I'm new to opensaml, and I was able to solve most everything, but now I cannot encrypt an assertion and later decrypt it. The decrypter keeps telling me "Data encryption key may not be null".
The xml I've created (the binary parts are replaced by ellipses):
<?xml version="1.0" encoding="UTF-8"?>
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_ced59e212c89d4fb43e8593d3fb61258" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey Id="_4d7506f0f0ae1541b84048c600d5f9d8" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        </xenc:EncryptionMethod>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>.....</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">.....</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>
It seems to me a correct encrypted assertion with inline key info.
When I read it back, I have the encryptedAssertion. This is how I try to decrypt:
KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry(alias, new KeyStore.PasswordProtection(privatePassword.toCharArray()));
X509Certificate certificate = (X509Certificate)keyEntry.getCertificate();
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(certificate);
KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
InlineEncryptedKeyResolver encryptionKeyResolver = new InlineEncryptedKeyResolver();
Decrypter decrypter = new Decrypter(null, keyResolver, encryptionKeyResolver);
decrypter.setRootInNewDocument(true);
Assertion assertion = decrypter.decrypt(encryptedAssertion);
I must do something wrong, but I cannot find out what. For testing, I use the very same java keystore for both the encrypt and decrypt keys, and that's how I generate the data encryption parameters:
String algoURI = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128;
Credential dataCredential = SecurityTestHelper.generateKeyAndCredential(algoURI);
EncryptionParameters encryptParams = new EncryptionParameters();
encryptParams.setAlgorithm(algoURI);
encryptParams.setEncryptionCredential(dataCredential);
The key encryption parameters are generated by using the certificate from the java key store:
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(certificate);
String kekURIRSA = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP;
KeyEncryptionParameters keyEncryptParams = new KeyEncryptionParameters();
keyEncryptParams.setAlgorithm(kekURIRSA);
keyEncryptParams.setEncryptionCredential(credential);
keyEncryptParams.setKeyInfoGenerator(kig);
Could someone tell me what I have missed? Thanks in advance.
Best Regards,
Ivan
iva...@citromail.hu wrote:
> Hi,
>
> I'm new to opensaml, and I was able to solve most everything, but now I cannot encrypt an assertion and later decrypt it. The decrypter keeps telling me "Data encryption key may not be null".
>
Yeah, that means it can't successfully resolve the data decryption key,
and since you're using an encrypted key transported via an EncryptedKey,
ultimately it means it can't decrypt the EncryptedKey.
> BasicX509Credential credential = new BasicX509Credential();
> credential.setEntityCertificate(certificate);
>
> KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
>
> InlineEncryptedKeyResolver encryptionKeyResolver = new InlineEncryptedKeyResolver();
>
> Decrypter decrypter = new Decrypter(null, keyResolver, encryptionKeyResolver);
>
Remember that you decrypt with the recipient's private key. So you need
to also set the PrivateKey object on the Credential above with which you
are going to encrypt (the one that gets resolved and used by the Decrypter).
Offhand, everything else looks right, as far as I can tell.
--Brent
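Brent's point, written out as an added example that is not code from the thread or from OpenSAML itself: the recipient credential handed to the Decrypter must carry the private key, not just the certificate, because that key is what unwraps the RSA-OAEP EncryptedKey before the AES data key can be used. The class name AssertionDecryptor is hypothetical; keyStore, alias and the key password are assumed to be the same ones Ivan loads in his post, and the Decrypter constructor arguments follow the OpenSAML 2 signature (data-key resolver, KEK resolver, EncryptedKey resolver).

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;

/** Hypothetical helper (not part of OpenSAML): builds a decryption credential with both key halves. */
public final class AssertionDecryptor {

    private AssertionDecryptor() {}

    /** Loads the recipient's PrivateKeyEntry and returns a credential the Decrypter can actually use. */
    public static BasicX509Credential loadDecryptionCredential(KeyStore keyStore, String alias,
            char[] keyPassword) throws Exception {
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(
                alias, new KeyStore.PasswordProtection(keyPassword));
        if (entry == null) {
            throw new IllegalArgumentException("no private key entry under alias " + alias);
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate((X509Certificate) entry.getCertificate());
        // The step missing from the question: the private key that unwraps the EncryptedKey.
        PrivateKey privateKey = entry.getPrivateKey();
        credential.setPrivateKey(privateKey);
        return credential;
    }

    /** Wires the credential in as the KEK resolver (second constructor argument) and checks it first. */
    public static Decrypter buildDecrypter(BasicX509Credential credential) {
        if (credential.getPrivateKey() == null) {
            // A certificate-only credential is exactly what produces "Data encryption key may not be null".
            throw new IllegalStateException("decryption credential has no private key");
        }
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(credential);
        Decrypter decrypter = new Decrypter(null, kekResolver, new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        return decrypter;
    }

    public static Assertion decrypt(Decrypter decrypter, EncryptedAssertion encrypted)
            throws DecryptionException {
        return decrypter.decrypt(encrypted);
    }
}
```

The explicit getPrivateKey() check turns the late, generic decryption failure into an early, specific one at wiring time.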
Shengke
Second, none of our documentation should say that. OpenSAML 2 will work
with valid SAML 1 but it is not compatible with OpenSAML 1.
Finally, what do you mean by decoding? If you're talking about creating
the Java objects that represent the XML that's unmarshalling and it's
documented on the opensaml site. Decoding is the process of pulling the
message off of some stream-based transport. Is that what you're trying
to do?
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch
First, I was simply using the reply to send a message to the group. I thought I had changed the title but it still showed as a reply. I apologize for that.
Second, I was not saying that the official documentation says so, but it was pointed out to me that the opensaml2 implementation should be able to handle a SAML1 XML
document.
And finally, you are right about what I was asking. I will use the code example below:
***********************************************************
HTTPPostDecoder decode = new HTTPPostDecoder( new BasicParserPool() );
HttpServletRequestAdapter adapter = new HttpServletRequestAdapter(request);
BasicSAMLMessageContext context = new BasicSAMLMessageContext();
context.setInboundMessageTransport(adapter);
decode.decode(context);
************************************************************
This works fine with a saml2 XML response but cannot decode a SAML1 XML response. I tried to set the protocol for saml1 but it did not work. I would appreciate if you can help me.
Shengke
Wang, Shengke wrote:
> And finally, you are right about what I was asking. I will use the code example below:
> ***********************************************************
> HTTPPostDecoder decode = new HTTPPostDecoder( new BasicParserPool() );
> HttpServletRequestAdapter adapter = new HttpServletRequestAdapter(request);
> BasicSAMLMessageContext context = new BasicSAMLMessageContext();
> context.setInboundMessageTransport(adapter);
> decode.decode(context);
> ************************************************************
> This works fine with a saml2 XML response but cannot decode a SAML1 XML response. I tried to set the protocol for saml1 but it did not work. I would appreciate if you can help me.
Are you using the correct objects? There are SAML 1 and SAML 2
decoders. If the code you have is working for SAML 2 then I would
assume you're using the SAML 2 decoders. If you want to work with SAML
1 you need to use the SAML 1 decoders. The method signatures are
identical, on purpose. So probably the only thing you have to change is
your import statement.
Thanks. This really answers my question.
Shengke
-----Original Message-----
From: Chad La Joie [mailto:chad....@switch.ch]
Sent: Monday, December 15, 2008 9:30 AM
To: mace-open...@internet2.edu
Subject: Re: [OpenSAML] Read saml1 response
Shengke Wang
Wang, Shengke wrote:
> Does anyone know if WSS4j provides opensaml2 support now?
I have not heard anything to that effect, and a quick look at their
latest binary dist (the otherjars zip actually) shows that they're
still including opensaml-1.0.1.jar. So I'd say no, they don't.
> If
> not, when is it coming?
Probably best to ask them. I haven't heard anything about it. Someone
else can share if they know more.
--Brent
https://issues.apache.org/jira/browse/WSS-146
It's better to ask on the wss4j developer list.
I, for one, am waiting for them to start consuming latest openSAML2
release.
George
-----Original Message-----
From: Brent Putman [mailto:put...@georgetown.edu]
Sent: Tuesday, December 16, 2008 3:32 PM
To: mace-open...@internet2.edu
--Brent
Shengke
I think that would be a mistake, just like the original dependency was.
WSS is token agnostic, and that means any WSS library worth anything also
needs to be. I don't think it makes sense to hard code assumptions about
tokens, since that will practically guarantee the API is both brittle, but
also too rigid to handle additional token profiles in the future.
Now, can they be composed efficiently without prior arrangement? Probably
not, but my guess is they can't be composed now, since that's generally true
of any XML libraries not written to be composed. At best, maybe you can
overlap via DOM, and hope for some cases that's fast enough.
But that's a separate problem that argues XML is a mess (which it is), not
that the solution for WSS is to hard code anything.
WSS4J ought to have a layer into which you plugin token profile code, in
which case that would be done as a glue layer between the two, allowing both
to evolve.
-- Scott