Reputation: 275
I am trying to implement an SP initiated web browser SAML SSO profile in JBOSS.
My application is the SP.
I understood that I need to create a certificate for my server and send it to the IDP in the metadata file.
I have used the Microsoft Active Directory Certificate Services to install the certificate.
Now, when I get the SAML response from the IDP it is encrypted:
<saml:EncryptedAssertion> ...
<ds:X509Certificate> ...
<xenc:CipherData> ...
<xenc:CipherValue> .. SOME ENCRYPTED VALUE ... </xenc:CipherValue>
Now, I understand that in order to get the decrypted value I need something like:
File keyStoreFile = new File(MY_KEY_STORE_FILE);
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream(keyStoreFile), MY_PASSWORD); // MY_PASSWORD is a char[]
The question is: what is it the key store file? How do I get it and what format should it have?
I found the following folder:
C:\Users\MyUser\AppData\Roaming\Microsoft\SystemCertificates\My\Keys
Which contains a system file with no extension. Is this the private key? How do I use it in the code?
Upvotes: 2
Views: 3076
Reputation: 6229
It depends on how you exported the certificate from AD. Is the file you found in the systemCertificates directory something you exported? Here's how to export the cert with a private key.
This will create a PKCS 12 or PKCS 8 (DER) certificate you should be able to load in Java using KeyStore.getInstance("PKCS12") or KeyStore.getInstance("RSA"). Once you have the keystore loaded, for XML encryption, you will need a KeyInfo object, created like this:
// Look up the SP's private-key entry by alias; its certificate is what goes into the KeyInfo
KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(certAlias, new KeyStore.PasswordProtection(password));
KeyInfoFactory keyFactory = KeyInfoFactory.getInstance();
X509Data x509Data = keyFactory.newX509Data(Collections.singletonList(entry.getCertificate()));
KeyInfo keyInfo = keyFactory.newKeyInfo(Collections.singletonList(x509Data));
Upvotes: 1
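The decryption step the question is really after, as an added round-trip example that is not code from either post: a minimal saml:Assertion is encrypted the way an IdP would (AES session key wrapped with the SP's RSA public key) and then decrypted as the SP. It assumes Apache Santuario (org.apache.santuario:xmlsec) on the classpath, since the JDK has no XML Encryption API; the RSA key pair generated in main stands in for the key pair exported from AD CS, whose PKCS12 PrivateKeyEntry would supply spKey in a real SP.

```java
import java.io.StringReader;
import java.security.*;
import javax.crypto.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.encryption.*;
import org.apache.xml.security.keys.KeyInfo;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SamlDecryptDemo {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";

    // SP side; in production spKey = ((KeyStore.PrivateKeyEntry) ks.getEntry(alias, prot)).getPrivateKey()
    static Element decryptAssertion(Document resp, PrivateKey spKey) throws Exception {
        Element encAssertion = (Element) resp.getElementsByTagNameNS(SAML, "EncryptedAssertion").item(0);
        Element encData = (Element) encAssertion.getElementsByTagNameNS(XENC, "EncryptedData").item(0);
        XMLCipher cipher = XMLCipher.getInstance();   // algorithms are read from the EncryptionMethod elements
        cipher.init(XMLCipher.DECRYPT_MODE, null);
        cipher.setKEK(spKey);                         // unwraps the session key in <xenc:EncryptedKey>
        cipher.doFinal(resp, encData);                // replaces <xenc:EncryptedData> with the plaintext element
        return (Element) encAssertion.getElementsByTagNameNS(SAML, "Assertion").item(0);
    }

    // Constructed round trip: encrypt a minimal assertion the way an IdP would, then decrypt it as the SP.
    public static void main(String[] args) throws Exception {
        Init.init();
        KeyPair sp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // stands in for the AD CS key pair
        String xml = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"" + SAML
            + "\"><saml:EncryptedAssertion><saml:Assertion ID=\"_a1\"/></saml:EncryptedAssertion></samlp:Response>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // IdP XML is untrusted input
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML, "Assertion").item(0);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey sessionKey = kg.generateKey();
        XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.RSA_OAEP);
        keyCipher.init(XMLCipher.WRAP_MODE, sp.getPublic());
        EncryptedKey encKey = keyCipher.encryptKey(doc, sessionKey);
        XMLCipher dataCipher = XMLCipher.getInstance(XMLCipher.AES_128);
        dataCipher.init(XMLCipher.ENCRYPT_MODE, sessionKey);
        KeyInfo ki = new KeyInfo(doc);
        ki.add(encKey);                               // EncryptedKey travels inside EncryptedData's KeyInfo
        dataCipher.getEncryptedData().setKeyInfo(ki);
        dataCipher.doFinal(doc, assertion, false);    // <saml:Assertion> is now <xenc:EncryptedData>
        Element plain = decryptAssertion(doc, sp.getPrivate());
        System.out.println("Recovered assertion ID: " + plain.getAttribute("ID"));
    }
}
```

Decryption alone does not authenticate the assertion: validate the IdP's XML signature and the Conditions/Audience before trusting anything recovered here.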