SquirrelHead has asked for the wisdom of the Perl Monks concerning the following question:
Hi all,
We are trying to decrypt the following SAML token using Perl.
If our understanding is correct we need to first extract the signature key value from the encrypted string held at string_1 above. We have created the following code to achieve this.<?xml version="1.0" encoding="UTF-8"?> <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs +.oasis-open.org/ws-sx/ws-trust/200512"> <trust:RequestSecurityTokenResponse> <trust:Lifetime> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/200 +4/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-07-07T16:09:50 +.137Z</wsu:Created> <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/200 +4/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-07-07T17:09:50 +.137Z</wsu:Expires> </trust:Lifetime> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/0 +9/policy"> <EndpointReference xmlns="http://www.w3.org/2005/08/addres +sing"> <Address>https://www.someserver.co.uk/cgi-bin/saml/sam +l.pl</Address> </EndpointReference> </wsp:AppliesTo> <trust:RequestedSecurityToken> <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:ass +ertion"> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001 +/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.or +g/2001/04/xmlenc#aes256-cbc" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig# +"> <e:EncryptedKey xmlns:e="http://www.w3.org/200 +1/04/xmlenc#"> <e:EncryptionMethod Algorithm="http://www. +w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> <DigestMethod Algorithm="http://www.w3 +.org/2000/09/xmldsig#sha1" /> </e:EncryptionMethod> <KeyInfo> <o:SecurityTokenReference xmlns:o="htt +p://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex +t-1.0.xsd"> <X509Data> <X509IssuerSerial> <X509IssuerName>CN=SeeMyDa +ta, OU=Web Security, O=SomeCompany, C=GB</X509IssuerName> <X509SerialNumber>12698354 +7625965664326654654</X509SerialNumber> </X509IssuerSerial> </X509Data> </o:SecurityTokenReference> </KeyInfo> <e:CipherData> <e:CipherValue>encrypted string_1 goes + here</e:CipherValue> </e:CipherData> </e:EncryptedKey> </KeyInfo> <xenc:CipherData> <xenc:CipherValue>encrypted string_2 goes here +</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </EncryptedAssertion> </trust:RequestedSecurityToken> <trust:RequestedAttachedReference> <SecurityTokenReference xmlns="http://docs.oasis-open.org/ +wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:d4p1="h +ttp://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" d4 +p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-pro +file-1.1#SAMLV2.0"> <KeyIdentifier ValueType="http://docs.oasis-open.org/w +ss/oasis-wss-saml-token-profile-1.1#SAMLID">_8fad4766-e906-4f78-b8aa- +b1abdfe3f621</KeyIdentifier> </SecurityTokenReference> </trust:RequestedAttachedReference> <trust:RequestedUnattachedReference> <SecurityTokenReference xmlns="http://docs.oasis-open.org/ +wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:d4p1="h +ttp://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" d4 +p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-pro +file-1.1#SAMLV2.0"> <KeyIdentifier ValueType="http://docs.oasis-open.org/w +ss/oasis-wss-saml-token-profile-1.1#SAMLID">_8fad4766-e906-4f78-b8aa- +b1abdfe3f621</KeyIdentifier> </SecurityTokenReference> </trust:RequestedUnattachedReference> <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust: +TokenType> <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/2 +00512/Issue</trust:RequestType> <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/20051 +2/Bearer</trust:KeyType> </trust:RequestSecurityTokenResponse> </trust:RequestSecurityTokenResponseCollection>
Despite trying every combination we can think of we just cannot seem to crack the decryption here. I am now starting to wonder if our logic is flawed and we are processing the SAML token incorrectly or there is something else that needs to be done. I've tied uri_decoding without success, different cipher values and we now have most of the Crypt modules installed on our server including Crypt::RSA that I thought looked promising. That generates an error though. We been struggling with this for over a week now so it is time to seek help. Thanks in advance to anyone who is able to help us with this. Probably also worth adding that the output that we get when running the above script appears as: �axl������Q� ��&�;�݉B6,�}Y�h9r If I change the encrypted string in any way then I get a "oaep encoding error" instead so it looks like the code works but the cipher or hash or something is wrong perhaps?#!/usr/bin/perl ## Remove this when errors are resolved use diagnostics -verbose; #print warning diagnostics use CGI qw(:standard); use CGI::Carp qw(fatalsToBrowser); use Convert::PEM; use Crypt::OpenSSL::RSA; use MIME::Base64; use strict; my $private_key = '/path/to/privatekey.pem'; my $encrypted_string =q(encrypted string_1 value); my $password = 'OurPassword'; my $key = decryptPrivate($private_key,$password,$encrypted_string); print "Content-type: text/html\n\n"; print "$key<br>"; exit; sub decryptPrivate { my ($private_key,$password,$string) = @_; my $key_string = readPrivateKey($private_key,$password); return(undef) unless ($key_string); # Decrypt failed. my $private = Crypt::OpenSSL::RSA->new_private_key($key_string) || die "$!"; $private->decrypt(decode_base64($string)); #$private->decrypt($string); } sub readPrivateKey { my ($file,$password) = @_; my $key_string; $key_string = decryptPEM($file,$password); } sub decryptPEM { my ($file,$password) = @_; my $pem = Convert::PEM->new( Name => 'RSA PRIVATE KEY', ASN => qq( RSAPrivateKey SEQUENCE { version INTEGER, n INTEGER, e INTEGER, d INTEGER, p INTEGER, q INTEGER, dp INTEGER, dq INTEGER, iqmp INTEGER } )); my $pkey = $pem->read(Filename => $file, Password => $password); return(undef) unless ($pkey); # Decrypt failed. $pem->encode(Content => $pkey); }
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: Perl and Encrypted SAML Token
by GrandFather (Saint) on Jul 22, 2015 at 10:07 UTC | |
by SquirrelHead (Initiate) on Jul 22, 2015 at 14:13 UTC | |
Re: Perl and Encrypted SAML Token
by codiac (Beadle) on Jul 22, 2015 at 10:13 UTC | |
by SquirrelHead (Initiate) on Jul 22, 2015 at 14:15 UTC | |
Re: Perl and Encrypted SAML Token
by rdfield (Priest) on Jun 12, 2017 at 13:01 UTC | |
Re: Perl and Encrypted SAML Token
by Anonymous Monk on Jul 22, 2015 at 00:11 UTC | |
by SquirrelHead (Initiate) on Jul 22, 2015 at 00:18 UTC | |
by Anonymous Monk on Jul 22, 2015 at 01:07 UTC | |
by SquirrelHead (Initiate) on Jul 22, 2015 at 01:31 UTC |
Back to
Seekers of Perl Wisdom