SAML2 EncryptedAssertion decryption fails with "The SecurityKeyIdentifier has no key identifier clauses to write."


  • Wednesday, 01 August 2012 13:41
     
      Has code

    I have a SAML2 EncryptedAssertion with the following markup:

    <saml:EncryptedAssertion>
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <ds:KeyInfo>
                <xenc:EncryptedKey>
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                    <xenc:CipherData>
                        <xenc:CipherValue>sEP1lA5SAYkeqEEAH8myFjsPcfzEbWiHZbDnpCg6kCipnItK7BtnBDD4B7acgpBxOBFkvmnroEYT
                        qS3UVkQcraHbwE6zoWCHDs6HBIaY3O2R9jMEVgf2B7EgRU5r0qpGOYYH9SLFoFBEMLy/g/XiiD8j
                        kgA6b77QAT+QfywIvjM=</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>qzPCrcoMu2MuUaANP90xKSZ9hhdY7G25cZqvi2l4AWL1IZOMK/aMgnWsX6jsjat6KbJwGYlStI68
                t6qX6vuWfCqxd9wxz5os8OawwI/wns+4dQXthquRX7wliXN1F8nlkQLBXCQ5biETgDNcarbfl47S.....


    The issue I am getting is that when I try to decrypt the data, I get as far as the bold line in the code below, found in System.IdentityModel.Selectors.SecurityTokenResolver:

    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
    {
        if (keyIdentifierClause == null)
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifierClause");
        }
        key = null;
        for (int i = 0; i < this.tokens.Count; i++)
        {
            SecurityKey key2 = this.tokens[i].ResolveKeyIdentifierClause(keyIdentifierClause);
            if (key2 != null)
            {
                key = key2;
                return true;
            }
        }
        if (keyIdentifierClause is EncryptedKeyIdentifierClause)
        {
            EncryptedKeyIdentifierClause clause = (EncryptedKeyIdentifierClause) keyIdentifierClause;
            SecurityKeyIdentifier encryptingKeyIdentifier = clause.EncryptingKeyIdentifier;
            if ((encryptingKeyIdentifier != null) && (encryptingKeyIdentifier.Count > 0))   // <-- the "bold line" referred to above
            {

    and this fails with an eventual "The SecurityKeyIdentifier has no key identifier clauses to write." because

    encryptingKeyIdentifier.Count == 0

    When I run this up using my own WIF generated token it works fine and I can see that encryptingKeyIdentifier has a 'clause'.

    I note that the EncryptedAssertion markup for the WIF generated Assertion is somewhat different and has more namespaces so I tried adding them to this sample above but that didn't help.

    Can anyone point me in the right direction to get past this point and ensure that this EncryptedAssertion allows me to access and decrypt its KeyInfo, please?

    Brian
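As an added diagnostic example (not code from this thread or from WIF), the script below parses a SAML2 EncryptedAssertion and reports whether the inner xenc:EncryptedKey carries a ds:KeyInfo with at least one key identifier clause. In the markup posted above the EncryptedKey has no ds:KeyInfo at all, which is the structural condition a key resolver would surface as an empty key identifier (the assumption here is that WIF populates EncryptingKeyIdentifier from that inner ds:KeyInfo; the WIF-generated token the poster mentions does carry one). The sample documents, the ds:KeyName value and the CipherValue contents are constructed for the example; the check also flags the legacy rsa-1_5 key transport and handles markup pasted without namespace declarations, which cannot be parsed as-is.

```python
"""Structural check of a SAML2 <EncryptedAssertion> (added example, not from the thread)."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Key transport algorithms XML Encryption 1.1 discourages for new deployments.
LEGACY_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "RSA PKCS#1 v1.5 key transport (prefer RSA-OAEP)",
}

# Constructed sample mirroring the shape of the posted markup: the EncryptedKey
# has no ds:KeyInfo, so nothing identifies which private key unwraps it.
SAMPLE_NO_CLAUSE = """<saml:EncryptedAssertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <ds:KeyInfo>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""

# Constructed variant with a key identifier clause (ds:KeyName, hypothetical value)
# inside the EncryptedKey and RSA-OAEP key transport.
SAMPLE_WITH_CLAUSE = SAMPLE_NO_CLAUSE.replace(
    "<xenc:EncryptedKey>",
    "<xenc:EncryptedKey>\n        <ds:KeyInfo><ds:KeyName>sp-encryption-cert</ds:KeyName></ds:KeyInfo>",
).replace("xmlenc#rsa-1_5", "xmlenc#rsa-oaep-mgf1p")

# The posted snippet pasted verbatim: prefixes are used but never declared.
SAMPLE_UNBOUND = "<saml:EncryptedAssertion><xenc:EncryptedData/></saml:EncryptedAssertion>"


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def inspect_encrypted_assertion(xml_text):
    """Return a report on whether the EncryptedKey carries a key identifier
    that a resolver can use to pick the decryption key, plus algorithm notes."""
    report = {"parse_error": None, "data_algorithm": None, "key_transport_algorithm": None,
              "key_identifier_clauses": [], "findings": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        report["parse_error"] = str(exc)
        report["findings"].append("not well-formed XML (prefixes pasted without namespace declarations?)")
        return report

    enc_data = root.find("xenc:EncryptedData", NS) if _local(root.tag) == "EncryptedAssertion" else root
    if enc_data is None or _local(enc_data.tag) != "EncryptedData":
        report["findings"].append("no xenc:EncryptedData element")
        return report

    method = enc_data.find("xenc:EncryptionMethod", NS)
    if method is not None:
        report["data_algorithm"] = method.get("Algorithm")

    enc_key = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if enc_key is None:
        report["findings"].append("EncryptedData has no ds:KeyInfo/xenc:EncryptedKey")
        return report

    key_method = enc_key.find("xenc:EncryptionMethod", NS)
    if key_method is not None:
        alg = key_method.get("Algorithm")
        report["key_transport_algorithm"] = alg
        if alg in LEGACY_ALGORITHMS:
            report["findings"].append("legacy key transport: " + LEGACY_ALGORITHMS[alg])

    # The clauses a resolver can use live in the ds:KeyInfo *inside* the EncryptedKey.
    key_info = enc_key.find("ds:KeyInfo", NS)
    clauses = [] if key_info is None else [_local(child.tag) for child in key_info]
    report["key_identifier_clauses"] = clauses
    if not clauses:
        report["findings"].append(
            "EncryptedKey carries no key identifier clause; a resolver sees an empty SecurityKeyIdentifier")
    return report


if __name__ == "__main__":
    for name, doc in [("no clause", SAMPLE_NO_CLAUSE), ("with clause", SAMPLE_WITH_CLAUSE),
                      ("unbound", SAMPLE_UNBOUND)]:
        print(name, "->", inspect_encrypted_assertion(doc))
```

Running the module on the two well-formed samples shows the difference the poster observed between the two tokens: the first report lists no clauses and two findings, the second lists `KeyName` and nothing to flag.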

All replies

  • Wednesday, 01 August 2012 15:10
     
     Answered

    Actually I found this was a logic problem related to a flag that indicates if a token is encrypted or not.

    Please regard this as closed.

    • Marked as answer by jbfurlong, Wednesday, 01 August 2012 15:11