Error creating SP metadata when adding X509 certificate for encryption

Lipscomb, Gary glipscomb at csu.edu.au
Thu Mar 1 05:49:21 EST 2018 

I've modified the SP's metadata to use the KeyValue element to add the public key. I don't know if they have changed the padding from PKCS1.5

   <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyValue>
            <ds:RSAKeyValue>
            	<ds:Modulus>MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuhmq5s3VLyw3qLmu8Epb
JWXJ5kRiX9PyezBRz0irSbkeRJUe35wricISL0tvf9gioJQ6AmDlL/Zrd4JPq5yn
E6pfA9Me6YBGUyRo1Sxsz97voTE3aC4CKGYGe5+TOpozvak2cTny3c0DXiEe99+E
XFdxae7/NK4bmFCwaZsBr2QPVyZ1g+G31pfjRF+WBrcF9D26kOEpdHYNCg3fQfkB
........
........
KS5nestS+TMHmN7NO5M0Xk6GL4MxhgMN2R2YsRzuWLi6RhBiqi4QfP9jbZopFS+R
BGQQ5lwnoK82UMxYrJvstRjF/EtUsBpqTg03tv3MJjZPTOYnQWWuTX8YwLa36Hrx
RF8lxMj04YzBm8Bd31gT7gr7UIcjDEUtNWAZAkxt2mJBO29zlF5SprBZ0Gbq8bVh
//XSVm8BG8WN/lqG0a7JHq6GzORiD8ZHoEn3dvDS8y2b6nv13pqzskd7O0IwrJyW
BlZ59/VX+yggkmAP94LXLiMCAwEAAQ==</ds:Modulus>
	<ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>


Shibboleth is now happy but the SP vendor is now saying 

" The last errors that you received when testing the SSO connection means that the encrypted assertion that was sent was decrypted successfully but this decrypted assertion is again encrypted. Can you please create a SAML2 assertion and encrypted only once?"

------------------------ Error ------------------------
Error Code 8: Unable to decrypt the encrypted assertion.
------------------------ Error ------------------------
Error Code 8: We decrypted the assertion but the result is another encrypted assertion.

Is this at all possible?

Regards

Gary


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Tuesday, 27 February 2018 12:48 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Error creating SP metadata when adding X509 certificate for encryption

> I'm a bit confused. Are you saying even if I had a valid certificate not using the
> PKCS 1.5 in the SP metadata it wouldn't be used.

Certificates do not "use" RSA methods like PKCS 1.5. OAEP and PKCS1.5 are padding methods used when encrypting AES keys with RSA public keys. The certificate has nothing to do with this, it's merely a way of communicating a public key to begin with.

I don't recall exactly what it will do when there's an EncryptionMethod algorithm included that is barred. It may fall back to the OAEP padding method that's not broken or it may give up and assume the SP doesn't support anything else. I thought it did the latter, but you're not getting far enough to tell.

I simply was observing that they don't know what they're doing even more than was already noted and that using that metadata as is might not work even if the certificate weren't broken.

-- Scott

-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list