
Forbidden error: asn1: structure error: tags don't match #69

Closed
mrajashree opened this issue May 9, 2017 · 4 comments
Labels
close_wait plan to close the issue after a respectable interval of inactivity

Comments

@mrajashree

The service provider uses crewjam/saml. It integrates with the PingFederate IdP, but a Shibboleth IdP throws this error:

asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:13 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} @5

My IdP's private key seems to be correct and works for an older version of crewjam/saml, when crypto/ripemd wasn't used. What is to be changed to avoid this error?

@mrajashree
Author

This was because of the x509.ParsePKCS1PrivateKey call in line https://github.com/crewjam/saml/blob/master/service_provider.go#L435
My service provider's key needed to be converted to an RSA private key. I'm not sure what the difference between the earlier and newer key was, because even the older one was generated using the openssl rsa command.

@crewjam
Owner

crewjam commented May 10, 2017

This is almost certainly a regression due to ditching xmlsec. Next steps here, for me or you or anyone who wants to help, are to try and generate some failing test cases from Shibboleth.

@mrajashree
Author

mrajashree commented May 10, 2017

@crewjam I don't have much (actually any) knowledge about RSA key generation.
But you're right about switching from xmlsec causing this.
I first generated a key/certificate pair for my service provider using this command:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
I used the privateKey.key for the Shibboleth IdP, and that threw the Forbidden error.
Then I generated a new key from my original one using this command:
openssl rsa -in privateKey.key -out server_new.key
The new key server_new.key worked; I no longer get that asn1 error. Although I'm still unable to configure access control, that seems to be some certificate issue.

Anyway, I just thought I'd share what I did as a test case possibly... or we can document that the private key should begin with
-----BEGIN RSA PRIVATE KEY-----
and not
-----BEGIN PRIVATE KEY-----

If you or anyone can help me understand why this worked, that would be great.

I'm going to do my research later, but I need to figure out and get my current connection working first.
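The two PEM headers above are two different ASN.1 structures: "BEGIN PRIVATE KEY" is PKCS#8 (a version, an AlgorithmIdentifier SEQUENCE, then the key as an OCTET STRING), while "BEGIN RSA PRIVATE KEY" is PKCS#1 (a version followed directly by the INTEGER modulus). A PKCS#1 parser reading a PKCS#8 blob finds a SEQUENCE (tag 16) where it expects an INTEGER (tag 2), which is exactly the "tags don't match (2 vs {class:0 tag:16 ...})" error. The following Go example is added here and is not part of the crewjam/saml code base; it constructs one key in both encodings, shows the PKCS#1-only path failing on PKCS#8 input, and a loader that picks the parser from the PEM type (function names are my own).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// parseRSAPrivateKey picks the parser from the PEM type: "RSA PRIVATE KEY" is PKCS#1 (openssl rsa -out), "PRIVATE KEY" is PKCS#8 (openssl req -newkey).
func parseRSAPrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if rsaKey, ok := key.(*rsa.PrivateKey); ok {
			return rsaKey, nil
		}
		return nil, fmt.Errorf("PKCS#8 block holds %T, not an RSA key", key)
	default:
		return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
}

// parsePKCS1Only is the code path from the issue: the PKCS#1 parser applied to whatever DER arrives.
func parsePKCS1Only(der []byte) error {
	_, err := x509.ParsePKCS1PrivateKey(der)
	return err
}

// samplePEMs encodes one constructed key both ways (PKCS#8 stands in for privateKey.key, PKCS#1 for server_new.key) and returns the raw PKCS#8 DER too.
func samplePEMs() (pkcs1PEM, pkcs8PEM, pkcs8DER []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only on a broken entropy source
	}
	pkcs8DER, _ = x509.MarshalPKCS8PrivateKey(key) // cannot fail for an *rsa.PrivateKey
	pkcs1PEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	pkcs8PEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8DER})
	return pkcs1PEM, pkcs8PEM, pkcs8DER
}
```

Both encodings decode to the same key through parseRSAPrivateKey, while parsePKCS1Only rejects the PKCS#8 DER; on current Go releases the error text even points at ParsePKCS8PrivateKey.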

@crewjam
Owner

crewjam commented May 23, 2017

The change in [08dd8e9] makes us more type safe w/r/t keys and stuff. Although your code may need to change, it might make the trouble you are having more obvious. HTH.

@crewjam crewjam added the close_wait plan to close the issue after a respectable interval of inactivity label May 23, 2017
@crewjam crewjam closed this as completed Jun 11, 2017