mace-opensaml-users - Re: [OpenSAML] [OpenSAML java] encrypted assertion

Re: [OpenSAML] [OpenSAML java] encrypted assertion


  • Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion
  • Date: Wed, 20 Apr 2011 16:02:45 +0800

Many thanks, Putmanb.

By the way, if I need to digest the assertion, should I digest the signature info too, or only the other assertion info, excluding the signature info?


Thanks&Best Regards
Li Ji Xian


----- Original Message -----
From: Brent Putman [mailto:]
To:
Sent: Mon, 18 Apr 2011 10:33:18 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion

Well, you can't use RSA to encrypt the actual data, you have to use a symmetric block algorithm for the data encryption, and then encrypt the data encryption key as an EncryptedKey and send it along with the EncryptedAssertion.   The examples in the wiki illustrate this.

The technical reason is that RSA can only encrypt a block that is slightly smaller than its modulus size, not nearly enough for a SAML assertion.  And there are no cipher modes defined for RSA for multi-block encryption (or at least if there are, XML Encryption doesn't support them).  For more info, you can google.  Using an ephemeral symmetric data encryption key is the standard approach to using RSA encryption for pretty much anything out there, not just SAML.



On 4/18/11 6:43 AM, wrote:

Hi Putmanb,

Thanks for your response.

I can run it, but I have another question: if I use the RSA algorithm to encrypt, how do I set the block size of the RSA algorithm? Below is the exception:


org.opensaml.xml.encryption.EncryptionException: Error encrypting XMLObject
 at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:453)
 at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:343)
 at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:257)
 at SamlTest.main(SamlTest.java:208)
Caused by: java.lang.ArrayIndexOutOfBoundsException: too much data for RSA block
 at org.bouncycastle.jce.provider.JCERSACipher.engineDoFinal(Unknown Source)
 at javax.crypto.Cipher.doFinal(Unknown Source)
 at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
 at org.apache.xml.security.encryption.XMLCipher.encryptData(Unknown Source)
 at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:450)
 ... 3 more



Thanks&Best Regards
Li Ji Xian


----- Original Message -----
From: Brent Putman []
To:
Sent: Mon, 18 Apr 2011 02:20:39 -0400
Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion

This is documented pretty extensively in the wiki:

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManJavaXMLEncryption



On 4/18/11 1:56 AM, wrote:
>
> Hi,
>
> Who can give me an example of how to encrypt an assertion? Thanks.
>
> Thanks&Best Regards
> Li Ji Xian
>
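
The hybrid scheme Brent describes (symmetric data encryption key, RSA used only to wrap that key as an EncryptedKey alongside the EncryptedAssertion), written out against the OpenSAML 2.x Java API as an added example; this is not code from the thread or from the OpenSAML project itself. The class name AssertionEncryptor and the assumption that the caller already holds a Credential carrying the recipient's RSA public key are mine.

```java
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionException;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;

/** Added example (hypothetical class name): hybrid encryption of a SAML 2.0 Assertion. */
public final class AssertionEncryptor {

    /**
     * Encrypts the Assertion XML with a fresh AES-128 key, then wraps that key
     * with the recipient's RSA public key (RSA-OAEP) and carries it as an EncryptedKey.
     *
     * @param assertion       the plaintext Assertion to protect
     * @param recipientRsaKey Credential holding the recipient's RSA public key (assumed supplied by caller)
     */
    public static EncryptedAssertion encrypt(Assertion assertion, Credential recipientRsaKey)
            throws EncryptionException {

        // Data encryption: always a symmetric block cipher. Putting an RSA key-transport
        // URI here is what produces the "too much data for RSA block" exception above.
        EncryptionParameters dataParams = new EncryptionParameters();
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
        // No data-encryption credential is set, so OpenSAML generates an ephemeral AES key.

        // Key transport: RSA-OAEP wraps only the 16-byte AES key, which fits within the modulus.
        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setEncryptionCredential(recipientRsaKey);
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

        // Emit a KeyInfo in the EncryptedKey so the recipient can pick the right RSA private key.
        KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()
                .getKeyInfoGeneratorManager().getDefaultManager().getFactory(recipientRsaKey);
        kekParams.setKeyInfoGenerator(kigf.newInstance());

        Encrypter encrypter = new Encrypter(dataParams, kekParams);
        // PEER: the EncryptedKey is placed next to the EncryptedData inside the
        // EncryptedAssertion element, so key and ciphertext travel together.
        encrypter.setKeyPlacement(KeyPlacement.PEER);

        return encrypter.encrypt(assertion);
    }
}
```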



