Ex: Error translating Base64 DER encoding into OpenSSL X509 structure

Nate Klingenstein ndk at sudonym.me
Wed Aug 19 04:32:01 UTC 2020


Yes, it was strange to me that a bad encryption certificate would result in
a failure to validate a signature when the signature certificate was
valid.  I hypothesized the SP might just throw out all the certificates
when it hit a bad one and give up on the whole operation, but after further
digging, I don't think that was the case.

In the post-mortem and after I posed the question, I think the ultimate
issues were two: both a bad encryption certificate and a signature that was
being applied to the wrong source data (they were apparently signing just a
fixed SignedInfo element rather than the Response element, even though the
reference was to the XML ID of the Response), so there were two errors that
were unrelated to each other.

The joys of someone else rolling their own crypto...

On Tue, Aug 18, 2020 at 10:23 PM Paul B. Henson <henson at cpp.edu> wrote:

> > From: Nate Klingenstein
> > Sent: Tuesday, August 18, 2020 11:50 AM
> [...]
> > 2020-08-18 18:30:49 ERROR XMLTooling.KeyInfoResolver.Inline [1]
> [default]:
> > caught XML-Security exception loading certificate: OpenSSL:X509 - Error
> > translating Base64 DER encoding into OpenSSL X509 structure
> [...]
> > unable to load certificate
>
> Dunno, looks like bad certificate data in the metadata to me. If openssl
> can't parse it, it's pretty clearly not valid? I assume it parses the
> certificates when it reads the metadata, not when it actually needs the
> certificate to do any cryptography.
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
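A metadata pre-check in the spirit of Paul's "if openssl can't parse it, it's not valid" point, added here as an example (not code from this thread, nor from Shibboleth or OpenSSL): it pulls every X509Certificate out of SAML metadata, strips embedded whitespace, base64-decodes it strictly and checks the outer DER framing, reporting per KeyDescriptor use so a bad encryption certificate shows up separately from a good signing one. The metadata and the certificate bytes are constructed placeholders, not real certificates, and the DER check is deliberately shallow (a real parse with openssl x509 -inform DER remains the authority).

```python
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def der_length(buf, pos):
    """Parse the DER length field at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def check_x509_base64(text):
    """Return None if text looks like a base64 DER Certificate, else why it would not load."""
    cleaned = "".join(text.split())       # whitespace inside the element is legal, strip it
    if "-----" in cleaned:
        return "PEM armor inside X509Certificate element"
    try:
        der = base64.b64decode(cleaned, validate=True)   # strict alphabet and padding
        if der[0] != 0x30:
            return "does not start with a DER SEQUENCE"
        length, body = der_length(der, 1)
    except (ValueError, IndexError) as exc:              # binascii.Error is a ValueError
        return f"undecodable: {exc}"
    if body + length != len(der):         # truncated, or trailing garbage after the cert
        return f"DER length mismatch: header says {length}, got {len(der) - body}"
    if length == 0 or der[body] != 0x30:  # tbsCertificate must itself be a SEQUENCE
        return "missing tbsCertificate SEQUENCE"
    return None

def check_metadata_certs(metadata_xml):
    """Return [(KeyDescriptor use, problem or None)] for every certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(kd.get("use", "any"), check_x509_base64(cert.text or ""))
            for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate")]

# Constructed placeholders, not real certificates: a minimal DER SEQUENCE and a truncated copy.
GOOD_B64 = base64.b64encode(bytes.fromhex("30053003020101")).decode()
BAD_B64 = base64.b64encode(bytes.fromhex("30053003")).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.org">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {GOOD_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{BAD_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Running `check_metadata_certs(SAMPLE_METADATA)` on the sample reports the signing certificate as clean and the encryption one as a DER length mismatch, which is the shape of failure behind the "Error translating Base64 DER encoding" log line quoted above.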