SAML-Toolkits / ruby-saml

SAML SSO for Ruby
https://developers.onelogin.com/v1.0/page/saml-toolkit-for-ruby-on-rails
MIT License

ArgumentError: key must be 32 bytes #662

Closed davideluque closed 1 year ago

davideluque commented 1 year ago

Hi everyone,

I have an EncryptedAssertion that I need to decrypt. I generated the Private Key, a CSR, and a self-signed certificate. I added the certificate to the metadata on the IdP side and also on the settings of OmniAuth (which are passed to ruby-saml).

[Screenshot 2023-04-20 at 13:19:01]

I believe that ruby-saml is using the RSA Private key as the symmetric key and that is why I am getting this error.

Here is an example of the EncryptedAssertion (I changed parts of the encrypted data to random characters):

    <saml:EncryptedAssertion>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
            Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
                        <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                            Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
                            Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256" />
                    </xenc:EncryptionMethod>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                            aoidfuyhsdiufghdsgf/cRB1qGVvqT0PYPo/LQCy/4DCnRT+SHDFISHFasasdasd/saufhausfhasd+vD6A/DIHSDFIOSDGSDFGSF+dHYbOVWfld5n6f6blMOiBnHDdl7c8UlUWEHupQTPZC7bksmToPa58PFdprwkT5rbkLIfp9JadJNk9oPkLAStBw==</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    ...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAssertion>
davideluque commented 1 year ago

From what I understand, Ruby-SAML does not support plain RSA-OAEP (http://www.w3.org/2009/xmlenc11#rsa-oaep).

I forced in my SP metadata the EncryptionMethod as http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p because it was using http://www.w3.org/2009/xmlenc11#rsa-oaep as default.
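The two layers the thread is talking about, shown as an added example in plain Ruby OpenSSL (this is not ruby-saml's code and not code from either commenter). The EncryptedKey carries a random AES-256 session key wrapped with RSA-OAEP; the EncryptedData is AES-256-GCM over the assertion, laid out in CipherValue as IV, ciphertext, then the 16-byte tag. The function names, the hash keys and the sample assertion are assumptions made for this example; the `rsa_*` option strings are OpenSSL's own pkeyopt names, and the options form of `PKey#decrypt` is assumed to be the openssl gem 3.0+ (Ruby 3.1+) API, which is why it is guarded with `respond_to?`. The last function reproduces the error in the title by handing the RSA key's PEM text to the GCM cipher instead of the unwrapped session key.

```ruby
require "openssl"

# Added example, not ruby-saml's code: the two layers of an XML-Enc EncryptedAssertion
# like the one in this issue. Layer 1 (EncryptedKey): an RSA-OAEP-wrapped random
# AES-256 session key. Layer 2 (EncryptedData): AES-256-GCM over the assertion, laid
# out in CipherValue as IV (12 bytes) || ciphertext || GCM tag (16 bytes).

XMLENC_RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
XMLENC11_RSA_OAEP     = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
XMLENC11_AES256_GCM   = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
GCM_IV_LEN  = 12
GCM_TAG_LEN = 16
OAEP_SHA1   = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
# OpenSSL pkeyopt ctrl strings for OAEP with SHA-256 digest and MGF1-SHA-256 (assumed
# to be accepted by the options form of PKey#encrypt/#decrypt, openssl gem 3.0+).
OAEP_SHA256 = { "rsa_padding_mode" => "oaep",
                "rsa_oaep_md" => "sha256", "rsa_mgf1_md" => "sha256" }

# Layer 1: unwrap the session key with the SP's RSA private key.
# rsa-oaep-mgf1p is OAEP with SHA-1/MGF1-SHA-1, which is what PKCS1_OAEP_PADDING
# means to Ruby's OpenSSL; xmlenc11#rsa-oaep with SHA-256 (the issue's EncryptedKey)
# needs the newer options API.
def unwrap_session_key(rsa_priv, wrapped, algorithm)
  case algorithm
  when XMLENC_RSA_OAEP_MGF1P
    rsa_priv.private_decrypt(wrapped, OAEP_SHA1)
  when XMLENC11_RSA_OAEP
    raise NotImplementedError, "OAEP-SHA256 needs openssl gem 3.0+" unless rsa_priv.respond_to?(:decrypt)
    rsa_priv.decrypt(wrapped, OAEP_SHA256)
  else
    raise ArgumentError, "unsupported key transport: #{algorithm}"
  end
end

# Layer 2: AES-256-GCM in the XML-Enc 1.1 layout. Whatever arrives as session_key
# must be exactly 32 bytes; anything else (such as the RSA key's PEM text) fails at
# `c.key =` with ArgumentError "key must be 32 bytes".
def decrypt_aes256_gcm(session_key, cipher_value)
  iv   = cipher_value[0, GCM_IV_LEN]
  tag  = cipher_value[-GCM_TAG_LEN, GCM_TAG_LEN]
  body = cipher_value[GCM_IV_LEN...-GCM_TAG_LEN]
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = session_key
  c.iv = iv
  c.auth_tag = tag
  c.update(body) + c.final # final raises CipherError if the tag does not verify
end

# Decrypt a whole EncryptedAssertion given the parsed algorithm URIs and raw bytes.
def decrypt_assertion(rsa_priv, enc)
  unless enc[:data_cipher] == XMLENC11_AES256_GCM
    raise ArgumentError, "unsupported data cipher: #{enc[:data_cipher]}"
  end
  session_key = unwrap_session_key(rsa_priv, enc[:encrypted_key], enc[:key_transport])
  decrypt_aes256_gcm(session_key, enc[:cipher_value])
end

# Constructed IdP side, used only to build sample input for this example.
def encrypt_assertion(rsa_pub, plaintext, key_transport = XMLENC_RSA_OAEP_MGF1P)
  session_key = OpenSSL::Random.random_bytes(32)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = session_key
  iv = c.random_iv                     # 12 bytes for GCM
  body = c.update(plaintext) + c.final
  wrapped = if key_transport == XMLENC_RSA_OAEP_MGF1P
              rsa_pub.public_encrypt(session_key, OAEP_SHA1)
            else
              rsa_pub.encrypt(session_key, OAEP_SHA256)
            end
  { key_transport: key_transport, data_cipher: XMLENC11_AES256_GCM,
    encrypted_key: wrapped, cipher_value: iv + body + c.auth_tag }
end

# Reproduces the issue: feeding the RSA private key material itself to the AES cipher.
# Returns the ArgumentError message, or nil if decryption unexpectedly succeeded.
def wrong_key_error(rsa_priv, cipher_value)
  decrypt_aes256_gcm(rsa_priv.to_pem, cipher_value)
  nil
rescue ArgumentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  sp_key = OpenSSL::PKey::RSA.generate(2048)
  assertion = '<saml:Assertion ID="_constructed-sample">hello</saml:Assertion>'
  enc = encrypt_assertion(sp_key, assertion)
  puts decrypt_assertion(sp_key, enc) == assertion   # true
  puts wrong_key_error(sp_key, enc[:cipher_value])    # key must be 32 bytes
end
```

The practical check this suggests on the SP side: read the `Algorithm` on the EncryptedKey's EncryptionMethod (here `xmlenc11#rsa-oaep` with SHA-256 digest and MGF1-SHA-256) and confirm the decrypting library actually implements that variant before touching the data layer; a "key must be 32 bytes" error at the GCM step means the bytes reaching the symmetric cipher are not an unwrapped 32-byte session key.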

frederikspang commented 10 months ago

@davideluque I can’t seem to find this in the options, or source code. Did you add it manually in metadata, or are you not using the metadata generating from this gem?