After upgrading the Policy Server from 12.7 to 12.8.5, the Policy Server is failing to decrypt the encrypted assertions from one external federation partner:
[520de310-59e1920c-2485d649-bbddfb97-257e6411-4][11/05/2021][decryptAssertionInResponse][Exception has occured: Error in SAML2EncryptDecrypt decrypt - failed to decrypt Assertion. encrypt: Error decrypting XML Document. Error setting private key. .java.security.InvalidKeyException: unwrapping failed at org.bouncycastle.jcajce.provider.BaseSingleBlockCipher.engineUnwrap(Unknown Source) at javax.crypto.Cipher.unwrap(Cipher.java:2553) at com.netegrity.smkeydatabase.api.EncryptedKeyResolver.engineCanResolve(EncryptedKeyResolver.java:123) at com.netegrity.smkeydatabase.api.XMLEncryptDecryptApacheImpl.decrypt(XMLEncryptDecryptApacheImpl.java:442)
Release : 12.8.x
Component : SITEMINDER -POLICY SERVER
12.7.x used different libraries for assertion decryption and these libraries were allowing a digest algorithm to be used that should have been rejected.
The 12.8.5 release is working by design. The 12.7 release used older libraries for decryption and those libraries were behaving less strictly than the newer libraries in 12.8.5.
In 12.8.x, when key transport algorithm i.e is rsa-oaep-mgf1p (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) is used then the Digest Method must always be sha1.