Subject: Decryption of SAML Token Fails: Failed to decrypt xml
Date: 2020-08-27 13:10:00
From: sstewart
Source: decryption-saml-token-fails-failed-decrypt-xml
----------------------------------------------------------------------

Hi.  I'm trying to integrate the SAML tools into my project but I've run into a case where the decrypt of an assertion fails every time.  If I encrypt tokens with ComponentPro, then it works.  But when I use the same key with the encrypter at SAMLTools.com, ComponentPro will not decrypt.

So here's the SAML token:

    
	https://fakeurl:443
	
		
		
	
	
		https://fakeurl:443
		
			xxxxxxx
			
				
			
		
		
			
				https://sso.example.com/client/cust
			
		
		
			
				urn:oasis:names:tc:SAML:2.0:ac:classes:Password
			
		
		
			
				55555555555
			
		
	


Here are the public and private keys for my cert (this is a self-signed cert):

    -----BEGIN PRIVATE KEY-----
    MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANZMEJ43RE4R2P+v
    BVQsjFHTbyuCEQgssCTRdoYR670ocHtMIQo9yMbAVhRw2P9Yz90SLH0ui158VNog
    kBDDlYr5dnZ36bxZPCYebgJYp4EcMw5wEn3DwVqBTSWJg4GkytWgnQbDzFlyg6pl
    a/8mRzVdp2r3Z55thhA6S+VPOP/PAgMBAAECgYEAxuY61l69iyiNnGM6MvJWGux/
    1oYWgNvZcZLoy29+ukb6f7YdRIAsBi0muDo1bmtkIvBnUpkMylnj98EZdjXSaUMO
    Od/1yYtChOpPljCx/z/EpgHtoj/QCE8s/mgJCSE558JzDYb4Ss8YMAnSS3RGZ7W2
    XpfbfzbNMd6ubt24xoECQQD9nclN8KvpvzyZbq1tLO+/1Lis7orJYCnXqnGMFX4N
    y9xFzUMQyu71A6rTvxHENXnXWVtLQIEpMclxkfktWWwfAkEA2E+srvLp0CaIzXvn
    YKUkYnaEvHEd94ZpC1Hf7FyvwxbXTB7EpnkeGTjTiewADvNDLOOQ2ZR1FQGRBiud
    dvj2UQJAD8rwiyLugZq/+knzELZYo5hqe5JLICkV0fEyKuf3toI4UDxs7bHFWYqF
    67OdNpuh37AXyELXCCqqgaD2ZEWKPwJAErbh88jkXbPXxh9gJ0ZiXXpvhXYr54xj
    bi1JOEPUmQZS3i0TSmvUJM57zsTyRFjbiPivQYPMlWKrT2Nanj5v4QJBAM8Ej1EB
    1tMOtP1P9BGkgogJpajEBg2ZIJyom94MfdfiCxJWFX0MxO2A+02eiuJy71UbAKmy
    Mzf/hwQRvIY+kZE=
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIICzjCCAjegAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBgzELMAkGA1UEBhMCdXMx
    EDAOBgNVBAgMB0dlb3JnaWExGDAWBgNVBAoMD1BheUdvIFV0aWxpdGllczEdMBsG
    A1UEAwwUcWEucGF5Z29lbGVjdHJpYy5jb20xEzARBgNVBAcMCkFscGhhcmV0dGEx
    FDASBgNVBAsMC0RldmVsb3BtZW50MB4XDTE5MDMyMjE3MzczMVoXDTI5MDMxOTE3
    MzczMVowgYMxCzAJBgNVBAYTAnVzMRAwDgYDVQQIDAdHZW9yZ2lhMRgwFgYDVQQK
    DA9QYXlHbyBVdGlsaXRpZXMxHTAbBgNVBAMMFHFhLnBheWdvZWxlY3RyaWMuY29t
    MRMwEQYDVQQHDApBbHBoYXJldHRhMRQwEgYDVQQLDAtEZXZlbG9wbWVudDCBnzAN
    BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1kwQnjdEThHY/68FVCyMUdNvK4IRCCyw
    JNF2hhHrvShwe0whCj3IxsBWFHDY/1jP3RIsfS6LXnxU2iCQEMOVivl2dnfpvFk8
    Jh5uAlingRwzDnASfcPBWoFNJYmDgaTK1aCdBsPMWXKDqmVr/yZHNV2navdnnm2G
    EDpL5U84/88CAwEAAaNQME4wHQYDVR0OBBYEFL6UL/tUmVHoOa22gVifuiIzslh3
    MB8GA1UdIwQYMBaAFL6UL/tUmVHoOa22gVifuiIzslh3MAwGA1UdEwQFMAMBAf8w
    DQYJKoZIhvcNAQENBQADgYEAeL7FRJDmO3N70R6T0sLiBOE/Xn1iu7DI/+T8s2A0
    4D6zGgzNzcq54NJhKzU3jW52ZfF9GcA8vLTsaZ0AjE/3Yc8c3Av5eqvm1HlpzTiE
    XtO2tEHCCqJ7D8Bw0T+pqpVYeLfXZcxf8+Lew6wNDD1DcJOdjU8tTDbKfTB+ine4
    0vE=
    -----END CERTIFICATE-----

I go to https://www.samltool.com/encrypt.php, plug in the above SAML token, use the public cert as posted above, select RSA_OAEP_MGF1P for key encryption and AES128_CBC for the data encryption, with "Tag to replace" set to saml:Assertion and "Tag with encrypted data" set to saml:EncryptedAssertion.


When I encrypt I get the following result:

    
    	https://fakeurl:443
    	
    		
    		
    	
    	
    hbB4l9B2ULwMJ3huXbcHfAZrq8J6Vn8FH17p1ujLSA4MrFpQvBgLCx8JvDiWR7SFLJo7DRImXGsZB+JfacU4hG45E1q7ghjjADgCXAXGdESVrtc3/7YAkHaVtagXGlGjUAVXs74LAHaMuZT2p0L3JvaT08BTTrMgdd9c2Mei8Rc=
       
          7c+UcndH26vz2S+s+mSE2sJ+JOdTtE0mK+lP++kNKMJBz+K5X0J7EOzh3bx2zTTZIcrH5Lox0T9W+y+c7eeUbH5gugoK/BI2HbXLt05NLSCQCgO5xLyCffjKsiPFlf7TO/iOL9S+dONvuNIFfxRawoA5bvNWJU1D1B4QkVUcXOPzXxZXrMEjOka7ol6wRQxhaVOg7yCPGfej6bIaaySEFl2PhorQUsG+YLrCl0ZUlNttp/B3cHP1MSwqbiLbuEDClSfxrXS+/IbiGIAzpIk7MBhOoD2RXRcNCZ8YMIHss47rQL5lkKFSxpuJ4yGvx4a8EVRhvmsoTKKim6ItoUAJbhNXoEkzLS6iKe3LO0SwhsOtN5L/y/5ilYN5aso4u1tK3Q9AIu8fPyIudd7DEXLzndiyxDTBfBTwgEh34v4+5Bpts5/COmuyiSdMDJZfWZ/s2Zx23BIX1gXq5PQcD9KmuNvQ2Mw4rhX8RLkhEZHALxtEItFBcvxHVMdmzS2SWVFA1sNUUC074mZpCQnVfbnombjt+vnDoDxjx1WoO5mqVAumUJ8zmFGNmrhKaALMOCKyQ/3Z57DEnoQIt0I8pU5I9u9a/Kon/EF+quFiuW5YUl/5J7LIu5JXac3Pa9F1cS4aUgcVqZz19JIPXxGf7AwYywsXtl2AUmWN7qPd1buL8HvWj5b3GGxghw2oBogWt64JZb5evRCaBGsTLUa8OL7qWGCjARDfujthVhm/AvwErPiwpVLllMtJyK1WrNSCrUCyFeazAjtmX+cdwDn2YQYrSVV+yJVsZEtXOEJS/HZuLtHjQnPWqnCjX2Rin2FNfLPJ80zDboNEE4xgCYWLhnF8Xp4L0/dt3+MB81LZX1lb8c6H40QsHYZSg9jNT71SUm0wf2JvT91NutiJGvBrJEmvFVY1IL7zDsaDfZMm3wZ+8uUEIwYJz3s/jkBwk9HDtV5YJSJJgEN5HTxNhec+/Gboy8LP61yBOlQHXisJjANAweYQiDvnG+0NLsYKJhsZbze8TFukR7/3lJvvPi4M5Z1DUHuWjL466o09k8okoQRax7hiXNCMj895sJBgwG7rQqukfJJaZOc3zEouyWvdXqQ6/G+OhaxIJCOVfwbVDwW0tw0XQP0YVLz5LOv04FJh+Lck+fdGVXJ1oqz39Ygy05a1bVWwpBbnZ77QOsiHhO3EVVpIKW+s+jXCEY3LoH/fB4uNQty34BJG5EDqOZcixvFxpavuNHNkElSZD8FVMZkR7OruBca37xCRiZr22f6curJg8v7RV/Ps0T/h2JAPJd511UlyfqBz49QnMAqOAMLfaOXLgGwd5fZhdn2gv0nfQ0nw8aRVLyb/YAUhRcvjhLCtCNxwwvhIxTiuE1HUSuPXYakdJ1u+Ks16Hgb13qCAx38bnpGlotvRzo6yVylWgUGF/UUBxIj5UdrstVN8YNu/BhYItm7grn5KRfdXwsNPVOB+GrP/c0cgsYFCxw3pQ9syjKsKGmpt6Jg3CDbuCXCnre4hfK20SYW4JYeV8Cq6CW4057p53Qfl2DjhfUdxQdMZKPqacXpz/WpK8Z/0hyyO/tlJiYy4Q3KEGv8mA4a/0kCifEAzWar6r26UbWdfRZvJLLh9sVrKbfEWaO1EoTnQ5DAQ+rJ4y3rXwstWlGhpLqXcWshNsgkzb0Vn5RUsYorv6f9mzs1Yr25g9SbnlLrymSxS2oWc5i59suaYr907rhd+RuXnvjxAmuJ+xrw/J5Tg6t14KNH+7Ecu5HmEXLkEqYqALRy5S9YRa6yr2lX5CSD4YzzbAwJyJGNqqpmCfPDKMwNdUg6ps3A7cUAylQ1cuI7M3oiWETqkAvjmka5gt0XAfpLpCb0KXdoBtcJwI9ej09WMzyIWlwh37rjvrcNWy3r7WLG1hPaIa4OVP0RMy082AHzqSt1LrjwEr39e/zBRSgtBVGxKrHBoag29HzhDB65beIcolWL3K0ReOxVK2Sg/tMfpSW
0JeBa1JS2iYyATjBv7ITYN6wuljMG9JVeUm+0=
       
    

When I take that result and run the following code:

    using System.Security.Cryptography.X509Certificates;
    using System.Xml;
    using ComponentPro.Saml2;

    // xml holds the encrypted response text shown above
    var doc = new XmlDocument { PreserveWhitespace = true };
    doc.LoadXml(xml);

    var samlResponse = new ComponentPro.Saml2.Response(doc.DocumentElement);
    EncryptedAssertion encryptedAssertion = samlResponse.GetEncryptedAssertions()[0];

    var myCert = new X509Certificate2("qa.pfx"); // Same cert as used above, just in pfx format

    // Decrypt the encrypted assertion.
    var assertion = encryptedAssertion.Decrypt(myCert);


That throws an exception:

    Type: ComponentPro.Saml.SamlException
    Message: Failed to decrypt xml.
    Inner Exception: NULL
    StackTrace:
     at ComponentPro.Saml.SamlUtil.Decrypt(XmlElement encryptedElement, XmlNodeList encryptedKeysNodeList, AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod)
       at ComponentPro.Saml.SamlUtil.Decrypt(XmlElement encryptedElement, XmlNodeList encryptedKeysNodeList, X509Certificate2 x509Certificate, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod)
       at ComponentPro.Saml2.EncryptedAssertion.DecryptToXmlElement(X509Certificate2 x509Certificate, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod)
       at ComponentPro.Saml2.EncryptedAssertion.Decrypt(X509Certificate2 x509Certificate, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod)
       at ComponentPro.Saml2.EncryptedAssertion.Decrypt(X509Certificate2 x509Certificate)
       at XMLEncrypt.TestComponentPro.DecryptXMLFile(String xml, String certCN) in C:\Users\...


How do I coerce the SAML tool to decrypt this Assertion?  

For the record, https://www.samltool.com/decrypt.php is fully capable of decrypting the pasted encrypted assertion only needing the private key.

What am I missing? What can I do?  Thank you.
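As an added cross-check (example code written for this page, not the poster's code and not ComponentPro's API), the following decrypts a saml:EncryptedAssertion with the .NET built-in System.Security.Cryptography.Xml classes, so the RSA-OAEP-MGF1P key unwrap and the AES-128-CBC payload decryption can be tested independently of the vendor library. It assumes the encrypted response text has been loaded into an XmlDocument and that qa.pfx (with whatever password it was exported with) is the same self-signed certificate; the class and method names, and the `xml` and `pfx-password` placeholders in the usage comment, are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

// Added example: decrypts a saml:EncryptedAssertion with the .NET built-in
// XML Encryption classes, independently of ComponentPro. Class and method
// names here are this example's own, not ComponentPro's API.
public static class SamlAssertionDecryptor
{
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    private const string XencNs = "http://www.w3.org/2001/04/xmlenc#";

    // Reports which algorithm URIs the producer actually wrote, so a mismatch with
    // what the consumer expects (e.g. rsa-oaep-mgf1p vs rsa-1_5) is visible before
    // any decryption is attempted.
    public static (string keyAlgorithm, string dataAlgorithm) DescribeAlgorithms(XmlDocument doc)
    {
        var (encryptedData, encryptedKey) = Locate(doc);
        return (encryptedKey.EncryptionMethod.KeyAlgorithm, encryptedData.EncryptionMethod.KeyAlgorithm);
    }

    public static XmlElement DecryptEncryptedAssertion(XmlDocument doc, X509Certificate2 cert)
    {
        var (encryptedData, encryptedKey) = Locate(doc);

        // Only inline CipherValue is accepted; a CipherReference would make the
        // decryptor fetch ciphertext from an attacker-chosen URI.
        byte[] wrappedKey = encryptedKey.CipherData.CipherValue
            ?? throw new InvalidOperationException("EncryptedKey uses a CipherReference; only inline CipherValue is supported.");

        // Step 1: unwrap the symmetric session key with the RSA private key.
        // The OAEP flag must follow the EncryptedKey's own EncryptionMethod.
        bool useOaep = encryptedKey.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl;
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("Certificate has no RSA private key.");
        byte[] sessionKey = EncryptedXml.DecryptKey(wrappedKey, rsa, useOaep);

        // Step 2: decrypt the payload. EncryptedXml reads the IV from the front of the
        // CipherValue and applies CBC with ISO 10126 padding, as XML Encryption specifies.
        // The unwrapped key length is checked against the aes128-cbc algorithm URI.
        if (encryptedData.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncAES128Url && sessionKey.Length != 16)
            throw new CryptographicException($"Unwrapped key is {sessionKey.Length} bytes, expected 16 for aes128-cbc.");
        using SymmetricAlgorithm aes = Aes.Create();
        aes.Key = sessionKey;
        byte[] plaintext = new EncryptedXml(doc).DecryptData(encryptedData, aes);

        // Step 3: parse the recovered bytes back into a saml:Assertion element.
        var assertionDoc = new XmlDocument { PreserveWhitespace = true };
        assertionDoc.LoadXml(Encoding.UTF8.GetString(plaintext));
        return assertionDoc.DocumentElement;
    }

    // Finds xenc:EncryptedData under saml:EncryptedAssertion and the xenc:EncryptedKey,
    // either nested in its ds:KeyInfo or placed as a sibling; both layouts are valid.
    private static (EncryptedData, EncryptedKey) Locate(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("xenc", XencNs);

        var dataElement = doc.SelectSingleNode("//saml:EncryptedAssertion/xenc:EncryptedData", ns) as XmlElement
            ?? throw new InvalidOperationException("No xenc:EncryptedData under saml:EncryptedAssertion.");
        var keyElement = dataElement.SelectSingleNode(".//xenc:EncryptedKey", ns) as XmlElement
            ?? dataElement.ParentNode.SelectSingleNode("xenc:EncryptedKey", ns) as XmlElement
            ?? throw new InvalidOperationException("No xenc:EncryptedKey found.");

        var encryptedData = new EncryptedData();
        encryptedData.LoadXml(dataElement);
        var encryptedKey = new EncryptedKey();
        encryptedKey.LoadXml(keyElement);
        return (encryptedData, encryptedKey);
    }
}

// Usage (xml = the encrypted response text; qa.pfx = the same self-signed cert;
// "pfx-password" is a placeholder for the export password):
// var doc = new XmlDocument { PreserveWhitespace = true };
// doc.LoadXml(xml);
// var cert = new X509Certificate2("qa.pfx", "pfx-password");
// var (keyAlg, dataAlg) = SamlAssertionDecryptor.DescribeAlgorithms(doc);
// XmlElement assertion = SamlAssertionDecryptor.DecryptEncryptedAssertion(doc, cert);
```

Because EncryptedXml raises the underlying CryptographicException instead of a generic "Failed to decrypt xml" with a null inner exception, running this against the samltool.com output shows whether the RSA-OAEP key unwrap (step 1) or the AES-128-CBC payload decryption (step 2) is the step that fails, and DescribeAlgorithms confirms which algorithm URIs the producer actually put in the document before the private key is touched at all.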

----------------------------------------------------------------------

Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand
If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor
who sold you the license and ask for your money back.