Category Archives: Misc

Design Pattern: Re-accommodate

WHAT

Forcefully evict a random entity from the system due to overcapacity problem caused by own fault. Then, spend countless of hours cleaning up the mess.

USAGE

Let’s assume your system has heap size problems and it is about to run out of memory because you implemented endless recursions or have too many running threads.

  1. Randomly select 4 entities (running processes) from the system.
  2. Ask each selected entity to voluntarily quit.
  3. If the chosen entity does not comply, forcefully evict it from the system.
  4. Clean up any data corruption.

WHEN TO USE IT

Only use this design pattern when building any software systems for United Airlines.

Java + SAML: Illegal Key Size

PROBLEM

When attempting to decrypt the SAML response from IdP, the following exception occurs:-

org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
	at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:596)
	at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:795)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
	at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
	at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
	at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
	at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)

SOLUTION

When inspecting the SAML response payload below, the data is encrypted with AES-256:-

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
        Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
        Destination="https://server/my-app/saml/SSO"
        ID="_370d6ba5-177c-494b-9147-2eafd9ecb6c9"
        InResponseTo="a5c5dja1i5fgb2bf2e66f6g9g5398gj"
        IssueInstant="2016-02-18T15:28:43.473Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=server</ds:X509IssuerName>
                                <ds:X509SerialNumber>1822784706</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>isG83fVk50fJRIcg...</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>+b2o6HNxaxsse7rkB...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>

By default, Java’s keysize is limited to 128-bit key due to US export laws and a few countries’ import laws.

To fix this…

  • Determine the Java version.
  • Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files – Java 7 or Java 8.
  • Inflate the zip file.
  • Copy local_policy.jar and US_export_policy.jar to [JAVA_HOME]/jre/lib/security.

There are no Limits…

Bruce had me up to three miles a day, really at a good pace. We’d run the three miles in twenty-one or twenty-two minutes. Just under eight minutes a mile [Note: when running on his own in 1968, Lee would get his time down to six-and-a-half minutes per mile].

So this morning he said to me “We’re going to go five.”

I said, “Bruce, I can’t go five. I’m a helluva lot older than you are, and I can’t do five.”

He said, “When we get to three, we’ll shift gears and it’s only two more and you’ll do it.”

I said “Okay, hell, I’ll go for it.”

So we get to three, we go into the fourth mile and I’m okay for three or four minutes, and then I really begin to give out.

I’m tired, my heart’s pounding, I can’t go any more and so I say to him, “Bruce if I run any more,” — and we’re still running — “if I run any more I’m liable to have a heart attack and die.” He said, “Then die.” It made me so mad that I went the full five miles.

Afterward I went to the shower and then I wanted to talk to him about it. I said, you know, “Why did you say that?” He said, “Because you might as well be dead. Seriously, if you always put limits on what you can do, physical or anything else, it’ll spread over into the rest of your life. It’ll spread into your work, into your morality, into your entire being. There are no limits. There are plateaus, but you must not stay there, you must go beyond them. If it kills you, it kills you. A man must constantly exceed his level.

– The Art of Expressing the Human Body by Bruce Lee and John Little