Error occurred while decoding OAEP padding

We’re having problems decrypting an encrypted assertion. While searching, everything I’ve found on this topic suggests:
1) the public and private key don’t match
2) we’re trying to decrypt with a public key
Neither of those things is true. We’ve verified with our client that our public key is being used to encrypt the assertion. The keys match and the private key is being used to decrypt the assertion.
Other things we’ve tried:
1) made sure the X509Certificate2 is using the machine key storage flag: X509KeyStorageFlags.MachineKeySet
2) given full rights to the IIS user account on the machines for the Machine Keys directory in Windows
Are there any other things we should be checking?
Here’s the relevant code:

string key = {path to private key}; // path to the .pfx file holding the SP private key
X509Certificate2 decryptionKey = new X509Certificate2(key, _samlPrivateKeyPassword, X509KeyStorageFlags.MachineKeySet);
var encryptedSamlAssertion = samlResponse.GetEncryptedAssertions()[0]; // first EncryptedAssertion in the SAML response
var samlAssertion = encryptedSamlAssertion.Decrypt(decryptionKey.PrivateKey, null); // fails here with the OAEP padding error

The code looks fine.
Typically padding errors occur when the wrong public key/certificate is used to encrypt the randomly generated symmetric key.
If the matching private and public keys are being used then this will require more investigation.
As an experiment, are you able to switch to use the sp.cer/sp.pfx test certificate and private key that we ship?
It would be good to check whether the issue still occurs with these.
Have you tried encrypting a SAML assertion using our component and then decrypting it using your current .cer/.pfx certificate/private key?
This will check that there’s no issues with the certificate and private key.
If there’s still an issue please contact support@componentspace.com mentioning this post.
We will need to get you to enable SAML trace so we can debug this further.
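The experiment suggested above (encrypt with the .cer, decrypt with the .pfx) can be run outside the SAML library. The following stand-alone C# program is an added example written for this thread, not ComponentSpace code: it checks that the public key in a .cer file is the public half of the RSA private key in a .pfx file, and then wraps a random session key with RSA-OAEP using the public key and unwraps it with the private key, which is exactly the step that raises "Error occurred while decoding OAEP padding" when the keys do not match. File names and the pfx password are placeholders. It assumes .NET Framework 4.6 or later (for GetRSAPublicKey/GetRSAPrivateKey and RSAEncryptionPadding). One caveat worth knowing: the XML Encryption algorithm http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p means OAEP with SHA-1 and MGF1-SHA1, so the example uses OaepSHA1; if the two sides use different OAEP digest or MGF parameters, decryption fails with the same padding error even with a matching key pair.

```csharp
// Added example: verify an SP .cer/.pfx pair and exercise the RSA-OAEP key unwrap.
// Not part of the ComponentSpace library. File names and password below are placeholders.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class OaepKeyPairCheck
{
    // True when the public key in the .cer is the public half of the RSA key in the .pfx.
    // Comparing modulus and exponent ignores certificate metadata (subject, validity, serial).
    static bool KeysMatch(X509Certificate2 cer, X509Certificate2 pfx)
    {
        using (RSA pub = cer.GetRSAPublicKey())
        using (RSA priv = pfx.GetRSAPrivateKey())
        {
            if (pub == null || priv == null)
                return false; // not RSA, or the .pfx carries no private key
            RSAParameters a = pub.ExportParameters(false);
            RSAParameters b = priv.ExportParameters(false);
            return a.Modulus.SequenceEqual(b.Modulus) && a.Exponent.SequenceEqual(b.Exponent);
        }
    }

    // Emulates the IdP (wrap a random AES key with RSA-OAEP using the .cer)
    // and the SP (unwrap it with the .pfx). Returns true only if the unwrapped
    // key equals the original. A key mismatch surfaces as CryptographicException.
    static bool OaepRoundTrip(X509Certificate2 cer, X509Certificate2 pfx, out string error)
    {
        error = null;
        byte[] sessionKey = new byte[32]; // AES-256 key size, as XML-Enc aes256-cbc would use
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(sessionKey);

        using (RSA pub = cer.GetRSAPublicKey())
        using (RSA priv = pfx.GetRSAPrivateKey())
        {
            // rsa-oaep-mgf1p in XML Encryption 1.0 is OAEP with SHA-1 / MGF1-SHA1.
            byte[] wrapped = pub.Encrypt(sessionKey, RSAEncryptionPadding.OaepSHA1);
            try
            {
                byte[] unwrapped = priv.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA1);
                return unwrapped.SequenceEqual(sessionKey);
            }
            catch (CryptographicException ex)
            {
                // "Error occurred while decoding OAEP padding" lands here when the
                // private key is not the pair of the encrypting public key, or when
                // the OAEP digest/MGF parameters differ between the two sides.
                error = ex.Message;
                return false;
            }
        }
    }

    static void Main()
    {
        // Placeholders (assumption): point these at the SP certificate and private key files.
        var cer = new X509Certificate2("sp.cer");
        var pfx = new X509Certificate2("sp.pfx", "<pfx-password>", X509KeyStorageFlags.MachineKeySet);

        Console.WriteLine("Public key in .cer matches private key in .pfx: " + KeysMatch(cer, pfx));

        string error;
        bool ok = OaepRoundTrip(cer, pfx, out error);
        Console.WriteLine(ok ? "RSA-OAEP wrap/unwrap round trip succeeded"
                             : "RSA-OAEP round trip failed: " + error);
    }
}
```

If KeysMatch reports false, the certificate the partner is encrypting with is not the one whose private key the SP holds, which is the outcome this thread eventually reached. If KeysMatch is true but the round trip still fails under the SAML library, compare the EncryptionMethod algorithm URI in the incoming EncryptedKey element against the OAEP parameters the decrypting side uses.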

I was able to verify that the public and private keys are matching by manually encrypting the assertion then decrypting using our .cer and .pfx files.
I’ve attached a saml trace from a failed decryption attempt.

Let’s continue via email.

What was the resolution in the end? I am facing the same problem.

Frankly, we haven’t resolved the issue yet. The client is using software called Ping Federate for their SSO needs, and their only assertion encryption algorithm option is RSA-OAEP (or whatever the exact name is). I’ve been able to encrypt the assertion using the same algorithm then decrypt it without any issue. We believe something on their end is throwing a wrench into this process.

I’d be curious to know what your setup is.

FYI, we have integrated with Ping Federate here but we weren’t using encryption so we didn’t run into any problems.

My problem is integrating with Shibboleth InCommon. I have created a self-signed certificate with a private key (of type ‘exchange’). Our client is encrypting with our public key but we can’t decrypt. Getting the same error as you. I am using the high level API though, i.e.

SAMLServiceProvider.ReceiveSSO(request, out isInResponseTo, out partnerIdP, out userName, out attributes, out urlUserTriedToAccess);

I guess my next step is to use the certificates issued by ComponentSpace.

The error thrown is:
ComponentSpace.SAML2.Exceptions.SAMLEncryptionException: Failed to decrypt XML. ---> System.Security.Cryptography.CryptographicException: Error occurred while decoding OAEP padding.
at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
at System.Security.Cryptography.RSAOAEPKeyExchangeDeformatter.DecryptKeyExchange(Byte[] rgbData)
at ComponentSpace.SAML2.Utility.XmlEncryption.Decrypt(XmlElement encryptedElement, XmlNodeList encryptedKeysNodeList, AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlEncryption.cs:line 365
--- End of inner exception stack trace ---
at ComponentSpace.SAML2.Utility.XmlEncryption.Decrypt(XmlElement encryptedElement, XmlNodeList encryptedKeysNodeList, AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlEncryption.cs:line 400
at ComponentSpace.SAML2.Assertions.EncryptedAssertion.DecryptToXml(AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Assertions\EncryptedAssertion.cs:line 733
at ComponentSpace.SAML2.InternalSAMLServiceProvider.DecryptSAMLAssertion(Object samlAssertion) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 230
at ComponentSpace.SAML2.InternalSAMLServiceProvider.GetSAMLAssertion(SAMLResponse samlResponse, XmlElement samlResponseElement) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 267
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 409
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 684
at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:line 402

Would you mind emailing the following to support@componentspace.com mentioning this topic?
I’d like the SAML trace as an email attachment as well as your self-signed certificate and private key, assuming this is for test purposes and you don’t mind sharing. If you could send me the .cer and .pfx files zipped up as well as the password for the pfx file that would be great.
I can then do some testing here. Thanks.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

After much stuffing around my issue has been resolved.

It turned out that the certificate the customer was using was not the same as mine. The private key was obviously different.

I’m glad the issue has been resolved and thanks for posting. In the majority of cases the cause is mismatching public and private keys.