Error with decryption of assertion

[Bjarke Alling]

Hi,

I'm trying to make Simplesamlphp work as a SP against a new national Danish IDM (nemlog-in3)

Everything works fine beside when I recive the reply data from the IDP Simplesaml can not decrypt the assertion in the message.

Sep 26 16:46:54 simplesamlphp DEBUG [74b14f7cba] Loading state: '_fb3d2bd26460b51ad1f074af6d67f62df3b9dccee6'
Sep 26 16:46:54 simplesamlphp DEBUG [74b14f7cba] Received SAML2 Response from 'https://saml.test-devtest4-nemlog-in.dk'.
Sep 26 16:46:54 simplesamlphp DEBUG [74b14f7cba] Has 1 candidate keys for validation.
Sep 26 16:46:54 simplesamlphp DEBUG [74b14f7cba] Validation with key #0 failed without exception.
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] Decryption failed: Algorithm mismatch between input key and key used to encrypt the symmetric key for the message. Key was: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'; message was: 'http://www.w3.org/2009/xmlenc11#rsa-oaep'
Sep 26 16:46:54 simplesamlphp DEBUG [74b14f7cba] Decryption with key #0 failed with exception: Failed to decrypt XML element.
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] Backtrace:
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 1 /srv/www/htdocs/simplesaml/www/_include.php:17 (SimpleSAML_exception_handler)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 0 [builtin] (N/A)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] Caused by: Exception: Failed to decrypt XML element.
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] Backtrace:
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 7 /srv/www/htdocs/simplesaml/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:538 (SAML2\Utils::decryptElement)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 6 /srv/www/htdocs/simplesaml/vendor/simplesamlphp/saml2/src/SAML2/EncryptedAssertion.php:123 (SAML2\EncryptedAssertion::getAssertion)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 5 /srv/www/htdocs/simplesaml/modules/saml/lib/Message.php:430 (SimpleSAML\Module\saml\Message::decryptAssertion)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 4 /srv/www/htdocs/simplesaml/modules/saml/lib/Message.php:691 (SimpleSAML\Module\saml\Message::processAssertion)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 3 /srv/www/htdocs/simplesaml/modules/saml/lib/Message.php:659 (SimpleSAML\Module\saml\Message::processResponse)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 2 /srv/www/htdocs/simplesaml/modules/saml/www/sp/saml2-acs.php:141 (require)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 1 /srv/www/htdocs/simplesaml/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] 0 /srv/www/htdocs/simplesaml/www/module.php:10 (N/A)

Specifically the error

" Sep 26 16:46:54 simplesamlphp ERROR [74b14f7cba] Decryption failed: Algorithm mismatch between input key and key used to encrypt the symmetric key for the message. Key was: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'; message was: 'http://www.w3.org/2009/xmlenc11#rsa-oaep'"

Thsi is what I recive in the message from the IDP

                <xenc:EncryptedKey>
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"
                                    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
                                    />
                    </xenc:EncryptionMethod>

My own SAML certificate is well working. I just can't spot what I'm doing wrong. Any suggestions?

Thank you in advance

/Bjarke

[Tim van Dijen]

Hi Bjarke,

It seems it's trying to decrypt as if you were using a symmetric key, but the algorithm suggests asymmetric keys were used.

Have you accidentally set the `sharedkey` and/or `sharedkey_algorithm` keys in your config?

If the answer is 'no', then I think you've hit a bug.. In this case I would like to ask you to open a bug-report on Github for us.

Thanks!

- Tim

Op maandag 26 september 2022 om 17:16:35 UTC+2 schreef bjarke...@gmail.com:

[Bjarke Alling]

Hi Tim,

Thank you for replying.

I did actually had the keys set. Probably in some of the many tries to make it work.

Unfortunately it did not change the outcome.

Based upon my below config setting is there anything else I could add that would change the outcome?

Thanks

/Bjarke

    'nl3-sp' => [
        'saml:SP',

         'entityID' => 'https://XXXXX/simplesaml',

         'privatekey' => 'key.pem',
         'privatekey_pass' => 'xxxx',
         'certificate' => 'cert.cer' ,

         'ForceAuthn' => TRUE,
         'discoURL' => NULL,

        'acs.Binding' => array(
                'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),

        'idp' => 'https://saml.test-devtest4-nemlog-in.dk',

        'AuthnContextComparison' => 'minimum',

        'AuthnContextClassRef' => array(
                'https://data.gov.dk/concept/core/nsis/loa/Substantial',
                ),

     'name' => array(
         'en' => 'NL3 SP OIOSAML3',
     ),

     'attributes' => array(
        'https://data.gov.dk/model/core/specVersion',
        'https://data.gov.dk/model/core/eid/bootstrapToken',
        'https://data.gov.dk/model/core/eid/privilegesIntermediate',
        'https://data.gov.dk/concept/core/nsis/loa',
        'https://data.gov.dk/concept/core/nsis/ial',
        'https://data.gov.dk/concept/core/nsis/aal',
        'https://data.gov.dk/model/core/eid/fullName',
        'https://data.gov.dk/model/core/eid/firstName',
        'https://data.gov.dk/model/core/eid/lastName',
        'https://data.gov.dk/model/core/eid/email',
        'https://data.gov.dk/model/core/eid/cprNumber',
        'https://data.gov.dk/model/core/eid/age',
        'https://data.gov.dk/model/core/eid/cprUuid',
        'https://data.gov.dk/model/core/eid/dateOfBirth',
        'https://data.gov.dk/model/core/eid/person/pid',
        'https://data.gov.dk/model/core/eid/professional/uuid/persistent',
        'https://data.gov.dk/model/core/eid/professional/rid',
        'https://data.gov.dk/model/core/eid/professional/cvr',
        'https://data.gov.dk/model/core/eid/professional/orgName',
        'https://data.gov.dk/model/core/eid/professional/productionUnit',
        'https://data.gov.dk/model/core/eid/professional/seNumber',
    ),

     'attributes.required' => array(
        'https://data.gov.dk/model/core/specVersion',
        'https://data.gov.dk/concept/core/nsis/loa',
        'https://data.gov.dk/model/core/eid/professional/cvr',
        'https://data.gov.dk/model/core/eid/professional/orgName',
    ),


     'description' => array(
        'en' => 'Nemlog-In3 OIOSAML 3 integration with Simplesamlphp - ligasw.net',
     ),

        'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
   ],

[Tim van Dijen]

Hi Bjarke,

This must be a bug then.. If you could file a bug report, then we can thoroughly investigate this during our October hackathon.

- Tim

Op donderdag 29 september 2022 om 12:09:36 UTC+2 schreef bjarke...@gmail.com:

[Bjarke Alling]

Hi Tim,

Thanks for prompt reply. 

I will file a bug later today or tomorrow. 

Whould you - while the posible bug being investigated- have any suggestions to a workaround. I notice the decryption function uses multiple libraries, but for someone not knowing the code it’s kind of hard doing reverse engineering. 

I thought about simply hard coding the correct algorithm until a new release is ready 

Thank 😀

Den 29. sep. 2022 kl. 12.22 skrev Tim van Dijen <tvd...@gmail.com>:



--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simplesamlphp/8821824c-42ef-4524-8d87-29c6ca3b7fc5n%40googlegroups.com.

[Radu Onescu]

Hi Bjarke,

I came across your question and I am currently encountering the same issue.

Have you found a solution? :)