Kent Wong
Reputation: 581
Why can't I decrypt this xmlsec encrypted WSSE enhanced soap message?
I have used py-wsse from PIP but it seems broken. I've refactored/fixed it up to
- Add X509 standards : Signature block with signing, and public/private key usage via a certificate
I was able to encrypt/decrypt this using plain old XMLSEC, after adding the WSSE components I am not able to.
The underlying imports are xmlsec (1.35), and OpenSSL. Encrypt/Decrypt is performed by xmlsec, the key/certificate generation are done by openssl. Signing using these certificates/keyfiles are done by xmlsec.
I do pre/post processing on the xmlsec signed document to create the wsse document. Likewise when I decrypt, I process the document to move the key information back into the EncryptedData block
Here is my Signed and Encrypted Document, as far as I can tell, the encrypteddata block looks the same as my vanilla XMLSEC document asides from a few additional tags. This cannot be decrypted.
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="http://hcv.health.ontario.ca/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Header>
<wsse:Security mustUnderstand="true">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="id-12e0aebc-9024-476f-a43a-5666e9ea2838">
__cipher__text__here__
</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#id-f147f091-fef5-4f6a-a8fc-50cd1199280a">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>qW0RXziKgv89NQN1Jh3r6GiE68k=</DigestValue>
</Reference>
<Reference URI="#id-392912e7-0b10-4243-86ea-836e13e445f0">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>2RT70EVr3SxEQIsYFRTlCv+E/VQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
__cipher__text__here__
</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>
CN=example.com
</X509IssuerName>
<X509SerialNumber>1000</X509SerialNumber>
</X509IssuerSerial>
<X509Certificate>
__cipher__text__here__
</X509Certificate>
</X509Data>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<wsu:Timestamp wsu:Id="id-392912e7-0b10-4243-86ea-836e13e445f0">
<wsu:Created>2017-07-18T01:32:47.577170+00:00</wsu:Created>
<wsu:Expires>2017-07-18T01:34:17.577170+00:00</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</SOAP-ENV:Header>
<ns0:Body wsu:Id="id-f147f091-fef5-4f6a-a8fc-50cd1199280a">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element"
wsu:Id="id-2ba0c3b4-7784-415d-aeca-08a45d504660">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xenc:CipherData>
<xenc:CipherValue>
__cipher__text__here__
</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference
URI="#id-2ba0c3b4-7784-415d-aeca-08a45d504660"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>
__cipher__text__here__
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</ns0:Body>
</SOAP-ENV:Envelope>
Here is "vanilla XMLSEC" signed and encrypted document, this can be decrypted:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="http://example.com/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Header>
<wsse:Security mustUnderstand="true">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#id-61b880d6-e56b-4cfc-bec6-471121c72547">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>NvKgiRH+6Q/xMSJxx/7qtkc+IFY=</DigestValue>
</Reference>
<Reference URI="#id-6b86d1cc-0d2b-42a8-ad1e-78e9448f9983">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>5IoUfViIk5hJTt3Whl7I/jFq+Ww=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
RmbXCTcji8c0ZWuRrCYdBL57FtGiwmX5HlZIol1k/d7d8PIdj0YR/41qP7DlSTD2
fspVNXLYc9kEh+YbTbodRsGvHQ/ZUWhXC6dX3/1BjdxrycPcQI37REIO+btla5wR
Icn5FvXMHPPJfln9y3ulj/RAjHU44nDKE4m0zWJ8lUo=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>
CN=example.com
</X509IssuerName>
<X509SerialNumber>1000</X509SerialNumber>
</X509IssuerSerial>
<X509Certificate>
MIICOjCCAaMCAgPoMA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRAwDgYD
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<wsse:UsernameToken>
<wsse:Username>test_user</wsse:Username>
<wsse:Password>test_pass</wsse:Password>
</wsse:UsernameToken>
<wsu:Timestamp wsu:Id="id-6b86d1cc-0d2b-42a8-ad1e-78e9448f9983">
<wsu:Created>2017-07-18T01:32:47.577170+00:00</wsu:Created>
<wsu:Expires>2017-07-18T01:34:17.577170+00:00</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</SOAP-ENV:Header>
<ns0:Body wsu:Id="id-61b880d6-e56b-4cfc-bec6-471121c72547">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xenc:CipherData>
<xenc:CipherValue>
KViKBt8yTp/ELA/vWWRhrGl86c/cCBORsmg5aYKctmFMfLMx8thU7acMC5TqpGzB
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>
GPkZpozkWMISAkMJ8OuBuKE6wNLmsftEmK6tt5+0/EpY+TpWI8ffh7KWoxjHTGL6
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</ns0:Body>
</SOAP-ENV:Envelope>
Upvotes: 0
Views: 940
Answers (1)
Kent Wong
Reputation: 581
Through "debugging" (manually splicing the Signed+Encrypted+Processed document), I managed to decrypt it.
Normal assumption is that order is irrelevant in XML docs, however XMLSEC seems to explicitly expect to expect KeyInfo immediately after Encryption Method within EncryptionData. A simple Swapping of the Encrypted Data CipherData and KeyInfo fixed it.
It would appear XMLSEC is not truly parsing XML, instead it's most likely behaving like the following:
Find 'EncryptedData'
Find 'EncryptionMethod'
Find 'KeyInfo'
Within this KeyInfo, Find it's nested 'CipherData' block, find the 'CipherValue'
Get out of KeyInfo
Then proceed to the Encrypted Data's CipherData Block which is outside of KeyInfo.
Upvotes: 0
Related Questions
- How to parse SOAP XML with Python?
- Encrypt soap envelope with Python
- Parse XML SOAP response with Python
- Python xmlsec XML Signature Value mismatch
- Parse Salesforce.com XML message in Python
- How to sign XML with xmlsec (or other more appropriate package)
- Python XML SOAP parsing
- XMLSEC error: "failed to load certificate"
- TypeError in SOAP Request (using pysimplesoap)
- How to construct SOAP message with pysimplesoap?