Java + SAML: Illegal Key Size

PROBLEM

When attempting to decrypt the SAML response from the IdP, the following exception occurs:

org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
	at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:596)
	at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:795)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
	at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
	at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
	at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)

SOLUTION

Inspecting the SAML response payload below shows that the assertion data is encrypted with AES-256 (the xenc:EncryptionMethod algorithm is aes256-cbc):

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://server/my-app/saml/SSO" ID="_370d6ba5-177c-494b-9147-2eafd9ecb6c9" InResponseTo="a5c5dja1i5fgb2bf2e66f6g9g5398gj" IssueInstant="2016-02-18T15:28:43.473Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=server</ds:X509IssuerName>
                                <ds:X509SerialNumber>1822784706</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>isG83fVk50fJRIcg...</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>+b2o6HNxaxsse7rkB...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>

By default, the JRE ships with a "limited" jurisdiction policy that caps symmetric keys at 128 bits, so a 256-bit AES key is rejected as an illegal key size. The restriction exists because of US export laws and a few countries' import laws.

To fix this…

  • Determine the Java version in use.
  • Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that match it – Java 7 or Java 8.
  • Inflate the zip file.
  • Copy local_policy.jar and US_export_policy.jar into [JAVA_HOME]/jre/lib/security, replacing the restricted versions already there.
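Rather than waiting for the exception at login, it is worth checking up front whether the JRE can handle the key size the IdP chose. The following Java check is an added example, not code from the original post or from OpenSAML / Spring Security SAML: it parses the response, maps each xenc:EncryptionMethod algorithm URI to the AES key length it demands, and compares that with Cipher.getMaxAllowedKeyLength("AES"). The class and method names are assumptions, and the embedded response is a constructed trim of the one shown above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlKeySizeCheck {
    private static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    // Constructed sample: the response above trimmed to the elements this check inspects.
    static final String SAMPLE_RESPONSE =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Version=\"2.0\">"
      + "<EncryptedAssertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
      + "<xenc:EncryptedData xmlns:xenc=\"" + XENC + "\">"
      + "<xenc:EncryptionMethod Algorithm=\"" + XENC + "aes256-cbc\"/>"
      + "</xenc:EncryptedData></EncryptedAssertion></samlp:Response>";
    /** AES key length in bits demanded by an XML Encryption algorithm URI; -1 for key-transport or non-AES URIs. */
    static int requiredAesBits(String algorithm) {
        switch (algorithm) {
            case XENC + "aes128-cbc": return 128;
            case XENC + "aes192-cbc": return 192;
            case XENC + "aes256-cbc": return 256;
            default: return -1; // e.g. rsa-oaep-mgf1p on the EncryptedKey is not subject to the AES limit
        }
    }
    /** True if this JRE's jurisdiction policy permits every AES key size the response requires. */
    static boolean jreCanDecrypt(String samlXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The response comes from an external party: refuse DOCTYPE so entity expansion (XXE) cannot occur.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(samlXml.getBytes(StandardCharsets.UTF_8)));
        int maxAesBits = Cipher.getMaxAllowedKeyLength("AES"); // 128 with the restricted policy, Integer.MAX_VALUE with unlimited
        NodeList methods = doc.getElementsByTagNameNS(XENC, "EncryptionMethod");
        for (int i = 0; i < methods.getLength(); i++) {
            String alg = ((Element) methods.item(i)).getAttribute("Algorithm");
            int needed = requiredAesBits(alg);
            if (needed > maxAesBits) {
                System.out.printf("%s needs %d-bit keys; this JRE allows at most %d%n", alg, needed, maxAesBits);
                return false; // this is where XMLCipher.decryptToByteArray would throw "Illegal key size"
            }
        }
        return true;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(jreCanDecrypt(SAMPLE_RESPONSE) ? "OK" : "Install the JCE Unlimited Strength policy files");
    }
}
```

On JREs where the unlimited policy is already the default (Java 8u161 and later), getMaxAllowedKeyLength("AES") returns Integer.MAX_VALUE and the check passes without any download.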

Comments

  1. Type Writer says:

    Thanks for the help; this post was the first result when I searched on the exception in question, and your suggestion was exactly what I needed to do to solve my problem. Plus I like your blog name 🙂
