OpenAM / OPENAM-8862

Encryption key size is not read from Service Provider (SP) metadata in a spec-compliant way

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0, 6.5.0.1
    • Fix Version/s: None
    • Component/s: SAML
    • Story Points: 2

      Description

      OpenAM successfully imported the SP metadata, which includes

          <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data>
                <ds:X509Certificate>ENCODED_CERTIFICATE</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc">
              <md:keysize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">265</md:keysize>
            </md:EncryptionMethod>
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          </md:KeyDescriptor>
      

      However, this leads to the following error later on, when encryption is used:

      ERROR: FMEncProvider.encrypt: Data encryption algorithm http://www.w3.org/2001/04/xmlenc#aes256-cbcand strength 0 mismatch.
      libSAML2:05/07/2016 01:12:45:943 PM EDT: Thread[http-bio-8443-exec-3,5,main]
      ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
      com.sun.identity.saml2.common.SAML2Exception: Data encryption algorithm and strength mismatch.
      

      According to https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-EncryptionMethod:

      The presence of any child element under EncryptionMethod which is not permitted by the algorithm or the presence of a KeySize child inconsistent with the algorithm MUST be treated as an error. (All algorithm URIs specified in this document imply a key size but this is not true in general. Most popular stream cipher algorithms take variable size keys.)
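The following checker is an added example written from the XML Encryption rule quoted above; it is not OpenAM code and does not reproduce the FMEncProvider logic that produced the log lines. It parses the KeyDescriptor from this issue and reports, per md:EncryptionMethod, whether the key size is carried in the element xmlenc actually defines (KeySize in the http://www.w3.org/2001/04/xmlenc# namespace) and whether it agrees with the size the algorithm URI implies (256 bits for aes256-cbc). Assumptions that are mine rather than the page's: the EntityDescriptor/SPSSODescriptor wrapper and the entityID around the snippet are constructed so the fragment parses on its own, the table of implied key sizes covers the block-cipher URIs of XML Encryption 1.0, and a KeyDescriptor with no use attribute is treated as usable for encryption.

```python
"""Added example (not OpenAM code): check md:EncryptionMethod elements in SP
metadata against the XML Encryption rule quoted in the issue description.

Assumptions, all mine: the EntityDescriptor/SPSSODescriptor wrapper and the
entityID around the issue's KeyDescriptor snippet are constructed so that the
fragment parses stand-alone; the implied key sizes are those of the block
cipher URIs defined in XML Encryption 1.0."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
KEYSIZE_TAG = "{%s}KeySize" % XENC      # the element xmlenc actually defines
OAEP_TAG = "{%s}OAEPparams" % XENC

# Key size in bits implied by each block-cipher algorithm URI (XML Encryption 1.0).
IMPLIED_KEY_SIZE = {
    XENC + "tripledes-cbc": 192,
    XENC + "aes128-cbc": 128,
    XENC + "aes192-cbc": 192,
    XENC + "aes256-cbc": 256,
}

# The KeyDescriptor from the issue, wrapped in a constructed descriptor.
PAGE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>ENCODED_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc">
        <md:keysize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">265</md:keysize>
      </md:EncryptionMethod>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

BAD_KEYSIZE_LINE = '<md:keysize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">265</md:keysize>'
# Variants derived from the snippet: the spec-shaped element, a wrong value, and none at all.
FIXED_METADATA = PAGE_METADATA.replace(
    BAD_KEYSIZE_LINE, '<xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">256</xenc:KeySize>')
MISMATCH_METADATA = PAGE_METADATA.replace(
    BAD_KEYSIZE_LINE, '<xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">265</xenc:KeySize>')
NO_KEYSIZE_METADATA = PAGE_METADATA.replace(BAD_KEYSIZE_LINE, "")


def check_encryption_methods(metadata_xml):
    """Return (algorithm, key_size, verdict) per EncryptionMethod of encryption KeyDescriptors.

    key_size is the integer from an xenc:KeySize child, or None when there is none.
    Verdicts: "ok", "ok-implied" (no KeySize; the algorithm implies one),
    "not-xenc-keysize" (a child that is not xenc:KeySize/OAEPparams, e.g. md:keysize),
    "keysize-not-integer", "keysize-mismatch".
    """
    root = ET.fromstring(metadata_xml)
    findings = []
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        # use="signing" descriptors carry no data-encryption methods; no use means both.
        if kd.get("use", "encryption") != "encryption":
            continue
        for em in kd.findall("{%s}EncryptionMethod" % MD):
            alg = em.get("Algorithm", "")
            implied = IMPLIED_KEY_SIZE.get(alg)
            ks_el = em.find(KEYSIZE_TAG)
            others = [c.tag for c in em if c.tag not in (KEYSIZE_TAG, OAEP_TAG)]
            key_size = None
            if others:
                verdict = "not-xenc-keysize"      # the quoted rule: treat as an error
            elif ks_el is None:
                verdict = "ok" if implied is None else "ok-implied"
            else:
                try:
                    key_size = int((ks_el.text or "").strip())
                except ValueError:
                    verdict = "keysize-not-integer"
                else:
                    # Key-transport URIs like rsa-oaep-mgf1p imply no size; nothing to compare.
                    verdict = "ok" if implied in (None, key_size) else "keysize-mismatch"
            findings.append((alg, key_size, verdict))
    return findings


if __name__ == "__main__":
    for name, xml in (("issue snippet", PAGE_METADATA), ("xenc:KeySize 256", FIXED_METADATA),
                      ("xenc:KeySize 265", MISMATCH_METADATA), ("no KeySize", NO_KEYSIZE_METADATA)):
        print(name)
        for alg, key_size, verdict in check_encryption_methods(xml):
            print("  %-20s %-5s %s" % (alg.rsplit("#", 1)[-1], key_size, verdict))
```

Run as a script, the checker reports the issue's snippet as "not-xenc-keysize" for the aes256-cbc method: the child is md:keysize in the SAML metadata namespace, so a reader looking for the xenc:KeySize element finds no key size at all. The derived variants show the other two outcomes: a literal xenc:KeySize of 256 passes, while 265 is inconsistent with aes256-cbc and is an error under the quoted rule, and omitting KeySize is acceptable because the algorithm URI implies the size. The issue is resolved "Not a defect" and the description does not record the reasoning; the checker only shows what the quoted spec text says about this metadata.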

              People

              • Assignee: jonthomas Jonathan Thomas
              • Reporter: bthalmayr Bernhard Thalmayr
              • Votes: 0
              • Watchers: 8
