Unable to decrypt assertion in OpenSAML3


Unable to decrypt assertion in OpenSAML3

DD K
Hi All,

I have a test that encrypts and then decrypts a SAML assertion. The assertion gets encrypted, but when I try to decrypt it I get the following error:

Error

[main] ERROR org.opensaml.core.xml.io.AbstractXMLObjectMarshaller - Unable to root namespaces of cached DOM element, {http://www.w3.org/2001/04/xmlenc#}EncryptionMethod
org.w3c.dom.DOMException: Unable to resolve namespace prefix ds found on element {http://www.w3.org/2000/09/xmldsig#}DigestMethod
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:247)
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:295)
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:200)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.prepareForAdoption(AbstractXMLObjectMarshaller.java:422)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:144)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:271)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:212)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:118)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:75)
at org.opensaml.xmlsec.encryption.support.Decrypter.checkAndMarshall(Decrypter.java:963)
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:681)
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:643)
at org.wso2.carbon.identity.sso.saml.TestUtils.getDecryptedAssertion(TestUtils.java:141)
at org.wso2.carbon.identity.sso.saml.util.EncryptionTests.testSetEncryptedAssertionWithKeyEncryptionAlgorithm(EncryptionTests.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:86)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:643)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:820)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1128)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
at org.testng.TestRunner.privateRun(TestRunner.java:782)
at org.testng.TestRunner.run(TestRunner.java:632)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:366)
at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:361)
at org.testng.SuiteRunner.privateRun(SuiteRunner.java:319)
at org.testng.SuiteRunner.run(SuiteRunner.java:268)
at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
at org.testng.TestNG.runSuitesSequentially(TestNG.java:1244)
at org.testng.TestNG.runSuitesLocally(TestNG.java:1169)
at org.testng.TestNG.run(TestNG.java:1064)
at org.testng.IDEARemoteTestNG.run(IDEARemoteTestNG.java:72)
at org.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:123)
[main] ERROR org.opensaml.xmlsec.encryption.support.Decrypter - Error marshalling target XMLObject
org.opensaml.core.xml.io.MarshallingException: Unable to root namespaces of cached DOM element, {http://www.w3.org/2001/04/xmlenc#}EncryptionMethod
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.prepareForAdoption(AbstractXMLObjectMarshaller.java:427)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:144)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:271)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:212)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:118)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:75)
at org.opensaml.xmlsec.encryption.support.Decrypter.checkAndMarshall(Decrypter.java:963)
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:681)
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:643)
at org.wso2.carbon.identity.sso.saml.TestUtils.getDecryptedAssertion(TestUtils.java:141)
at org.wso2.carbon.identity.sso.saml.util.EncryptionTests.testSetEncryptedAssertionWithKeyEncryptionAlgorithm(EncryptionTests.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:86)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:643)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:820)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1128)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
at org.testng.TestRunner.privateRun(TestRunner.java:782)
at org.testng.TestRunner.run(TestRunner.java:632)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:366)
at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:361)
at org.testng.SuiteRunner.privateRun(SuiteRunner.java:319)
at org.testng.SuiteRunner.run(SuiteRunner.java:268)
at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
at org.testng.TestNG.runSuitesSequentially(TestNG.java:1244)
at org.testng.TestNG.runSuitesLocally(TestNG.java:1169)
at org.testng.TestNG.run(TestNG.java:1064)
at org.testng.IDEARemoteTestNG.run(IDEARemoteTestNG.java:72)
at org.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:123)
Caused by: org.w3c.dom.DOMException: Unable to resolve namespace prefix ds found on element {http://www.w3.org/2000/09/xmldsig#}DigestMethod
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:247)
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:295)
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:200)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.prepareForAdoption(AbstractXMLObjectMarshaller.java:422)
... 33 more
[main] ERROR org.opensaml.xmlsec.encryption.support.Decrypter - Error marshalling EncryptedKey for decryption
org.opensaml.xmlsec.encryption.support.DecryptionException: Error marshalling target XMLObject
at org.opensaml.xmlsec.encryption.support.Decrypter.checkAndMarshall(Decrypter.java:966)
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:681)
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:643)
at org.wso2.carbon.identity.sso.saml.TestUtils.getDecryptedAssertion(TestUtils.java:141)
at org.wso2.carbon.identity.sso.saml.util.EncryptionTests.testSetEncryptedAssertionWithKeyEncryptionAlgorithm(EncryptionTests.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:86)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:643)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:820)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1128)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
at org.testng.TestRunner.privateRun(TestRunner.java:782)
at org.testng.TestRunner.run(TestRunner.java:632)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:366)
at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:361)
at org.testng.SuiteRunner.privateRun(SuiteRunner.java:319)
at org.testng.SuiteRunner.run(SuiteRunner.java:268)
at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
at org.testng.TestNG.runSuitesSequentially(TestNG.java:1244)
at org.testng.TestNG.runSuitesLocally(TestNG.java:1169)
at org.testng.TestNG.run(TestNG.java:1064)
at org.testng.IDEARemoteTestNG.run(IDEARemoteTestNG.java:72)
at org.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:123)
Caused by: org.opensaml.core.xml.io.MarshallingException: Unable to root namespaces of cached DOM element, {http://www.w3.org/2001/04/xmlenc#}EncryptionMethod
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.prepareForAdoption(AbstractXMLObjectMarshaller.java:427)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:144)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:271)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:212)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:118)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:75)
at org.opensaml.xmlsec.encryption.support.Decrypter.checkAndMarshall(Decrypter.java:963)
... 27 more
Caused by: org.w3c.dom.DOMException: Unable to resolve namespace prefix ds found on element {http://www.w3.org/2000/09/xmldsig#}DigestMethod
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:247)
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:295)
at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:200)
at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.prepareForAdoption(AbstractXMLObjectMarshaller.java:422)
... 33 more
[main] ERROR org.opensaml.xmlsec.encryption.support.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved

org.opensaml.xmlsec.encryption.support.DecryptionException: Valid decryption key for EncryptedKey could not be resolved

at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:655)
at org.wso2.carbon.identity.sso.saml.TestUtils.getDecryptedAssertion(TestUtils.java:141)
at org.wso2.carbon.identity.sso.saml.util.EncryptionTests.testSetEncryptedAssertionWithKeyEncryptionAlgorithm(EncryptionTests.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:86)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:643)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:820)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1128)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
at org.testng.TestRunner.privateRun(TestRunner.java:782)
at org.testng.TestRunner.run(TestRunner.java:632)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:366)
at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:361)
at org.testng.SuiteRunner.privateRun(SuiteRunner.java:319)
at org.testng.SuiteRunner.run(SuiteRunner.java:268)
at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
at org.testng.TestNG.runSuitesSequentially(TestNG.java:1244)
at org.testng.TestNG.runSuitesLocally(TestNG.java:1169)
at org.testng.TestNG.run(TestNG.java:1064)
at org.testng.IDEARemoteTestNG.run(IDEARemoteTestNG.java:72)
at org.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:123)

Error sources:

public void testSetEncryptedAssertionWithKeyEncryptionAlgorithm() throws Exception {

    Security.addProvider(new BouncyCastleProvider());
    Assertion assertion = SAMLTestAssertionBuilder.buildDefaultSAMLAssertion();
    SAMLSSOUtil.doBootstrap();

    prepareForAssertionEncryption();
    EncryptedAssertion encryptedAssertion = SAMLSSOUtil.setEncryptedAssertion(assertion,
            TestConstants.ASSERTION_ENCRYPTION_ALGO, TestConstants.KEY_ENCRYPTION_ALGO, TestConstants.WSO2_CARBON,
            "carbon.super");

    TestUtils.prepareCredentials(x509Credential);
    Assertion decryptedAssertion = TestUtils.getDecryptedAssertion(encryptedAssertion, x509Credential); // Error caused here

    assertEncryptedSAMLAssertion(assertion, encryptedAssertion, decryptedAssertion);
}

public static Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion, X509Credential x509Credential)
        throws DecryptionException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {

    // First Decrypter: resolves the key-encryption key (private key) and unwraps the EncryptedKey
    KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(x509Credential);
    Decrypter decrypter = new Decrypter(null, keyResolver, null);

    EncryptedKey key = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
    SecretKey dkey = (SecretKey) decrypter.decryptKey(key, encryptedAssertion.getEncryptedData().
            getEncryptionMethod().getAlgorithm()); // Error caused here
    Credential shared = CredentialSupport.getSimpleCredential(dkey);

    // Second Decrypter: uses the unwrapped data-encryption key to decrypt the EncryptedData
    decrypter = new Decrypter(new StaticKeyInfoCredentialResolver(shared), null, null);
    decrypter.setRootInNewDocument(true);
    return decrypter.decrypt(encryptedAssertion);
}

Useful links I found are below:
  1. https://shibboleth.1660669.n2.nabble.com/Error-on-signing-outbound-SAML-message-td7621620.html
  2. https://shibboleth.1660669.n2.nabble.com/OpenSAML-V3-Problems-while-marshaling-encrypted-assertion-td7632834.html
These links pointed out that there is a clash between xmlsec-1.5.6 and xmlsec-2.0.5, but when I check the dependency tree I can only find xmlsec-2.0.5.
Can anyone point out what this issue really is?

Any answers would be appreciated,
Deshan Koswatte

--
To unsubscribe from this list send an email to [hidden email]

Re: Unable to decrypt assertion in OpenSAML3

Brent Putman


On 9/2/19 2:46 AM, DD K wrote:

public static Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion, X509Credential x509Credential)
        throws DecryptionException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {

    KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(x509Credential);
    Decrypter decrypter = new Decrypter(null, keyResolver, null);

    EncryptedKey key = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
    SecretKey dkey = (SecretKey) decrypter.decryptKey(key, encryptedAssertion.getEncryptedData().
            getEncryptionMethod().getAlgorithm()); // Error caused here
    Credential shared = CredentialSupport.getSimpleCredential(dkey);

    decrypter = new Decrypter(new StaticKeyInfoCredentialResolver(shared), null, null);
    decrypter.setRootInNewDocument(true);
    return decrypter.decrypt(encryptedAssertion);
}


I think your main issue is that you are using 2 different Decrypter instances, and you aren't invoking setRootInNewDocument on the first one, which (I think) is required by how you are using the output of it.  Try that and see how it goes.

A secondary issue is that you don't really need to do all that.  The code above is needlessly complicated.  You really just want 1 Decrypter, with appropriate ctor args of:
    - arg 0 as null
    - arg 1 as the static KeyInfo cred resolver containing the X509 cred with private key (assuming you don't want a more realistic resolution strategy)
    - arg 2 as an EncryptedKeyResolver covering how you are placing the EncryptedKey relative to the EncryptedData.

Then it handles internally all of what you are doing  - locating and decrypting the EncryptedKey to SecretKey, then using that to decrypt the EncryptedData.

It's also artificial to encrypt and then immediately decrypt in that fashion.  To fully test a round trip you really ought to at least marshall the EncryptedAssertion to DOM and then unmarshall a new EncryptedAssertion around it. Or even marshall and then serialize it to something (e.g. byte[]) and then parse it again and unmarshall.



Re: Unable to decrypt assertion in OpenSAML3

DD K
Hi Brent,

As you said, I figured out that I was doing too much with the two decrypters while looking through some code examples, and I cleaned up the process in the way you mentioned. But the error still persists. I've debugged to see what's going on internally and found that in class net.shibboleth.utilities.java.support.xml.NamespaceSupport, in the code snippet:

namespaceURI = lookupNamespaceURI(upperNamespaceSearchBound, null, namespacePrefix);
if (namespaceURI != null) {
    // Namespace resolved outside the subtree where namespaces must be declared so declare the namespace
    // on this element (within the subtree).
    appendNamespaceDeclaration(domElement, namespaceURI, namespacePrefix);
} else {
    // Namespace couldn't be resolved from any ancestor. If the namespace prefix is null then the
    // element is simply in the undeclared default document namespace, which is fine. If it isn't null
    // then a namespace prefix, that hasn't properly been declared, is being used.
    if (namespacePrefix != null) {
        throw new DOMException(DOMException.NAMESPACE_ERR, "Unable to resolve namespace prefix "
                + namespacePrefix + " found on element " + QNameSupport.getNodeQName(domElement));
    }
}

The namespaceURI for namespacePrefix ds is null. During debugging I manually set it to "http://www.w3.org/2000/09/xmldsig#", and then no errors are thrown and it runs fine. Any idea what's happening?

Any answers would be appreciated,
Thanks,
Deshan Koswatte


Re: Unable to decrypt assertion in OpenSAML3

Brent Putman


On 9/5/19 5:03 AM, DD K wrote:
 But the error still persists. I've debugged to see what's going on internally and found that in class net.shibboleth.utilities.java.support.xml.NamespaceSupport, in the code snippet:

The namespaceURI for namespacePrefix ds is null. During debugging I manually set it to "http://www.w3.org/2000/09/xmldsig#", and then no errors are thrown and it runs fine. Any idea what's happening?

I'm not 100% sure, but I suspect it might be related to the round tripping you're doing in your testing.  Probably something related to the DOM being re-used is causing a problem with all the complex namespace handling we have to do.  The 'ds' prefix for XML Signature is a common one and ought to be in the EncryptedAssertion in the correct place.  We know it is in real world use cases, this code has been in production use for over 12 years or so.

For this kind of artificial testing, I'd try my earlier suggestion: After encryption, completely marshall and serialize the EncryptedAssertion to something, like a temp File or byte[]; then parse the File/byte[]/etc and unmarshall to get a fresh new EncryptedAssertion, and then decrypt that.


Re: Unable to decrypt assertion in OpenSAML3

DD K
Hi Brent,

I've tried to marshall the encrypted assertion, but the same error persists. I've debugged by comparing the OpenSAML2 project with the current OpenSAML3 project. In the OpenSAML2 project, the encrypted Assertion had a DOM and the encryptedData had the element [ds:KeyInfo:null], but in OpenSAML3 I don't see those. I currently have no idea what is happening in the process.

Encrypting logic after the update:

public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias, String
        assertionEncryptionAlgorithm, String keyEncryptionAlgorithm) throws IdentityException {
    try {
        // Symmetric algorithm for the assertion content
        DataEncryptionParameters encParams = new DataEncryptionParameters();
        encParams.setAlgorithm(assertionEncryptionAlgorithm);

        // Key-transport algorithm and recipient credential for wrapping the data key
        KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
        keyEncryptionParameters.setAlgorithm(keyEncryptionAlgorithm);
        keyEncryptionParameters.setEncryptionCredential(cred);

        Encrypter encrypter = new Encrypter(encParams, keyEncryptionParameters);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);

        EncryptedAssertion encrypted = encrypter.encrypt(assertion);
        return encrypted;
    } catch (Exception e) {
        throw IdentityException.error("Error while Encrypting Assertion", e);
    }
}

Decrypting logic after the update:

public static Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion, X509Credential x509Credential)
        throws DecryptionException {

    // Single Decrypter: private-key resolver for the EncryptedKey, inline resolver for locating it
    KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(x509Credential);
    Decrypter decrypter = new Decrypter(null, keyResolver, new InlineEncryptedKeyResolver());

    decrypter.setRootInNewDocument(true);
    return decrypter.decrypt(encryptedAssertion);
}

Any answers would be appreciated,
Thanks,
Deshan Koswatte


Re: Unable to decrypt assertion in OpenSAML3

DD K
Hi Brent,

My bad, the OpenSAML2 version had the roundabout code snippets, and when I changed it both look much the same, but I was not able to debug it in depth. On the outside it looks much the same.

Any answers would be appreciated,
Thanks,
Deshan Koswatte


Re: Unable to decrypt assertion in OpenSAML3

Brent Putman


On 9/8/19 3:54 AM, DD K wrote:
Hi Brent,

I've tried to marshall the encrypted assertion but the same error persists.


As I suggested, are you completely marshalling and serializing it all the way to say a byte[] or File, then parsing and unmarshalling it to a completely fresh EncryptedAssertion?

If not: There are some helper methods in XMLObjectSupport which will allow doing this in just a few lines of code:

    - marshallToOutputStream(final XMLObject xmlObject, final OutputStream outputStream)
    - unmarshallFromInputStream(final ParserPool parserPool, final InputStream inputStream)

Just use say a ByteArrayOutputStream and then the byte[] from that into a ByteArrayInputStream.  Or the equivalent File- ones for a temp file path, etc.

If you do that, and you still get the same namespace error, then I have no idea what's going on.  I would suspect the issue is in something environmental, local to you, and lies in something that you're not mentioning.  The encryption and decryption code snippets themselves you posted are correct and won't in general result in that error.  It's something else.
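The full round trip Brent describes in this thread, written out as an added example (this is not code from the thread, from WSO2, or from OpenSAML itself): encrypt with an inline EncryptedKey, marshall and serialize the EncryptedAssertion to a byte[], parse and unmarshall it into a fresh EncryptedAssertion with its own DOM, then decrypt with a single Decrypter whose second constructor argument holds the private-key credential and whose third is an InlineEncryptedKeyResolver. It assumes OpenSAML 3 has already been initialized (InitializationService.initialize()) and that the caller supplies an Assertion and an X509Credential carrying a private key; the class and method names (AssertionRoundTrip, roundTrip, serializeAndReparse) are hypothetical. The algorithm constants are the OpenSAML EncryptionConstants values and stand in for the project's TestConstants.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;

import net.shibboleth.utilities.java.support.xml.ParserPool;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;

/**
 * Hypothetical helper (added example, not project code). Assumes
 * InitializationService.initialize() has already run.
 */
public final class AssertionRoundTrip {

    private AssertionRoundTrip() {
    }

    /** Encrypt the assertion, placing the EncryptedKey inline in the EncryptedData KeyInfo. */
    public static EncryptedAssertion encrypt(Assertion assertion, X509Credential cred) throws Exception {
        DataEncryptionParameters dataParams = new DataEncryptionParameters();
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);

        KeyEncryptionParameters keyParams = new KeyEncryptionParameters();
        keyParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
        keyParams.setEncryptionCredential(cred);

        Encrypter encrypter = new Encrypter(dataParams, keyParams);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        return encrypter.encrypt(assertion);
    }

    /**
     * Marshall to bytes, then parse and unmarshall a completely fresh EncryptedAssertion.
     * The new object has its own DOM, so no cached DOM from the encryption step is reused.
     */
    public static EncryptedAssertion serializeAndReparse(EncryptedAssertion encrypted) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLObjectSupport.marshallToOutputStream(encrypted, out);
        byte[] wire = out.toByteArray();

        // The registry's default pool is namespace-aware, which the xmlenc/xmldsig prefixes need
        ParserPool pool = XMLObjectProviderRegistrySupport.getParserPool();
        XMLObject parsed = XMLObjectSupport.unmarshallFromInputStream(pool, new ByteArrayInputStream(wire));
        if (!(parsed instanceof EncryptedAssertion)) {
            throw new IllegalStateException("Expected EncryptedAssertion, got " + parsed.getElementQName());
        }
        return (EncryptedAssertion) parsed;
    }

    /**
     * One Decrypter: arg 1 resolves the key-encryption key (private key), arg 2 locates the
     * inline EncryptedKey; the Decrypter unwraps the data key and decrypts the EncryptedData itself.
     */
    public static Assertion decrypt(EncryptedAssertion encrypted, X509Credential cred) throws Exception {
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(cred);
        Decrypter decrypter = new Decrypter(null, kekResolver, new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        return decrypter.decrypt(encrypted);
    }

    /** Encrypt, serialize, re-parse, decrypt, and check the decrypted assertion is the one we started with. */
    public static Assertion roundTrip(Assertion assertion, X509Credential cred) throws Exception {
        EncryptedAssertion encrypted = encrypt(assertion, cred);
        EncryptedAssertion fresh = serializeAndReparse(encrypted);
        Assertion decrypted = decrypt(fresh, cred);
        if (assertion.getID() == null || !assertion.getID().equals(decrypted.getID())) {
            throw new IllegalStateException("Decrypted assertion ID does not match the original");
        }
        return decrypted;
    }
}
```

The serialize-and-reparse step is what separates a realistic test from the in-memory shortcut in the thread: a consumer only ever sees the EncryptedAssertion as parsed XML, so the decryption path should be exercised against a freshly unmarshalled object rather than the encrypter's output with its cached DOM. If the namespace error reproduces even on the re-parsed object, the cause lies outside these two code paths, as Brent notes above.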
