
Error/Exception while marshalling signed and encrypted response OpenSAML v3


I have been using OpenSaml V2 for a while, which has been working well, and I recently started the migration. Due to the lack of information, even from the OpenSaml V3 book I have recently purchased, I am having some issues with a few things that were working fine with V2.

I have been using the following method to encrypt the Assertion. This method seems to be working fine.

    import org.opensaml.saml.saml2.core.Assertion;
    import org.opensaml.saml.saml2.core.EncryptedAssertion;
    import org.opensaml.saml.saml2.encryption.Encrypter;
    import org.opensaml.security.credential.Credential;
    import org.opensaml.security.credential.CredentialSupport;
    import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
    import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
    import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;

    private EncryptedAssertion createEncryptedAssertion(Assertion assertion) throws SamlException {
        try {
            // Credential whose public key wraps the generated content-encryption key
            Credential keyEncryptionCredential = CredentialSupport.getSimpleCredential(this.encryptingCertificate, this.encryptingPrivateKey);

            // Symmetric algorithm used to encrypt the Assertion element itself
            DataEncryptionParameters encryptionParameters = new DataEncryptionParameters();
            encryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);

            // Key transport algorithm used to wrap the AES key for the recipient
            KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
            keyEncryptionParameters.setEncryptionCredential(keyEncryptionCredential);
            keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);

            Encrypter samlEncrypter = new Encrypter(encryptionParameters, keyEncryptionParameters);
            // INLINE places the EncryptedKey inside the EncryptedData's KeyInfo
            samlEncrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);

            return samlEncrypter.encrypt(assertion);
        }
        catch (Exception e) {
            throw new SamlException(e);
        }
    }

The problem I am having happens when I try to marshall my response with the encrypted assertion, using the following method:

    import java.io.StringWriter;
    import javax.xml.transform.OutputKeys;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;
    import net.shibboleth.utilities.java.support.xml.ParserPool;
    import org.opensaml.core.xml.XMLObject;
    import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
    import org.opensaml.core.xml.io.Marshaller;
    import org.opensaml.core.xml.io.MarshallerFactory;
    import org.w3c.dom.Element;

    public String marshall(XMLObject xmlObject, boolean encode) throws SamlException {
        try {
            ParserPool parserPool = XMLObjectProviderRegistrySupport.getParserPool();
            MarshallerFactory marshallerFactory = XMLObjectProviderRegistrySupport.getMarshallerFactory();
            Marshaller marshaller = marshallerFactory.getMarshaller(xmlObject);
            if (marshaller == null) {
                throw new SamlException("Unable to locate marshaller for " + xmlObject.getElementQName()
                                        + " can not perform marshalling operation");
            }

            // Marshal into a fresh DOM document, reusing the marshaller looked up above
            Element element = marshaller.marshall(xmlObject, parserPool.newDocument());

            // Note: indenting inserts whitespace text nodes into the DOM; inside a signed
            // element that changes the canonical form, so serialize signed content un-indented
            Transformer transformer = TransformerFactory.newInstance().newTransformer();
            transformer.setOutputProperty(OutputKeys.INDENT, "yes");
            transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "3");

            StreamResult result = new StreamResult(new StringWriter());
            DOMSource source = new DOMSource(element);

            transformer.transform(source, result);
            String xmlString = result.getWriter().toString();

            if (encode) {
                //return Util.base64EncodeMessage(xmlString);
            }
            return xmlString;
        }
        catch (Exception e) {
            throw new SamlException(e);
        }
    }

When I try to marshall my response with encrypted assertion, I get the following exception:

    Caused by: org.opensaml.core.xml.io.MarshallingException: Unable to root namespaces of cached DOM element, {http://www.w3.org/2001/04/xmlenc#}EncryptionMethod
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.prepareForAdoption(AbstractXMLObjectMarshaller.java:427)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:144)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:271)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:212)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:162)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:271)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:212)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:162)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:271)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:212)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:162)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:271)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:212)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:162)
    at org.opensaml.saml.common.AbstractSAMLObjectMarshaller.marshall(AbstractSAMLObjectMarshaller.java:65)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:271)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:212)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:118)
    at org.opensaml.saml.common.AbstractSAMLObjectMarshaller.marshall(AbstractSAMLObjectMarshaller.java:57)
    at com.divinvest.sso.opensaml.SamlAssertionProducerV2.marshall(SamlAssertionProducerV2.java:171)
    ... 25 more
    Caused by: org.w3c.dom.DOMException: Unable to resolve namespace prefix ds found on element {http://www.w3.org/2000/09/xmldsig#}DigestMethod
    at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:247)
    at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:295)
    at net.shibboleth.utilities.java.support.xml.NamespaceSupport.rootNamespaces(NamespaceSupport.java:200)
    at org.opensaml.core.xml.io.AbstractXMLObjectMarshaller.prepareForAdoption(AbstractXMLObjectMarshaller.java:422)
    ... 44 more

Am I missing anything in the marshall method? I can marshall my response objects with a signed assertion or a signed response, but when the assertion is encrypted, I am not able to.

Thank you


Solution

  • The issue was that xmltooling was bringing in the wrong xmlsec version (1.5.7); I had to include an exclusion in order to use xmlsec 2.0.5, which is the version used by opensaml-security-api.
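The exclusion described in the solution, written out as a Maven fragment. This is an added example, not the poster's own pom.xml. The artifact coordinates are the standard published ones (org.opensaml:xmltooling, org.apache.santuario:xmlsec, org.opensaml:opensaml-security-api); the opensaml-security-api and xmltooling versions are placeholders, since the page does not state them.

```xml
<!-- Added example (not from the original post): dependency section that keeps the
     OpenSAML v2-era xmltooling on the classpath during migration while forcing the
     xmlsec version that opensaml-security-api expects. -->
<dependencies>
  <!-- OpenSAML v3 security API; depends transitively on xmlsec 2.0.5 -->
  <dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-security-api</artifactId>
    <version>OPENSAML_VERSION_PLACEHOLDER</version> <!-- set to your OpenSAML 3.x version -->
  </dependency>

  <!-- Legacy xmltooling still needed by un-migrated code. Its transitive xmlsec 1.5.7
       must be excluded, otherwise Maven's nearest-wins resolution can pick it. -->
  <dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>xmltooling</artifactId>
    <version>XMLTOOLING_VERSION_PLACEHOLDER</version> <!-- set to the version you already use -->
    <exclusions>
      <exclusion>
        <groupId>org.apache.santuario</groupId>
        <artifactId>xmlsec</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Pin the XML Security library explicitly rather than relying on whichever
       transitive copy happens to win; it performs the signature and encryption work. -->
  <dependency>
    <groupId>org.apache.santuario</groupId>
    <artifactId>xmlsec</artifactId>
    <version>2.0.5</version>
  </dependency>
</dependencies>
```

After changing the pom, confirm that only one xmlsec version remains with `mvn dependency:tree -Dincludes=org.apache.santuario:xmlsec`; a tree that still lists 1.5.7 under any path means another dependency needs the same exclusion. Pinning the library that implements XML Signature and XML Encryption directly also makes it visible to dependency auditing, instead of being hidden behind a transitive declaration.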