login about faq

Does any one have experience decrypting a base64 sting that is signed with my public ssl(pki) key? The application is in asp classic so I can not use any of the pre-built .net libraries. Looking at the saml, it is just a xml doc. My question is the decryption part.

This is what I have so far:

FN = "C:ecerts_insurancevisions_com.cer"

Set oCert = Server.CreateObject("Chilkat.Cert") Set crypt = Server.CreateObject("Chilkat.Crypt2")

crypt.UnlockComponent "123456" crypt.AddEncryptCert oCert crypt.CryptAlgorithm = "pki" crypt.EncodingMode = "base64"

strBase64 = "za4K/+V645Uyj1l5AjmTiM8Ys4zYt8htPastC7Lk29J5JrBO99yqRXv52y9....."

decoded = crypt.DecryptStringENC(strBase64) Response.Write crypt.lasterrorhtml Response.Write len(decoded) Response.Write Server.HTMLEncode(decoded)

Here is the last error that is returned


    DllDate: Apr 17 2012
    UnlockPrefix: 30-day trial
    Architecture: Little Endian; 32-bit
    Language: ActiveX
    hcCurDate: Thu, 17 Jan 2013 09:34:02 -0800
    hcExpire: 7/2012
    SizeAfterDecoding: 4640
    algorithm: pki
    ASN.1 length should not be more than 4 bytes in definite long-form.
    This error typically occurs when trying to decode data that is not ASN.1
    A common cause is when decrypting ASN.1 data with an invalid password,
    which results in garbage data. An attempt is made to decode the garbage bytes
    as ASN.1, and this error occurs...
    Failed to parse ASN.1 header.
    DER contains no ASN.1 nodes.
    Failed to decode DER.
    Not PKCS7 DER
    Failed to decrypt.
    Failed to decrypt data.

asked Jan 17 '13 at 13:19

emartinson's gravatar image


I base64 decoded the first part of the string you provided ("za4K/+V645Uyj1l5AjmTiM8Ys4zYt8htPastC7Lk29J5JrBO99yqRXv52y9") and it does not decode to any recognizable DER-encoded ASN.1 -- which agrees with the information in the LastErrorText. Unfortunately, I don't know what it is you have in your Base64 string.


answered Jan 21 '13 at 08:43

chilkat's gravatar image

chilkat ♦♦

Can I ask for your help figuring out the encryption? I think that there is multiple layers of encryption. Can I email you the SAML/XML so that you can see what I am working with and point me in the right direction?

(Jan 21 '13 at 13:11) emartinson

I don't think the SAML/XML would help. What I would need to know is the format (if any) of what you are trying to decrypt. If it's the output of some encryption algorithm (such as AES, Triple-DES, etc.) then there is no format and the only way to decrypt is to know what algorithm was used, along with other params such as cipher mode, IV, padding scheme, etc.

(Jan 21 '13 at 17:01) chilkat ♦♦

The XML is 'supposed' to describe the encryption used. From what I see, there is PKI/x509, SHA-1, AES-256 and RSA listed. From what I read on other pages, the encryption used is something called 'XML encryption' (http://www.w3.org/TR/xmlenc-core/).

(Jan 21 '13 at 19:33) emartinson

Sure, please do send it.

(Jan 22 '13 at 08:56) chilkat ♦♦

I had a look, and my guess is that you have to use your private key to decrypt the encrypted key found in under the "EncryptedKey" tag. Once that key is decrypted, you use it to decrypt the data in "EncryptedData". The "xenc:EncryptionMethod" tag shows the encryption method: 256-bit AES, CBC mode. If you don't find an IV specified, assume all 0 bytes. Also, if no padding scheme is specified, just use the default (which is most common).

(Jan 22 '13 at 16:49) chilkat ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: Jan 17 '13 at 13:19

Seen: 4,020 times

Last updated: Jan 22 '13 at 16:49

powered by OSQA