mace-opensaml-users - RE: [OpenSAML] Encrypting Assertion in Browser Post Profile Use case

Subject: OpenSAML user discussion


RE: [OpenSAML] Encrypting Assertion in Browser Post Profile Use case


  • From: "Janardhanan, Srilakshmi" <>
  • To: <>
  • Subject: RE: [OpenSAML] Encrypting Assertion in Browser Post Profile Use case
  • Date: Tue, 29 Apr 2008 09:48:39 -0400

Brent,
 
Thanks for your feedback. Yes, all I want is an auto-generated data encryption key based on aes256-cbc, using the following code:

    EncryptionParameters encParams = SecurityHelper.buildDataEncryptionParams(null, null, null);
    encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);

 

However, this throws the exception below (it works fine if I don't explicitly set the algorithm; it defaults to AES-128):

    org.opensaml.xml.encryption.EncryptionException: Error encrypting XMLObject
        at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:453)
        at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:343)
        at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:257)
        at com.Test.encryptAssertion(Test.java:450)
        at com.Test.generateSAMLResponse(Test.java:313)
        at com.Test.main(Test.java:163)
    Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters
    Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
        at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
        at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
        at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:450)
        ... 5 more

 

I have also tried generating the encryption key and credential myself but same exception.

 

From: Brent Putman [mailto:]
Sent: Monday, April 28, 2008 6:27 PM
To:
Subject: Re: [OpenSAML] Encrypting Assertion in Browser Post Profile Use case



Janardhanan, Srilakshmi wrote:

Hi,

I have the following code to encrypt an assertion and it works with the default parameters:

    EncryptionParameters encParams = SecurityHelper.buildDataEncryptionParams(null, null, null);

    BasicCredential encryptCredential = new BasicCredential();
    encryptCredential.setPublicKey(pair.getCertificate().getPublicKey()); // Partner public cert
    KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
    kekParams.setEncryptionCredential(encryptCredential);
    kekParams.setAlgorithm(XMLCipher.RSA_v1dot5);

    Encrypter encrypter = new Encrypter(encParams, kekParams);
    encrypter.setKeyPlacement(KeyPlacement.INLINE);

    EncryptedAssertion encryptedAssertion = encrypter.encrypt(assertion);


-- The assertion is encrypted with a generated key using the http://www.w3.org/2001/04/xmlenc#aes128-cbc and this key is encrypted with the Partner public key.

Firstly, could you please review whether this approach is correct.


Yes, it is functionally correct.

You could also automate the building of the KeyEncryptionParameters (like the data enc params) using the SecurityHelper#buildKeyEncryptionParameters.  I don't know if you want or need to send a ds:KeyInfo to help the partner identify the encryption key, but that will get included by default with that mechanism.

Also, you might want to avoid using the constant from the Apache XMLCipher; we have a complete set of constants in the EncryptionConstants class. If we ever switch the underlying encryption impl to something else (e.g. something based on JSR106), that might go away. If you use the helper method, the KEK algorithm URI will be selected dynamically.

Secondly, I am trying to generate a key using the aes256-cbc instead of aes128-cbc using the following code:

    encParams.setEncryptionCredential(SecurityTestHelper.generateKeyPairAndCredential(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256, 1024, false));


You're mixing up several things there between the data encryption key and key encryption key pair, algorithm URIs, key lengths, etc. Assuming all you want is just an auto-generated data encryption key based on aes256-cbc, then all you need to do is set the EncryptionParameters#setAlgorithm value to that EncryptionConstants algorithm URI.

If you want to generate the data encryption key and credential yourself, you would use the SecurityHelper generateSymmetricKey(String) and getSimpleCredential(SecretKey), but you're still responsible for setting the algorithm URI on the encParams correctly based on the key you supply.

I would avoid using things from the SecurityTestHelper class for production code. The only reason it's not in the test source tree is because it's used by multiple projects in the java-opensaml2 stack.

--Brent
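Editor's note, with a worked example that is not part of the thread and not OpenSAML project code. Two points from the exchange are worth pinning down in code. First, Brent's advice: set the aes256-cbc URI on the EncryptionParameters and let the Encrypter generate the data key, or generate the key yourself with SecurityHelper.generateSymmetricKey/getSimpleCredential and keep the algorithm URI consistent with it; and build the key-encryption parameters with the SecurityHelper method rather than hand-picking an Apache XMLCipher constant. Second, the exception in Srilakshmi's follow-up: java.security.InvalidKeyException "Illegal key size or default parameters" is the JCE jurisdiction-policy restriction, which rejects AES keys longer than 128 bits until the unlimited-strength policy files are installed on that JRE (newer JDKs ship unlimited by default). That explains why the same code works with the AES-128 default and fails only for AES-256, regardless of how the key was generated. The example below checks Cipher.getMaxAllowedKeyLength("AES") up front so the failure is reported clearly, then encrypts a minimal assertion both ways and verifies the EncryptedData really advertises aes256-cbc. Assumptions: the helper is SecurityHelper.buildKeyEncryptionParams with the signature (credential, wrappedKeyAlgorithm, config, keyInfoGenName, recipient) as in the OpenSAML 2.x/xmltooling API (Brent's message calls it buildKeyEncryptionParameters); the partner RSA key pair and the assertion are constructed inputs standing in for the partner certificate and the real SAML response.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.Credential;

public class Aes256AssertionEncryption {

    private static final String DATA_ALGO = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256;

    /** Fail early with a clear message if the JCE policy caps AES below the requested size. */
    static void requireAesKeySize(int bits) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES"); // Integer.MAX_VALUE when unlimited
        if (max < bits) {
            throw new IllegalStateException("JCE policy allows at most " + max
                    + "-bit AES; AES-" + bits + " needs the unlimited-strength policy files");
        }
    }

    /** KEK parameters for the partner public key; the helper selects the RSA key-transport URI. */
    static KeyEncryptionParameters kekParamsFor(PublicKey partnerKey) throws Exception {
        BasicCredential partner = new BasicCredential();
        partner.setPublicKey(partnerKey);
        // Assumed signature: (credential, wrappedKeyAlgorithm, config, keyInfoGenName, recipient);
        // null config and keyInfoGenName fall back to the global security configuration,
        // which also emits a ds:KeyInfo for the partner key by default.
        return SecurityHelper.buildKeyEncryptionParams(partner, DATA_ALGO, null, null, null);
    }

    /** Path 1: only set the algorithm URI; the Encrypter generates a matching AES-256 key. */
    static EncryptedAssertion encryptWithGeneratedKey(Assertion assertion, PublicKey partnerKey)
            throws Exception {
        requireAesKeySize(256);
        EncryptionParameters encParams = SecurityHelper.buildDataEncryptionParams(null, null, null);
        encParams.setAlgorithm(DATA_ALGO);
        Encrypter encrypter = new Encrypter(encParams, kekParamsFor(partnerKey));
        encrypter.setKeyPlacement(KeyPlacement.INLINE);
        return encrypter.encrypt(assertion);
    }

    /** Path 2: generate the data key yourself; the URI set on encParams must match that key. */
    static EncryptedAssertion encryptWithExplicitKey(Assertion assertion, PublicKey partnerKey)
            throws Exception {
        requireAesKeySize(256);
        SecretKey dataKey = SecurityHelper.generateSymmetricKey(DATA_ALGO); // 256-bit AES key
        Credential dataCred = SecurityHelper.getSimpleCredential(dataKey);
        EncryptionParameters encParams = new EncryptionParameters();
        encParams.setAlgorithm(DATA_ALGO);
        encParams.setEncryptionCredential(dataCred);
        Encrypter encrypter = new Encrypter(encParams, kekParamsFor(partnerKey));
        encrypter.setKeyPlacement(KeyPlacement.INLINE);
        return encrypter.encrypt(assertion);
    }

    /** The algorithm the produced xenc:EncryptedData advertises to the partner. */
    static String dataAlgorithmOf(EncryptedAssertion ea) {
        return ea.getEncryptedData().getEncryptionMethod().getAlgorithm();
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Constructed inputs: a throwaway RSA pair standing in for the partner certificate,
        // and a minimal assertion standing in for the real one.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair partner = kpg.generateKeyPair();

        Assertion assertion = (Assertion) Configuration.getBuilderFactory()
                .getBuilder(Assertion.DEFAULT_ELEMENT_NAME).buildObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID("_example-assertion");
        assertion.setIssueInstant(new DateTime());

        EncryptedAssertion[] results = {
                encryptWithGeneratedKey(assertion, partner.getPublic()),
                encryptWithExplicitKey(assertion, partner.getPublic()) };
        for (EncryptedAssertion ea : results) {
            if (!DATA_ALGO.equals(dataAlgorithmOf(ea))) {
                throw new IllegalStateException("unexpected data algorithm " + dataAlgorithmOf(ea));
            }
            System.out.println("EncryptedData uses " + dataAlgorithmOf(ea));
        }
    }
}
```

On a JRE still carrying the restricted policy files, requireAesKeySize throws before any XML is touched, which is far easier to diagnose than the XMLCipher stack trace above; on an unrestricted JRE both paths print the aes256-cbc URI. The explicit-key path is the one to watch: if the URI on encParams and the generated key disagree (say, an AES-128 URI with a 256-bit key), the Encrypter will not notice for you.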




