Recently I had a task to parse a SAML Response and extract necessary parameter to make a decision. I used OpenSaml for this task.
The parsing portion was easy. You will be receiving SAML Response in XML format. The XML might be Base64 Encoded, in which case, you will need to
decode using the same Base64 to get plain XML Response.
public String decodeBase64(String base64EncodedInput) {
// its safe to URL Decode first
URLCodec encoder = new URLCodec();
String urlDecoded = encoder.decode(base64EncodedInput);
byte[] bytes = Base64.getDecoder().decode(urlDecoded);
return new String(bytes);
}
Once we have the plain XML SAML Response, we can construct
org.oopensaml2.saml.core.Response object from the following code snippet:
public Response parse(String samlXml) throws IOException, SAXException, ParserConfigurationException {
Response response;
Element root;
StringReader reader = new StringReader(samlXml);
InputSource is = new InputSource(reader);
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
DocumentBuilder documentBuilder = null;
documentBuilder = factory.newDocumentBuilder();
Document doc = documentBuilder.parse(is);
root = doc.getDocumentElement();
response = unmarshall(root);
return response;
}
public T unmarshall(Element element) {
try {
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
return (T) unmarshallerFactory.getUnmarshaller(element).unmarshall(element);
} catch (UnmarshallingException ux) {
throw new RuntimeException(ux);
}
}
After we have Response object, we can access parameters which are normally stored as Assertions. An Assertion in turn contains
a list of AttributeStatements. In the AttributeStatement, we can see list of Attributes, which we can use for making required decision.
Assertion assertion = response.getAssertions().get(0);
AttributeStatement statement = assertion.getAttributeStatements().get(0);
Attribute attribute = statement.getAttributes().get(0);
Problem
The problem is, you cannot expect to get Unencrypted Assertions every time. They will be encrypted most of the times. To extract the actual data from encrypted Assertions, we first need to decrypt it.
Public and Private Key
A public certificate is required to encrypt an Asssertion and a private key is required to decypt.
SAML Tool is great tool for testing with SAML Responses. There you can generate test Public and Private keys for testing.
Decrypt Encrypted Assertion
Following method can be used for the Decryption.
private Assertion decryptEncryptedAssertion(EncryptedAssertion encryptedAssertion) throws IOException, NoSuchPaddingException,
NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException,
DecryptionException, InvalidKeySpecException, CertificateException {
File privateKeyFile = new File(FORMATTED_PRIVATE_KEY_FILE_PATH);
InputStream privateKeyStream = new FileInputStream(privateKeyFile);
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(IOUtils.toByteArray(privateKeyStream));
KeyFactory factory = KeyFactory.getInstance("RSA"); // Algorithm as "RSA" here can differ based on your actual encryption
PrivateKey privateKey = factory.generatePrivate(spec);
BasicX509Credential cred = new BasicX509Credential();
cred.setPrivateKey(privateKey);
StaticKeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(cred);
Decrypter decrypter = new Decrypter(null, resolver, new InlineEncryptedKeyResolver());
decrypter.setRootInNewDocument(true);
Assertion decrypted = decrypter.decrypt(encryptedAssertion);
return decrypted;
} // decryptEncryptedAssertion
Issue 1 : Formatted Private Key File
In the above code snippet, if you set the path
FORMATTED_PRIVATE_KEY_FILE_PATH to point to the actual private key file you have generated, then you will have following exception:
java.security.InvalidKeyException: invalid key format
Solution
The problem is, you cannot directly use the private key you have generated. You need to convert it into a Java readable format and can be done using the following Commandlint Command:
openssl pkcs8 -topk8 -inform PEM -outform DER -in <PRIVATE_KEY_FILE_NAME> -nocrypt > pkcs8_key
Then
FORMATTED_PRIVATE_KEY_FILE_PATH should point to this generated file
pkcs8_key
Issue 2 : saml:Assertion is not bound
At some time I also had a issue where the encrypted assertion could not be decrypted. Upone debugging, I found the following message:
invalid xml, prefix saml in saml:Assertion is not bound
This was a minor error because of namespace for the prefix
saml. This was fixed using a proper namespace declaration in the element saml:Assertion before encryption.
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
....
</saml:Assertion>
Issue 3: Issue During JUnit Test Using Mockito
This issue was particularly nasty one. Nasty because it was hard for me to pin point the real cause (Although it turned out to be very simple.)
So my implementation was working fine when running in server mode. I fell into problem when I wrote JUnit test for it. I wrote JUnit test using Mockito. I got the following exception when running the test.
ERROR [main] encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[2018-03-02 15:05:16,478] ERROR [main] encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
[2018-03-02 15:05:16,482] ERROR [main] encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
The exception message
valid decryption key could not be resolved was misleading the key was working in server mode and was placed in proper location.
I had to debug deep down into the library class itself to finally find the following:
java.lang.ClassCastException: com.sun.crypto.provider.AESCipher cannot be cast to javax.crypto.CipherSpi
com.sun.crypto.provider.RSACipher cannot be cast to javax.crypto.CipherSpi
Solution
This exception message led me to
HERE and found the solution was to include the following in the test class.
@PowerMockIgnore({"com.sun.net.ssl.internal.ssl.Provider", "javax.crypto.*"})
Issue 4: Issue due to AES256 and AES128 Compatibility
I encountered this error after long time the solution was deployed. What happened was, all our PCs joined company network, so that we could log into our PCs through company credentials. So new profiles were created.
When I tried to run this already deployed, it didn't run. Actually a JUnit test failed (Thanks to JUnit test that I encountered this error). The JUnit test was showing an error message
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData. My initial idea was, during the import of the project, the test private key file might have changed. I was completely wrong. I went on to run the whole server and tried to log in using a sample response. It failed!! Then I checked log files where I found this error message.
org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:74)
at com.worldlingo.servlet.SamlServlet.verifySignature(SamlServlet.java:447)
at com.worldlingo.servlet.SamlServlet.validateResponse(SamlServlet.java:315)
...........
...........
Caused by: org.apache.xml.security.signature.XMLSignatureException: Signature length not correct: got 256 but was expecting 128
Original Exception was java.security.SignatureException: Signature length not correct: got 256 but was expecting 128
at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:93)
at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(SignatureAlgorithm.java:301)
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:723)
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:69)
This exception reminded me of JVM jar file changes that I had made during the development. By default Java can handle only upto AES128. In order to handle AES256, I had to replace,
- jdk/jre/lib/security/local_policy.jar
- jdk/jre/lib/security/US_export_policy.jar
From the site
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
