
SAML-Key with alias mykey doesn't have a private key

I am trying to modify a sample program of spring-boot security with SAML: https://github.com/vdenotaris/spring-boot-security-saml-sample . I got the certificate (.crt) from my Identity Provider and I tried to create a sample keystore (.jks) to test my connectivity before integrating it into my application. I followed the steps below to create the certificate.

Create keystore

keytool -keystore mykeystore.jks -genkey -alias saml

When I try to list my keystore I have one private key.

Listing the keystore

keytool -list -V -storepass changeit -keystore mykeystore.jks

Then I imported the certificate provided by the IDP team using the command below.

keytool -import -file myidp.crt -storepass changeit -keystore mykeystore.jks

Now when I list my jks file I have two entries, one private.

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: saml
Creation date: May 24, 2016
Entry type: PrivateKeyEntry
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
*******************************************
*******************************************
Alias name: mykey
Creation date: May 24, 2016
Entry type: trustedCertEntry
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
*******************************************
*******************************************

I modified the WebSecurityConfig.java class; I did not give any pass phrase while importing the crt into the keystore. I tried to keep the alias name the same, but then I was getting the error below.

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

    @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile = loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        // JKSKeyManager expects this map as key alias -> key password
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        // "mykey" is the alias keytool gave the imported IdP certificate (a trustedCertEntry);
        // the generated key pair sits under alias "saml"
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

Now I am getting the exception below; I know it is some issue with my JKS creation. Could you please suggest how to add a private key to my trust store? I only received the .crt file from the IDP provider. Do I have to do any other steps to add the private key to my trust store? I checked a couple of posts like "Key with alias xxx doesn't have a private key with Spring SAML" that are similar to my issue, but I am not able to figure out the issue with certificate creation.

    ERROR [http-nio-8080-exec-4] (DirectJDKLog.java:182) - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
    java.lang.RuntimeException: Key with alias mykey doesn't have a private key
        at org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:209)
        at org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329)
        at org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189)
        at org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127)
        at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
    DEBUG [http-nio-8080-exec-4] (DispatcherServlet.java:861) - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error]
    DEBUG [http-nio-8080-exec-4] (AbstractHandlerMethodMapping.java:318) - Looking up handler method for path /error
    DEBUG [http-nio-8080-exec-4] (AbstractHandlerMethodMapping.java:325) - Returning handler method [public org.springframework.http.ResponseEntity> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)]
    DEBUG [http-nio-8080-exec-4] (AbstractBeanFactory.java:251) - Returning cached instance of singleton bean 'basicErrorController'
    DEBUG [http-nio-8080-exec-4] (DispatcherServlet.java:947) - Last-Modified value for [/error] is: -1
    DEBUG [http-nio-8080-exec-4] (AbstractMessageConverterMethodProcessor.java:225) - Written [{timestamp=Tue May 24 19:12:00 IST 2016, status=500, error=Internal Server Error, exception=java.lang.RuntimeException, message=Key with alias mykey doesn't have a private key, path=/favicon.ico}] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@380682cd]
    DEBUG [http-nio-8080-exec-4] (DispatcherServlet.java:1034) - Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling

You need to import the signed certificate using the same alias as the private key.

    Now when I list my jks file I have two entries, one private

You should only have one, private.

You can have any number of private key entries in your keystore... but you can configure only one private key for Spring SAML... your private key should be of Entry type: PrivateKeyEntry... and update your spring-security.xml to use the alias of the private key. E.g.

    <!-- Central storage of cryptographic keys -->
    <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
        <constructor-arg value="classpath:keycloak.jks"/>
        <constructor-arg type="java.lang.String" value="password"/>
        <constructor-arg>
            <map>
                <entry key="YOUR_ALIAS" value="password"/>
            </map>
        </constructor-arg>
        <constructor-arg type="java.lang.String" value="YOUR_ALIAS"/>
    </bean>
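Both answers come down to one check: the alias handed to JKSKeyManager as the default key must name a PrivateKeyEntry, while an imported IdP certificate is only a trustedCertEntry. The following pre-flight script is an added example (not from the question, the answers or the Spring SAML project); it parses `keytool -list -v` output, with a sample listing constructed to mirror the one in the question, and reports whether a given alias can sign.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -v` output, mirroring the question's listing:
# the SP key pair lives under alias "saml"; the IdP certificate landed under
# keytool's default alias "mykey" as a trustedCertEntry (no private key).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: saml
Creation date: May 24, 2016
Entry type: PrivateKeyEntry

*******************************************

Alias name: mykey
Creation date: May 24, 2016
Entry type: trustedCertEntry

*******************************************'

# entry_type LISTING ALIAS -> prints the "Entry type" recorded for ALIAS, or "missing".
entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        /^Alias name: / { cur = substr($0, 13) }
        /^Entry type: / { if (cur == alias) { print substr($0, 13); found = 1; exit } }
        END             { if (!found) print "missing" }'
}

# check_signing_alias LISTING ALIAS -> exit 0 if ALIAS is a PrivateKeyEntry and can
# therefore sign SP metadata and requests; exit 1 otherwise. Run this on the alias
# you pass as defaultKey to JKSKeyManager before starting the application.
check_signing_alias() {
    t=$(entry_type "$1" "$2")
    if [ "$t" = "PrivateKeyEntry" ]; then
        echo "ok: alias '$2' is a PrivateKeyEntry"
        return 0
    fi
    echo "error: alias '$2' is '$t'; Spring SAML needs a PrivateKeyEntry here" >&2
    return 1
}

# Against a real keystore, feed the live listing instead of the constructed sample:
#   check_signing_alias "$(keytool -list -v -storepass changeit -keystore mykeystore.jks)" saml
# Keep the IdP certificate under its own alias (keytool -importcert -alias idp ...) so
# the trusted entry never shadows the key pair you configure as the default key.
```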
