opensaml java encrypted assertion - Failed to decrypt EncryptedData using EncryptedKeyResolver

Question

I've setup a developer account on okta and I'm trying to decrypt an encrypted assertion from the test app I set up in there. So my local java Spring app has a controller that's receiving the HTTP POST of the SAML assertion - I've verified this with it not being encrypted. Now with encryption turned on, I'm attempting to decrypt it with this method:

private Assertion decrypt(EncryptedAssertion encryptedAssertion) {//throws DecryptionException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableEntryException {
    StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(spConfig.getCredential());
    Decrypter decrypter = new Decrypter(null, keyInfoCredentialResolver, new InlineEncryptedKeyResolver());
    decrypter.setRootInNewDocument(true);
    try {
        return decrypter.decrypt(encryptedAssertion);
    } catch (Exception e) {
        log.debug("oops", e.getCause());
        return null;
    }
}

with this SP config code:

private static final String KEY_STORE_PASSWORD = "mypassw";
private static final String KEY_STORE_ENTRY_PASSWORD = "mypassw";
private static final String KEY_STORE_PATH = "/keystore.p12";
private static final String KEY_ENTRY_ID = "http://www.okta.com/exkz............42p6";

private static Credential credential = null;

@PostConstruct
public void init() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, ResolverException {
    log.debug("doing init");
    KeyStore keystore = readKeystoreFromFile(KEY_STORE_PATH, KEY_STORE_PASSWORD);
    Map<String, String> passwordMap = new HashMap<String, String>();
    passwordMap.put(KEY_ENTRY_ID, KEY_STORE_ENTRY_PASSWORD);
    KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(keystore, passwordMap);

    EntityIdCriterion criteria = new EntityIdCriterion(KEY_ENTRY_ID);
    CriteriaSet criteriaSet = new CriteriaSet(criteria);

    credential = resolver.resolveSingle(criteriaSet);
}

private static KeyStore readKeystoreFromFile(String pathToKeyStore, String keyStorePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    KeyStore keystore = KeyStore.getInstance("PKCS12");
    InputStream inputStream = SpConfig.class.getResourceAsStream(pathToKeyStore);
    keystore.load(inputStream, keyStorePassword.toCharArray());
    inputStream.close();
    return keystore;
}

public Credential getCredential() {
    return credential;
}

I've tried a few things to purposely break the code -- bad keystore pw, missing keystore, incorrectly typed keyentry alias, and I do get errors that point to that. But when it looks like it's set up correctly, all I get is this:

2018-04-18 08:40:07.502 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : Parsing InputStream into DOM document
2018-04-18 08:40:07.503 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : Unmarshalling DOM parsed from InputStream
2018-04-18 08:40:07.574 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Starting to unmarshall Apache XML-Security-based SignatureImpl element
2018-04-18 08:40:07.575 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Constructing Apache XMLSignature object
2018-04-18 08:40:07.578 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:Signature", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:SignedInfo", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:SignatureMethod", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.algorithms.SignatureAlgorithm    : Create URI "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256"
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.algorithms.JCEMapper    : Request for URI http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.a.i.SignatureBaseRSA             : Created SignatureRSA using SHA256withRSA
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:KeyInfo", "")
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Adding canonicalization and signing algorithms, and HMAC output length to Signature
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Adding KeyInfo to Signature
2018-04-18 08:40:07.597 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : InputStream succesfully unmarshalled
2018-04-18 08:40:07.618 DEBUG 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter  : Failed to decrypt EncryptedData using EncryptedKeyResolver
2018-04-18 08:40:07.618 ERROR 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter  : Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2018-04-18 08:40:07.619 ERROR 20655 --- [nio-8080-exec-1] o.o.saml.saml2.encryption.Decrypter      : SAML Decrypter encountered an error decrypting element content

org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:550) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToList(Decrypter.java:452) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptData(Decrypter.java:412) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.saml.saml2.encryption.Decrypter.decryptData(Decrypter.java:176) [opensaml-saml-api-3.3.0.jar:na]
        at org.opensaml.saml.saml2.encryption.Decrypter.decrypt(Decrypter.java:104) [opensaml-saml-api-3.3.0.jar:na]

I've been over so much github, source examples and such --- I think I've got the concise bit of code that should do this. but obviously something is missing. Unlike samples where Spring security is involved, I don't have a place for IDP or SP metadata. Should it be there somewhere?

I've also seen various posts about illegal key size - I don't have that exception, but in case some try-catches or logging was changed or something, I installed the unlimited strength JCE jars.

Answer 1

got it working with by using a chaining resolver as per this sample -

final List<EncryptedKeyResolver> list = new ArrayList<>();
list.add(new InlineEncryptedKeyResolver());
list.add(new EncryptedElementTypeEncryptedKeyResolver());
list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
LOGGER.debug("Built a list of encrypted key resolvers: [{}]", list);
final ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);

from http://useof.org/java-open-source/org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver