Getting error decrypting Saml token

I get an error decrypting the SAML token. However, this problem is not sequential; it works after the server is restarted. It worked fine until last night :(

DEBUG Decrypter:631 - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed: org.opensaml.xml.encryption.DecryptionException: Probable runtime exception on decryption:unknown parameter type.
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:705)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: unknown parameter type.
    at org.bouncycastle.jce.provider.JCERSACipher.engineInit(Unknown Source)
    at javax.crypto.Cipher.implInit(Cipher.java:791)
    at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
    at javax.crypto.Cipher.init(Cipher.java:1348)
    at javax.crypto.Cipher.init(Cipher.java:1282)
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
    ... 41 more
09:21:51,120 ERROR Decrypter:639 - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
09:21:51,120 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey faile

I used to get an invalid key size error that I fixed with Spring SAML ADFS: java.security.InvalidKeyException. However, I am not sure if this will have any impact on the US Security Policy Act.

But this exception for decryption is not resolved, and it is inconsistent. For some time, it starts to work after restarting the server.

I have tried everything in the last 2-3 days. I thought the problem occurs after updating the metadata, so I tried adding the property below to the ResourceBackedMetadataProvider bean, but no luck.

    <property name="parserPool" ref="parserPool"/>
    <property name="minRefreshDelay" value="120000"/>
    <property name="maxRefreshDelay" value="300000"/>

Then I debugged the WebSSOProfileConsumerImpl.java code, thought it was a JIRA issue, so I checked out the latest code, created a new jar and added it to my project, but no luck.

+7
java spring-security spring-saml
1 answer

After spending one week debugging and searching on Google, I decided to fix this problem with a small hack.

I checked out the Spring SAML source code from the main branch of the GitHub repository, built a jar and imported it into my project. I thought this SES-144 question was similar to mine, so I tried with the latest code, but no luck.

So, I decided to debug the xmlTooling.jar code, find the exact point of failure and rewrite the decryptKey(EncryptedKey encryptedKey, String algorithm) method in XMLCipher.java using the code below.

    Cipher c = constructCipher(encryptedKey.getEncryptionMethod().getAlgorithm(),
                               encryptedKey.getEncryptionMethod().getDigestAlgorithm());

Instead of calling

    c.init(4, key, oaepParameters);   // 4 is Cipher.UNWRAP_MODE

I used the code below and removed the if/else block:

    c.init(4, key);

You can check custom banks from GitHub.

You need to update your SAML dependency with the following lines in the pom.xml file to use this custom jar:

    <dependency>
        <groupId>org.springframework.security.extensions</groupId>
        <artifactId>spring-security-saml2-core</artifactId>
        <version>1.0.1.RELEASE</version>
        <exclusions>
            <exclusion>
                <artifactId>xmlsec</artifactId>
                <groupId>org.apache.santuario</groupId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <artifactId>xmlsec</artifactId>
        <groupId>org.apache.santuario</groupId>
        <version>1.5.6-custom</version>
    </dependency>

If anyone finds a better solution, please let me know.

+2
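An added stand-alone Java program (written for this page; not the answerer's code and not from xmlsec, OpenSAML or Spring SAML) that contrasts the two Cipher.init variants in the answer above, using the JDK's built-in provider instead of Bouncy Castle: it wraps an AES key with RSA-OAEP as an IdP would for the rsa-oaep-mgf1p algorithm, unwraps it once with an explicit OAEPParameterSpec and once without, and then shows that only the explicit path can reject a digest the IdP did not use. The class name and all keys are constructed for the example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepUnwrapCheck { // constructed example; not code from xmlsec, OpenSAML or Spring SAML
    // JCE transformation for xenc#rsa-oaep-mgf1p: OAEP with a SHA-1 digest and MGF1
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    // IdP side: wrap the session key under the SP's public key
    static byte[] wrap(KeyPair kp, SecretKey aes) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.WRAP_MODE, kp.getPublic());
        return c.wrap(aes);
    }
    // XMLCipher's approach: the digest from the EncryptedKey is passed as explicit OAEP parameters
    static SecretKey unwrapWithParams(KeyPair kp, byte[] wrapped, String digest) throws Exception {
        OAEPParameterSpec spec = new OAEPParameterSpec(digest, "MGF1",
                MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.UNWRAP_MODE, kp.getPrivate(), spec); // the c.init(4, key, oaepParameters) call
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    // The answer's hack: no parameters, so the provider's defaults for TRANSFORM apply
    static SecretKey unwrapWithDefaults(KeyPair kp, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.UNWRAP_MODE, kp.getPrivate()); // the c.init(4, key) call
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aes = kg.generateKey();
        byte[] wrapped = wrap(kp, aes);
        System.out.println("explicit SHA-1 params: " + Arrays.equals(aes.getEncoded(), unwrapWithParams(kp, wrapped, "SHA-1").getEncoded()));
        System.out.println("provider defaults:     " + Arrays.equals(aes.getEncoded(), unwrapWithDefaults(kp, wrapped).getEncoded()));
        // A digest other than the one the IdP used is rejected; the default path cannot express it at all
        try { unwrapWithParams(kp, wrapped, "SHA-256"); System.out.println("SHA-256 params: unexpectedly unwrapped"); }
        catch (Exception e) { System.out.println("SHA-256 params rejected: " + e.getClass().getSimpleName()); }
    }
}
```

Dropping the parameters works only because the provider's default for this transformation (SHA-1 digest, MGF1 with SHA-1) matches what the EncryptedKey declares; on that path the digest algorithm the EncryptedKey carries is no longer consulted at all.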
