mace-opensaml-users - Re: decrypting EncryptedAssertion in Browser Post profile use case

Subject: OpenSAML user discussion



  • From: Brent Putman <>
  • Subject: Re: decrypting EncryptedAssertion in Browser Post profile use case
  • Date: Tue, 26 Feb 2008 18:57:44 -0500



Singh, Manish wrote:
Brent,
 
I modified the [Old Code] below to the [New Code] section after it, but I still get the same error (please find it at the end of the email).
 
[Old Code]
PrivateKey privateKey = (PrivateKey) ks.getKey("cssso", keystorePassword);
credential = new BasicCredential();
credential.setPrivateKey(privateKey);
// KEK resolver holds our private key; EncryptedKeyResolver looks for EncryptedKey as a peer of EncryptedData
Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(credential), new EncryptedElementTypeEncryptedKeyResolver());

Ok, use of that EncryptedElementTypeEncryptedKeyResolver as the EncryptedKeyResolver would have resulted in that failure before, based on the document example you had.  That's the one for resolving EncryptedKey elements which are peers of the EncryptedData within the SAML 2.0 EncryptedElementType (e.g. EncryptedAssertion).


 
[NEW Code]
PrivateKey privateKey = (PrivateKey)ks.getKey( "cssso", keystorePassword);
credential = new BasicCredential();
credential.setPrivateKey(privateKey);
Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(credential), new InlineEncryptedKeyResolver());


Hmm, that looks correct.  Assuming you are successfully getting the key out of the key store, etc.



I also tried setting both the public and private key in BasicCredential, but to no avail. Is BasicCredential the right class for this?


Yes, BasicCredential is fine.  Technically an asymmetric Credential should always have a public key (per the interface contract), but here it wouldn't matter, only the private key is relevant for decryption purposes.


I am generating the SAML response from Ping Identity so I am sure about having the right keys to decrypt.


Well, are you really, really sure?  :-) Just about the only way this could happen is if:
1) you really don't have the right private key in your decryption credential for that EncryptedData
2) the EncryptedKey can't be decrypted because it's corrupted, etc.
3) the EncryptedData can't be decrypted because it's corrupted, etc.


btw I am able to verify the signature.

I assume you mean the signature on the Response that carried the EncryptedAssertion?  Just wondering.

That's fine, but realize that that's completely irrelevant.  Except to perhaps indicate that the EncryptedAssertion was corrupted, etc.

Just sanity checking, but: the key pair with which you validate (the peer's key) is not the key pair with which you decrypt (your key).


 
org.opensaml.xml.encryption.DecryptionException: Valid decryption key for EncryptedData could not be resolved
	org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:460)
	org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:378)
	org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:337)
	org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:166)
	org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:96)
	org.apache.jsp.saml3_jsp._jspService(saml3_jsp.java:115)
	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  


Based on where that exception gets thrown, it's caused by one of the reasons above (assuming the static KeyInfo KEK resolver has the key and the EncryptedKeyResolver is doing its thing properly).

If you could, try turning on debug logging, minimally for the packages:
org.opensaml.xml.encryption
org.opensaml.saml2.encryption

That should give a much clearer picture of what's failing when, and why.

--Brent
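The points made in this reply (KEK resolver keyed with the SP's own private key, an EncryptedKeyResolver matched to where the EncryptedKey actually sits, and Response signature verification with the peer's key being a separate concern) can be put together in one consumer. The following is an added example, not code from the thread or from the OpenSAML project; it assumes the OpenSAML 2.x package layout visible in the stack trace above, uses ChainingEncryptedKeyResolver from the same library to cover both EncryptedKey placements, and the keystore file, aliases ("cssso", "idp-signing"), passwords and "response.xml" path are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

public class EncryptedAssertionConsumer {

    /** Decrypter keyed with OUR (the SP's) private key, the one the IdP used to wrap
     *  the data-encryption key. The KEK resolver is static, so the KeyInfo inside the
     *  EncryptedKey is not used to choose a key; whatever is in the keystore is tried. */
    static Decrypter buildDecrypter(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        PrivateKey privateKey = (PrivateKey) ks.getKey(alias, keyPassword);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (privateKey == null || cert == null) {
            throw new IllegalStateException("no private key/certificate under alias " + alias);
        }
        BasicCredential decryptionCred = new BasicCredential();
        decryptionCred.setPrivateKey(privateKey);
        decryptionCred.setPublicKey(cert.getPublicKey()); // asymmetric credential contract; not needed to decrypt
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(decryptionCred);

        // Accept both EncryptedKey placements: inline in EncryptedData/KeyInfo
        // (InlineEncryptedKeyResolver) and as a sibling of EncryptedData inside the
        // EncryptedAssertion (EncryptedElementTypeEncryptedKeyResolver).
        ChainingEncryptedKeyResolver encKeyResolver = new ChainingEncryptedKeyResolver();
        encKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        encKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());

        // First argument (resolver for a bare data key) is null: the data key always
        // arrives wrapped in an EncryptedKey here.
        return new Decrypter(null, kekResolver, encKeyResolver);
    }

    /** Verify the Response signature with the PEER's (IdP's) certificate. This is a
     *  different key pair from the decryption key and proves nothing about decryption. */
    static void verifyResponseSignature(Response response, X509Certificate idpCert) throws ValidationException {
        Signature sig = response.getSignature();
        if (sig == null) {
            throw new ValidationException("Response is not signed");
        }
        new SAMLSignatureProfileValidator().validate(sig); // enforce SAML signature profile first
        BasicX509Credential idpCred = new BasicX509Credential();
        idpCred.setEntityCertificate(idpCert);
        new SignatureValidator(idpCred).validate(sig);
    }

    /** Return plaintext assertions plus every EncryptedAssertion decrypted. */
    static List<Assertion> decryptAssertions(Response response, Decrypter decrypter) throws DecryptionException {
        List<Assertion> assertions = new ArrayList<Assertion>(response.getAssertions());
        for (EncryptedAssertion ea : response.getEncryptedAssertions()) {
            assertions.add(decrypter.decrypt(ea)); // throws DecryptionException on the failure seen in the thread
        }
        return assertions;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Placeholder keystore, aliases and passwords (assumptions, not from the thread).
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("sp-keystore.jks"), "changeit".toCharArray());
        Decrypter decrypter = buildDecrypter(ks, "cssso", "changeit".toCharArray());
        X509Certificate idpCert = (X509Certificate) ks.getCertificate("idp-signing");

        // A Response already extracted and base64-decoded from the POST binding.
        InputStream in = new FileInputStream("response.xml");
        Element root = Configuration.getParserPool().parse(in).getDocumentElement();
        Response response = (Response) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);

        verifyResponseSignature(response, idpCert);
        for (Assertion a : decryptAssertions(response, decrypter)) {
            System.out.println("Assertion " + a.getID() + " issued by " + a.getIssuer().getValue());
        }
    }
}
```

If decrypt() still fails with "Valid decryption key for EncryptedData could not be resolved", the chain above has ruled out the resolver-placement mistake, so what remains is the key itself: compare the certificate under the "cssso" alias with the encryption certificate the IdP was configured to use, and turn on DEBUG for org.opensaml.xml.encryption and org.opensaml.saml2.encryption (with log4j, for example, log4j.logger.org.opensaml.xml.encryption=DEBUG) to see whether the EncryptedKey or the EncryptedData step is the one failing.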






