
mace-opensaml-users - Encrypt/Decrypt assertion

Subject: OpenSAML user discussion


Encrypt/Decrypt assertion


  • Subject: Encrypt/Decrypt assertion
  • Date: Sat, 13 Dec 2008 08:41:10 -0500 (EST)

Hi,

I'm new to opensaml, and I was able to solve most everything, but now I
cannot encrypt an assertion and later decrypt it. The decrypter keeps telling
me "Data encryption key may not be null".

The XML I've created (the binary parts are replaced by ellipses):

<?xml version="1.0" encoding="UTF-8"?>
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Id="_ced59e212c89d4fb43e8593d3fb61258"
      Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey Id="_4d7506f0f0ae1541b84048c600d5f9d8"
          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        </xenc:EncryptionMethod>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>.....</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">.....</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>

It seems to me to be a correct encrypted assertion with inline key info.

When I read it back, I have the encryptedAssertion. This is how I try to
decrypt:

// Private-key entry from the Java keystore (keyStore, alias and
// privatePassword are set up earlier).
KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(
        alias, new KeyStore.PasswordProtection(privatePassword.toCharArray()));

X509Certificate certificate = (X509Certificate) keyEntry.getCertificate();

// Credential used for key decryption; only the certificate is set on it.
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(certificate);

// KEK resolver: always returns the credential above.
KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);

// EncryptedKey is carried inline inside the EncryptedData's KeyInfo.
InlineEncryptedKeyResolver encryptionKeyResolver = new InlineEncryptedKeyResolver();

// No direct data-key resolver (null); the data key is unwrapped from the EncryptedKey.
Decrypter decrypter = new Decrypter(null, keyResolver, encryptionKeyResolver);

decrypter.setRootInNewDocument(true);

Assertion assertion = decrypter.decrypt(encryptedAssertion);

I must do something wrong, but I cannot find out what. For testing, I use the
very same java keystore for both the encrypt and decrypt keys, and that's how
I generate the data encryption parameters:

// Fresh AES-128 data encryption key wrapped in a Credential.
String algoURI = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128;
Credential dataCredential = SecurityTestHelper.generateKeyAndCredential(algoURI);

EncryptionParameters encryptParams = new EncryptionParameters();
encryptParams.setAlgorithm(algoURI);
encryptParams.setEncryptionCredential(dataCredential);

The key encryption parameters are generated by using the certificate from the
java key store:

// Recipient credential built from the keystore certificate.
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(certificate);

// RSA-OAEP key transport for the data key; kig is a KeyInfoGenerator built
// elsewhere (not shown).
String kekURIRSA = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP;
KeyEncryptionParameters keyEncryptParams = new KeyEncryptionParameters();
keyEncryptParams.setAlgorithm(kekURIRSA);
keyEncryptParams.setEncryptionCredential(credential);
keyEncryptParams.setKeyInfoGenerator(kig);


Could someone tell me what I have missed? Thanks in advance.

Best Regards,

Ivan
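The following is an added example (editor's code, not from the post above and not the OpenSAML project's own code) showing a complete OpenSAML 2.x encrypt/decrypt round trip of an Assertion with an inline EncryptedKey. The Decrypter unwraps the EncryptedKey with the private key of the credential handed back by the KEK resolver, so the decryption-side credential must carry the private key as well as the certificate. The keystore path, alias and passwords are placeholder assumptions, and the Assertion to encrypt is assumed to be built by the caller.

```java
// Added example: OpenSAML 2.x encrypt/decrypt round trip for a SAML Assertion.
// Assumed placeholders: keystore "keystore.jks", alias "saml-key", passwords.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;

public class AssertionCryptoRoundTrip {

    /** Load certificate AND private key of one keystore entry into a credential. */
    static BasicX509Credential loadCredential(String path, char[] storePass,
                                              String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry)
                ks.getEntry(alias, new KeyStore.PasswordProtection(keyPass));
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate((X509Certificate) entry.getCertificate());
        // The private key is what unwraps the EncryptedKey on the receiving side;
        // a credential that holds only the certificate cannot unwrap anything.
        cred.setPrivateKey(entry.getPrivateKey());
        return cred;
    }

    /** Encrypt with a fresh AES-128 data key, wrapped with RSA-OAEP for the recipient. */
    static EncryptedAssertion encrypt(Assertion assertion, BasicX509Credential recipient)
            throws Exception {
        String dataAlgo = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128;
        Credential dataKey = SecurityHelper.generateKeyAndCredential(dataAlgo);
        EncryptionParameters dataParams = new EncryptionParameters();
        dataParams.setAlgorithm(dataAlgo);
        dataParams.setEncryptionCredential(dataKey);

        // Emit the recipient certificate in ds:KeyInfo of the EncryptedKey.
        X509KeyInfoGeneratorFactory kigFactory = new X509KeyInfoGeneratorFactory();
        kigFactory.setEmitEntityCertificate(true);
        KeyInfoGenerator kig = kigFactory.newInstance();

        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
        kekParams.setEncryptionCredential(recipient);
        kekParams.setKeyInfoGenerator(kig);

        Encrypter encrypter = new Encrypter(dataParams, kekParams);
        // Put the EncryptedKey inside the EncryptedData's KeyInfo (matches the post's XML).
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        return encrypter.encrypt(assertion);
    }

    /** Decrypt using our own credential (certificate + private key) as the KEK resolver. */
    static Assertion decrypt(EncryptedAssertion encrypted, BasicX509Credential own)
            throws Exception {
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(own);
        InlineEncryptedKeyResolver encKeyResolver = new InlineEncryptedKeyResolver();
        // First argument (data-key resolver) is null: the data key is never known
        // directly, it is recovered by unwrapping the inline EncryptedKey.
        Decrypter decrypter = new Decrypter(null, kekResolver, encKeyResolver);
        decrypter.setRootInNewDocument(true);
        return decrypter.decrypt(encrypted);
    }

    /** Bootstrap OpenSAML once, then encrypt and decrypt with the same keystore entry. */
    static Assertion roundTrip(Assertion assertion) throws Exception {
        DefaultBootstrap.bootstrap();
        BasicX509Credential cred = loadCredential("keystore.jks", "storepass".toCharArray(),
                                                  "saml-key", "keypass".toCharArray());
        EncryptedAssertion encrypted = encrypt(assertion, cred);
        return decrypt(encrypted, cred);
    }
}
```

For a test the same credential serves as both recipient and decryptor, as in the post; in production the encrypting party holds only the recipient's certificate, and only the recipient's service holds the private key that `decrypt` needs. A Decrypter whose KEK credential lacks the private key fails closed rather than returning a bogus assertion, which is the desired failure mode.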



