Getting error while decryptition of Saml token

Question

I am getting error while decryption of saml token. However this issue is not consistent it works after restarting server. It was working properly till last night :(

DEBUG Decrypter:631 - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed:
        org.opensaml.xml.encryption.DecryptionException: Probable runtime exception on decryption:unknown parameter type.
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:705)
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
            at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
            at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
            at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
            at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
            at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
            at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
            at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
            at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)
        Caused by: java.lang.IllegalArgumentException: unknown parameter type.
            at org.bouncycastle.jce.provider.JCERSACipher.engineInit(Unknown Source)
            at javax.crypto.Cipher.implInit(Cipher.java:791)
            at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
            at javax.crypto.Cipher.init(Cipher.java:1348)
            at javax.crypto.Cipher.init(Cipher.java:1282)
            at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
            ... 41 more
        09:21:51,120 ERROR Decrypter:639 - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
        09:21:51,120 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey faile

Earlier I was getting invalide key size error which I fixed with the help of Spring SAML ADFS: java.security.InvalidKeyException. However I am not sure whether it will have any impact on US security policy law.

But this decrypt exception is not getting resolved and its not consistent. Some time it starts working after restarting server.

I tried each and everything in last 2-3 days. I thought issue occurs after metadata refresh so I tried adding below property to ResourceBackedMetadataProvider bean but no luck.

<property name="parserPool" ref="parserPool"/>
<property name="minRefreshDelay" value="120000"/>
<property name="maxRefreshDelay" value="300000"/>

Then i debug WebSSOProfileConsumerImpl.java code thought this mught be the issue related to jira so I checkout the latest code and create new jar and added to my project but no luck.

Answer 1

After spending one week in debugging and googling, I have decide to fix this issue with a little hack.

I checked out Spring-Saml source code from Master branch of gitHub Repository and build jar and import it into my project. I thought this SES-144 issue is similar to mine, so I tried with latest code but no luck.

So I decided to to debug xmlTooling.jar code and find the exact point of failure and overwrote the below method decryptKey(EncryptedKey encryptedKey, String algorithm) in XMLCipher.java with below code.

Cipher c = constructCipher(encryptedKey.getEncryptionMethod()
                    .getAlgorithm(), encryptedKey.getEncryptionMethod()
                    .getDigestAlgorithm());

Instead of calling 
    c.init(4, key, oaepParameters);
used below code and removed if/else block
    c.init(4, key);

You can checkout the custom jars from github

You need to update your saml dependency with below lines in pom.xml file to use this custom jar

<dependency>
    <groupId>org.springframework.security.extensions</groupId>
    <artifactId>spring-security-saml2-core</artifactId>
    <version>1.0.1.RELEASE</version>

    <exclusions>
            <exclusion>
                    <artifactId>xmlsec</artifactId>
                    <groupId>org.apache.santuario</groupId>
            </exclusion>
    </exclusions>
</dependency>

<dependency>
    <artifactId>xmlsec</artifactId>
    <groupId>org.apache.santuario</groupId>
    <version>1.5.6-custom</version>
</dependency>

If anyone find better solution please let me know.