ComponentSpace

Forums



Unsupported key encryption method http://www.w3.org/2009/xmlenc11#rsa-oaep


Unsupported key encryption method...

Author
Message
Andrix
Andrix
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 2, Visits: 13
I am getting "unsupported key encryption method" exception when trying to decode IdP response.
We are dealing with IdPs which we don't control.
Is there anything we can do enable this algorithm within ComponentSpace ?

This is part of the response, formatted for readability:

<xenc:EncryptedData Id="_5632a10009b70a2c34b875e40c9b1706" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Id="_841aa1a3fd5f9b047853d8f18ab4ab6a" Recipient="******************************" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" />
</xenc:EncryptionMethod><ds:KeyInfo>.....


The exception:


SP: Error in assertion consumer service -- Unsupported key encryption method http://www.w3.org/2009/xmlenc11#rsa-oaep:  at ComponentSpace.SAML2.Utility.XmlEncryption.Decrypt(XmlElement encryptedElement, XmlNodeList encryptedKeysNodeList, AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlEncryption.cs:line 464
 at ComponentSpace.SAML2.Assertions.EncryptedAssertion.DecryptToXml(AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Assertions\EncryptedAssertion.cs:line 765
 at ComponentSpace.SAML2.Assertions.EncryptedAssertion.Decrypt(AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Assertions\EncryptedAssertion.cs:line 1100
....

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.9K
We support the following key encryption algorithms.
http://www.w3.org/2001/04/xmlenc#rsa-1_5
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
The most commonly used algorithm, whose support is mandatory as per the XML encryption specification, is:
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
I'm afraid we don't support http://www.w3.org/2009/xmlenc11#rsa-oaep.
I suggest asking the identity provider to switch to http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.

Regards
ComponentSpace Development
Andrix
Andrix
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 2, Visits: 13

Isn't that the same thing ?
Per http://shibboleth.net/pipermail/dev/2015-February/006014.html, it sounds like rsa-oaep and rsa-oaep-mgf1p are the same as far as Shibboleth IdP is concerned.
Anyway, it's not possible modify this in IdP itself, but I was able to work around the problem by removing rsa-oaep entry from our SP metadata given to Idp:


<md:SPSSODescriptor ...>
   <md:KeyDescriptor>
      ...
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
     <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
     <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
     <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
                    <!-- <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/> -->
     <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>



ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.9K
These are different algorithms.
The XML encryption specification (https://www.w3.org/TR/xmlenc-core1/) states:
Key Transport
REQUIRED RSA-OAEP (including MGF1 with SHA1)
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
Optional RSA-OAEP
http://www.w3.org/2009/xmlenc11#rsa-oaep
OPTIONAL RSA-v1.5 (see RSA-v1.5 security note)
http://www.w3.org/2001/04/xmlenc#rsa-1_5
Anyway, I'm glad you found a workaround and thanks for sharing.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search