mace-opensaml-users - works - RE: decrypting EncryptedAssertion in Browser Post profile use case
  • From: "Singh, Manish" <>
  • To: <>
  • Subject: works - RE: decrypting EncryptedAssertion in Browser Post profile use case
  • Date: Fri, 29 Feb 2008 10:09:35 -0500

Finally it worked last night, and yes, it was a silly mistake.

> Well, are you really, really sure?  :-)  Just about the only way this could happen is if:
> 1) you really don't have the right private key in your decryption credential for that EncryptedData
> 2) the EncryptedKey can't be decrypted b/c it's corrupted, etc.
> 3) the EncryptedData can't be decrypted because it's corrupted, etc.

I use another tool to generate sample responses which only works in the past, so I go back in time to run the whole thing (does not involve time travelling ;-).
So even though the encryption key was valid now, it was not at that time in the past.
I created another key pair in the past and used that, and it resolved the exception.

>> BTW, I am able to verify the signature.
>
> I assume you mean the signature on the Response that carried the EncryptedAssertion?  Just wondering.

Yes, you are right.

> That's fine, but realize that that's completely irrelevant.  Except to perhaps indicate that the EncryptedAssertion was corrupted, etc.

The other possibility was that the old key that I used to encrypt was somehow corrupted while loading.

> Just sanity checking but: the key pair with which you validate (peer's key) is not the key pair with which you decrypt (your key).

You are correct. There are 2 key pairs involved, one for signing and the other for encryption.

> If you could, try turning on debug logging, minimally for the packages:
> org.opensaml.xml.encryption
> org.opensaml.saml2.encryption
>
> That should give a much clearer picture of what's failing when, and why.

Unfortunately there was much logged even at debug level from these packages, but before I tried logging from other packages, the "past" hit me.

Brent: could you do me a favor and take a look at this code for verifying the signature.
I assembled it from bits and pieces from the OpenSAML unit tests and Javadocs.
It works fine, but is there a better approach (assuming this is just test code and will be reorganized)? In my use case the SAML response is signed.
 
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import javax.servlet.http.HttpServletRequest;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.core.Response;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;

// ks holds the signer's certificate under alias "pi"; request carries the HTTP-POST binding form
public static void verifyResponseSignature(HttpServletRequest request, KeyStore ks) throws Exception {
    DefaultBootstrap.bootstrap();

    // Decode the SAML Response posted by the browser
    BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
    messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));

    BasicParserPool parser = new BasicParserPool();
    parser.setNamespaceAware(true);

    SAMLMessageDecoder decoder = new HTTPPostDecoder(parser);
    decoder.decode(messageContext);

    Response samlResponse = (Response) messageContext.getInboundMessage();
    Signature signature = samlResponse.getSignature();

    // The peer's public key, taken from its certificate, is the verification credential
    Certificate certificate = ks.getCertificate("pi");
    PublicKey publicKey = certificate.getPublicKey();

    BasicCredential credential = new BasicCredential();
    credential.setPublicKey(publicKey);

    // validate() throws ValidationException if the signature does not verify
    SignatureValidator signatureValidator = new SignatureValidator(credential);
    signatureValidator.validate(signature);
}
 
 
If you think our conversation could be useful to others too, then we can post it on the wiki.

Thanks for your help.
Manish 
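The two-key-pair point made in the exchange above, as an added example that is not part of this post or of OpenSAML's own code: the Response signature is checked with the peer's public key (after a SAML signing-profile check), and each EncryptedAssertion is then decrypted with the receiver's own private key using the OpenSAML 2 Decrypter. The class name, the keystore aliases "idp-signing" and "sp-encryption", and the key password parameter are assumptions; the keystore and servlet request come from the caller.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/**
 * Added example (not from the thread): verify the Response signature with the
 * PEER's public key, then decrypt EncryptedAssertions with OUR private key.
 * Class name and keystore aliases are assumptions.
 */
public class PostProfileReceiver {

    /** Decode the SAML 2 Response carried by the HTTP-POST binding. */
    public static Response decodeResponse(HttpServletRequest request) throws Exception {
        DefaultBootstrap.bootstrap();
        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);
        BasicSAMLMessageContext ctx = new BasicSAMLMessageContext();
        ctx.setInboundMessageTransport(new HttpServletRequestAdapter(request));
        new HTTPPostDecoder(parser).decode(ctx);
        return (Response) ctx.getInboundMessage();
    }

    /** Signature check uses the peer's (IdP's) signing key, never our decryption key. */
    public static void verifyResponseSignature(Response response, PublicKey peerSigningKey)
            throws ValidationException {
        Signature signature = response.getSignature();
        if (signature == null) {
            throw new ValidationException("Response is not signed");
        }
        // Reject signatures whose references/transforms do not follow the SAML signing profile
        new SAMLSignatureProfileValidator().validate(signature);
        BasicCredential peer = new BasicCredential();
        peer.setPublicKey(peerSigningKey);
        new SignatureValidator(peer).validate(signature);
    }

    /** Decryption uses our own private key; it is independent of the signature check above. */
    public static List<Assertion> decryptAssertions(Response response, PrivateKey ownDecryptionKey)
            throws DecryptionException {
        BasicCredential own = new BasicCredential();
        own.setPrivateKey(ownDecryptionKey);
        // The EncryptedKey sits inline in the EncryptedData's KeyInfo; our credential unwraps it,
        // so a wrong private key or a corrupted EncryptedKey/EncryptedData ends in DecryptionException
        Decrypter decrypter = new Decrypter(null,
                new StaticKeyInfoCredentialResolver(own),
                new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        List<Assertion> assertions = new ArrayList<Assertion>(response.getAssertions());
        for (EncryptedAssertion enc : response.getEncryptedAssertions()) {
            assertions.add(decrypter.decrypt(enc));
        }
        return assertions;
    }

    /** End-to-end: decode, verify with the peer's key pair, decrypt with ours. */
    public static List<Assertion> process(HttpServletRequest request, KeyStore ks, char[] keyPassword)
            throws Exception {
        Response response = decodeResponse(request);
        // Two distinct key pairs; the aliases below are assumptions
        Certificate peerCert = ks.getCertificate("idp-signing");
        verifyResponseSignature(response, peerCert.getPublicKey());
        PrivateKey ownKey = (PrivateKey) ks.getKey("sp-encryption", keyPassword);
        return decryptAssertions(response, ownKey);
    }
}
```

A successful verifyResponseSignature says nothing about whether decryptAssertions will succeed, because the two steps use different key pairs; the three causes listed in the quoted reply above (wrong private key in the decryption credential, corrupted EncryptedKey, corrupted EncryptedData) all surface as a DecryptionException from decrypt(). With debug logging enabled for org.opensaml.xml.encryption and org.opensaml.saml2.encryption, the log shows which of those steps failed.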