3d:83:
                    33:4f:46:cc:40:65:f2:f6:6f:fd:85:24:5b:c1:0a:
                    f1:e8:f7:0a:86:2a:92:9c:fa:17:46:a3:2e:20:a9:
                    74:eb:59:77:c0:ff:b7:15:6a:dd:d9:87:1d:14:8d:
                    ba:82:76:2c:c5:80:0d:75:40:84:1e:97:f0:4b:f8:
                    af:65:c7:f2:62:9b:5b:ec:85:85:b1:e5:37:57:b1:
                    8b:73:ea:9f:0f:72:e2:0e:a4:78:fa:33:ee:ba:0a:
                    64:3a:44:d9:bd:8d:df:58:57
                Q:  
                    00:bd:07:fb:eb:18:77:21:24:c4:10:cf:db:5b:d4:
                    77:a6:fb:6a:a6:53
                G:  
                    26:6b:1d:02:db:af:4f:04:1a:90:c0:66:fd:b0:e0:
                    10:18:53:43:6d:fe:cf:a7:2b:03:7d:94:ff:60:43:
                    5f:bb:d6:ee:29:b7:1e:ae:13:95:cb:43:d7:20:16:
                    25:ca:20:4f:3a:67:7d:13:e8:2d:72:f1:ec:f8:d9:
                    b5:05:b0:51:ff:11:47:a8:83:58:24:0f:d5:e5:a5:
                    e8:5e:c0:93:de:25:d4:95:06:31:a9:59:31:5c:66:
                    64:47:f6:ea:54:c0:66:04:c0:78:52:76:96:32:04:
                    ea:79:a6:9d:bf:45:f5:e0:74:cc:1a:f6:8b:d4:6a:
                    93:41:ef:03:b5:11:2d:15
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                63:68:86:BA:C5:AF:92:01:35:1E:94:5D:68:C2:DA:95:42:BE:28:E9
            X509v3 Authority Key Identifier:
                keyid:63:68:86:BA:C5:AF:92:01:35:1E:94:5D:68:C2:DA:95:42:BE:28:E9

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: dsa_with_SHA256
        30:2d:02:14:3a:41:29:87:a2:bd:77:fe:3d:6a:6c:2c:0f:fe:
        1b:5d:78:80:1d:ce:02:15:00:88:80:66:5a:f8:c6:48:69:67:
        07:28:4e:88:cc:ff:5a:30:c4:13:4b
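As an added illustration of the check described above (this is example code written for this page, not code from the thread, from Shibboleth or from OpenSAML), the script below decodes the base64 of a ds:X509Certificate element, with or without newlines, walks the DER just far enough to read the subjectPublicKeyInfo algorithm OID, and reports whether the key is RSA. The make_dummy_cert_pem helper and its host name test.example are constructed test input: it emits structurally valid but unsigned certificate shells so the parser can be exercised offline. The three OIDs are the standard rsaEncryption, dsaEncryption and id-ecPublicKey identifiers.

```python
"""Report the public-key algorithm carried by a SAML metadata certificate.
Hypothetical helper for this thread (not OpenSAML/Shibboleth code): it walks
just enough DER to reach subjectPublicKeyInfo.algorithm and flags anything
other than rsaEncryption as unusable for SP v2 encryption."""
import base64
import re

# Standard public-key algorithm OIDs (PKCS#1, X9.57, X9.62).
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10040.4.1": "dsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
}

def x509certificate_to_der(text):
    """Decode <ds:X509Certificate> text or a PEM file to DER bytes.
    BEGIN/END lines, newlines and other whitespace are ignored, which is why
    a certificate with or without line breaks decodes identically."""
    lines = [l for l in text.splitlines() if not l.strip().startswith("-----")]
    return base64.b64decode(re.sub(r"\s+", "", "".join(lines)), validate=True)

def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OID content octets into dotted notation (base-128 arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def public_key_algorithm_oid(cert_der):
    """Extract subjectPublicKeyInfo.algorithm.algorithm from a DER Certificate."""
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)          # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)      # serialNumber follows the version
    for _ in range(4):                      # signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, spki, _ = read_tlv(tbs, pos)         # subjectPublicKeyInfo ::= SEQUENCE
    _, alg_id, _ = read_tlv(spki, 0)        # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_body, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)

def check_encryption_cert(cert_text):
    """Return (algorithm name, usable_for_v2_encryption) for a metadata cert."""
    oid = public_key_algorithm_oid(x509certificate_to_der(cert_text))
    name = KEY_ALGORITHMS.get(oid, oid)
    return name, name == "rsaEncryption"

# --- constructed test input: a structurally valid but unsigned Certificate ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunks.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunks))
    return _der(0x06, bytes(body))

def make_dummy_cert_pem(key_oid):
    """Build a dummy PEM cert whose SPKI carries key_oid (parameters and
    signature are placeholders; only the structure matters to the parser)."""
    name = _der(0x30, _der(0x31, _der(0x30, _oid("2.5.4.3") + _der(0x0C, b"test.example"))))
    validity = _der(0x30, _der(0x17, b"151007214639Z") + _der(0x17, b"151106214639Z"))
    sig_alg = _der(0x30, _oid("1.2.840.113549.1.1.11") + _der(0x05, b""))
    spki = _der(0x30, _der(0x30, _oid(key_oid) + _der(0x05, b"")) + _der(0x03, b"\x00" * 65))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + sig_alg + name + validity + name + spki)
    der = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 33))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid in KEY_ALGORITHMS:
        name, ok = check_encryption_cert(make_dummy_cert_pem(oid))
        print(f"{name:16s} usable for SP v2 encryption: {ok}")
```

Paste the contents of the metadata's ds:X509Certificate element into check_encryption_cert to get the same verdict the openssl dump above gives; the parser reads only the algorithm OID, so DSA parameters, extensions and the signature are skipped rather than validated, and the caveat is that it checks key type only, not key size or certificate validity.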