[Pyxmlsec-devel] Error while encrypting XML (SAML assertion)

Patrick Craston Patrick.Craston at contextis.co.uk
Wed Jun 4 17:26:20 CEST 2014

Hi Dieter

Apologies for contacting you again, but I'm having some trouble verifying a message signed using the method described here https://pypi.python.org/pypi/dm.xmlsec.binding/1.2 under "Signing with an X509 certificate". The signed XML looks fine.

However, when I verify the XML, it throws a ('verifying failed with return value', -1) error and if I run "xmlsec1 --verify" from the command line it throws a "data:data and digest do not match" error.

However, I have verified the exact XML string that is generated before the signing and the "PreDigest data" output from xmlsec1 (using the "--store-references" command) and they match up. (the only difference seems to be that there is a new line in the PreDigest data where it has removed the signature section - I couldn't figure out how to avoid this from being inserted)

Have you encountered this issue before?

Many thanks

-----Original Message-----
From: Dieter Maurer [mailto:dieter at handshake.de] 
Sent: 10 April 2014 18:50
To: Patrick Craston
Cc: pyxmlsec-devel at lists.labs.libre-entreprise.org
Subject: RE: [Pyxmlsec-devel] Error while encrypting XML (SAML assertion)

Patrick Craston wrote at 2014-4-10 11:50 +0100:
> ...
>It does not work with the "aes128-cbc" encryption, so it might well be an issue with my setup. I'm using openssl version 1.0.1 on Ubuntu 12.04.4 LTS. Do you know whether I need to install any additional packages to get this encryption method to work?

As far as I know "aes" is protected by a patent.

Software patents are a great danger for open source software (like OpenSSL) - and to be on the safe side, they often do not include them.
When I remember right (but I may be wrong), I have read a document (probably part of the "OpenSSL" distribution - but maybe on the web site) - which explains which cryptographic modules are not supported by default. When I remember right, to get "aes", you must obtain the "OpenSSL" source and explicitly compile it with "aes" support.
And then, you take responsibility for any potential patent issues with this use.
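
Added illustration, not part of the thread and not dm.xmlsec.binding or xmlsec code: it recomputes a reference digest for an enveloped signature to show that the newline left behind where the Signature element was removed is part of the digested bytes. Assumptions: a constructed, namespace-free sample document, SHA-1 as the digest, and the standard library's C14N 2.0 canonicalizer standing in for the canonicalization xmlsec applies; `strip_signature` and `reference_digest` are hypothetical helper names.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a signature enveloped in the element it signs.
SIGNED = ('<Assertion ID="a1"><Subject>alice</Subject>\n'
          '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/></ds:Signature>\n'
          '</Assertion>' % DS)

def strip_signature(root, keep_whitespace=True):
    """Enveloped-signature transform on root's direct children.

    The transform removes only the ds:Signature element. The whitespace
    that followed it (its ElementTree "tail") stays in the document, so
    it must be re-attached: Element.remove() drops the tail as well.
    """
    prev = None
    for child in list(root):
        if child.tag == "{%s}Signature" % DS:
            if keep_whitespace and child.tail:
                if prev is None:
                    root.text = (root.text or "") + child.tail
                else:
                    prev.tail = (prev.tail or "") + child.tail
            root.remove(child)
        else:
            prev = child
    return root

def reference_digest(xml_text, keep_whitespace=True):
    """Return (canonical pre-digest data, base64 SHA-1 digest)."""
    root = strip_signature(ET.fromstring(xml_text), keep_whitespace)
    # Assumption: C14N 2.0 from the stdlib; adequate for this simple sample.
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    digest = hashlib.sha1(c14n.encode("utf-8")).digest()
    return c14n, base64.b64encode(digest).decode("ascii")

if __name__ == "__main__":
    for keep in (True, False):
        data, value = reference_digest(SIGNED, keep_whitespace=keep)
        print(keep, repr(data), value)
```

Comparing the pre-digest data byte for byte, including trailing and interior whitespace, against the `--store-references` output is the useful check; a visually identical string with one newline more or less yields a different DigestValue.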

