Re: Exception decrypting SAML2 Assertions


Olav Morken

Sep 28, 2012, 7:12:01 AM
to simple...@googlegroups.com
On Thu, Sep 27, 2012 at 00:38:50 -0700, Julian wrote:
> Hi,
>
> I'm setting up an SP at our University. For that I configured it and added
> the IdP's Metadata. When testing the SP there's that Exception:
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /var/simplesamlphp-1.10.0-rc2/www/module.php:180 (N/A)
> Caused by: Exception: Failed to decrypt XML element.
> Backtrace:
> 6 /var/simplesamlphp-1.10.0-rc2/lib/SAML2/Utils.php:486 (SAML2_Utils::decryptElement)
> 5 /var/simplesamlphp-1.10.0-rc2/lib/SAML2/EncryptedAssertion.php:89 (SAML2_EncryptedAssertion::getAssertion)
> 4 /var/simplesamlphp-1.10.0-rc2/modules/saml/lib/Message.php:350 (sspmod_saml_Message::decryptAssertion)
> 3 /var/simplesamlphp-1.10.0-rc2/modules/saml/lib/Message.php:549 (sspmod_saml_Message::processAssertion)
> 2 /var/simplesamlphp-1.10.0-rc2/modules/saml/lib/Message.php:523 (sspmod_saml_Message::processResponse)
> 1 /var/simplesamlphp-1.10.0-rc2/modules/saml/www/sp/saml2-acs.php:75 (require)
> 0 /var/simplesamlphp-1.10.0-rc2/www/module.php:135 (N/A)
>
>
>
> Apache's error.log gives me that error:
> [Thu Sep 27 09:17:10 2012] [error] [client ****] PHP Warning:
> openssl_pkey_get_details() expects parameter 1 to be resource, boolean
> given in /var/simplesamlphp-1.10.0-rc2/lib/SAML2/Utils.php on line 414,
> referer: https://****/idp/profile/SAML2/Redirect/SSO
>
> It seems that the Assertion cannot be decrypted?!
>
> The authsources looks like that:
> '****' => array(
> 'saml:SP',
> 'entityID' => NULL,
> 'name' => array(
> 'de' => '****',
> ),
> 'OrganizationName' => array(
> 'de' => '****',
> ),
> 'OrganizationURL' => array(
> 'de' => 'http://****.de',
> ),
> 'contacts' => array (
> 'contactType' => 'technical',
> 'givenName' => 'Julian',
> 'surName' => '****',
> 'emailAddress' => 'admin@****.de',
> ),
> 'idp' => 'https://****/idp/shibboleth',
> 'discoURL' => NULL,
> 'certificate' => 'cert-5653817700514965.pem',
> 'privatekey' => 'key.pem',
> 'attributes' => array(
> 'mail',
> 'givenName',
> 'eduPersonScopedAffiliation',
> ),
> 'attributes.required' => array (
> 'mail',
> ),
> 'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
> ),
>
>
> The Metadata for the IdP is based on an XML File (BTW. I think there are
> some bugs in the metadata converter?!) and looks like that:
> saml20-idp-remote.php
>
>
>
> $metadata['https://****/idp/shibboleth'] = array(
>
> 'entityid' => 'https://****/idp/shibboleth',
> 'OrganizationName' => '****',
> 'OrganizationDisplayName' => '****',
> 'OrganizationURL' => 'http://www.****.de',
> 'name' => '****',
> 'description' => '****',
> 'url' => 'http://www.****.de',
> 'contacts' => array (
> 0 => array (
> 'contactType' => 'administrative',
> 'givenName' => '****',
> 'surName' => '****',
> 'emailAddress' =>
> array (
> 0 => '****',
> ),
> ),
> 1 => array (
> 'contactType' => 'technical',
> 'givenName' => '****',
> 'surName' => '****',
> 'emailAddress' =>
> array (
> 0 => '****',
> ),
> ),
> ),
> 'SingleSignOnService' => array (
> 0 =>
> array (
> 'Binding' => 'urn:mace:shibboleth:1.0:profiles:AuthnRequest',
> 'Location' => 'https://****/idp/profile/Shibboleth/SSO',
> ),
> 1 =>
> array (
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
> 'Location' => 'https://****/idp/profile/SAML2/POST/SSO',
> ),
> 2 =>
> array (
> 'isDefault' => TRUE,
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
> 'Location' => 'https://****/idp/profile/SAML2/Redirect/SSO',
> ),
> ),
> 'ArtifactResolutionService' => array (
> 0 => array (
> 'Binding' => 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding',
> 'Location' => 'https://****:8443/idp/profile/SAML1/SOAP/ArtifactResolution',
> 'index' => 1,
> ),
> 1 => array (
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
> 'Location' => 'https://****:8443/idp/profile/SAML2/SOAP/ArtifactResolution',
> 'index' => 2,
> ),
> ),
> 'certificate' => '****.pem',
> 'certFingerprint' =>
> '4D:14:6A:41:CE:FC:CD:B0:83:F3:66:DF:59:A7:F2:D9:2B:BC:DC:9E',
> 'assertion.encryption' => TRUE,
> 'scope' => array (
> 0 => '****',
> ),
> );
>
> I tried to paste the Certificate of the IdP directly to the Metadata File
> using certData but it didn't work as well.
>
> Any Ideas?

My guess is that there is a problem loading the private key of the SP,
or maybe that it is incorrectly formatted.

Best regards,
Olav Morken
UNINETT / Feide

Julian

Oct 18, 2012, 11:25:09 AM
to simple...@googlegroups.com
Hi,

I'm not sure if I configured the encryption correctly.
  1. I generated a private key (A) on the server and sent a CSR to the CA of our University.
  2. They returned me a (signed) certificate (B).
  3. I got an XML Metadata file of the IdP with the public key of the IdP (C).
I added the private key and the signed cert in the authsources.php.

'certificate' => 'cert-5653817700514965.pem', (B)
'privatekey' => 'key.pem', (A)

The Metadata from the XML contains a x509 Cert:

      <KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:KeyName>idp.****.de</ds:KeyName>
          <ds:X509Data>
            <ds:X509SubjectName>CN=****,C=DE</ds:X509SubjectName>
            <ds:X509Certificate>MIIFZjCCBE6gAwIBAgIEDGNY9DANBgkqhkiG9w0BAQUFADCBxjELMAkGA1UEBhMC
REUxJDAiBgNVBAoTG1VuaXZlcnNpdGFldCBEdWlzYnVyZy1Fc3NlbjE1MDMGA1UE
CxMsWmVudHJ1bSBmdWVyIEluZm9ybWF0aW9ucy0gdW5kIE1lZGllbmRpZW5zdGUx
LDAqBgNVBAMTI1VuaXZlcnNpdGFldCBEdWlzYnVyZy1Fc3NlbiBDQSAtRzAxMSww

...
</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>

The metadataconverter couldn't convert it properly, so I saved the cert in a separate file and added to saml20-idp-remote.php:

'certificate' => 'idp.***.de.pem',
'certFingerprint' => '4D:14:6A:41:CE:FC:CD:B0:83:F3:66:DF:59:A7:F3:D9:2B:BC:DC:9E',
'assertion.encryption' => TRUE,

All Certs are in the cert dir of simplesaml.

Is there a way to see the encrypted assertion? And maybe check it?

Thanks
Julian

Olav Morken

Oct 19, 2012, 7:44:20 AM
to simple...@googlegroups.com
On Thu, Oct 18, 2012 at 08:25:09 -0700, Julian wrote:
> Hi,
>
> I'm not sure if I configured the encryption correctly.
>
> 1. I generated a private key (A) on the server and sent a CSR to the CA
> of our University.
> 2. They returned me a (signed) certificate (B).
> 3. I got an XML Metadata file of the IdP with the public key of the IdP
> (C).

Note that the IdP's public/private key has nothing to do with your
problem. The problem here is on the SP, where it fails to decrypt the
message using its own private key.

> I added the private key and the signed cert in the *authsources.php*.

Here you are talking about SP key & cert?

> 'certificate' => 'cert-5653817700514965.pem', (B)
> 'privatekey' => 'key.pem', (A)
>
> The Metadata from the XML contains a x509 Cert:
> <KeyDescriptor use="encryption">
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:KeyName>idp.****.de</ds:KeyName>
> <ds:X509Data>
> <ds:X509SubjectName>CN=****,C=DE</ds:X509SubjectName>
>
> <ds:X509Certificate>MIIFZjCCBE6gAwIBAgIEDGNY9DANBgkqhkiG9w0BAQUFADCBxjELMAkGA1UEBhMC
> REUxJDAiBgNVBAoTG1VuaXZlcnNpdGFldCBEdWlzYnVyZy1Fc3NlbjE1MDMGA1UE
> CxMsWmVudHJ1bSBmdWVyIEluZm9ybWF0aW9ucy0gdW5kIE1lZGllbmRpZW5zdGUx
> LDAqBgNVBAMTI1VuaXZlcnNpdGFldCBEdWlzYnVyZy1Fc3NlbiBDQSAtRzAxMSww
>
> ...
> </ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </KeyDescriptor>
>
> The metadataconverter couldn't convert it properly,

What error did you get?

> so I saved the cert in
> a separate file and added to *saml20-idp-remote.php*:
>
> 'certificate' => 'idp.***.de.pem',
> 'certFingerprint' =>
> '4D:14:6A:41:CE:FC:CD:B0:83:F3:66:DF:59:A7:F3:D9:2B:BC:DC:9E',
> 'assertion.encryption' => TRUE,
>
> All Certs are in the cert dir of simplesaml.
>
> Is there a way to see the encrypted assertion? And maybe check it?

Set 'debug' to TRUE in config/config.php. You may also have to adjust
the logging level. That should cause your SP to log the response before
the assertion is decrypted. If it successfully decrypts the assertion,
it will be logged also.

Julian

Oct 26, 2012, 5:17:02 AM
to simple...@googlegroups.com
Hi,

thanks for the help. I enabled debugging and noticed that I didn't set the passphrase for the private key.

Cheers
Julian

Nirajan Khadga

Apr 15, 2016, 1:33:08 PM
to SimpleSAMLphp
Hi Julian,


I have come across this post because I am stuck with the error you were struggling with more than 3 years back.

The error I am getting is "Key is missing data to perform the decryption".

I see that you were able to solve the issue by adding a passphrase for the private key.  Do I do this on the metadata file of the SP?  Do you mind telling me what the attribute I am missing on my metadata file below is?


SP Metadata:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://cat.banana-qa.net/SignIn/SamlMetaData">
  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:DisplayName xml:lang="en">Display Name</mdui:DisplayName>
        <mdui:Description xml:lang="en">Description</mdui:Description>
        <mdui:Logo>LogoUrl</mdui:Logo>
        <mdui:PrivacyStatementURL xml:lang="en">PrivacyPolicy/</mdui:PrivacyStatementURL>
      </mdui:UIInfo>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIFODC...................=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://cat.banana-qa.net/SignOut/SamlLogout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cat.banana-qa.net/SignIn/SamlAcs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

SAML Response:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://cct.bananaqa.net/SignIn/SamlAcs" ID="_584d6720576184d6a6f7c396f850b019" InResponseTo="Banana_7a26613a-b24e-461c-af39-b5ea8e11be89" IssueInstant="2016-04-13T18:10:00.709Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://scb1.cct.edu/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_4cd6916c8c1adc98c371a202c6c50f4f" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey Id="_aa1cb5932dd3ed1a5d968e09f41c79e8" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
          </xenc:EncryptionMethod>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>MIIFODCCBCCgAwIBAgIJAOqAYZiaSD9SMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2.......BgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wMwYDVR0RBCwwKoIUKi5hd2FyZHNwcmluZy1xYS5uZXSCEmF3YXJkc3ByaW5nLXFhLm5ldDAdBgNVHQ4EFgQUADqtjmhLN8HW6DDSOJ5PE2UVNKgwDQY.......Eh6G+GMByWVvSi80WXqnzV2oGTthFx3a2hyT3ndcr9RL17GE7wT5nw=</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
          <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue>......w8QEZG0qI/asmzbIDcP4ahkfeKQ96pUDg7xTtcPhKseRlOxUW7alwe2PHVYP9O0bWWxz/4Ih6kvl2cVPDql6QRpJAimmdY...==</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>.........SEGgqL4Kxr/Ddon78edBK4tSLUyLS12bmYHKQQRCauL9kuIskAQJdx8dMEW0dKC+r+n445Gc5k2fGuvIReIKRU4SgUloWhqme29SYC3La5t1k9QvGFuh7qc1/KrH/UAdtA47NfnxE4ZXdjTmAAwxrf41ARHFCEb5it9F8zvv21vfkACExYVQFY8Kgcww2augZldehH/Ycx4IdDVgGQmLz46HGrHfFM3y9Yy1GET1jELQ/R/HLc35KbFdzHa8fxKB4/boS+Yp2e6Sme62FCVJkSljP1XOGhfX/K+p6X67YR9Atyqova4UqNP+8Fv8qAlPM5kQC75WqKI2LtpjvngTG5MjqCUphZM/wKFKWFjH8D5YatK31xIcG9hqdxpDcq3Eh84tRPWKG+WF2Rl3kmjCy1XvyTPhcAqGna/BRtqcrtFrDY4GyOAJTtj.......</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>

I extremely appreciate your help.

Thank you in advance,
NK

Nate Klingenstein

Apr 15, 2016, 1:59:26 PM
to simple...@googlegroups.com
Nirajan,

He may not answer after 3 and a half years, but your problem is the same.  You just can’t load the private key.

You shouldn’t change your metadata unless it has the wrong public key in it — you would only know after you can load the private key, really — and you should definitely never, ever put the private key or any passphrases in your metadata.  It’s public data.

Instead, you should figure out why your key is not loading properly.  You could try privatekey_pass here.


Take care,
Nate.

Nirajan Khadga

Apr 15, 2016, 2:42:39 PM
to SimpleSAMLphp
Nate,

Thank you so much for your reply.  From what I gather, the metadata file without the passphrase is how it should be.  Because I have the x509Certificate, I am able to get the private key from that and use that to decrypt the key value.  

I think I am looking at the correct node for the key (//xenc:EncryptedKey//xenc:CipherData//xenc:CipherValue) .

I will look into the link you sent me for privatekey_pass.  

Again, thank you.  I appreciate your response.

Nirajan.

Nate Klingenstein

Apr 15, 2016, 2:48:35 PM
to simple...@googlegroups.com
Nirajan,

Let me try clarifying:

The IdP’s metadata will contain the IdP’s signing certificate. That signing certificate has the IdP’s public signing key in it. Your SP will load that metadata, and check the signature using it.

The SP’s metadata will contain the SP’s encryption certificate. IdPs will use the public key in that certificate to encrypt messages bound for your SP. If different IdPs are loading different metadata, they will be encrypting messages with different keys.

Your SP needs to be able to load the private key that matches the certificate used for encryption. That is the step that is failing.

The actual encryption is done using a symmetric key which is itself encrypted using the public key, just because it’s faster. You wouldn’t look there. In the SAML message with typical namespace prefixes, it would be:

xenc:EncryptedData//ds:KeyInfo//xenc:EncryptedKey//ds:KeyInfo//ds:X509Data//ds:X509Certificate

I hope this helps,
Nate.
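
The certificate path Nate gives above can be turned into a check over a logged response (with 'debug' enabled) that tells whether the IdP encrypted to the certificate your SP holds the private key for. This is an added example, not part of the thread and not SimpleSAMLphp code; the function names and the sample data are constructed, and the placeholder bytes stand in for real DER certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The path quoted in the thread, in ElementTree syntax.
CERT_PATH = (".//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey"
             "/ds:KeyInfo/ds:X509Data/ds:X509Certificate")

def fingerprint(der):
    """SHA-256 fingerprint of raw certificate bytes, colon-separated."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def pem_to_der(pem):
    """Strip the PEM armour and decode the base64 body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def encryption_certs(response_xml):
    """Certificates (raw bytes) the IdP names as the key-transport target."""
    if "<!DOCTYPE" in response_xml:  # a logged SAML response never needs a DTD
        raise ValueError("refusing XML with a DOCTYPE")
    root = ET.fromstring(response_xml)
    # Base64 in real responses is often line-wrapped, so drop all whitespace.
    return [base64.b64decode("".join((el.text or "").split()))
            for el in root.findall(CERT_PATH, NS)]

def encrypted_to(response_xml, sp_cert_pem):
    """True if the response was encrypted to the certificate in sp_cert_pem."""
    want = fingerprint(pem_to_der(sp_cert_pem))
    return any(fingerprint(c) == want for c in encryption_certs(response_xml))

# --- constructed sample data: placeholder bytes, not real certificates ---
def make_pem(der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

CURRENT_DER = b"placeholder for the certificate the SP holds a key for"
STALE_DER = b"placeholder for an older certificate still in IdP metadata"
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
 <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
     {base64.b64encode(STALE_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
   </xenc:EncryptedKey></ds:KeyInfo>
  </xenc:EncryptedData>
 </saml2:EncryptedAssertion>
</saml2p:Response>"""

if __name__ == "__main__":
    print("encrypted to the SP's current certificate:",
          encrypted_to(SAMPLE_RESPONSE, make_pem(CURRENT_DER)))
```

A False result means the IdP is working from metadata with a different certificate, so no passphrase or key-loading fix on the SP will make decryption succeed until the metadata and the key pair agree.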

Nirajan Khadga

Apr 15, 2016, 3:00:26 PM
to simple...@googlegroups.com
It absolutely makes sense now.  Thank you Nate.  Have a wonderful weekend.


Khaled Boussoffara

Jan 27, 2022, 7:50:48 AM
to SimpleSAMLphp

Hello, it seems an old discussion but I should ask here because I didn't find a solution for the same error: Uncaught Exception: Missing decrypted element or it was not actually a DOMElement
I added IdP and SP certificates in the cert folder of the simplesamlphp tools. Can someone tell me if I should use a signed certificate?

For more details about my problem I share the link for testing: https://lab44.inno.hpmetier.sf.intra.laposte.fr/

I will be really grateful if someone can help me.

Md Mesbah Uddin Waheed

Aug 18, 2022, 9:56:24 AM
to SimpleSAMLphp
It seems an old conversation but I couldn't find any solution. Please help me out.

Screenshot from 2022-08-18 19-54-08.png
I created a custom authentication module and tried to connect it with a MySQL database for testing.
I followed this documentation.
https://simplesamlphp.org/docs/1.19/simplesamlphp-customauth.html

Thanks in advance.

Tim van Dijen

Aug 18, 2022, 10:48:57 AM
to SimpleSAMLphp
Hi!

This seems like a bug in the fabricModule. Can you share this source with me/us?

- Tim

On Thursday, 18 August 2022 at 15:56:24 UTC+2, mesbah....@gmail.com wrote:

Md Mesbah Uddin Waheed

Aug 18, 2022, 11:22:10 AM
to SimpleSAMLphp
yes, this is my fabricModule
fabricAuth.php

Tim van Dijen

Aug 18, 2022, 1:43:09 PM
to SimpleSAMLphp
Just add a 'use Exception;' line to the file, right above the class-definition and you should be fine. Another solution would be to prefix every 'throw new Exception' with a backslash; 'throw new \Exception' ... This has nothing to do with SimpleSAMLphp and is basic PHP knowledge.

On Thursday, 18 August 2022 at 17:22:10 UTC+2, mesbah....@gmail.com wrote:

Md Mesbah Uddin Waheed

Aug 18, 2022, 1:51:50 PM
to SimpleSAMLphp

Thank you for your suggestion. I am a beginner in PHP. It works for me.