2

I have only one JDK installed in my machine and the code is pointing to the same JDK. I have installed unlimited strength cryptography library in both the folders(C:\Program Files\Java\jdk1.6.0_25\jre\lib\security and C:\Program Files\Java\jre6\lib\security).

I keep getting the same exception even after adding the above mentioned unlimited strength library. This is in continuation to other ticket link

Exception:

Caused by: java.security.InvalidKeyException: Key is too long for unwrapping
at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..)
at javax.crypto.Cipher.unwrap(DashoA13*..)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
... 46 more
41   [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt   EncryptedKey, valid decryption key could not be resolved
42   [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
42   [http-8080-1] ERROR org.opensaml.saml2.encryption.Decrypter  - SAML Decrypter encountered an error decrypting element content

SAML Encrypted assertion

<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_b789fe1577b7a52846f0de3a53504b54" Type="http://www.w3.org/2001/04/xmlenc#Element">
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey Id="_a55df022fc577a2523dea6dde1bb2d78" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
           </xenc:EncryptionMethod>
           <ds:KeyInfo>
              <ds:X509Data>
                 <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=    </ds:X509Certificate>
              </ds:X509Data>
           </ds:KeyInfo>
           <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
              <xenc:CipherValue>CPKpuy59EbLdJxoWtOEXlVG7nJkn2B4wk7seQ0VVK4+DbMZWqW9F+GLPtqQPMbVS99nPON9YCiNbpLpUlqE8JvZOQ2tyf5H5d7+kAF/QqaTPJjYC9SzI6dbLkB6O+EJZY6981iUkJtuUvs+B0649BwnKf9ByNoHePEKZeN6Ws9YNB15xrc5aTGqLVzW/bUTgOGPpZDPyeHYoqWRhDg6/2uYfvglMnN5t/mlGzLxsGJbF8WMdfIf2tYbGoDUfs5SgXtsvZPEm81WEenPJz/iE4PR0ih//in/h9+RmpfEfLw3A==</xenc:CipherValue>
           </xenc:CipherData>
        </xenc:EncryptedKey>
     </ds:KeyInfo>
     <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>5MRv+ee2XjfYNJeLOiuBi+quq9Vz7fE60JRzvXODQ9w4Y/czcWM/vYVoyX8/+n/27UIw4IyP0+en7H8ylOpJwNJC62Ur4GM3pAWde6Q9t4ZrjCu0yN3oX9v+0TVCJ8NKBGoyoIIbW5WljQob2NArvJc6z53gKzNYwYdYwMz7pcdJ0d0qpb11cphpNzWOONmmV6OZxnUOrGVceY+KvIOqHWmkvhPLW0d5J2C2nua/EWIq7+MWCAIHBnCGacTF+gaz6zO10lSHpFIm6dXfhIivSf9ZYye+I3dDOIMDeFN2UtXCRpG1OjGc4QqZ3HiDQ1ownjNE6L6HRQYgyarLc4Jrb3ftXzPl6Q47/T4QYgeM+tuk7nTJV5sCDji4WzZ7fG5syAXOCI49GdAhlTpanqBE3pzl8eRaLQEfrgMtQngvJDk03DcgGYjtdsflZZpHVqo++uHmOjjB/vC7hBwpOZEARA8m0o+EmHVU2QRUjWEFMmu1flKr+tl1+AMcnAR8prNGjEYttwBJ06G/1Ad25xqE8N0NMFabJGgOn/MP3T0+ZvzuzFXR+m3peKvlwdlsRTBBQeUpmEFcBN6Ls1UlP576VN1XYWPYblZ3qjqO2Qkfrxx79TaN69X8gkcJ/WJ3Wzj3UTToSgd7oXF2kOMdKwg66aijs5ToqZQOJCCazS9YyZrIV8/TvVQSd5S01H660BsZMvJvKUM0GNWqD7QHjDrU0GLAYKQDE+QouMJkf1E1STXq8rkgD9A8o9bNaWZoM2TQnJ7AmOXw1Nms9+Old3HRhnXurC2+MgiRFy70iA50F/OtiWE08aQYGiHeGDyVEXGvrroVWmPYBKvEjycVGkVADe0ICVD41wZEw7F/FmaBkx/wHKYXu9DoN3SFdMSo7fouFBZMCqMNY2Sodo70ALad/uC72AVx20urKXIoXpPlzzXYtWYm9nG7pLHWnrPMxbDZPcJPLGBzOeqmqcbPU/MQ765soVHQ6TR3sZe5Go5Smaauump4PAP1bLeewh1RKKDN5jKjD01R9Wzl34ithvgToi5pUpSNBTsbFpdN4fsg1c78yxXC3qr051/VngWK4SdxqDjdvAMWMSNvIOOsKBYqHN0sabQD/zD0XclH2MarDe3udBULr+eCrU5qkGXClg+e7fvpAYV6yUXCnrn5Uq1WrpUMWffyzWwJnlgiWtIlCy8wV/YDXFQ0QR3hET02H4JiHRKABrHTx9/MTQJPqHdv7eNxmTQj8bEjZcTygMxec5RQLr06/ontMtktgZCjQopBs5Sg10N0Rc0foMxo42X2ceCdkxHGMTndMEEBsJEfTLSLX86InW2S+omXZkiUrmdQsgUzF04waiuYyYPufkgaFdH1n7lTGjpH6nZsbKYILQJemEdfSFqHoCIZqtVrLdiTP+b1doZjKGZ/Dha7syL3ctvrj1ingjpjYYXEfEQIod6+fr7DP/fN5GF/qYWoYDXW+tBDMatcEBy7v52f8vcKrnl6j3qqD9MoejOarS/LABdqVq7r0X8R3ApbDrK/UQFijAEgZi467CMk4pLjpsVTljehGEcyo55cRpyz6G7Nak1c35pNK4vFtC3QeIgjWs4JwCRWo8QFIBUqe5yiNlRhnh7uZ9fx9UNSeJ4zle0Ixtby/Az2TUJoBsbIN+Gj9eeQIhAIR7st6fLboRptE6zX/ZDWzii2z99rWLts5F0aatQsbToD7QQgDGKJIybt5bAKQh8cWQ2DaCDPKhxHCYlHn4p5xPHjU0MaXhpwcbWZlPJJed2ZrFY0klUoYSdse3vw0BmFv0xm3Z4IfGQ3M5ZbKpUEbGKugqgD9PSviQdRtj9tIQVylA+MVOimxnTcmr2j5k8RfEA1hN7I5oo5M/kmXttebED36mzpHaW7opGY7fgjLMdR3aebMX5eBI2TmtvAYbFM3ZLjHgFEtikl8ETzRwWZQAq/1wpYHyIJSf1KAZXnauo72allx+QhoYOSZ1W1dt2Y9ldr5DC9o+8BPrxWMUOtP1EE4J0d3lZ6Dxj0a1ae8NNpSOy1ARu78GE2uU0RKmUYo45VsxEJN91gNe53zVrlpjNPx2vlGDJi5YtFk3I/wXNHpz/rxml9mMjcy7gEC+KLX36LO0BuL1+lM1S2nWCEl1XYUQHKGX5pnBuFr5F9thZRmXFKcQbdA1o5tX1Pn6R4ffI27uxQSS5VHCcLl02EMDpafReouXDK6lk8k0GlUJHJPEqku0x3v1ijIuQpWb2tZ/LFgTD36WRhjK+Q1kxs0JyrpHSX+SRwEVbMZ6EDur6ijQBimvTMHkZo1jzfyfPqBJW41R5QomWxk5RPyfnY5Ew4+qgVRIb4bx+Oe9T9Z9DmlqEoBn/jb9GNDY3RnLxKpHD9k/0XEV71kzXye8LumiBFKsH7PIBBeNmt3QmvBPkTIf52s7giivaE77jw/I/lVdvay8BewHYALZnxtda+VcoVKVML+NAosdhLSFjbQY8I6vFK8YzcYRRw+fejPBOoSgE2OXnGQyD8VfHTSPUVKLqG91Ekn77D1rG5TUfHGY2RKAEqsxHeFIt4akXf1nSmItaRcMLGZbTN+PMVA7IlHCekgAoRhlCcemgFEQEc5zP5+mWuunLQM9qbw3U5aHiyuigdUqpZqYe/9Se6MIN1VHcR2Wrayz8Ut1j4sZKVYTgNpvfYaU63+HXYqSzKDLiBKm0dCmDTUwrUY3IGhX27jDUZj9BaNV3vCNZqXawDZky7ZAugRM5Be6lSOBaCDf2cgJPcL1E30FoCqER8Oi22ScXSFurzWf3rwC5V9nC++B163qQTZqKb5eurGYxPuo6CFps481DdxNfhpYAkHC4akoXpnJevuIXNF95EiZBIzzQ4KGZTgdVH97UrBNA9gmcJBu8jGSXl5bFRYPqIx9bpC8bHtMrU586TTl8sQbP95X76ZKcKb9YRaKsr3MMkxD4L45KJ+vqsYnLYBOUMj2dbp8c//rsSHP2WfWC+s/K58hLab7TqH/LE8vaJeg3PC8CMPbv1r2onUlWfG8fs7a5FRX67I5vbXrKn2ZYjGFrLLx8wWPhs1mQPqDzHn+CnOYqApW0ZhSFyAi7yEkyt+7AKS+0L0W2mYiEqq+iLuw6Vp3JuQ23Gx+jCbtBUq+VY7z7uGIrl+hmfYPRBj2HcTud0kfScOT6I4rmHxBvoCc5vHm+5cOzgzR6fpbN+PZzT3G2D35dSzAeDlrLaxSXiTDUAivR7i6ufxv7ma+IitCVxImbqSW0zI/RJrA6VcvOWG9CNq2jV65/mc4qmGcreihUeqHgpa9wcVrsGndA0C5EIS7F5LxOjZyrOCmyXG8MukF1KavD+y4RUKu8HMbPP1DO/10ZRmXARJKTdfG3npjnpy4QZc72tsfoY1XBZkceclVuNpQJrWfX3WPg5x9iEUSoRVg+hgGuQ2UQYeOVOvXgyMysz34du6HdDCl9n4gL3h57fkakZ1lIIVvrl6ZVGkfZEjp8vy2RY6cSNOIPUasDPoMuzsLG5yuw6yAPd7Xs3X15ezpncAk3fMphTFZ0WeL7sW66QVjvSMZa94DoeiqLjzFbr9upglWVOv8DA2hfkbpaLGVF8foAcLtvDsWFjpy5FoJrvZYEHOSLcY4KLU0YC7UFP/DkyxM9aBSa8A3NgONUvEm2jP02YhsCv1V1o/WJvQyJ9KZQUO+BrEA6h4MHZ+kWed8RoJ7NNIwIXQIYKtXC3c2UjpKBpWkRKhSukxOYfRvNonhV/LPT8xQuzBuoiybLCy5vfX/d8U24/it8vPZmnyoITWs5ask+K1ahOgChe2WFs0xuPmEXIAuu3FOsfEsFO8rqPe2pfUMCzU3ysN8lbznPWbN97RUOr8zXs4bmNbUB1nHiA0toP9VO/4h+XrZOF48c5mSYJ7+dATrHVOn3kOgD4cE7Z9qkJ86NzT5gLrpdjSTrHcJuOTwO/o7n9VLtohHMndAxlHuRHtF5g+pOXV2sMczfnPEpJydl1ehGWBoXXsccpeva6vRMiJH/vjECaY6Dou4UvF7yP7zc8X1k+F78LDfHkSnx6BBbdYmA47VhKDget+6xq3wcrWipnzZ5zQgbPD4FLU6ZWPotuQGIUE03SQ8LYmzvqXLPV48HGQKzjL3uJ6cpfYkw51VF4tQ9jDetTuYiwgQt8Qd3xycL8WmylgDR8fld9UQehfUZYx8hyVLLykBrsu0Z/c6il5QIqVORNk98bJiAvNGnQm8eL1yOBPtwa3mCHbiJ01HuhhSbc+pcWhSgJ1REwbWqerUGFuv4x/V4dJOLldXdCzFKjDIQO2Cc57le5WFjljeh8zPV40RIR4Y0JKPtTW70n3DRVH0JcxEk6cpjy/oF+oE1DaZYUODbwpXmQX4h80RkNrVumixEdaEerRrQ9Go80lNU/kXQ8oV86w86Xu0Ov9lLLuSwVVoB5nS3Py4cCGHfUTtLcZL/uNt9VGEIoM3UVOF7rdMZEbHpXh7HlQ2LFztZ1Z15xNQjIV/adpquS6HSduCXVo8VlRQIa3lXDB2w7/+tkCyBHrwFn2ZTLzxFLv9jTwJjg9sXWxs6zLg52zU9cYiRvPE/yCawOeE6wbihRPgjw7cnbmtZ/R95i13DRcxxWLWgpw4Y0xqNlHP830p/w/GivsPJ5QQ8nULbfKRjTBu8i6wFRuy/pfpZ3wkCUOk5iFtHqBZV/AaRZXIpw0MYbvmtbZwcIet6TOE/7xFnycwhh06sxMtpvAaEKghamCdLsiPnXnSJGGqAW1qd6u54TTrIdQdVzQ6TRLIfTOVcEe051971V41xZQQg8ROMhZCOn3di/FDHeYcTExzEAi04pQ9BmE6wGQHUkExDpxp4gveQLRKMTW3CQdE7kwFB6qAU2XOy+2n4CkHj8K8zVtnMWUHRuXYNGR9whN8lEyQgEAY0evcD0xlSjeEA7KcexkDWyYtWWRbYsPEQHmOj97926scdd+6HP3voPJeS6XAwnPbhNO9N3L77kLPmwo05W2dyfg9zdL1INblETfksDuCQ/P2RWU1BaLH9h18oi23g8n05K4XPdycle2UQcYf156AKBVVkhG++4TTD/xWqoHzffb8XtARGC7cdZphiSE58d/UfkrAqek7+Sd6Dqgu2JXlxR159xlULb92KLnKHMIPGJG9mYIzlk/H4BRSj/hAoIxPDMXfcM8r96iC/AKKaQmGx+FZ4HDj9O0xiBNlOBIorPrGhL+6WwSZW4LCQ3GOvxYOwYPd4gecThadR5+h7EF99O75X+HHyTLdzUveHOe5F9vKW9TYFRMtwA4lj7WTKFpEJf7FOeV3zG+U4juingOHxqK1RgqGDMnHaHLgKzm17iauw2deA1GL/bLiB5PR1BzPMJtgoOdBYHhv0fBioxrskwF6r6E+9rQ1jC35YIKNfPUehM6IVgobSqMFC47Q9+0j7NXlt6XYQ9Ys9gWr9g9G23WLzCKO97mTGmGXP2IOtfTfQx9NYGuYj1vtlcC+PY3KF9WVhxq1mtdx2e60obnzF5jqMx1GnZFyTM79AbJwpGCfMBbOkWopr3YynLdTBpm72kmg6biXWbb5KFckSSGKWqkHWn4LgwCoWjXr8TwcoMhLNpNlirXWZYyxFwR/n0MvT7Du44Rak+eNw+f7uATRInHoOp9gMukfzYoiMPcEeadlq+3cEYg/EGmiIbASEx/A3guJPI1Zh9mlXeDXr1W5UqyIAsMjwGoktd5LKJK56RNFCZeyOLurvd5/lHofxsM+7sxhkgBjng6+221BxsXDsjNe7b7xymRqGZmxnIBYl2DqDJx+gA+y51kfJvoz6z22hcfPEL6V7LOPu3V0JC04TbdnV71YVAbnmU2qWY8+YFoBYUX18R2qC8GESzXL01/CDM6owVFxJ6nKObZ/dwt93s2EYoMMquW2nc1cfqd6t1LvOzoPAo2FftTerCZmYOx4nAf6mEDsbarURsspmmGiN9WToPR5ee9YVOhpO7YZP7Wj11ZbfiFrsCEUPLqlS0FHz8oDgRGp8KEnFd6+H+saeMWSSZ8yJ/Klwaz1ATrIVAd2Bb0Hd3vq4ExaJ+RCfB+BfIJr+OwGJPOB5nNmcv/WQkZWKPnWOeMBoBvg8NMpsUDiglTCNy/kHKe7Ln9hHVdjH/ID0E4K7bDh5KG2GJcNP1P4Vb33Ed8db9vGy1lDRKZvtkABxjEsia2mpLAWcg4fMkS41QBzGffFf9qtljLUKoGa1EKJCl8+BclJp6JAe97dTNNg9LXfHsxQFSM7z9TsBD7Vmrjwv0QbQaEd/TdWntavFEeC1y7PLuJYg2fsYOkpRXXUW/YV9EDKgE5nQtRXywTEcyrKLQGlhecaGnRlUkKG0g7ORCb/vABeJRItazaXi2LVacRKMrzDHPWzElmok+dkPg6gDg8KTMOQiWZhLAXdMbc1M2iBjBl5uKsHBDFX86orZlRELSaXEbGKBUi2k8lnBW3WpLKdgY2+TUpDd+OxUK7v1zhOYw1zZtDdIgje84vJ2wQGHpNu7UNE2KcLKi7uG/0TKS9lkkGr9W1DHqvZ9irQmJ403ld+r5lrnSUbq6Yv+xYdi/aLsm+lagyt4XW6vaez7bGSaK3ESPBgmK47OiEUPHQbRlILCydalaWoZyU2fzI87ZAJ36fpRPWtBwe2tqJ4AE+koz3PBulsGlU7KUsR2ndGuzPc0gK1DSL5n+BW0Fs=</xenc:CipherValue>
     </xenc:CipherData>
  </xenc:EncryptedData>

Can anyone look into this issue which I am facing and provide a solution?

Community
  • 1
  • 1
SM KUMAR
  • 475
  • 2
  • 8
  • 13
  • Are you re-creating new SP metadata and updating it at IDP side whenever you generate a new SP private key? – Vladimír Schäfer Oct 08 '14 at 10:46
  • @vschafer I am new to this and I am sorry to say I did not understand what you are trying to tell? I have used the SP metadata which was provided by IDP with the unique URN. This metadata xml contains only the 509 cert. I downloaded this xml and created a local copy which was referenced in securityContext.xml. Once this is done, I have created a key pair which contains both the public key and private key. I am also not sure what do you mean by updating IDP when I generate a new private key? Sorry to trouble you now and then. – SM KUMAR Oct 08 '14 at 11:17
  • @vschafer In addition to the above comment when I changed my java environment from 1.6 to 1.7(unlimited strength installed), I am getting a different exception which is javax.crypto.BadPaddingException: Decryption error at sun.security.rsa.RSAPadding.unpadOAEP(Unknown Source) InvalidKeyException: Unwrapping failed – SM KUMAR Oct 08 '14 at 11:29
  • Can you please close/aceept the other two issues you've opened for this problem at http://stackoverflow.com/questions/26215301/spring-saml-error-decrypting-encrypted-key-no-installed-provider-supports-this and http://stackoverflow.com/questions/26164109/trusted-certificate-entries-are-not-password-protected-spring-saml – Vladimír Schäfer Oct 11 '14 at 07:15

2 Answers2

4

You are most likely trying to decrypt the encrypted content with wrong key. In other words, IDP is likely encrypting data with a public key which does not correspond to the private key in your SP. You can find details on these concepts in public key cryptography wikipedia article.

Once you generate private key + public key + certificate for your Service Provider instance (= Spring SAML installation), you must provide the generated public key to your IDP. This is typically done by creating metadata document describing your SP (which is by default auto-generated, download it from scheme://host:port/appcontext/saml/metadata, e.g. http://localhost:8080/spring_saml/saml/metadata) and providing it to the IDP. The metadata document contains the X509 certificate with public key for your SP and is used by IDP to encrypt data sent to your SP.

Vladimír Schäfer
  • 15,375
  • 2
  • 51
  • 71
  • @vschafer I am using the same configuration as you mentioned. The generated public key is provided to the IDP. How do I know if I am using the wrong key?? I am really getting confused with the stuff. Public key() which is mentioned in the above SAML encryption assertion is the public key of the SP. So, it corresponds to the private key of SP. Can you correct if the process of generating public key and private key is correct by using keytool.exe of JDK. – SM KUMAR Oct 08 '14 at 14:39
  • 1
    @vschafer It is working now. I was using the wrong JKS file. I know it is a silly mistake. Thanks a lot for the help. – SM KUMAR Oct 10 '14 at 10:45
0

@vschafer Can you please verify and let me know if the following steps followed are correct??

  1. I have created a JKS file with the following public keys and private keys

a. Public key of IDP 509 certificate using the crt file shared by IDP to validate their metadata XML

keytool -importcert -alias adfssigningIDP -keystore samlKeystore.jks -file IDP-metadata-signer-2012.crt (samplePrivateKeyPass is given as keystore password)

b. Public key of SP 509 certificate which is registered by us with the IDP

keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file SP-Metadata.crt

c. private key of SP with RSA as signing algorithm

keytool -genkeypair -alias privatekeyalias -keypass samplePrivateKeyPass -keystore C:\Users\user\Desktop\samlKeystore.jks -keyalg RSA -sigalg SHA1WithRSA

(SP-Metadata.crt is retrieved from IDP website where the service provider is registered.)

IMPORTED CREATED JKS FILE USING KEY MANAGER CONFIGURATION

<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="samplePrivateKeyPass"/>
    <constructor-arg>
        <map>
            <entry key="privatekeyalias" value="samplePrivateKeyPass"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="privatekeyalias"/>
</bean>

SP METADATA CONFIGURATION

<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
    <property name="local" value="true"/>
   <property name="securityProfile" value="metaiop"/>
   <property name="sslSecurityProfile" value="pkix"/>
   <property name="sslHostnameVerification" value="default"/>
   <property name="signMetadata" value="true"/>
   <property name="signingKey" value="privatekeyalias"/>
   <property name="encryptionKey" value="privatekeyalias"/>
   <property name="requireArtifactResolveSigned" value="false"/>
   <property name="requireLogoutRequestSigned" value="false"/>
   <property name="requireLogoutResponseSigned" value="false"/>
   <property name="idpDiscoveryEnabled" value="true"/>
   <property name="idpDiscoveryURL" value="http://localhost:8080/app/saml/discovery"/>
   <property name="idpDiscoveryResponseURL" value="http://localhost:8080/app/saml/login?disco=true"/>
</bean>

Apart from the above mentioned steps, I have even installed unlimited strength cryptography for JRE7 as well.

Inspite, I keep getting the following exception

org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1479)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.mobile.device.DeviceResolverRequestFilter.doFilterInternal(DeviceResolverRequestFilter.java:60)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Unknown Source)

Caused by: java.security.InvalidKeyException: Unwrapping failed
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:431)
at javax.crypto.Cipher.unwrap(Cipher.java:2466)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
... 46 more

Caused by: javax.crypto.BadPaddingException: Decryption error
at sun.security.rsa.RSAPadding.unpadOAEP(Unknown Source)
at sun.security.rsa.RSAPadding.unpad(Unknown Source)
at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:356)
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:427)
SM KUMAR
  • 475
  • 2
  • 8
  • 13
  • There shouldn't be any need to import SP-Metadata.crt. The SP-Metadata.crt key got to be the same as the key you generate with "keytool -genkeypair -alias privatekeyalias -keypass samplePrivateKeyPass -keystore C:\Users\user\Desktop\samlKeystore.jks -keyalg RSA -sigalg SHA1WithRSA", but it's not supposed to be provided by IDP to you, it must be provided by you to IDP. – Vladimír Schäfer Oct 08 '14 at 14:48
  • @vschafer I generated SP metadata using the url http://localhost:8080/spring_saml/saml/metadata and provided it to IDP. They registered it with the unique URN which is configured as the entityID. Hope this is correct?? More over did you mean to say that step b is not required and step a,c are enough to generate JKS keystore??? If the answers to the both are YES, then I am still at the same position where I am getting the same BadPaddingException – SM KUMAR Oct 08 '14 at 16:00
  • The answers are yes to both. And your configuration and key generation seems ok. Sorry, but I don't think I can help you further without access to the environment. – Vladimír Schäfer Oct 08 '14 at 16:13
  • @vschafer Thanks a lot for your time. Do you know what could be the problem if the exception is **BadPaddingException:message is larger than modulus** – SM KUMAR Oct 08 '14 at 16:19