
Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag #808

Closed
da201501245 opened this issue Nov 10, 2022 · 3 comments
da201501245 commented Nov 10, 2022

Receiving error on encrypted SAML Response.

Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
at decryptKeyInfoWithScheme (/home/myloft/app/node_modules/xml-encryption/lib/xmlenc.js:258:26)
at decryptKeyInfo (/home/myloft/app/node_modules/xml-encryption/lib/xmlenc.js:246:14)
at Object.decrypt (/home/myloft/app/node_modules/xml-encryption/lib/xmlenc.js:187:24)
at node:internal/util:361:7
at new Promise ()
at Object.decrypt (node:internal/util:347:12)
at decryptXml (/home/myloft/app/node_modules/passport-saml/lib/node-saml/xml.js:39:93)
at SAML.validatePostResponseAsync (/home/myloft/app/node_modules/passport-saml/lib/node-saml/saml.js:591:65)
at runMicrotasks ()
at processTicksAndRejections (node:internal/process/task_queues:96:5)

After upgrading the Node version from 12.20.0 to 16.13.2 and passport-saml to 3.2.4.

My decryptionPvk is the same as in the previous version, with the start line and end line -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.

Earlier this was working fine; after upgrading to the latest version it stopped working.

To Reproduce

  • Pass an encrypted SAML Response to passport.authenticate()

Expected behaviour

  • It should decrypt the SAML Response, as it did on the earlier version.

Environment

  • Node.js version: 16.13.2
  • passport-saml version: 3.2.4
srd90 commented Nov 10, 2022

...
After upgrading the Node version from 12.20.0 to 16.13.2 and passport-saml to 3.2.4.
...
Earlier this was working fine; after upgrading to the latest version it stopped working.
...
Environment

  • Node.js version: 16.13.2
  • passport-saml version: 3.2.4

Care to share your earlier passport-saml version?

srd90 commented Nov 10, 2022

tl;dr: at the moment it seems that this issue is caused by a user error in configuration.

Let's try guessing what might be wrong, but first let's check whether v3.2.4's tests pass in your current env:

node -v
v16.13.2
npm -v
8.1.2

git checkout v3.2.4

rm -rf node_modules
git clean -qfdx

npm install
npm run test
205 passing (3s)

All tests passed including e.g.

  1. https://github.com/node-saml/passport-saml/blob/v3.2.4/test/passport-saml/capturedSamlResponses.spec.ts#L37-L51
  2. https://github.com/node-saml/passport-saml/blob/v3.2.4/test/passport-saml/capturedSamlResponses.spec.ts#L82-L94
  3. and all of these https://github.com/node-saml/passport-saml/blob/v3.2.4/test/node-saml/xml.spec.ts

Now the guessing part:

You mentioned that your old Node.js version was 12.20.0, which implies that maybe the rest of the stack was also quite old (i.e. maybe passport-saml was 2.x or maybe even 1.x or earlier).

In the context of your issue report this means that maybe you had previously used the privateCert configuration option to configure the private key.
That option was deprecated in 2.x and removed in 3.x, leaving privateKey as the only way to configure the private key (see the change log of 3.x and especially the change introduced in 3.0.0, #569).

So during the passport-saml update debugging (after you got some error due to privateCert not working anymore) you might have copy-pasted certs & keys all over the place, and it could be possible that the content of decryptionPvk was also affected somehow, with incorrect content or with a typo.

After a few trials of obvious typos it turned out that with this change to the test material

diff --git a/test/static/testshib encryption pvk.pem b/test/static/testshib encryption pvk.pem
index eebdaa1..add5b49 100644
--- a/test/static/testshib encryption pvk.pem   
+++ b/test/static/testshib encryption pvk.pem   
@@ -1,4 +1,4 @@
------BEGIN RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
 MIIJKgIBAAKCAgEA5hqjaroJpB+aR8FME7hQ9nMV0h7MpKtmgFLcK3vwP67feAK+
 xdt17i8RyUhxil9FCFR5K08Wjwo3NiHZqHqEKitw+IJSndjLSsoNgKEIaiFSug2e
 V1oYElz06DBXTxc8iq/LazndqTUom51Ode9yI9AGa88cDM5iOqq9mhuGuvwuLtoy
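Review bot: the relabelled BEGIN line in this hunk is on its own enough to produce the asn1 wrong tag error, because the untouched body that follows is still PKCS#1. The first context line still starts `MIIJKgIBAAKCAgEA`, which decodes to `30 82 09 2a 02 01 00 02 82 02 01 00 ...`: an outer SEQUENCE, an INTEGER version 0, then the INTEGER modulus, i.e. the RSAPrivateKey layout that `-----BEGIN RSA PRIVATE KEY-----` announces. Under `-----BEGIN PRIVATE KEY-----` OpenSSL parses the same bytes as a PKCS#8 PrivateKeyInfo and expects an AlgorithmIdentifier SEQUENCE (tag 0x30) in the position where it finds the INTEGER (tag 0x02), which is exactly asn1_check_tlen:wrong tag. A quick way to see which structure a file really holds is `openssl asn1parse -in "test/static/testshib encryption pvk.pem"` (second element INTEGER for PKCS#1, SEQUENCE for PKCS#8); to move a key to PKCS#8 properly, convert it with `openssl pkcs8 -topk8 -nocrypt` rather than editing the label.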
@@ -48,4 +48,4 @@ d8HD6ARQhav0TorWKo3IjpWjIqbGJGmEKy5Vq/CFGHbNv6SNi/MUkY81/SkyhkwZ
 Dw54gyjiNALCKYfbzUf6L4Ptm05aCK+iZPBKgOwh+bbTrDjkHJB5Ln4I2NdSoThZ
 KotlP13Scdq0vxFHqCTKwEJgJJ1Jgh66NwaoXsATOP3WrupwXp8CDob0ECc+RZMb
 S/KF7YZXCQa+ggtrMuEV3I0q6S84RD9d3N9j0j9JaMVjA+F1BmoROinAec08Uw==
------END RSA PRIVATE KEY-----
+-----END PRIVATE KEY-----
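Review bot: changing the END line in step with the BEGIN line, as this hunk does, is needed to reach the ASN.1 stage at all; if only one of the two labels were edited, OpenSSL's PEM reader would reject the block at the framing stage (a bad end line error) before any DER decoding happens, and the wrong tag error from the issue would not be reproduced.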

all of the aforementioned tests started to fail with:

error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag

Another way to get exactly the same error code is to copy-paste e.g. a base64-encoded public certificate between decryptionPvk's BEGIN/END RSA PRIVATE KEY lines.

E.g. with the base64 content of test/static/testshib encryption pub.pem placed in test/static/testshib_encryption_pvk.pem all the aforementioned tests started to fail with

error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag

error code. I.e. the error code was replicated with this change:

diff --git a/test/static/testshib encryption pvk.pem b/test/static/testshib encryption pvk.pem
index eebdaa1..54c5153 100644
--- a/test/static/testshib encryption pvk.pem	
+++ b/test/static/testshib encryption pvk.pem	
@@ -1,51 +1,14 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKgIBAAKCAgEA5hqjaroJpB+aR8FME7hQ9nMV0h7MpKtmgFLcK3vwP67feAK+
-xdt17i8RyUhxil9FCFR5K08Wjwo3NiHZqHqEKitw+IJSndjLSsoNgKEIaiFSug2e
-V1oYElz06DBXTxc8iq/LazndqTUom51Ode9yI9AGa88cDM5iOqq9mhuGuvwuLtoy
-U78Ld+s1Ea6Mgf7L8M7fZVO7Ncu+FgIzI6Gt035ohYCLBmOoM7o0uj7DcMEvKOMF
-ziwF40wYmyp3hCLlq3qwkM9pTVJltuz0Bt1vqDdrq3kTheA9JHMayRz3I/BZxAV3
-iRd4hzLKTkegD8ToTGU10Gme+ZAr1w/erc5hVrM0/XBmHQlnI5d31GU/mfIkm0XP
-TGRSpPy7E+dUvj9djvm/VqDdojf3uuwirGeLMRlO9P/lCerTktW3g27SV8gn3ETm
-2Mm7rkNqf24KJpDv0tKDosgbdaHr2IEYD4RpqySp8kd25BhzushqKRkS8Xu5t7HA
-lVSHwiFhuLqrr4dUfkB8kZeM/ycfZLCn7oNUDFdgjGYSVMpakL97sC9slAW4/8Ut
-XXZxLqcyq/YxdpCysPYP1hsAp+VgPC7GI6CyiNojKPOptMqLZRYnViKxlOiWBJBz
-UBRUVuac8LXrMiDw8btWGa1Gh5vThuFUKsvmRoeuk7eyXEN9J7j6+fTYjnsCAwEA
-AQKCAgBiGVE6Gv4pPl/j34Czl4zMxNu0rPTJ71jPtIOw9jHCtKcI3wK+D4YDeYW3
-rm7ZcyxXFMxjrmALs2s+ZMgKj9DwuXx8NfNK4DYrOGDxSbXwqSw/rbanvv0sNv0i
-UBmo2lsxNSkgGZdqoAMj9LiShva+Vd2m8LEgtIwkPs5+eOXDqed2igeStIwLH/eM
-BkJY2WvQyiFrbXsOwEHV2DI9KpyU4ftljxu2KZ54DxaToFZqJ7IXWFINR69q6/JB
-lKVHbClGJhRIaGSYVlyO1A5lLtp/eMEqZX/xP1xRwdDVlMe4Rqu+aiZACAWWfgzJ
-urd+gZAXob6Dj8P62YAXO+jPaIEOSk2D0NcMdDKp/avpooEYEXNP2K+GnTqe3rBN
-cyLgdmpLMLcopz7Ez3BgyY5nZv7NaA8hczkW01KJ1Eoay+qTvCwzbDb4evB19M0b
-6o93r4oBupFQf7pRjcWbVLGD99G+3/x8rVtNuP7bYP4bJNFvOn8ptag7i2zUgHX8
-l4HELqrbWAtxuqTG6Legzc82hfo1ZCSY8ov7ZfazxcU7kRqebnWV/Yn7G+4gMsEN
-okKiTruaG28CG2zMN5Y/ykh+BYyCUTPS9n8SQph8Rt9rkAKQfULNCaT/lkzLQQS6
-3JkSJvvO3FpJGKB5LpKGFY5XBF/5mC5NOHpgn1uwfdIqBVAuIQKCAQEA/VO+0wcu
-x95sM8aDP65gebUs3fiIrYx3SEFTV7Nz6E2owfPLPcIKetovvpsrRNY6dY7i6NUq
-m4minkMI73pBVxyKjdFED4tRz5ow7asBn56FHCqHlIxR1bY3vdetmiOabS7fIZgh
-rnOPzMbkn7MU/HmmA59u2r6bjBLCGjEsjSjFHfgiOipEr8Jsmpha5m4ggoYrA1KD
-XP7+LK8mlr5SLZouU7k2SKMoG/drvsK9R/UqCsInKT4eFsgujJoYyyHNw5d4BUqb
-GSw3jft2yWPr5mM0F9j1pgI02RW0xZN/VL14qPnJAB8fB5/XHrnaItPW1NT0woZm
-VxAZ/RU5UMrDZwKCAQEA6Igqb4g5LOh/0zN3pMp8HQkz4CqgRDtPmB25DY5rWZDR
-s/r0/YT1+3Iz+EjJncs+MNkD9VId3hCIsPNCVMfo7wwhE61E0BjS21vA0NLwB3mu
-IhIydu6/cwLbkJfu5TNGnOpWh8MroiShlWhL4yQVtVLeXNvVjkUHPFYQV2ngGc76
-994sretYYJSNmtfwXO/utIvUXVELR5bIcc4HI0VVJhyBTDe2GKV9UX8MusiVkxXr
-Ro04ZWaM2G4ho7Vws9L+w86cyf7/SiPs2cHI/2Gqn27vlTU5hpRhxUEyeJI0BmIc
-h3JdeijSP99+3k5oYn5Q1oLuUOkHGLJACmCayUUjzQKCAQEAncY3thTmJOM5frGn
-ctT3DzYwoHq3HWe7rsvIzXlduhQMA+gD8A3XGxai39Kiizflpuv8FMkWxVJebrUP
-bp807L1A6fyoqAm8RVEiIhP8ad5/xsASOwl9ul3Hr7wRSkvcVR35KGIosA8XQ5Go
-OHJ/opNdOypkD2bhV8cjDs8LkUsQIY82OgWzS8gKfepfyt5R7xkC1wnf+N5zjX70
-yLP2WKKLMefLkEfVpj1d5KxC2PsvWQ389+nRMZ0xqK4cvP7ruWKwBJOnr3DjlNFF
-9T3/YTjt6+Bbdi4vnfiv4tHvXua2rH8Nmb7IQ6Zgg6l623AWf+22FyU/vf+wP/ik
-/tWaBwKCAQEAh0V3Ukyv3jUe71FYf7AfhZCt8fE6LJdIVVitJ3q7bm413/rU/IqV
-woIMQ5qsVzQ96JLGn7b2kxGRQ0cwRjvJgQ7QSy8YAer+9wcoYxLi+aZKq51kaBW5
-oAGAk1wfaIxsvqoATpg2UOv4Z/81bly2mDYuD1z/nfUAIZR7iy6XZMwo6XsBCOgJ
-EJ46xmJqfNZDShqyHtsfsbTAxJuzQUx7HWGlwh4Cu9HB1mAPmrVHdjphFTjgHvUK
-aHmg7iiF+MZ82JHgWg4SmyHNDlySPial6HvTujwtS+IUAnlMECIVS8VVjWH1iTQo
-I2oz1sVMKkgLZM7kLoNxUmeXo7HROdcT3QKCAQEAwZhEY5g95nH02dWcCm3PYeUm
-8fVeNF3W1B1yjSz8S+dCfZUAvpTg/39VmhdXpP2Pgl322PkNbHWbg+MXbASLApMK
-d8HD6ARQhav0TorWKo3IjpWjIqbGJGmEKy5Vq/CFGHbNv6SNi/MUkY81/SkyhkwZ
-Dw54gyjiNALCKYfbzUf6L4Ptm05aCK+iZPBKgOwh+bbTrDjkHJB5Ln4I2NdSoThZ
-KotlP13Scdq0vxFHqCTKwEJgJJ1Jgh66NwaoXsATOP3WrupwXp8CDob0ECc+RZMb
-S/KF7YZXCQa+ggtrMuEV3I0q6S84RD9d3N9j0j9JaMVjA+F1BmoROinAec08Uw==
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5hqjaroJpB+aR8FME7hQ
+9nMV0h7MpKtmgFLcK3vwP67feAK+xdt17i8RyUhxil9FCFR5K08Wjwo3NiHZqHqE
+Kitw+IJSndjLSsoNgKEIaiFSug2eV1oYElz06DBXTxc8iq/LazndqTUom51Ode9y
+I9AGa88cDM5iOqq9mhuGuvwuLtoyU78Ld+s1Ea6Mgf7L8M7fZVO7Ncu+FgIzI6Gt
+035ohYCLBmOoM7o0uj7DcMEvKOMFziwF40wYmyp3hCLlq3qwkM9pTVJltuz0Bt1v
+qDdrq3kTheA9JHMayRz3I/BZxAV3iRd4hzLKTkegD8ToTGU10Gme+ZAr1w/erc5h
+VrM0/XBmHQlnI5d31GU/mfIkm0XPTGRSpPy7E+dUvj9djvm/VqDdojf3uuwirGeL
+MRlO9P/lCerTktW3g27SV8gn3ETm2Mm7rkNqf24KJpDv0tKDosgbdaHr2IEYD4Rp
+qySp8kd25BhzushqKRkS8Xu5t7HAlVSHwiFhuLqrr4dUfkB8kZeM/ycfZLCn7oNU
+DFdgjGYSVMpakL97sC9slAW4/8UtXXZxLqcyq/YxdpCysPYP1hsAp+VgPC7GI6Cy
+iNojKPOptMqLZRYnViKxlOiWBJBzUBRUVuac8LXrMiDw8btWGa1Gh5vThuFUKsvm
+Roeuk7eyXEN9J7j6+fTYjnsCAwEAAQ==
 -----END RSA PRIVATE KEY-----
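Review bot: in this hunk the label is kept and the body is swapped, so the mismatch runs the other way, and it is worth naming what was pasted: the new body starts `MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA`, which decodes to `30 82 02 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 82 02 01 00`, i.e. SEQUENCE, AlgorithmIdentifier (rsaEncryption OID plus NULL), BIT STRING wrapping an RSAPublicKey. That is a SubjectPublicKeyInfo, the content of a `-----BEGIN PUBLIC KEY-----` block, not a certificate. d2i_RSAPrivateKey expects an INTEGER version right after the outer SEQUENCE and finds a SEQUENCE, hence the same wrong tag. Note also that the modulus bytes (`5hqjaroJpB+aR8FME7hQ...`) are the same as in the removed private key, so this is the matching public half; only the length (14 lines versus 51) gives it away visually. Suggest a load-time check that the value configured as decryptionPvk parses as a private key before any decryption is attempted, so a mistake like this surfaces as "not a private key" at startup rather than as an ASN.1 error inside xml-encryption.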

So at the moment it seems that this issue is caused by a user error in configuration.

cjbarth (Collaborator) commented Nov 12, 2022

@srd90, that is some good detective work, thanks. I'll close this pending more information from the end user.

cjbarth closed this as completed Nov 12, 2022