mace-opensaml-users - Re: decrypting EncryptedAssertion in Browser Post profile use case
Subject: OpenSAML user discussion
- From: Brent Putman <>
- To:
- Subject: Re: decrypting EncryptedAssertion in Browser Post profile use case
- Date: Tue, 26 Feb 2008 18:57:44 -0500
Singh, Manish wrote:
Ok, use of that EncryptedElementTypeEncryptedKeyResolver as the EncryptedKeyResolver would have resulted in that failure before, based on the document example you had. That's the one for resolving EncryptedKey elements which are peers of the EncryptedData within the SAML 2.0 EncryptedElementType (e.g. EncryptedAssertion).
Hmm, that looks correct. Assuming you are successfully getting the key out of the key store, etc.
Yes, BasicCredential is fine. Technically an asymmetric Credential should always have a public key (per the interface contract), but here it wouldn't matter, only the private key is relevant for decryption purposes.
Well, are you really, really sure? :-) Just about the only way this could happen is if:
1) you really don't have the right private key in your decryption credential for that EncryptedData
2) The EncryptedKey can't be decrypted b/c it's corrupted, etc
3) The EncryptedData can't be decrypted because it's corrupted, etc.
I assume you mean the signature on the Response that carried the EncryptedAssertion? Just wondering. That's fine, but realize that that's completely irrelevant. Except to perhaps indicate that the EncryptedAssertion was corrupted, etc. Just sanity checking but: the key pair with which you validate (peer's key) is not the key pair with which you decrypt (your key).
Based on where that exception gets thrown, it's caused by one of the reasons above (assuming the static KeyInfo KEK resolver has the key and the EncryptedKeyResolver is doing its thing properly). If you could, try turning on debug logging, minimally for the packages:
org.opensaml.xml.encryption
org.opensaml.saml2.encryption
That should give a much clearer picture of what's failing when, and why.
--Brent
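The reply above notes that EncryptedElementTypeEncryptedKeyResolver only finds EncryptedKey elements that are peers of the EncryptedData inside the EncryptedAssertion. The following Python sketch is an added example, not part of the original message or of OpenSAML; it reports where the EncryptedKey sits in a captured EncryptedAssertion so the resolver choice can be checked before suspecting the key or the ciphertext. The function name `encrypted_key_placement` and the sample documents are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"xenc": XENC, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def encrypted_key_placement(xml_text):
    """Report, per saml:EncryptedAssertion, where its xenc:EncryptedKey sits."""
    report = []
    # Stdlib parser: use only on captures you trust.
    for ea in ET.fromstring(xml_text).iter("{%s}EncryptedAssertion" % SAML):
        data = ea.find("xenc:EncryptedData", NS)
        # Peer: EncryptedKey is a sibling of EncryptedData inside EncryptedAssertion.
        peer = ea.findall("xenc:EncryptedKey", NS)
        # Inline: EncryptedKey is nested in the EncryptedData's own ds:KeyInfo.
        inline = [] if data is None else data.findall("ds:KeyInfo/xenc:EncryptedKey", NS)
        if data is None:
            placement = "no-encrypted-data"
        elif peer and inline:
            placement = "peer+inline"
        elif peer:
            placement = "peer"
        elif inline:
            placement = "inline"
        else:
            placement = "none"
        # Key transport algorithm(s) declared on each EncryptedKey found.
        algorithms = [m.get("Algorithm") for key in peer + inline
                      for m in key.findall("xenc:EncryptionMethod", NS)]
        report.append({"placement": placement, "key_algorithms": algorithms})
    return report

# Constructed samples: placeholder CipherValue, not real ciphertext.
_CIPHER = "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
_KEY = ('<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="%srsa-oaep-mgf1p"/>'
        % XENC + _CIPHER + "</xenc:EncryptedKey>")
_WRAP = ('<saml:EncryptedAssertion xmlns:saml="%s" xmlns:xenc="%s" xmlns:ds="%s">'
         % (SAML, XENC, NS["ds"]))
PEER_SAMPLE = (_WRAP + "<xenc:EncryptedData>" + _CIPHER + "</xenc:EncryptedData>"
               + _KEY + "</saml:EncryptedAssertion>")
INLINE_SAMPLE = (_WRAP + "<xenc:EncryptedData><ds:KeyInfo>" + _KEY + "</ds:KeyInfo>"
                 + _CIPHER + "</xenc:EncryptedData></saml:EncryptedAssertion>")

if __name__ == "__main__":
    for name, doc in (("peer", PEER_SAMPLE), ("inline", INLINE_SAMPLE)):
        print(name, encrypted_key_placement(doc))
```

A result of "inline" or "none" means a resolver that looks only for peer EncryptedKey elements will not find the key, independent of whether the private key is correct.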