PROBLEM
When attempting to decrypt the SAML response from IdP, the following exception occurs:-
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size Original Exception was java.security.InvalidKeyException: Illegal key size at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822) at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:596) at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:795) at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535) at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453) at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414) at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
SOLUTION
When inspecting the SAML response payload below, the data is encrypted with AES-256:-
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://server/my-app/saml/SSO"
ID="_370d6ba5-177c-494b-9147-2eafd9ecb6c9"
InResponseTo="a5c5dja1i5fgb2bf2e66f6g9g5398gj"
IssueInstant="2016-02-18T15:28:43.473Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=server</ds:X509IssuerName>
<ds:X509SerialNumber>1822784706</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>isG83fVk50fJRIcg...</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>+b2o6HNxaxsse7rkB...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
</samlp:Response>
By default, Java’s keysize is limited to 128-bit key due to US export laws and a few countries’ import laws.
To fix this…
- Determine the Java version.
- Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files – Java 7 or Java 8.
- Inflate the zip file.
- Copy
local_policy.jarandUS_export_policy.jarto[JAVA_HOME]/jre/lib/security.
Advertisements
Thanks for the help; this post was the first result when I searched on the exception in question, and your suggestion was exactly what I needed to do to solve my problem. Plus I like your blog name 🙂