OPENAM-17201

XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0.2, 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3, 7.0.0, 6.5.3, 7.0.1
    • Fix Version/s: None
    • Component/s: SAML
    • Environment: Oracle JDK 1.8.0_201-b09, Apache Tomcat 9.0.8, AM 6.5.2.3

      Description

      Bug description

      The 'EncryptedKey' element in the SAML message does not comply with the XML Encryption specification https://www.w3.org/TR/xmlenc-core1/ when 'rsa-oaep-mgf1p' is being used.

      How to reproduce the issue

      1. Set up AM as hosted SP
      2. Set up another AM as hosted IdP
      3. Create the SAML trust and configure the KeyDescriptor in the IdP's metadata to use 'rsa-oaep-mgf1p'
      4. Configure the SP to encrypt the NameID
      5. Perform SP-initiated SSO
      6. Perform SP-initiated SLO using the HTTP POST binding

      Expected behaviour
      The EncryptedKey element in the SLO request should be spec compliant.

      Current behaviour
      The EncryptedKey element is not spec compliant.

      EncryptedKey element present in the SAML message:
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <xenc11:MGF xmlns:null="http://www.w3.org/2009/xmlenc11#" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
        </xenc:EncryptionMethod>
        <xenc:CipherData>
          <xenc:CipherValue>VCV...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
      

      https://www.w3.org/TR/xmlenc-core1/#sec-RSA-OAE states:

      The http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p identifier defines the mask generation function as the fixed value of MGF1 with SHA1. In this case the optional xenc11:MGF element of the xenc:EncryptionMethod element MUST NOT be provided.

      The bug is caused by Apache Santuario; it is potentially fixed by https://issues.apache.org/jira/browse/SANTUARIO-293
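      As an added example (not code from this issue, OpenAM or Santuario), a small Python check that applies the quoted rule to an EncryptedKey element: with 'rsa-oaep-mgf1p' any xenc11:MGF child is a violation, while with the xenc11 'rsa-oaep' identifier an MGF1 xenc11:MGF child is accepted. The non-compliant sample is the element from this report with the missing namespace declarations added; the compliant sample is a constructed copy of it without xenc11:MGF.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"  # MGF fixed to MGF1/SHA-1; xenc11:MGF MUST NOT appear
RSA_OAEP = XENC11 + "rsa-oaep"            # xenc11:MGF is optional here


def check_encrypted_key(xml_text):
    """Return a list of violations of the xenc11:MGF rule for the xenc:EncryptedKey in xml_text.

    An empty list means the element passes this check (other spec rules are not covered).
    """
    root = ET.fromstring(xml_text)
    ek = root if root.tag == f"{{{XENC}}}EncryptedKey" else root.find(f".//{{{XENC}}}EncryptedKey")
    if ek is None:
        return ["no xenc:EncryptedKey element found"]
    method = ek.find(f"{{{XENC}}}EncryptionMethod")
    if method is None:
        return ["xenc:EncryptedKey has no xenc:EncryptionMethod child"]
    alg = method.get("Algorithm")
    mgf = method.find(f"{{{XENC11}}}MGF")
    if alg == RSA_OAEP_MGF1P and mgf is not None:
        return [f"xenc11:MGF MUST NOT be present with {alg}"]
    if alg == RSA_OAEP and mgf is not None and not mgf.get("Algorithm", "").startswith(XENC11 + "mgf1"):
        return [f"xenc11:MGF Algorithm {mgf.get('Algorithm')!r} is not an xenc11 MGF1 identifier"]
    return []


# Sample from the report, with xmlns declarations added so it parses stand-alone (constructed).
BAD_ENCRYPTED_KEY = """<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
  </xenc:EncryptionMethod>
  <xenc:CipherData><xenc:CipherValue>VCV...</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedKey>"""

# Constructed compliant form: same element without the forbidden xenc11:MGF child.
COMPLIANT_ENCRYPTED_KEY = """<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </xenc:EncryptionMethod>
  <xenc:CipherData><xenc:CipherValue>VCV...</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedKey>"""

if __name__ == "__main__":
    for name, sample in (("report sample", BAD_ENCRYPTED_KEY), ("compliant sample", COMPLIANT_ENCRYPTED_KEY)):
        print(name, "->", check_encrypted_key(sample) or "OK")
```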

        People

        Assignee: Unassigned
        Reporter: Bernhard Thalmayr (bthalmayr)