Hi all,
We are trying to decrypt the following SAML token using Perl.
<?xml version="1.0" encoding="UTF-8"?>
<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs
+.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse>
<trust:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/200
+4/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-07-07T16:09:50
+.137Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/200
+4/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-07-07T17:09:50
+.137Z</wsu:Expires>
</trust:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/0
+9/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addres
+sing">
<Address>https://www.someserver.co.uk/cgi-bin/saml/sam
+l.pl</Address>
</EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:ass
+ertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001
+/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.or
+g/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#
+">
<e:EncryptedKey xmlns:e="http://www.w3.org/200
+1/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.
+w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3
+.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="htt
+p://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
+t-1.0.xsd">
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=SeeMyDa
+ta, OU=Web Security, O=SomeCompany, C=GB</X509IssuerName>
<X509SerialNumber>12698354
+7625965664326654654</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>encrypted string_1 goes
+ here</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>encrypted string_2 goes here
+</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
</trust:RequestedSecurityToken>
<trust:RequestedAttachedReference>
<SecurityTokenReference xmlns="http://docs.oasis-open.org/
+wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:d4p1="h
+ttp://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" d4
+p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-pro
+file-1.1#SAMLV2.0">
<KeyIdentifier ValueType="http://docs.oasis-open.org/w
+ss/oasis-wss-saml-token-profile-1.1#SAMLID">_8fad4766-e906-4f78-b8aa-
+b1abdfe3f621</KeyIdentifier>
</SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<SecurityTokenReference xmlns="http://docs.oasis-open.org/
+wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:d4p1="h
+ttp://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" d4
+p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-pro
+file-1.1#SAMLV2.0">
<KeyIdentifier ValueType="http://docs.oasis-open.org/w
+ss/oasis-wss-saml-token-profile-1.1#SAMLID">_8fad4766-e906-4f78-b8aa-
+b1abdfe3f621</KeyIdentifier>
</SecurityTokenReference>
</trust:RequestedUnattachedReference>
<trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:
+TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/2
+00512/Issue</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/20051
+2/Bearer</trust:KeyType>
</trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>
If our understanding is correct we need to first extract the signature key value from the encrypted string held at string_1 above. We have created the following code to achieve this.
#!/usr/bin/perl
## Remove this when errors are resolved
use diagnostics -verbose; #print warning diagnostics
use CGI qw(:standard);
use CGI::Carp qw(fatalsToBrowser);
use Convert::PEM;
use Crypt::OpenSSL::RSA;
use MIME::Base64;
use strict;
my $private_key = '/path/to/privatekey.pem';
my $encrypted_string =q(encrypted string_1 value);
my $password = 'OurPassword';
my $key = decryptPrivate($private_key,$password,$encrypted_string);
print "Content-type: text/html\n\n";
print "$key<br>";
exit;
sub decryptPrivate {
my ($private_key,$password,$string) = @_;
my $key_string = readPrivateKey($private_key,$password);
return(undef) unless ($key_string); # Decrypt failed.
my $private = Crypt::OpenSSL::RSA->new_private_key($key_string) ||
die "$!";
$private->decrypt(decode_base64($string));
#$private->decrypt($string);
}
sub readPrivateKey {
my ($file,$password) = @_;
my $key_string;
$key_string = decryptPEM($file,$password);
}
sub decryptPEM {
my ($file,$password) = @_;
my $pem = Convert::PEM->new(
Name => 'RSA PRIVATE KEY',
ASN => qq(
RSAPrivateKey SEQUENCE {
version INTEGER,
n INTEGER,
e INTEGER,
d INTEGER,
p INTEGER,
q INTEGER,
dp INTEGER,
dq INTEGER,
iqmp INTEGER
}
));
my $pkey = $pem->read(Filename => $file, Password => $password);
return(undef) unless ($pkey); # Decrypt failed.
$pem->encode(Content => $pkey);
}
Despite trying every combination we can think of we just cannot seem to crack the decryption here. I am now starting to wonder if our logic is flawed and we are processing the SAML token incorrectly or there is something else that needs to be done. I've tied uri_decoding without success, different cipher values and we now have most of the Crypt modules installed on our server including Crypt::RSA that I thought looked promising. That generates an error though.
We been struggling with this for over a week now so it is time to seek help.
Thanks in advance to anyone who is able to help us with this.
Probably also worth adding that the output that we get when running the above script appears as:
�axl������Q� ��&�;�݉B6,�}Y�h9r
If I change the encrypted string in any way then I get a "oaep encoding error" instead so it looks like the code works but the cipher or hash or something is wrong perhaps?