Failure decrypting Data: RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error


I am trying to decrypt the SAMLResponse I get from an IdP called NemLogin but I get the error:

Failure decrypting Data (openssl private) - error:04099079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error

I have a private key and an X509 certificate issued by the IdP owner and their modulus match. I have connected and authorized on the IdP and it now returns to my site with a SAMLResponse.

I am using the PHP-Saml library and the padding is set by the robrichards/xmlseclibs library by the type:

case (self::RSA_OAEP):
  $this->cryptParams['library'] = 'openssl';
  $this->cryptParams['padding'] = OPENSSL_PKCS1_OAEP_PADDING;
  $this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#rsa-oaep';
  $this->cryptParams['hash'] = 'http://www.w3.org/2009/xmlenc11#mgf1sha1';

I can see it fails on the http://www.w3.org/2009/xmlenc11#rsa-oaep part. Here's the response:

<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" [...]>
  <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[...]</Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"
                        xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"/>
          </xenc:EncryptionMethod>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <o:SecurityTokenReference
              xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <X509Data>
                <X509IssuerSerial>
                  <X509IssuerName>[...]</X509IssuerName>
                  <X509SerialNumber>[...]</X509SerialNumber>
                </X509IssuerSerial>
              </X509Data>
            </o:SecurityTokenReference>
          </KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>[...]</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>[...]</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</Response>

I don't know whether my metadata is relevant but here it goes:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2023-09-18T19:22:04Z" cacheDuration="PT604800S" entityID="https://saml.my-site.dk">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[...]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[...]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my-site.localhost/saml/sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-site.localhost/saml/acs" index="1"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Ignored</md:ServiceName>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/specVersion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute Name="https://data.gov.dk/concept/core/nsis/loa" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/professional/orgName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute Name="https://data.gov.dk/model/core/eid/professional/cvr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Anders Revsgaard On

The SAML2 response is decrypted with your private key. Your corresponding public key is registered in NemLog-in.

NemLog-in defaults to an encryption method not supported by .NET; maybe the same goes for the PHP-Saml library. In FoxIDs the supported encryption methods http://www.w3.org/2001/04/xmlenc#aes256-cbc and http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p are included in the metadata.

Like this:

<m:KeyDescriptor use="encryption">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName>pAK7Fykprg0K2mL2hkMpw13ClIM=</KeyName>
    <X509Data>
      <X509Certificate>MIIGOjCC ...xxx... oJu0i56xDA=</X509Certificate>
    </X509Data>
  </KeyInfo>
  <m:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <m:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
</m:KeyDescriptor>

Metadata example from a FoxIDs NemLog-in test configuration: https://foxids.com/test-corp/nemlogin-test/.nemlogin./saml/spmetadata
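
The parameter mismatch behind this error, as an added example (not code from the posts, PHP-Saml or xmlseclibs): a Python check that reads the `EncryptedData`/`EncryptedKey` algorithm URIs and lists the ones a decryptor fixed to OAEP with a SHA-1 digest and MGF1-SHA1 cannot handle. It assumes such a SHA-1-only decryptor, which is what OpenSSL's default PKCS#1 OAEP padding mode implements; the function names and the constructed sample are illustrative.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1 = DS + "sha1"               # XML Encryption default when DigestMethod is absent
MGF1_SHA1 = XENC11 + "mgf1sha1"  # default MGF, and the fixed one for rsa-oaep-mgf1p
OAEP_URIS = {XENC + "rsa-oaep-mgf1p", XENC11 + "rsa-oaep"}

# Constructed sample: the EncryptedData skeleton from the question, values elided.
SAMPLE = f"""<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <xenc:EncryptionMethod Algorithm="{XENC11}aes256-gcm"/>
  <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="{XENC11}rsa-oaep">
      <ds:DigestMethod Algorithm="{XENC}sha256"/>
      <xenc11:MGF xmlns:xenc11="{XENC11}" Algorithm="{XENC11}mgf1sha256"/>
    </xenc:EncryptionMethod>
  </xenc:EncryptedKey></ds:KeyInfo>
</xenc:EncryptedData>"""

def _alg(parent, tag, default=None):
    """Algorithm attribute of a direct child element, or the default."""
    child = parent.find(tag) if parent is not None else None
    return child.get("Algorithm") if child is not None else default

def encryption_params(xml_text):
    """Extract data cipher, key transport, OAEP digest and MGF URIs."""
    root = ET.fromstring(xml_text)
    data = next(root.iter(f"{{{XENC}}}EncryptedData"), None)
    key = next(root.iter(f"{{{XENC}}}EncryptedKey"), None)
    if data is None or key is None:
        raise ValueError("no EncryptedData/EncryptedKey in document")
    method = key.find(f"{{{XENC}}}EncryptionMethod")
    return {
        "data_alg": _alg(data, f"{{{XENC}}}EncryptionMethod"),
        "key_alg": _alg(key, f"{{{XENC}}}EncryptionMethod"),
        "digest": _alg(method, f"{{{DS}}}DigestMethod", SHA1),
        "mgf": _alg(method, f"{{{XENC11}}}MGF", MGF1_SHA1),
    }

def sha1_oaep_mismatches(p):
    """Why a decryptor fixed to OAEP/SHA-1/MGF1-SHA1 cannot unwrap the key."""
    checks = [
        (p["key_alg"] in OAEP_URIS, f"key transport {p['key_alg']} is not RSA-OAEP"),
        (p["digest"] == SHA1, f"OAEP digest {p['digest']} is not SHA-1"),
        (p["mgf"] == MGF1_SHA1, f"MGF {p['mgf']} is not MGF1 with SHA-1"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Calling `sha1_oaep_mismatches(encryption_params(SAMPLE))` reports the SHA-256 digest and the `mgf1sha256` mask function; a key wrapped with `rsa-oaep-mgf1p` and no `DigestMethod` produces an empty list.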