|Pathologically Eclectic Rubbish Lister|
Re: Perl and Encrypted SAML Tokenby rdfield (Priest)
|on Jun 12, 2017 at 13:01 UTC||Need Help??|
Not sure if this helps, since the SAML2 Assertion XML is somewhat different, but here it is anyway:
1. generate a public/private key pair for encryption use
2. went to https://www.samltool.com/encrypt.php and generated an encrypted SAML2 Assertion, using RSA_OAEP_MGF1P for "Encrypted Method for key", "AES128_CBC" for "Encrypted Method for the data" and the public cert from step 1. Saved the output to a file, encrypted_assertion.xml
3. My private key was in PKCS#8 format, so generated a PKCS#1 version of it using openssl rsa -in myenc.key -out myenc1.key (the Perl code I use only accepts PKCS#1 format)
4. from the SAML2 spec I see that the first 128bits of the encrypted data is actually the IV, https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#aes128-cbc (section 5.2.2)
5. using the code from http://stuff-things.net/2007/05/02/encrypting-sensitive-data-with-perl/ to retrieve the encrypted key from the XML (hence the PKCS#1 version of the private key in step 3, to use in the CBC decoding of the data, I came up with the following code (after much trial and error with the Crypt::CBC parameters):
There are some junk characters at the end of the output, I guess it's some padding.
This takes 0.455s to run.
Using perl -e 'print `xmlsec1 --decrypt --privkey-pem myenc.key encrypted_assertion.xml`' takes 0.015s, and outputs no junk.