Error translating Base64 DER encoding into OpenSSL X509 structure
Nate Klingenstein
ndk at sudonym.me
Tue Aug 18 18:49:33 UTC 2020
All,
I'm trying to help out a SAMLtest user who's hitting this weird error that
I've only seen mentioned once on the list which was obviously bum
metadata. This is a homegrown IdP.
The error:
2020-08-18 18:30:49 DEBUG OpenSAML.MessageDecoder.SAML2 [1] [default]:
message from (
http://academiaback-sb.eba-4vfkg3f2.us-west-1.elasticbeanstalk.com/sso/metadata/369550
)
2020-08-18 18:30:49 DEBUG OpenSAML.MessageDecoder.SAML2 [1] [default]:
searching metadata for message issuer...
2020-08-18 18:30:49 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]
[default]: evaluating message flow policy (replay checking on, expiration
60)
2020-08-18 18:30:49 DEBUG XMLTooling.StorageService [1] [default]: inserted
record (_69742d45-82a1-4b4d-90dd-3b8795addf9c) in context (MessageFlow)
with expiration (1597775689)
2020-08-18 18:30:49 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]
[default]: validating signature profile
2020-08-18 18:30:49 DEBUG XMLTooling.KeyInfoResolver.Inline [1] [default]:
resolving ds:X509Certificate
2020-08-18 18:30:49 DEBUG XMLTooling.KeyInfoResolver.Inline [1] [default]:
resolved 1 certificate(s)
2020-08-18 18:30:49 DEBUG XMLTooling.KeyInfoResolver.Inline [1] [default]:
resolved 0 CRL(s)
2020-08-18 18:30:49 DEBUG XMLTooling.KeyInfoResolver.Inline [1] [default]:
resolving ds:X509Certificate
2020-08-18 18:30:49 ERROR XMLTooling.KeyInfoResolver.Inline [1] [default]:
caught XML-Security exception loading certificate: OpenSSL:X509 - Error
translating Base64 DER encoding into OpenSSL X509 structure
The metadata:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="AdrianIdP" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
entityID="http://academiaback-sb.eba-4vfkg3f2.us-west-1.elasticbeanstalk.com/sso/metadata/369550">
<IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
<Extensions>
<!-- Display information about this IdP that can be used by SP's and
discovery
services to identify the IdP meaningfully for end users -->
<mdui:UIInfo>
<mdui:DisplayName xml:lang="en">Adrian IdP</mdui:DisplayName>
<mdui:Description xml:lang="en">Adrian IdP</mdui:Description>
</mdui:UIInfo>
</Extensions>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://academiaback-sb.eba-4vfkg3f2.us-west-1.elasticbeanstalk.com/sso/SingleLogoutService/369550"/>
<!--
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
-->
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://academiaback-sb.eba-4vfkg3f2.us-west-1.elasticbeanstalk.com/sso/SingleSignOnService/369550"/>
</IDPSSODescriptor>
</EntityDescriptor>
When I use OpenSSL from the command line (openssl x509 -in /opt/adrian.crt
-text) the signature certificate passes through just fine. It chokes on
the encryption certificate with:
unable to load certificate
140460810819472:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1220:
140460810819472:error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=X509_CINF
140460810819472:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:720:Field=cert_info, Type=X509
140460810819472:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
lib:pem_oth.c:83:
But I would have expected that to throw an error later on in assertion
decryption.
Anyone have any guesses?
Thanks in advance,
Nate.
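An added check, not part of the original post: the OpenSSL error above ("wrong tag" while decoding Field=cert_info, Type=X509_CINF) means the outer DER SEQUENCE parsed, but its first child was not the tbsCertificate SEQUENCE a Certificate must start with. The encryption blob in the post begins `MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw`, which decodes to SEQUENCE { INTEGER 0, AlgorithmIdentifier rsaEncryption, OCTET STRING ... }, the header of a PKCS#8 PrivateKeyInfo rather than a certificate. The script below (my own code; all function names are mine, and FAKE_CERT / FAKE_PKCS8 are constructed shape samples, not real credentials) classifies the content of a ds:X509Certificate element by the tags of its top-level DER children, so a metadata linter can flag this before an SP ever sees it.

```python
import base64
import re

SEQ, INT, BIT, OCT, OID, NULL = 0x30, 0x02, 0x03, 0x04, 0x06, 0x05

def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_der(der: bytes) -> str:
    """Name the structure by the tags of its top-level children (tolerates a truncated tail)."""
    if not der or der[0] != SEQ:
        return "not-der-sequence"
    _, body, _ = read_tlv(der)
    tags, pos = [], 0
    while pos + 1 < len(body):
        tag, _, pos = read_tlv(body, pos)
        tags.append(tag)
    if tags[:3] == [SEQ, SEQ, BIT]:
        return "x509-certificate"         # Certificate ::= { tbsCertificate, signatureAlgorithm, signature }
    if tags[:2] == [SEQ, BIT]:
        return "subject-public-key-info"  # SPKI ::= { algorithm, subjectPublicKey }; also wrong here
    if tags[:3] == [INT, SEQ, OCT]:
        return "pkcs8-private-key"        # PrivateKeyInfo ::= { version, privateKeyAlgorithm, privateKey }
    return "unknown-der"

def classify_x509certificate_text(text: str) -> str:
    """Classify the text content of a ds:X509Certificate element (PEM armour and whitespace tolerated)."""
    b64 = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    b64 = re.sub(r"\s+", "", b64)
    return classify_der(base64.b64decode(b64 + "=" * (-len(b64) % 4)))

def tlv(tag: int, content: bytes) -> bytes:
    """DER-encode one TLV; used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

RSA_ALG = tlv(SEQ, tlv(OID, bytes.fromhex("2a864886f70d010101")) + tlv(NULL, b""))  # rsaEncryption, NULL
FAKE_CERT = tlv(SEQ, tlv(SEQ, b"tbs" * 60) + RSA_ALG + tlv(BIT, b"\x00sig"))        # constructed shape only
FAKE_PKCS8 = tlv(SEQ, tlv(INT, b"\x00") + RSA_ALG + tlv(OCT, b"\x00" * 300))        # constructed shape only
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_CERT).decode() + "\n-----END CERTIFICATE-----\n"
POST_PREFIX = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw"  # first 36 base64 chars of the post's encryption blob (header only)
```

A blob that classifies as a private key has been published along with the metadata, so the fix is both to put the certificate into the KeyDescriptor and to treat that key as compromised and replace it.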