robrichards/xmlseclibs

OpenSSL error "... cannot be coerced into an X509 certificate!" with formatted certificates

Closed · 1 comment

I'm experiencing problems when trying to verify the signature on XML documents with "formatted" certificates (i.e. lines prepended with whitespace). An example document is this SAML metadata file for the GRNET AAI federation - https://aai.grnet.gr/metadata.xml

The call to "XMLSecurityKey->loadKey()" fails with:
openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate!

I've isolated the issue to line 486 of XMLSecEnc.php, where the library strips away only carriage returns and line feeds - https://github.com/robrichards/xmlseclibs/blob/master/src/XMLSecEnc.php#L486

The resulting certificate inside $x509cert therefore looks garbled, with whitespace in the middle of lines. A simple addition of the whitespace character to the "to-be-removed" array fixes the issue and the XML document validates successfully.

(A similar issue has been raised and fixed in the lightsaml project - aerialship/lightsaml#10)
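The normalisation the issue describes, as an added example written for this page (it is not code from xmlseclibs or from the issue author): the element text of a `<ds:X509Certificate>` is stripped of CR/LF only, as the library did, and alternatively of all whitespace, then re-wrapped into a PEM block. A small pre-check reports the first PEM body line that is not pure base64, which is a clearer diagnostic than OpenSSL's "cannot be coerced" message. The function names are mine; the example assumes PHP 7.4+ with the openssl extension, and the certificate is generated at run time so no certificate bytes are embedded.

```php
<?php
// Added example, not code from xmlseclibs: turn the text content of a
// <ds:X509Certificate> element into a PEM block that openssl_x509_read()
// accepts, whether the XML is compact or pretty-printed with indentation.

/**
 * Strip only CR and LF, the behaviour the issue describes. With indented
 * XML the indentation spaces survive and end up inside the PEM body lines.
 */
function pemStripCrLfOnly(string $text): string
{
    $b64 = str_replace(["\r", "\n"], '', $text);
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($b64, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * Strip every whitespace character (space, tab, CR, LF) and re-wrap the
 * base64 into 64-character lines, which is what PEM readers expect.
 */
function pemStripAllWhitespace(string $text): string
{
    $b64 = preg_replace('/\s+/', '', $text);
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($b64, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * Sanity check before handing the PEM to OpenSSL: every body line must be
 * 1..64 characters from the base64 alphabet. Returns the offending PEM line
 * number (1-based, counting the BEGIN line as line 1) or 0 if the body is clean.
 */
function firstBadPemLine(string $pem): int
{
    $lines = explode("\n", trim($pem));
    $body  = array_slice($lines, 1, -1);        // drop the BEGIN/END armour
    foreach ($body as $i => $line) {
        if (!preg_match('#^[A-Za-z0-9+/=]{1,64}$#', $line)) {
            return $i + 2;                      // +1 for 0-base, +1 for the BEGIN line
        }
    }
    return 0;
}

// A self-signed certificate generated at run time (assumption: the openssl
// extension is available) so that no certificate bytes have to be embedded.
$key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'idp.example.invalid'], $key);
$cert = openssl_csr_sign($csr, null, $key, 1);
openssl_x509_export($cert, $pem);

// The base64 body as it would appear inside <ds:X509Certificate>.
$body = preg_replace('#-----[A-Z ]+-----|\s#', '', $pem);

// Constructed "formatted" element content: 64-character lines, each indented
// with spaces, followed by the indentation that precedes the closing tag.
$indented = "\n" . implode("\n", array_map(
    fn(string $l): string => '        ' . $l,
    str_split($body, 64)
)) . "\n      ";

$crlfOnly = pemStripCrLfOnly($indented);
$clean    = pemStripAllWhitespace($indented);

printf("CR/LF-only stripping, first bad PEM line: %d\n", firstBadPemLine($crlfOnly));
printf("All-whitespace stripping, first bad PEM line: %d\n", firstBadPemLine($clean));
printf("OpenSSL accepts the whitespace-stripped PEM: %s\n",
    openssl_x509_read($clean) !== false ? 'yes' : 'no');
```

With CR/LF-only stripping the first body line still starts with the indentation spaces, so the pre-check flags it immediately; after stripping all whitespace every body line is plain base64 of at most 64 characters and `openssl_x509_read()` loads the certificate. Running the pre-check (or the stricter `base64_decode($b64, true) !== false` on the stripped body) before `loadKey()` turns an opaque OpenSSL error into a message that names the malformed line.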

Hi @klemenb

Even with the code changes I am still getting this error; I am facing the issue with the XMLSecurityKey.php file. Please help with this.
Attaching the logs of nextcloud server.

"message":"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! at

{"reqId":"NfJcgjA9idr91KnSGG4w","level":3,"time":"July 14, 2023 08:36:49","remoteAddr":"172.20.16.152","user":"--","app":"PHP","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#363","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","version":"23.0.12.2","exception":{"Exception":"Error","Message":"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#363","Code":0,"Trace":[{"function":"onError","class":"OC\Log\ErrorHandler","type":"::"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php","line":363,"function":"openssl_x509_read"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php","line":490,"function":"loadKey","class":"RobRichards\XMLSecLibs\XMLSecurityKey","type":"->"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php","line":1484,"function":"staticLocateKeyInfo","class":"RobRichards\XMLSecLibs\XMLSecEnc","type":"::"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php","line":431,"function":"validateSign","class":"OneLogin\Saml2\Utils","type":"::"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php","line":238,"function":"isValid","class":"OneLogin\Saml2\Response","type":"->"},{"file":"/data/nextcloud/apps/user_saml/lib/Controller/SAMLController.php","line":353,"function":"processResponse","class":"OneLogin\Saml2\Auth","type":"->"},{"file":"/data/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":217,"function":"assertionConsumerService","class":"OCA\User_SAML\Controller\SAMLController","type":"->"},{"file":"/data/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":126,"function":"executeController","class":"OC\AppFramework\Http\Dispatcher","type":"->"},{"file":"/data/nextcloud/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->"},{"file":"/data/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\AppFramework\App","type":"::"},{"file":"/data/nextcloud/lib/base.php","line":1015,"function":"match","class":"OC\Route\Router","type":"->"},{"file":"/data/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/data/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"}}