ERR_OSSL_ASN1_TOO_LONG error

Hi

When enabling SAML integration, after a successful authentication in the IdP, Kibana fails with the following error:

[14:08:29:249] [error][plugins][ReadonlyREST][samlRouterFactory] saml_serv1 error: Error: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
    at Verify.verify (node:internal/crypto/sig:230:24)
    at RSASHA256.verifySignature (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/xml-crypto/lib/signed-xml.js:140:24)
    at SignedXml.validateSignatureValue (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/xml-crypto/lib/signed-xml.js:460:20)
    at SignedXml.checkSignature (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/xml-crypto/lib/signed-xml.js:397:15)
    at validateXmlSignatureForCert (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/passport-saml/lib/node-saml/xml.js:83:16)
    at /usr/share/kibana/plugins/readonlyrestkbn/node_modules/passport-saml/lib/node-saml/saml.js:553:58
    at Array.some (<anonymous>)
    at SAML.validateSignature (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/passport-saml/lib/node-saml/saml.js:552:22)
    at SAML.validatePostResponseAsync (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/passport-saml/lib/node-saml/saml.js:571:22)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {
  opensslErrorStack: [
    'error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error',
    'error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header'
  ],
  library: 'asn1 encoding routines',
  function: 'ASN1_get_object',
  reason: 'too long',
  code: 'ERR_OSSL_ASN1_TOO_LONG'
}

Any ideas?

Thanks in advance.

About the ERR_OSSL_ASN1_TOO_LONG error: it can be an issue with the format of the “cert” string. According to the passport-saml documentation:

you can provide the Identity Provider’s public PEM-encoded X.509 signing certificate using the cert configuration key. The “BEGIN CERTIFICATE” and “END CERTIFICATE” lines should be stripped out and the certificate should be provided on a single line.

So can you please double-check the “cert” string in your kibana.yml and ensure it contains a cert string in the right format?
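
A pre-flight check for the “cert” value, as an added example that is not part of the original thread and is not ReadonlyREST or passport-saml code: it strips the PEM armor to the single-line form the quoted documentation describes, then confirms the result decodes to a DER SEQUENCE whose declared length matches the bytes present. The helper names `normalizeCert` and `checkDerEnvelope` are hypothetical, and the sample blob is constructed and is not a real certificate.

```javascript
// Added example; normalizeCert and checkDerEnvelope are hypothetical helpers.

// Strip PEM armor and all whitespace, leaving the single-line base64 body.
function normalizeCert(value) {
  return value
    .replace(/-----(BEGIN|END) CERTIFICATE-----/g, '')
    .replace(/\s+/g, '');
}

// Outer-TLV check only (not a full X.509 parse): the value must be clean
// base64 that decodes to one DER SEQUENCE with a consistent length header.
function checkDerEnvelope(b64) {
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
    return { ok: false, reason: 'not clean base64' };
  }
  const der = Buffer.from(b64, 'base64');
  if (der.length < 2 || der[0] !== 0x30) {
    return { ok: false, reason: 'does not start with a DER SEQUENCE' };
  }
  let len = der[1];
  let headerLen = 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) {
      return { ok: false, reason: 'bad length header' };
    }
    len = der.readUIntBE(2, n);
    headerLen = 2 + n;
  }
  if (headerLen + len > der.length) return { ok: false, reason: 'declared length too long' };
  if (headerLen + len < der.length) return { ok: false, reason: 'trailing bytes' };
  return { ok: true, reason: 'ok' };
}

// Constructed sample: a 260-byte DER-shaped blob, NOT a real certificate.
const sampleDer = Buffer.concat([Buffer.from([0x30, 0x82, 0x01, 0x00]), Buffer.alloc(256, 0x41)]);
const sampleB64 = sampleDer.toString('base64');
const samplePem = '-----BEGIN CERTIFICATE-----\n' +
  sampleB64.match(/.{1,64}/g).join('\n') + '\n-----END CERTIFICATE-----\n';

console.log('raw PEM pasted as-is:', checkDerEnvelope(samplePem).reason);
console.log('after normalizeCert: ', checkDerEnvelope(normalizeCert(samplePem)).reason);
console.log('truncated paste:     ', checkDerEnvelope(sampleB64.slice(0, 100)).reason);
```

Running the check against the value from kibana.yml before restarting Kibana separates a formatting problem in the string from a genuinely wrong certificate.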

Hi @sscarduzio

This was the case.

Thanks!
