
mace-opensaml-users - Re: [OpenSAML] Problem reading SAML response


Re: [OpenSAML] Problem reading SAML response


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Problem reading SAML response
  • Date: Mon, 02 Aug 2010 16:27:54 -0400



On 7/31/10 1:02 AM, wrote:
> I was able to resolve this myself. Thought of posting the solution as it
> can benefit other new SAML users.
>
> import java.security.PrivateKey;
> import javax.crypto.SecretKey;
> import org.opensaml.saml2.core.Assertion;
> import org.opensaml.saml2.core.EncryptedAssertion;
> import org.opensaml.saml2.encryption.Decrypter;
> import org.opensaml.xml.encryption.EncryptedKey;
> import org.opensaml.xml.security.SecurityHelper;
> import org.opensaml.xml.security.credential.BasicCredential;
> import org.opensaml.xml.security.credential.Credential;
> import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
> import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
>
> // Step 1: wrap the SP private key and pass it as the KEK resolver (2nd ctor arg)
> // to unwrap the EncryptedKey carried inline in the EncryptedData's KeyInfo.
> BasicCredential credential = new BasicCredential();
> credential.setPrivateKey(privateKey);
> KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
> EncryptedKey key = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
> Decrypter decrypter = new Decrypter(null, keyResolver, null);
> SecretKey dkey = (SecretKey) decrypter.decryptKey(key,
>         encryptedAssertion.getEncryptedData().getEncryptionMethod().getAlgorithm());
>
> // Step 2: use the recovered data key as the data-decryption resolver (1st ctor arg)
> // and decrypt the assertion itself.
> Credential shared = SecurityHelper.getSimpleCredential(dkey);
> decrypter = new Decrypter(new StaticKeyInfoCredentialResolver(shared), null, null);
> Assertion assertion = decrypter.decrypt(encryptedAssertion);
>
> Above code fully works.


Yes, it works, but you are handling here a lot of details that the
Decrypter is designed to hide, specifically the details of first
decrypting the encrypted data encryption key, and then performing the
actual data decryption. The reason for the 2nd
KeyInfoCredentialResolver constructor arg (newKEKResolver, "KEK" = "key
encryption key") is so that it can handle it all in one operation.

You can certainly do things in this more "manual" way, but it's doing
more work than you have to.

See the first decryption example on the wiki, that's pretty much the
simpler code for what you do above (which is in turn similar to your
earlier post, so something else must be going wrong somewhere):

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaXMLEncryption


>
> Now the only question I am left with is: Does this code handle all kinds of
> SAMLResponses or is there anything I need to do to make it work for both
> symmetric and asymmetric encryptions. I see that I might have to use
> ChainEncryptedKeyResolver. Can anyone throw some light on it please?



Those are 2 different issues. Usage of multiple EncryptedKeyResolvers
via a ChainingEncryptedKeyResolver handles the multiple cases of
placement of the EncryptedKey element (if a key encryption key or KEK is
in fact being used), for example inside the KeyInfo of the EncryptedData
vs. as a peer of the EncryptedData inside EncryptedAssertion vs other
possibilities.

Handling symmetric and asymmetric cases simultaneously would be handled
by the individual impl types and combination of
KeyInfoCredentialResolvers that you pass to the Decrypter.

Note also that using a StaticKeyInfoCredentialResolver makes tons of
simplifying assumptions, and in general is probably not what you want
for production code, unless the usage environment is also correspondingly
simple.

--Brent
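The one-shot Decrypter set-up that Brent's reply describes, written out as an added example (editor's code against the OpenSAML 2.x API, not code from the original thread or from the OpenSAML project). It covers both points of the reply at once: the KEK resolver (2nd constructor argument) takes care of unwrapping the EncryptedKey and decrypting the data in a single `decrypt()` call, the data-key resolver (1st argument) covers the pre-shared symmetric-key case where no EncryptedKey is present, and a ChainingEncryptedKeyResolver covers the different placements of the EncryptedKey element. The class and method names, the command-line arguments, the DER PKCS#8 key format and the `preSharedKey` parameter are this example's own assumptions; StaticKeyInfoCredentialResolver is kept for brevity, with the same production caveat Brent gives.

```java
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.SecretKey;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Example class (not part of OpenSAML): builds one Decrypter that handles KEK unwrapping itself. */
public class OneShotAssertionDecrypter {

    /**
     * spPrivateKey: the SP's RSA key that unwraps the EncryptedKey (asymmetric case).
     * preSharedKey: optional symmetric key used directly by the IdP (no EncryptedKey
     * present); pass null if that deployment style is not supported.
     */
    public static Decrypter buildDecrypter(PrivateKey spPrivateKey, SecretKey preSharedKey) {
        // KEK resolver (2nd ctor arg): Decrypter uses it to unwrap the EncryptedKey,
        // then uses the recovered data key internally. No manual decryptKey() step.
        BasicCredential kekCred = new BasicCredential();
        kekCred.setPrivateKey(spPrivateKey);
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(kekCred);

        // Data-key resolver (1st ctor arg): consulted when the EncryptedData carries
        // no EncryptedKey at all, i.e. the pre-shared symmetric-key case.
        KeyInfoCredentialResolver dataResolver = null;
        if (preSharedKey != null) {
            dataResolver = new StaticKeyInfoCredentialResolver(
                    SecurityHelper.getSimpleCredential(preSharedKey));
        }

        // EncryptedKeyResolver (3rd ctor arg): the chain tries each known placement of
        // the EncryptedKey: inline in the EncryptedData's KeyInfo, as a peer of the
        // EncryptedData inside the EncryptedAssertion, or referenced by RetrievalMethod.
        ChainingEncryptedKeyResolver encKeyResolver = new ChainingEncryptedKeyResolver();
        encKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        encKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        encKeyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());

        Decrypter decrypter = new Decrypter(dataResolver, kekResolver, encKeyResolver);
        // Place the decrypted Assertion in its own DOM document so that later
        // signature validation over it does not see the surrounding Response DOM.
        decrypter.setRootInNewDocument(true);
        return decrypter;
    }

    /** Decrypts every EncryptedAssertion in the Response with the given Decrypter. */
    public static List<Assertion> decryptAll(Response response, Decrypter decrypter)
            throws DecryptionException {
        List<Assertion> out = new ArrayList<Assertion>();
        for (EncryptedAssertion ea : response.getEncryptedAssertions()) {
            out.add(decrypter.decrypt(ea));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: SAML Response XML file; args[1]: SP private key as DER PKCS#8 (assumed layout).
        DefaultBootstrap.bootstrap();
        PrivateKey spKey = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(Paths.get(args[1]))));

        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Document doc = pool.parse(new FileInputStream(args[0]));
        Element root = doc.getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Response response = (Response) um.unmarshall(root);

        Decrypter decrypter = buildDecrypter(spKey, null); // no pre-shared symmetric key here
        for (Assertion a : decryptAll(response, decrypter)) {
            System.out.println("Decrypted assertion " + a.getID() + " issued by "
                    + (a.getIssuer() != null ? a.getIssuer().getValue() : "<none>"));
        }
    }
}
```

Two caveats for anyone adapting this. First, a successful decryption says nothing about who produced the assertion: anyone holding the SP's public encryption key can encrypt to it, so the decrypted Assertion (or the enclosing Response) still has to pass signature validation against the IdP's trusted signing credentials, plus the usual Conditions, Audience and Subject checks. Second, as Brent notes, StaticKeyInfoCredentialResolver simply hands back the one credential it was given regardless of what the KeyInfo says; in a deployment with several IdPs or a key rollover in progress you want a resolver that actually consults the KeyInfo to pick the right key.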




