mace-opensaml-users - works - RE: decrypting EncryptedAssertion in Browser Post profile use case
Subject: OpenSAML user discussion
- From: "Singh, Manish" <>
- To: <>
- Subject: works - RE: decrypting EncryptedAssertion in Browser Post profile use case
- Date: Fri, 29 Feb 2008 10:09:35 -0500
Title: decrypting EncryptedAssertion in Browser Post profile use case
Finally it worked last night, and yes, it was a silly mistake.

> Well, are you really, really sure? :-) Just about the only way this
> could happen is if: 1) you really don't have the right private key in your
> decryption credential for that EncryptedData 2) The EncryptedKey can't be
> decrypted b/c it's corrupted, etc 3) The EncryptedData can't be decrypted
> because it's corrupted, etc.

I use another tool to generate sample responses which only works in the past, so I go back in time to run the whole thing (does not involve time traveling ;-) so even though the encryption key was valid now, it was not at that time in the past. I created another key pair in the past and used that, and it resolved the exception.

btw I am able to verify the signature.

> I assume you mean the signature on the Response that carried the EncryptedAssertion? Just wondering.

Yes, you are right.

> That's fine, but realize that that's completely irrelevant. Except to perhaps indicate that the EncryptedAssertion was corrupted, etc.

Other possibility was that the old key that I used to encrypt was somehow corrupted while loading.

> Just sanity checking but: the key pair with which you validate (peer's key) is not the key pair with which you decrypt (your key).

You are correct. There are 2 key pairs involved, one for signing and the other for encryption.

> If you could, try turning on debug logging, minimally for the packages:
>
>     org.opensaml.xml.encryption
>     org.opensaml.saml2.encryption
>
> That should give a much clearer picture of what's failing when, and why.

Unfortunately there was much logged even at debug level from these packages, but before I tried logging from other packages the "past" hit me.

Brent:

Could you do me a favor and take a look at this code for verifying the signature? I assembled it from bits and pieces from the opensaml unit tests and javadocs. It works fine, but is there a better approach (assuming this is just test code and will be reorganized)? In my use case the SAML response is signed.

    // Initialise the OpenSAML library
    DefaultBootstrap.bootstrap();

    // Decode the HTTP POST binding message; "request" is the servlet's HttpServletRequest
    BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
    messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
    BasicParserPool parser = new BasicParserPool();
    parser.setNamespaceAware(true);
    SAMLMessageDecoder decoder = new HTTPPostDecoder(parser);
    decoder.decode(messageContext);
    Response samlResponse = (Response) messageContext.getInboundMessage();
    Signature signature = samlResponse.getSignature();

    // "ks" is a java.security.KeyStore loaded elsewhere (not shown)
    Certificate certificate = ks.getCertificate("pi");
    PublicKey publicKey = certificate.getPublicKey();
    BasicCredential credential = new BasicCredential();
    credential.setPublicKey(publicKey);

    // Throws ValidationException if the signature does not verify
    SignatureValidator signatureValidator = new SignatureValidator(credential);
    signatureValidator.validate(signature);

If you think our conversation could be useful to others too, then we can post these at the wiki.

Thanks for your help. Manish
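
A stricter variant of the signature check posted in the message above, as an added example that is not part of the original post or of the OpenSAML project's own code. It rejects an unsigned Response, checks the signing certificate's validity period at a caller-supplied instant (the posted code uses only the public key, so validity dates are never looked at), and runs the SAML signature profile check before the cryptographic one. The class and method names are hypothetical, and it assumes an OpenSAML 2.x release that ships org.opensaml.security.SAMLSignatureProfileValidator.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/** Hypothetical helper; the class and method names are illustrative only. */
public final class ResponseSignatureCheck {

    /**
     * @param ks    keystore holding the peer's signing certificate (not your decryption key)
     * @param alias alias of that certificate, e.g. "pi" as in the post
     * @param at    instant at which the certificate must be valid
     */
    public static void verify(Response samlResponse, KeyStore ks, String alias, Date at)
            throws KeyStoreException, CertificateException, ValidationException {
        // An unsigned message has no Signature child; fail explicitly instead of passing null on
        Signature signature = samlResponse.getSignature();
        if (signature == null) {
            throw new ValidationException("Response is not signed");
        }

        // instanceof also covers a missing alias, for which getCertificate() returns null
        Certificate stored = ks.getCertificate(alias);
        if (!(stored instanceof X509Certificate)) {
            throw new ValidationException("No X.509 certificate under alias " + alias);
        }
        // Throws CertificateExpiredException or CertificateNotYetValidException
        ((X509Certificate) stored).checkValidity(at);

        // Structural check first: the signature must follow the SAML signature profile
        new SAMLSignatureProfileValidator().validate(signature);

        // Cryptographic check with the peer's public key, as in the posted code
        BasicCredential credential = new BasicCredential();
        credential.setPublicKey(stored.getPublicKey());
        new SignatureValidator(credential).validate(signature);
    }
}
```

Pass the instant the message is being evaluated at as `at`; a test harness that replays messages with a shifted clock should pass that shifted time so that an expired or not-yet-valid certificate is reported as such.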