mace-opensaml-users - Re: decrypting EncryptedAssertion in Browser Post profile use case
Subject: OpenSAML user discussion
- From: Brent Putman <>
- Subject: Re: decrypting EncryptedAssertion in Browser Post profile use case
- Date: Tue, 26 Feb 2008 17:31:05 -0500
Hi, IMHO, handling decryption is by far the most complex and confusing aspect of XML signature and encryption topics, because of all the use cases and possibilities, etc. (Signature C14N comes a close second). That's why it's not immediately obvious. :-) Just all FYI. I hope to have some better docs up on the new wiki space soon. More below.
That's fine. Since the EncryptedKey doesn't contain a KeyInfo, I'll assume that you know from context the local key pair (with private key for decryption) that is to be used for decrypting the wrapped data encryption key. If not, then be aware of that. The key resolution stuff is what makes all of this hard and complex. If you assume that away, then it gets a lot easier.
To summarize the options and components here:
This is for resolving the data decryption key from the EncryptedData/KeyInfo directly. In theory you could supply a KeyInfoCredentialResolver impl that just does whatever that implies, including handling EncryptedKeys, etc. But in reality this would probably mostly be used for cases where you aren't using an EncryptedKey, where you're instead using a shared secret symmetric data encryption key, that is either known from context or is identified by the EncryptedData/KeyInfo. You're not doing any of that, so you could safely pass a null here.
This handles resolving the key used to decrypt an EncryptedKey, based on the EncryptedKey/KeyInfo. Assuming asymmetric key transport, practically speaking this means resolving the private key that corresponds to the public key used by the peer to encrypt the EncryptedKey, where the latter is perhaps identified (by value or by identifier/reference) in the EncryptedKey/KeyInfo. There is a KeyInfoCredentialResolver specialization called LocalKeyInfoCredentialResolver which could be used for this purpose for the general case. However, since you (presumably) know in advance the decryption key pair from context (since there's no EncryptedKey/KeyInfo), you could just use a StaticKeyInfoCredentialResolver there.
This handles resolving the EncryptedKey(s) elements which contain the (encrypted) data decryption key for a given EncryptedData. Again, this can be very complex to support all use cases, especially when the encrypted data is being "multicast" to multiple recipients. Note SAML 2.0 has special allowance in the schema for locating the EncryptedKey(s) as peer elements to the EncryptedData, rather than inside it. But fortunately here you have the simplest case, where the (single) EncryptedKey is "inline" inside the EncryptedData/KeyInfo. So you can just use an instance of InlineEncryptedKeyResolver there.

So that's what the main Decrypter-related components do. So in short try passing to the Decrypter constructor:

- 1st arg - null
- 2nd arg - a StaticKeyInfoCredentialResolver (with a Credential containing your decryption key pair)
- 3rd arg - an InlineEncryptedKeyResolver (takes no constructor arguments)

Thanks,
Brent
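As an added example that is not part of Brent's message or of OpenSAML itself, here is the three-argument Decrypter construction he describes, written against the OpenSAML 2.x API (org.opensaml.saml2.encryption.Decrypter, StaticKeyInfoCredentialResolver, InlineEncryptedKeyResolver). The key store path, alias and passwords are placeholders, and the AssertionDecryptor class name and its helper methods are this example's own, not library API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;

/**
 * Hypothetical wrapper (not OpenSAML API) for the simplest decryption case
 * described in the thread: a single EncryptedKey carried inline inside
 * EncryptedData/KeyInfo, with the SP's decryption key pair known from context.
 */
public class AssertionDecryptor {

    private final Decrypter decrypter;

    public AssertionDecryptor(PrivateKey spPrivateKey, X509Certificate spCertificate) {
        // Credential holding the SP's key pair; the private key is what unwraps the EncryptedKey.
        BasicX509Credential spCredential = new BasicX509Credential();
        spCredential.setPrivateKey(spPrivateKey);
        spCredential.setEntityCertificate(spCertificate);

        // 2nd arg: key-encryption-key resolver. Static, because the decryption key pair is
        // known from context and the EncryptedKey carries no KeyInfo to resolve against.
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(spCredential);

        // 1st arg: null, since the data decryption key is never resolved directly from
        // EncryptedData/KeyInfo; it always arrives wrapped in an EncryptedKey.
        // 3rd arg: locates that EncryptedKey inline inside EncryptedData/KeyInfo.
        this.decrypter = new Decrypter(null, kekResolver, new InlineEncryptedKeyResolver());
    }

    /** Unwraps the data key with the SP private key, then decrypts the assertion. */
    public Assertion decrypt(EncryptedAssertion encryptedAssertion) throws DecryptionException {
        Assertion assertion = decrypter.decrypt(encryptedAssertion);
        if (assertion == null) {
            throw new DecryptionException("Decryption produced no Assertion element");
        }
        return assertion;
    }

    /**
     * Loads the SP key pair from a JKS/PKCS12 key store. All parameters are placeholders
     * supplied by the caller; nothing here is fixed by the thread.
     */
    public static AssertionDecryptor fromKeyStore(String keyStorePath, char[] storePassword,
                                                  String alias, char[] keyPassword) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(keyStorePath);
        try {
            keyStore.load(in, storePassword);
        } finally {
            in.close();
        }
        PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, keyPassword);
        X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
        if (privateKey == null || certificate == null) {
            throw new IllegalStateException("No key pair under alias " + alias);
        }
        return new AssertionDecryptor(privateKey, certificate);
    }

    // Usage sketch (placeholder values):
    //   AssertionDecryptor dec = AssertionDecryptor.fromKeyStore(
    //       "/path/to/sp-keystore.jks", "store-pass".toCharArray(), "sp-key", "key-pass".toCharArray());
    //   Assertion assertion = dec.decrypt(response.getEncryptedAssertions().get(0));
}
```

Decryption is only the first step: the returned Assertion still needs the checks the Browser POST profile requires (signature over the assertion or enclosing Response, issuer, audience, conditions and SubjectConfirmationData), which this Decrypter does not perform. Note also that a DecryptionException here most often means the wrong key pair was loaded for the certificate the IdP encrypted to, or that the EncryptedKey sits beside the EncryptedData rather than inline, in which case InlineEncryptedKeyResolver will not find it.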