shibboleth-dev - RE: Shibboleth SP - Handling Encrypted Assertions

  • Subject: RE: Shibboleth SP - Handling Encrypted Assertions
  • Date: Wed, 12 Mar 2008 01:32:31 -0400

I screwed up the sequence of events as associated with the logfiles I
posted (I described the failure from one SP, while posting the logfiles
from a second SP). So it's no wonder that the error didn't make sense.
When the testing switched from one pair of IDPs/SPs to another that
could be changed, the key exchange algorithm was changed from rsa-1_5 to
RSA-OAEP, and the errors I posted to the list were from the RSA-OAEP
exchange algorithm, which I believe this other IDP is screwing up (we
switched this back to using rsa-1_5 after Brent suggested that, but not
before adding the X509 certificate to the Key Exchange).

So there is a problem with this product and RSA-OAEP (I'm not sure they
even intended to support RSA-OAEP, so I'll look into that separately),
which is what generated the error message I posted previously.

The original error message I should have posted was:

2008-03-11 16:30:14 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [4]: signature verified against message issuer
2008-03-11 16:30:14 DEBUG Shibboleth.SSO.SAML2 [4]: processing message against SAML 2.0 SSO profile
2008-03-11 16:30:14 DEBUG XMLTooling.KeyInfoResolver.Inline [4]: resolved 0 certificate(s)
2008-03-11 16:30:14 ERROR Shibboleth.SSO.SAML2 [4]: Unable to locate an encrypted key.


This shibboleth instance is only configured with a single credential
resolver, but I guess based on that error message, it does not find any
key with which to attempt decryption? Could it be that the credential
pair I have is marked oddly such that Shibboleth by default assumes it
is only to be used for signing?

(I assume there is no interest in analyzing the RSA-OAEP key exchange
problem, since I believe the problem is internal to this other product,
but if you want more details on that, hit me off list, and I can get you
a copy of the assertion that failed and a copy of the relevant key
material as well)


-----Original Message-----
From: Scott Cantor
Sent: Wednesday, March 12, 2008 12:02 AM
Subject: Re: Shibboleth SP - Handling Encrypted Assertions

Is your SP running with more than one key? The logging sequence is odd,
because that exception message normally would either indicate the wrong key
was used to attempt decryption, or some other error occurred (which would be
logged ahead of that message).

Even if the wrong key was used, the code's not expecting that result. There
are two spots where that exception message is thrown, and one of them just
doesn't fit. The other one happens if the result of a decryption attempt
returns an unexpected number of decrypted bytes (<0), so I may have misread
the documentation (i.e. the code) in the xmlsec library for the decryption
method.

But if your SP is running with one key and it matches what the IdP encrypted
the symmetric key with, there's probably a crypto bug, which is unlikely to
be fixable by me, at least in a Shibboleth capacity.

I don't think the problem is with the lack of the KeyInfo. That would cause
other errors to show up if it literally couldn't come up with a key to try
(namely "Unable to resolve any key decryption keys.").

-- Scott
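The thread turns on three facts about the EncryptedAssertion the IdP sent: whether an EncryptedKey can be located at all, which key transport algorithm it names (rsa-1_5 vs RSA-OAEP), and whether its KeyInfo carries a certificate the SP can use to pick a decryption key. The script below is an added diagnostic that reports exactly those facts from a SAML 2.0 Response; it is not Shibboleth SP or OpenSAML code, it does not decrypt anything, and the Response it inspects is constructed inline with placeholder entity IDs, element Ids and CipherValues (the `build_sample` helper and everything it emits are assumptions for the demo, not material from this thread).

```python
"""Report how a SAML 2.0 EncryptedAssertion is keyed (added diagnostic, not SP code).

Checks performed on the XML Encryption structure:
  * is there an EncryptedKey at all, either inline under EncryptedData/ds:KeyInfo
    or as a sibling of EncryptedData (optionally referenced by ds:RetrievalMethod);
  * which key transport algorithm the EncryptedKey names (rsa-1_5 vs RSA-OAEP);
  * whether the EncryptedKey carries an X509Certificate identifying the recipient key;
  * whether every RetrievalMethod reference resolves to an EncryptedKey Id.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"


def build_sample(key_transport=RSA_15, include_key=True, include_cert=True):
    """Construct a minimal Response/EncryptedAssertion for the demo (assumed layout).

    Entity IDs, Ids and CipherValues are placeholders, not real ciphertext.
    """
    cert = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>" if include_cert else "")
    enc_key = (f'<xenc:EncryptedKey Id="ek1" Recipient="https://sp.example.org/shibboleth">'
               f'<xenc:EncryptionMethod Algorithm="{key_transport}"/>{cert}'
               '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
               '</xenc:EncryptedKey>' if include_key else "")
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:xenc="{NS["xenc"]}" xmlns:ds="{NS["ds"]}" ID="r1" Version="2.0">'
        '<saml:EncryptedAssertion>'
        f'<xenc:EncryptedData Type="{NS["xenc"]}Element">'
        f'<xenc:EncryptionMethod Algorithm="{AES128_CBC}"/>'
        f'<ds:KeyInfo><ds:RetrievalMethod URI="#ek1" Type="{NS["xenc"]}EncryptedKey"/></ds:KeyInfo>'
        '<xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>'
        f'</xenc:EncryptedData>{enc_key}'
        '</saml:EncryptedAssertion></samlp:Response>'
    )


def _algorithm(elem):
    method = elem.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def inspect_encrypted_assertion(xml_text):
    """Return a dict describing how the first EncryptedAssertion is keyed."""
    root = ET.fromstring(xml_text)
    ea = root.find(".//saml:EncryptedAssertion", NS)
    data = ea.find("xenc:EncryptedData", NS)
    # Candidate EncryptedKey elements: inline in EncryptedData's KeyInfo, or
    # siblings of EncryptedData (the layout the SAML 2.0 profiles recommend).
    keys = (data.findall("ds:KeyInfo/xenc:EncryptedKey", NS)
            + ea.findall("xenc:EncryptedKey", NS))
    ids = {k.get("Id") for k in keys}
    refs = [rm.get("URI") for rm in data.findall("ds:KeyInfo/ds:RetrievalMethod", NS)]
    return {
        "data_algorithm": _algorithm(data),
        "encrypted_key_count": len(keys),
        "key_transport": [_algorithm(k) for k in keys],
        "key_has_x509": [k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
                         for k in keys],
        "recipients": [k.get("Recipient") for k in keys],
        "unresolved_refs": [u for u in refs if not (u.startswith("#") and u[1:] in ids)],
    }


def findings(report):
    """Translate the report into the checks a practitioner would act on."""
    notes = []
    if report["encrypted_key_count"] == 0:
        notes.append("no EncryptedKey located (inline or sibling); nothing to decrypt with")
    for alg in report["key_transport"]:
        if alg == RSA_OAEP:
            notes.append("key transport is RSA-OAEP; confirm both IdP and SP support it")
        elif alg != RSA_15:
            notes.append(f"unexpected key transport algorithm: {alg}")
    if report["encrypted_key_count"] and not any(report["key_has_x509"]):
        notes.append("EncryptedKey carries no X509Certificate; the SP cannot match a key by certificate")
    if report["unresolved_refs"]:
        notes.append(f"RetrievalMethod points at no EncryptedKey: {report['unresolved_refs']}")
    return notes


if __name__ == "__main__":
    for label, sample in [("rsa-1_5 with cert", build_sample()),
                          ("RSA-OAEP", build_sample(key_transport=RSA_OAEP)),
                          ("no EncryptedKey", build_sample(include_key=False))]:
        report = inspect_encrypted_assertion(sample)
        print(label, report, findings(report), sep="\n  ")
```

Run it against a captured Response (replace the `build_sample()` call with the file contents) before touching SP configuration: if the report shows no EncryptedKey or an unresolved RetrievalMethod, the problem is in what the IdP emitted; if the key is present but named with RSA-OAEP, that is the algorithm mismatch the thread describes; if it is present with rsa-1_5 and a certificate that matches the SP's credential, the remaining suspects are the SP's key configuration and the decryption library itself.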


