Could not resolve key encryption credential
Brent Putman
putmanb at georgetown.edu
Wed Oct 7 19:09:52 EDT 2015
On 10/7/15 6:50 PM, Willem D'Haeseleer wrote:
> Additionally. Should the X509Certificate contain any newlines, or
> should it be a string ?
I don't think it matters, but newlines are certainly easier to look at :-)
However, in testing your cert with openssl, I did discover the
problem. The cert marked for encryption contains a DSA key. That's
not supported for encryption; it's simply just not defined. It pretty
much has to be an RSA key, for v2. (For v3 we hope at some point to
support EC keys for encryption per XML Encryption 1.1, via EC
Diffie-Hellman).
So you just need to get/generate a cert with an RSA key for encryption
and put that in the metadata instead.
Your metadata encryption cert decoded by openssl:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:0b:e8:4e:cb:e0:28:bc
    Signature Algorithm: dsa_with_SHA256
        Issuer: C=CA, ST=British Columbia, L=Vancouver, O=OrigamiTest, OU=Dev, CN=local.origami42.com/emailAddress=willem at origamilogic.com
        Validity
            Not Before: Oct 7 21:46:39 2015 GMT
            Not After : Nov 6 21:46:39 2015 GMT
        Subject: C=CA, ST=British Columbia, L=Vancouver, O=OrigamiTest, OU=Dev, CN=local.origami42.com/emailAddress=willem at origamilogic.com
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                63:68:86:BA:C5:AF:92:01:35:1E:94:5D:68:C2:DA:95:42:BE:28:E9
            X509v3 Authority Key Identifier:
                keyid:63:68:86:BA:C5:AF:92:01:35:1E:94:5D:68:C2:DA:95:42:BE:28:E9
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: dsa_with_SHA256
         30:2d:02:14:3a:41:29:87:a2:bd:77:fe:3d:6a:6c:2c:0f:fe:
         1b:5d:78:80:1d:ce:02:15:00:88:80:66:5a:f8:c6:48:69:67:
         07:28:4e:88:cc:ff:5a:30:c4:13:4b
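A scripted version of the check above, added here as an example and not code from Shibboleth or from the original poster: it pulls each X509Certificate out of SAML metadata, walks the DER just far enough to read the SubjectPublicKeyInfo algorithm OID, and flags any encryption-capable KeyDescriptor whose key is not RSA. The metadata and certificate skeleton it feeds itself are constructed samples, and `sample_metadata`, `encryption_key_problems`, `public_key_algorithm` and the OID table are the example's own names.

```python
import base64
import xml.etree.ElementTree as ET
MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"
KEY_ALGS = {  # SubjectPublicKeyInfo algorithm OIDs as DER value bytes
    bytes.fromhex("2a864886f70d010101"): "RSA",  # 1.2.840.113549.1.1.1 rsaEncryption
    bytes.fromhex("2a8648ce380401"): "DSA",      # 1.2.840.10040.4.1 id-dsa
    bytes.fromhex("2a8648ce3d0201"): "EC",       # 1.2.840.10045.2.1 id-ecPublicKey
}

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def public_key_algorithm(der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm OID."""
    _, pos, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(der, pos)         # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:                     # collect the top-level TBS fields
        fields.append(_tlv(der, pos))
        pos = fields[-1][2]
    spki = fields[6 if fields[0][0] == 0xA0 else 5]  # skip optional [0] EXPLICIT version
    _, alg, _ = _tlv(der, spki[1])           # AlgorithmIdentifier SEQUENCE
    _, start, end = _tlv(der, alg)           # its algorithm OBJECT IDENTIFIER
    return KEY_ALGS.get(der[start:end], "unknown")

def encryption_key_problems(metadata_xml):
    """(use, key algorithm) for every encryption-capable KeyDescriptor cert that is not RSA."""
    problems = []
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        use = kd.get("use")                  # no 'use' attribute means signing AND encryption
        for cert in kd.iter(DS + "X509Certificate"):
            alg = public_key_algorithm(base64.b64decode(cert.text))  # newlines in the text are ignored
            if use in (None, "encryption") and alg != "RSA":
                problems.append((use, alg))
    return problems

def sample_metadata(key_oid, use="encryption"):
    """Constructed SP metadata carrying a DER skeleton with an X.509 cert's field layout (dummy contents, not a valid signed cert) whose SPKI algorithm is key_oid."""
    der = lambda tag, p: bytes([tag, len(p)]) + p      # short-form length only
    seq = lambda *parts: der(0x30, b"".join(parts))
    spki = seq(seq(der(0x06, key_oid), der(0x05, b"")), der(0x03, b"\x00"))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), *([seq()] * 4), spki)
    b64 = base64.encodebytes(seq(tbs, seq(), der(0x03, b"\x00"))).decode()  # contains newlines
    attr = f' use="{use}"' if use else ""
    return (f'<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}"><md:SPSSODescriptor><md:KeyDescriptor{attr}>'
            f'<ds:KeyInfo><ds:X509Certificate>\n{b64}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')
```

Point `encryption_key_problems` at a real metadata file's contents to get the same verdict openssl gave above; an empty list means every encryption-capable cert carries an RSA key.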