2 Replies Latest reply on Jul 13, 2015 4:41 AM by Michael Hauke

    Saml2-Authentication-Handler cannot handle encrypted Response because name space "xenc" is not bound

    Michael Hauke Newbie

      With Picketlink 2.7.0.Final on Wildfly 8.0.2.Final or 9.0.0.Final my service provider cannot handle encrypted responses.

       

      Root cause is a SAXParseException because of missing name space "xenc" for an element "xenc:EnrcryptedData".

       

      According to Firefox-SAML-Plugin my Service-Provider receives a response like, where name space "xenc" is declared in the root element, and with elements using this name space. When I look into SAML2Response.convert(StatusResponseType) from package "org.picketlink.identity.federation.api.saml.v2.response", it creates a document without the declaration of name space "xenc" and thus parsing this document fails.

       

      What can I do?

       

      Below first the response as shown by Firefox-SAML-Plugin, second the content of the ByteArrayOutputStream in SAMLResponse.convert (content specific to my environment replaced with "...").

       

      Response according to Firefox-SAML-Plugin:

       

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"

        Destination="..."  ID="..."

        InResponseTo="..."

        IssueInstant="..."

        Version="2.0"

        >

        <saml:Issuer>...</saml:Issuer>

        <samlp:Status>

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />

        </samlp:Status>

        <saml:EncryptedAssertion>

        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"

        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"

        >

        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"

        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"

        />

        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"

        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"

        />

        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>

        </xenc:CipherData>

        </xenc:EncryptedKey>

        </ds:KeyInfo>

        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>

        </xenc:CipherData>

        </xenc:EncryptedData>

        </saml:EncryptedAssertion>

        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

        <SignedInfo>

        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />

        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

        <Reference URI="...">

        <Transforms>

        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />

        </Transforms>

        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

        <DigestValue>...</DigestValue>

        </Reference>

        </SignedInfo>

        <SignatureValue>..</SignatureValue>

        <KeyInfo>

        <KeyValue>

        <RSAKeyValue>

        <Modulus>...</Modulus>

        <Exponent>...</Exponent>

        </RSAKeyValue>

        </KeyValue>

        </KeyInfo>

        </Signature>

      </samlp:Response>

       

      Response according to SAMLResponse.convert:

       

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="..."

          Version="2.0" IssueInstant="..."

          Destination="..."

          InResponseTo="...">

          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">...</saml:Issuer>

          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

              <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

                  <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#"

                      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"></CanonicalizationMethod>

                  <SignatureMethod xmlns="http://www.w3.org/2000/09/xmldsig#"

                      Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>

                  <Reference xmlns="http://www.w3.org/2000/09/xmldsig#" URI="...">

                      <Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">

                          <Transform xmlns="http://www.w3.org/2000/09/xmldsig#"

                              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>

                          <Transform xmlns="http://www.w3.org/2000/09/xmldsig#"

                              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"></Transform>

                      </Transforms>

                      <DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#"

                          Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>

                      <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">...</DigestValue>

                  </Reference>

              </SignedInfo>

              <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">...</SignatureValue>

              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

                  <KeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">

                      <RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">

                          <Modulus xmlns="http://www.w3.org/2000/09/xmldsig#">...</Modulus>

                          <Exponent xmlns="http://www.w3.org/2000/09/xmldsig#">...</Exponent>

                      </RSAKeyValue>

                  </KeyValue>

              </KeyInfo>

          </Signature>

          <samlp:Status>

              <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>

          </samlp:Status>

          <saml:EncryptedAssertion>

              <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">

                  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>

                  <ds:KeyInfo>

                      <xenc:EncryptedKey>

                          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></xenc:EncryptionMethod>

                          <xenc:CipherData>

                              <xenc:CipherValue>...</xenc:CipherValue>

                          </xenc:CipherData>

                      </xenc:EncryptedKey>

                  </ds:KeyInfo>

                  <xenc:CipherData>

                      <xenc:CipherValue></xenc:CipherValue>

                  </xenc:CipherData>

              </xenc:EncryptedData>

          </saml:EncryptedAssertion>

      </samlp:Response>