
mace-opensaml-users - Assertion Decryption

Subject: OpenSAML user discussion


Assertion Decryption


  • From: Dennis Roberts <>
  • To:
  • Subject: Assertion Decryption
  • Date: Mon, 15 Mar 2010 18:03:54 -0700

I'm having a bit of a problem decrypting an encrypted assertion. Here's the
code to encrypt the assertion:

-------

import java.security.PublicKey;

import javax.crypto.SecretKey;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.EncryptionException;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.slf4j.Logger;

// Fields the methods below rely on; they are declared elsewhere in the
// original class, so the types here are the ones implied by the calls
// (the logger is assumed to be SLF4J, which OpenSAML 2 itself uses).
// Saml2Formatter is the poster's own serialization helper, not an OpenSAML class.
private SecretKey secretKey;         // symmetric data-encryption key
private String secretKeyAlgorithm;   // data-encryption algorithm URI (aes256-cbc in the output below)
private PublicKey publicKey;         // recipient's key-transport public key
private String publicKeyAlgorithm;   // key-transport algorithm URI
private Logger logger;

public String encryptAssertion(Assertion assertion) throws MarshallingException {
    EncryptionParameters encryptionParameters = buildEncryptionParameters();
    KeyEncryptionParameters keyEncryptionParameters = buildKeyEncryptionParameters();
    Encrypter encrypter = new Encrypter(encryptionParameters, keyEncryptionParameters);
    EncryptedAssertion encryptedAssertion = getEncryptedAssertion(encrypter, assertion);
    return new Saml2Formatter().format(encryptedAssertion);
}

private EncryptionParameters buildEncryptionParameters() throws MarshallingException {
    validateEncryptionParameters();
    EncryptionParameters parameters = new EncryptionParameters();
    if (secretKey != null) {
        logger.info("setting the encryption credential to " + secretKey.hashCode());
        parameters.setEncryptionCredential(SecurityHelper.getSimpleCredential(secretKey));
        logger.info("finished setting the encryption credential to " + secretKey.hashCode());
    }
    parameters.setAlgorithm(secretKeyAlgorithm);
    return parameters;
}

private void validateEncryptionParameters() throws MarshallingException {
    if (secretKeyAlgorithm == null) {
        throwMarshallingException("attempt to encrypt an assertion without a secret key algorithm");
    }
}

private KeyEncryptionParameters buildKeyEncryptionParameters() throws MarshallingException {
    validateKeyEncryptionParameters();
    KeyEncryptionParameters parameters = new KeyEncryptionParameters();
    // Public key only: the key-transport credential never needs the private half.
    Credential credential = SecurityHelper.getSimpleCredential(publicKey, null);
    parameters.setEncryptionCredential(credential);
    parameters.setAlgorithm(publicKeyAlgorithm);
    parameters.setKeyInfoGenerator(getKeyInfoGenerator(credential));
    return parameters;
}

private void validateKeyEncryptionParameters() throws MarshallingException {
    if (publicKey == null) {
        throwMarshallingException("attempt to encrypt an assertion without a public key");
    }
    if (publicKeyAlgorithm == null) {
        throwMarshallingException("attempt to encrypt an assertion without a public key algorithm");
    }
}

private KeyInfoGenerator getKeyInfoGenerator(Credential credential) {
    // Use the globally configured default KeyInfoGenerator for this credential type.
    return Configuration.getGlobalSecurityConfiguration()
            .getKeyInfoGeneratorManager()
            .getDefaultManager()
            .getFactory(credential)
            .newInstance();
}

private EncryptedAssertion getEncryptedAssertion(Encrypter encrypter, Assertion assertion)
        throws MarshallingException {
    try {
        return encrypter.encrypt(assertion);
    } catch (EncryptionException e) {
        String msg = "unable to encrypt the assertion";
        logger.error(msg, e);
        throw new MarshallingException(msg, e);
    }
}

private void throwMarshallingException(String msg) throws MarshallingException {
    logger.error(msg);
    throw new MarshallingException(msg);
}

-------

This code works fine and seems to produce a correct encrypted SAML assertion.
The problem that I'm having is when I try to decrypt the assertion, an
exception is being thrown indicating that the assertion can't be decrypted.
Here's the code:

-------

import java.io.StringReader;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Declared elsewhere in the original class: the recipient's key pair whose
// public half was used as the key-transport key when encrypting.
private KeyPair encryptingKeyPair;

private Element decryptAssertion(String serializedAssertion) throws Exception {
    // Parse the serialized saml:EncryptedAssertion and unmarshall it into the OpenSAML object tree.
    BasicParserPool parser = new BasicParserPool();
    parser.setNamespaceAware(true);
    Document document = parser.parse(new StringReader(serializedAssertion));
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(document.getDocumentElement());
    EncryptedAssertion encryptedAssertion =
            (EncryptedAssertion) unmarshaller.unmarshall(document.getDocumentElement());

    // Debug output: this prints only the xenc:EncryptedData child, not any
    // xenc:EncryptedKey siblings that may sit beside it inside the EncryptedAssertion.
    logger.info(new Saml2Formatter().format(encryptedAssertion.getEncryptedData()));

    PublicKey publicKey = encryptingKeyPair.getPublic();
    PrivateKey privateKey = encryptingKeyPair.getPrivate();
    Credential credential = SecurityHelper.getSimpleCredential(publicKey, privateKey);

    // Key-encryption-key resolver: only this key pair may unwrap the data key.
    StaticKeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(credential);

    // No data-key resolver (null); the EncryptedKey must be found by the
    // InlineEncryptedKeyResolver, which looks only inside EncryptedData/ds:KeyInfo.
    Decrypter decrypter = new Decrypter(null, resolver, new InlineEncryptedKeyResolver());
    Assertion assertion = decrypter.decrypt(encryptedAssertion);
    return new Saml2Formatter().marshall(assertion);
}

-------

The logger message in the middle is just some debugging code to let me see
the encrypted data. Here's what it looks like:

-------

<?xml version="1.0" encoding="UTF-8"?>
<xenc:EncryptedData
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Id="_eed2a9d3e825339e6469be143eafaa1f"
    Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod
      Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
        URI="#_644fac9576cba28e386bfc91feaf4f3b"/>
  </ds:KeyInfo>
  <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:CipherValue>BuxPihNl2rZfDrvlZ7mBCtmESjD0s8LEJy6J8r9yQB7qL+4mcVxF/n/ZbApjRiBkExCRrqMHe3rO...</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>

-------

I searched for other messages that mention similar problems, but the only one
I found appears to have been solved by using objects in the SAML2 package
rather than the SAML1 package. That isn't this problem (I'm using only SAML2
objects).

I did step through the code a little, and it appears that part of the problem
is that the InlineEncryptedKeyResolver is unable to get the list of encrypted
keys from the encrypted data. This line of code from
org.opensaml.saml2.encryption.Decrypter passes only the encrypted data to
its parent class:

-------

xmlObject = decryptData(encElement.getEncryptedData(),
isRootInNewDocument());

-------

This eventually gets to
org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(),
which calls the encrypted key resolver's resolve() method. This method then
calls encryptedData.getKeyInfo().getEncryptedKeys(), which returns an empty
list.

encryptedData.getKeyInfo() returns the ds:KeyInfo child element from the
encrypted data above. The problem occurs when getEncryptedKeys() is called.
This method looks for ds:EncryptedKey child elements. In this case,
there aren't any ds:EncryptedKey child elements because the ds:KeyInfo
element only contains a ds:RetrievalMethod child element.

Am I doing something wrong or is the decryption of assertions in this format
not supported yet? If it isn't supported yet, is there an easy way to get
OpenSAML to put the keys directly in the ds:KeyInfo element of the encrypted
data? I'm using OpenSAML 2.3.1.

Thanks,
Dennis
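What the ds:RetrievalMethod in the dump above means, with an added example that is not code from the original post or from the OpenSAML project: in OpenSAML 2.x the SAML 2 Encrypter's default key placement is Encrypter.KeyPlacement.PEER, which puts the xenc:EncryptedKey beside the xenc:EncryptedData as a child of saml:EncryptedAssertion and leaves only a same-document RetrievalMethod reference inside EncryptedData/ds:KeyInfo. InlineEncryptedKeyResolver looks only inside that KeyInfo, so the two sides disagree about where the key lives. Either switch the encrypter to KeyPlacement.INLINE, or (the more robust choice for a relying party, since SAML 2.0's EncryptedElementType allows EncryptedKey as a peer of EncryptedData) give the Decrypter a ChainingEncryptedKeyResolver that also tries EncryptedElementTypeEncryptedKeyResolver and SimpleRetrievalMethodEncryptedKeyResolver. The example assumes OpenSAML 2.3.x on the classpath; the RSA key pair, AES key and bare Assertion are generated here purely for illustration and stand in for the poster's encryptingKeyPair, secretKey and real assertion.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.UUID;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.impl.AssertionBuilder;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;

/**
 * Added example (not from the original post or from OpenSAML): shows where the
 * SAML 2 Encrypter places the xenc:EncryptedKey and builds a Decrypter that
 * finds it in either place. Assumes OpenSAML 2.3.x; keys are generated here.
 */
public class EncryptedKeyPlacementExample {

    /** Encrypter matching the poster's setup: AES-256-CBC data key, RSA-OAEP key transport. */
    static Encrypter buildEncrypter(SecretKey dataKey, KeyPair recipient) {
        EncryptionParameters dataParams = new EncryptionParameters();
        dataParams.setEncryptionCredential(SecurityHelper.getSimpleCredential(dataKey));
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);

        Credential kek = SecurityHelper.getSimpleCredential(recipient.getPublic(), null);
        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setEncryptionCredential(kek);
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
        kekParams.setKeyInfoGenerator(Configuration.getGlobalSecurityConfiguration()
                .getKeyInfoGeneratorManager().getDefaultManager().getFactory(kek).newInstance());
        return new Encrypter(dataParams, kekParams);
    }

    /** PEER (the default): EncryptedKey sits beside EncryptedData inside EncryptedAssertion,
     *  and EncryptedData/ds:KeyInfo carries only a ds:RetrievalMethod pointing at it. */
    static EncryptedAssertion encryptPeer(Assertion a, SecretKey dataKey, KeyPair recipient) throws Exception {
        Encrypter encrypter = buildEncrypter(dataKey, recipient);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.PEER);
        return encrypter.encrypt(a);
    }

    /** INLINE: EncryptedKey is placed directly inside EncryptedData/ds:KeyInfo, which is
     *  the only layout InlineEncryptedKeyResolver can see. */
    static EncryptedAssertion encryptInline(Assertion a, SecretKey dataKey, KeyPair recipient) throws Exception {
        Encrypter encrypter = buildEncrypter(dataKey, recipient);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        return encrypter.encrypt(a);
    }

    /** Decrypter that accepts inline, peer and RetrievalMethod-referenced keys, but will only
     *  unwrap them with this recipient's own private key. */
    static Decrypter buildDecrypter(KeyPair recipient) {
        Credential kek = SecurityHelper.getSimpleCredential(recipient.getPublic(), recipient.getPrivate());
        StaticKeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(kek);

        ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver();
        keyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        keyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        keyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());

        // No data-key resolver: the only acceptable path is an EncryptedKey wrapped for this recipient.
        Decrypter decrypter = new Decrypter(null, kekResolver, keyResolver);
        decrypter.setRootInNewDocument(true); // decrypted Assertion gets its own DOM, needed before signature checks
        return decrypter;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();   // stand-in for the poster's encryptingKeyPair
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();         // stand-in for the poster's secretKey

        Assertion assertion = new AssertionBuilder().buildObject();   // minimal constructed assertion
        assertion.setID("_" + UUID.randomUUID());

        EncryptedAssertion peer = encryptPeer(assertion, dataKey, recipient);
        System.out.println("PEER:   keys beside EncryptedData = " + peer.getEncryptedKeys().size()
                + ", keys inside EncryptedData/KeyInfo = " + peer.getEncryptedData().getKeyInfo().getEncryptedKeys().size());

        EncryptedAssertion inline = encryptInline(assertion, dataKey, recipient);
        System.out.println("INLINE: keys beside EncryptedData = " + inline.getEncryptedKeys().size()
                + ", keys inside EncryptedData/KeyInfo = " + inline.getEncryptedData().getKeyInfo().getEncryptedKeys().size());

        Decrypter decrypter = buildDecrypter(recipient);
        Assertion fromPeer = decrypter.decrypt(peer);
        Assertion fromInline = decrypter.decrypt(inline);
        System.out.println("both placements decrypt to the original ID: "
                + (assertion.getID().equals(fromPeer.getID()) && assertion.getID().equals(fromInline.getID())));
    }
}
```

The poster's own debug line printed only getEncryptedData(), which is why the peer EncryptedKey never showed up in the dump. On the relying-party side, keep the key-encryption-key resolver static and restricted to your own private key as above, and leave the data-key resolver null: the data key must always arrive wrapped, never be looked up from a KeyName or similar hint supplied by the sender. Note too that the Decrypter only recovers plaintext; whether the decrypted assertion is signed, fresh and addressed to you still has to be checked afterwards.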


