Sample code for 30+ languages & platforms
PureBasic

Decrypt a SAML Response

See more Encryption Examples

Demonstrates how to decrypt a SAML response.

Chilkat PureBasic Downloads

PureBasic
IncludeFile "CkBinData.pb"
IncludeFile "CkPrivateKey.pb"
IncludeFile "CkHttp.pb"
IncludeFile "CkXml.pb"
IncludeFile "CkCrypt2.pb"
IncludeFile "CkStringBuilder.pb"
IncludeFile "CkRsa.pb"

Procedure ChilkatExample()

    success.i = 0

    ; This example requires the Chilkat API to have been previously unlocked.
    ; See Global Unlock Sample for sample code.

    ; This example decrypts this SAML response:

    ; <?xml version="1.0" encoding="UTF-8" ?>
    ; <saml2p:Response Destination="https://deskflow-asp2.com/ubc/ubcdfe.dll/cwlacs" ID="_e4585eaeedbcaf7c24dff7f1ee2499f5" IssueInstant="2018-10-11T17:46:20.727Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    ;     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://authentication.stg.id.ubc.ca</saml2:Issuer>
    ;     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ;         <ds:SignedInfo>
    ;             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    ;             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    ;             <ds:Reference URI="#_e4585eaeedbcaf7c24dff7f1ee2499f5">
    ;                 <ds:Transforms>
    ;                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    ;                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    ;                 </ds:Transforms>
    ;                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    ;                 <ds:DigestValue>1ui22tqFyYEOoWI19CMwz4n+ynxNjLDGdTeRMdi60EU=</ds:DigestValue>
    ;             </ds:Reference>
    ;         </ds:SignedInfo>
    ;         <ds:SignatureValue>ROg7FXV6vsp8socVhdo76/i7cRHGGKIveAiScKdujZT0QrHVqIvvbZ/RnwvEMJ9H9i/kJFAQA171
    ; 		Eo2kDjSdvNFQ/YcKaJUwMtAwT05yVatGV42RZKEf7ME+vpcCTR1LWZdrhat1FWCg1MNQwNWB0EL5
    ; 		fEP2a4jAcSTB8tFbjTAHsv7IWC39E5RVv99mACYXLa7iGZLtORANZxgYu5qQgmH6pUkI6Z1cpmf+
    ; 		m9mIjKM6LF0EvLfWOBWL6udZ+GsHPOLjVTJg+1S0xb9FQCYDVW1QhbjSS0icKHKTNNbrsaxllVDY
    ; 		m4q27YQjRh+XxugPgvsZ61Pxlto8Jbg+6jUlMQ==</ds:SignatureValue>
    ;         <ds:KeyInfo>
    ;             <ds:X509Data>
    ;                 <ds:X509Certificate>MIIDTTCCAjWgAwIBAgIVAJccYyIV6wly8XyddumpgnHMJ2JLMA0GCSqGSIb3DQEBCwUAMCcxJTAj
    ; 			BgNVBAMMHGF1dGhlbnRpY2F0aW9uLnN0Zy5pZC51YmMuY2EwHhcNMTcwMzAxMTk1NDM0WhcNMzcw
    ; 			...
    ; 			xUuh6HuHKIwQqHBz7udxbH3Zbb6jXGDJjiDHt1LRJ8xbVisFIcDlIwsGQQi0HeEJfx4P</ds:X509Certificate>
    ;             </ds:X509Data>
    ;         </ds:KeyInfo>
    ;     </ds:Signature>
    ;     <saml2p:Status>
    ;         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    ;     </saml2p:Status>
    ;     <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    ;         <xenc:EncryptedData Id="_314d80b9cf02d8eda8d686a6ffd626cf" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    ;             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    ;             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ;                 <xenc:EncryptedKey Id="_d7b6da6fb59a627ebb4a96928441ab79" Recipient="https://ubcdfe.deskflow-asp2.com" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    ;                     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    ;                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    ;                     </xenc:EncryptionMethod>
    ;                     <ds:KeyInfo>
    ;                         <ds:X509Data>
    ;                             <ds:X509Certificate>MIICuzCCAiQCCQD3bpigRnKMSzANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCQ0ExEDAOBgNV
    ; 				BAgMB09udGFyaW8xEDAOBgNVBAcMB1Rvcm9udG8xJjAkBgNVBAoMHVRhY3RpY2FsIEJ1c2luZXNz
    ; 				...
    ; 				kVRcHd1UK3q7G8FoykWjdQz/0EoMTfEZ+Md56mLOe48eMUZV2ONZuL1kDCEKw1UwkaDQI4Pf8pzx
    ; 				82b9rgw9wBDtvu5eFPlUGEGIBw==</ds:X509Certificate>
    ;                         </ds:X509Data>
    ;                     </ds:KeyInfo>
    ;                     <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    ;                         <xenc:CipherValue>BNHfUOpgdPE5BgpN2VIZIDthMAv1rxk91qVnWyCZOG9bmUKChJtTUqMpndot7VJwYuyKFshkAdnT
    ; 				D79KGdlSA1xHKcVeZXXzDWglqSyYjzhDCsyOhPaI4HelMFgCLwyFz89uEpUpqlvfl8ol3Am/XnzQ
    ; 				Vp7V7oS76hocjUI51Qs=</xenc:CipherValue>
    ;                     </xenc:CipherData>
    ;                 </xenc:EncryptedKey>
    ;             </ds:KeyInfo>
    ;             <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    ;                 <xenc:CipherValue>R6l7tmbnXrOfBgB8lA3KnwLYsLH5ZO5omQ7Hp5K05atzw2o55xmCXVMYhNneFxMtxUh6raEyHeZX
    ; 			PTZNgWrvdqc4GYND/R7MhRrJzk9OAq1WyoOXwbtRpwNDwWA4N2IuprPQJbvjVxaw/PesZMZwZqlp
    ; 			...
    ; 			zm9zAxahyu8Ooe8M4r3HN2cY0JxxxkZtDiulbnyA+rRtXfBRJtangvFQ4iFAnzM/Yg9hMyW9jcu0
    ; 			S7FzuRB9ONMxi+nh0IFWgqp+</xenc:CipherValue>
    ;             </xenc:CipherData>
    ;         </xenc:EncryptedData>
    ;     </saml2:EncryptedAssertion>
    ; </saml2p:Response>

    ; The sample encrypted SAML response and RSA private key are available online:
    http.i = CkHttp::ckCreate()
    If http.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    sbSamlResponse.i = CkStringBuilder::ckCreate()
    If sbSamlResponse.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    sbPrivateKeyPem.i = CkStringBuilder::ckCreate()
    If sbPrivateKeyPem.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    success = CkHttp::ckQuickGetSb(http,"https://chilkatdownload.com/data/samlresponse.xml",sbSamlResponse)
    If success = 1
        success = CkHttp::ckQuickGetSb(http,"https://chilkatdownload.com/data/samlresponse_privkey.pem",sbPrivateKeyPem)
    EndIf

    If success = 0
        Debug CkHttp::ckLastErrorText(http)
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbSamlResponse)
        CkStringBuilder::ckDispose(sbPrivateKeyPem)
        ProcedureReturn
    EndIf

    xml.i = CkXml::ckCreate()
    If xml.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkXml::ckLoadSb(xml,sbSamlResponse,1)

    ; Load the RSA private key..
    privkey.i = CkPrivateKey::ckCreate()
    If privkey.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    success = CkPrivateKey::ckLoadPem(privkey,CkStringBuilder::ckGetAsString(sbPrivateKeyPem))
    If success = 0
        Debug CkPrivateKey::ckLastErrorText(privkey)
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbSamlResponse)
        CkStringBuilder::ckDispose(sbPrivateKeyPem)
        CkXml::ckDispose(xml)
        CkPrivateKey::ckDispose(privkey)
        ProcedureReturn
    EndIf

    ; Prepare an RSA object w/ the private key...
    rsa.i = CkRsa::ckCreate()
    If rsa.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    success = CkRsa::ckUsePrivateKey(rsa,privkey)
    If success = 0
        Debug CkRsa::ckLastErrorText(rsa)
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbSamlResponse)
        CkStringBuilder::ckDispose(sbPrivateKeyPem)
        CkXml::ckDispose(xml)
        CkPrivateKey::ckDispose(privkey)
        CkRsa::ckDispose(rsa)
        ProcedureReturn
    EndIf

    ; RSA will be used to decrypt the xenc:EncryptedKey
    ; The bytes to be decrypted are in xenc:CipherValue (in base64 format)
    encryptedAesKey.s = CkXml::ckGetChildContent(xml,"saml2:EncryptedAssertion|xenc:EncryptedData|ds:KeyInfo|xenc:EncryptedKey|xenc:CipherData|xenc:CipherValue")
    If CkXml::ckLastMethodSuccess(xml) <> 1
        Debug "Encrypted AES key not found."
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbSamlResponse)
        CkStringBuilder::ckDispose(sbPrivateKeyPem)
        CkXml::ckDispose(xml)
        CkPrivateKey::ckDispose(privkey)
        CkRsa::ckDispose(rsa)
        ProcedureReturn
    EndIf

    Debug "Encrypted AES key (base64) = " + encryptedAesKey

    bdAesKey.i = CkBinData::ckCreate()
    If bdAesKey.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkBinData::ckAppendEncoded(bdAesKey,encryptedAesKey,"base64")

    sbRsaAlg.i = CkStringBuilder::ckCreate()
    If sbRsaAlg.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkStringBuilder::ckAppend(sbRsaAlg,CkXml::ckChilkatPath(xml,"saml2:EncryptedAssertion|xenc:EncryptedData|ds:KeyInfo|xenc:EncryptedKey|xenc:EncryptionMethod|(Algorithm)"))
    Debug "sbRsaAlg contains: " + CkStringBuilder::ckGetAsString(sbRsaAlg)
    If CkStringBuilder::ckContains(sbRsaAlg,"rsa-oaep",1) = 1
        CkRsa::setCkPkcsPadding(rsa, 0)
    EndIf

    success = CkRsa::ckDecryptBd(rsa,bdAesKey,1)
    If success = 0
        Debug CkRsa::ckLastErrorText(rsa)
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbSamlResponse)
        CkStringBuilder::ckDispose(sbPrivateKeyPem)
        CkXml::ckDispose(xml)
        CkPrivateKey::ckDispose(privkey)
        CkRsa::ckDispose(rsa)
        CkBinData::ckDispose(bdAesKey)
        CkStringBuilder::ckDispose(sbRsaAlg)
        ProcedureReturn
    EndIf

    Debug "Decrypted AES key (hex) = " + CkBinData::ckGetEncoded(bdAesKey,"hex")

    ; Get the encrypted XML (in base64) to be decrypted w/ the AES key.
    encrypted64.s = CkXml::ckGetChildContent(xml,"saml2:EncryptedAssertion|xenc:EncryptedData|xenc:CipherData|xenc:CipherValue")
    If CkXml::ckLastMethodSuccess(xml) <> 1
        Debug "Encrypted data not found."
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbSamlResponse)
        CkStringBuilder::ckDispose(sbPrivateKeyPem)
        CkXml::ckDispose(xml)
        CkPrivateKey::ckDispose(privkey)
        CkRsa::ckDispose(rsa)
        CkBinData::ckDispose(bdAesKey)
        CkStringBuilder::ckDispose(sbRsaAlg)
        ProcedureReturn
    EndIf

    bdEncrypted.i = CkBinData::ckCreate()
    If bdEncrypted.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkBinData::ckAppendEncoded(bdEncrypted,encrypted64,"base64")

    ; Get the symmetric algorithm:  "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
    ; and set the symmetric decrypt properties.
    crypt.i = CkCrypt2::ckCreate()
    If crypt.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    sbAlg.i = CkStringBuilder::ckCreate()
    If sbAlg.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkStringBuilder::ckAppend(sbAlg,CkXml::ckChilkatPath(xml,"saml2:EncryptedAssertion|xenc:EncryptedData|xenc:EncryptionMethod|(Algorithm)"))
    If CkStringBuilder::ckContains(sbAlg,"aes128-cbc",1) = 1
        CkCrypt2::setCkCryptAlgorithm(crypt, "aes")
        CkCrypt2::setCkKeyLength(crypt, 128)
        CkCrypt2::setCkCipherMode(crypt, "cbc")
        ; The 1st 16 bytes of the encrypted data are the AES IV.
        CkCrypt2::ckSetEncodedIV(crypt,CkBinData::ckGetEncodedChunk(bdEncrypted,0,16,"hex"),"hex")
        CkBinData::ckRemoveChunk(bdEncrypted,0,16)
    EndIf

    ; Other algorithms, key lengths, etc, can be supported by checking for different Algorithm attribute values..

    CkCrypt2::ckSetEncodedKey(crypt,CkBinData::ckGetEncoded(bdAesKey,"hex"),"hex")

    ; AES decrypt...
    success = CkCrypt2::ckDecryptBd(crypt,bdEncrypted)
    If success = 0
        Debug CkCrypt2::ckLastErrorText(crypt)
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbSamlResponse)
        CkStringBuilder::ckDispose(sbPrivateKeyPem)
        CkXml::ckDispose(xml)
        CkPrivateKey::ckDispose(privkey)
        CkRsa::ckDispose(rsa)
        CkBinData::ckDispose(bdAesKey)
        CkStringBuilder::ckDispose(sbRsaAlg)
        CkBinData::ckDispose(bdEncrypted)
        CkCrypt2::ckDispose(crypt)
        CkStringBuilder::ckDispose(sbAlg)
        ProcedureReturn
    EndIf

    ; Get the decrypted XML
    decryptedXml.s = CkBinData::ckGetString(bdEncrypted,"utf-8")
    Debug "Decrypted XML:"
    Debug decryptedXml

    ; The decrypted XML looks like this:

    ; <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_226e565c548db7986d165d7d969b48b4" IssueInstant="2018-10-11T17:46:20.727Z" Version="2.0">
    ; ...
    ; ...
    ; ...
    ; </saml2:Assertion>

    xmlAssertion.i = CkXml::ckCreate()
    If xmlAssertion.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkXml::ckLoadXml(xmlAssertion,decryptedXml)

    ; Replace the saml2:EncryptedAssertion XML subtree with the saml2:Assertion XML.
    xmlEncryptedAssertion.i = CkXml::ckFindChild(xml,"saml2:EncryptedAssertion")
    CkXml::ckSwapTree(xmlEncryptedAssertion,xmlAssertion)
    CkXml::ckDispose(xmlEncryptedAssertion)

    ; The decrypted XML assertion has now replaced the encrypted XML assertion.
    ; Examine the fully decrypted XML document:
    Debug "Full XML SAML document with decrypted assertion:"
    Debug CkXml::ckGetXml(xml)


    CkHttp::ckDispose(http)
    CkStringBuilder::ckDispose(sbSamlResponse)
    CkStringBuilder::ckDispose(sbPrivateKeyPem)
    CkXml::ckDispose(xml)
    CkPrivateKey::ckDispose(privkey)
    CkRsa::ckDispose(rsa)
    CkBinData::ckDispose(bdAesKey)
    CkStringBuilder::ckDispose(sbRsaAlg)
    CkBinData::ckDispose(bdEncrypted)
    CkCrypt2::ckDispose(crypt)
    CkStringBuilder::ckDispose(sbAlg)
    CkXml::ckDispose(xmlAssertion)


    ProcedureReturn
EndProcedure