Category Archives: Misc

Design Pattern: Re-accommodate

WHAT

Forcefully evict a random entity from the system due to overcapacity problem caused by own fault. Then, spend countless of hours cleaning up the mess.

USAGE

Let’s assume your system has heap size problems and it is about to run out of memory because you implemented endless recursions or have too many running threads.

  1. Randomly select 4 entities (running processes) from the system.
  2. Ask each selected entity to voluntarily quit.
  3. If the chosen entity does not comply, forcefully evict it from the system.
  4. Clean up any data corruption.

WHEN TO USE IT

Only use this design pattern when building any software systems for United Airlines.

Advertisements

Java + SAML: Illegal Key Size

PROBLEM

When attempting to decrypt the SAML response from IdP, the following exception occurs:-

org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
	at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:596)
	at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:795)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
	at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
	at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
	at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)

SOLUTION

When inspecting the SAML response payload below, the data is encrypted with AES-256:-

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
        Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
        Destination="https://server/my-app/saml/SSO"
        ID="_370d6ba5-177c-494b-9147-2eafd9ecb6c9"
        InResponseTo="a5c5dja1i5fgb2bf2e66f6g9g5398gj"
        IssueInstant="2016-02-18T15:28:43.473Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=server</ds:X509IssuerName>
                                <ds:X509SerialNumber>1822784706</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>isG83fVk50fJRIcg...</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>+b2o6HNxaxsse7rkB...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>

By default, Java’s keysize is limited to 128-bit key due to US export laws and a few countries’ import laws.

To fix this…

  • Determine the Java version.
  • Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files – Java 7 or Java 8.
  • Inflate the zip file.
  • Copy local_policy.jar and US_export_policy.jar to [JAVA_HOME]/jre/lib/security.

TurboTax… FAIL

As I was filing my taxes today, I stumbled upon this bug in TurboTax.

turbotax-error

Although this may not be a fatal bug, as a consumer of the product, I can only wonder how many more bugs that are left uncovered and whether or not my taxes are done correctly this year.

turbotax-morpheus

The moral of the story is… always write test cases and automate the test executions.

Yes, single-page apps are getting very popular these days, but that doesn’t give you the excuse for not testing your client-side code.

If you write code, whether it is server-side code or client-side code, you have to write test cases… end of story.