opensaml java encrypted assertion - Failed to decrypt EncryptedData using EncryptedKeyResolver

I've set up a developer account on Okta and I'm trying to decrypt an encrypted assertion from the test app I set up in there. So my local Java Spring app has a controller that's receiving the HTTP POST of the SAML assertion - I've verified this with it not being encrypted. Now with encryption turned on, I'm attempting to decrypt it with this method:

private Assertion decrypt(EncryptedAssertion encryptedAssertion) {
    // Resolver for the SP's own credential (private key) used to unwrap the EncryptedKey.
    StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(spConfig.getCredential());
    // InlineEncryptedKeyResolver only finds an EncryptedKey placed inside EncryptedData/KeyInfo.
    Decrypter decrypter = new Decrypter(null, keyInfoCredentialResolver, new InlineEncryptedKeyResolver());
    decrypter.setRootInNewDocument(true);
    try {
        return decrypter.decrypt(encryptedAssertion);
    } catch (DecryptionException e) {
        // Log the exception itself; e.getCause() is frequently null here and hides the message.
        log.debug("oops", e);
        return null;
    }
}

with this SP config code:

private static final String KEY_STORE_PASSWORD = "mypassw";
private static final String KEY_STORE_ENTRY_PASSWORD = "mypassw";
private static final String KEY_STORE_PATH = "/keystore.p12";
// Alias of the SP key entry in the keystore; KeyStoreCredentialResolver matches it via EntityIdCriterion.
private static final String KEY_ENTRY_ID = "http://www.okta.com/exkz............42p6";

private static Credential credential = null;

@PostConstruct
public void init() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, ResolverException {
    log.debug("doing init");
    KeyStore keystore = readKeystoreFromFile(KEY_STORE_PATH, KEY_STORE_PASSWORD);
    // Maps key alias -> password protecting that private key entry.
    Map<String, String> passwordMap = new HashMap<>();
    passwordMap.put(KEY_ENTRY_ID, KEY_STORE_ENTRY_PASSWORD);
    KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(keystore, passwordMap);

    EntityIdCriterion criteria = new EntityIdCriterion(KEY_ENTRY_ID);
    CriteriaSet criteriaSet = new CriteriaSet(criteria);

    credential = resolver.resolveSingle(criteriaSet);
    if (credential == null) {
        // resolveSingle() returns null rather than throwing when the alias does not match.
        throw new ResolverException("No credential found for alias " + KEY_ENTRY_ID);
    }
}

private static KeyStore readKeystoreFromFile(String pathToKeyStore, String keyStorePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    KeyStore keystore = KeyStore.getInstance("PKCS12");
    // try-with-resources closes the stream even when load() throws.
    try (InputStream inputStream = SpConfig.class.getResourceAsStream(pathToKeyStore)) {
        if (inputStream == null) {
            throw new IOException("Keystore not found on classpath: " + pathToKeyStore);
        }
        keystore.load(inputStream, keyStorePassword.toCharArray());
    }
    return keystore;
}

public Credential getCredential() {
    return credential;
}

I've tried a few things to purposely break the code -- bad keystore password, missing keystore, incorrectly typed key entry alias -- and I do get errors that point to that. But when it looks like it's set up correctly, all I get is this:

2018-04-18 08:40:07.502 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : Parsing InputStream into DOM document
2018-04-18 08:40:07.503 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : Unmarshalling DOM parsed from InputStream
2018-04-18 08:40:07.574 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Starting to unmarshall Apache XML-Security-based SignatureImpl element
2018-04-18 08:40:07.575 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Constructing Apache XMLSignature object
2018-04-18 08:40:07.578 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:Signature", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:SignedInfo", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:SignatureMethod", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.algorithms.SignatureAlgorithm    : Create URI "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256"
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.algorithms.JCEMapper    : Request for URI http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.a.i.SignatureBaseRSA             : Created SignatureRSA using SHA256withRSA
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:KeyInfo", "")
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Adding canonicalization and signing algorithms, and HMAC output length to Signature
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Adding KeyInfo to Signature
2018-04-18 08:40:07.597 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : InputStream succesfully unmarshalled
2018-04-18 08:40:07.618 DEBUG 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter  : Failed to decrypt EncryptedData using EncryptedKeyResolver
2018-04-18 08:40:07.618 ERROR 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter  : Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2018-04-18 08:40:07.619 ERROR 20655 --- [nio-8080-exec-1] o.o.saml.saml2.encryption.Decrypter      : SAML Decrypter encountered an error decrypting element content

org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:550) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToList(Decrypter.java:452) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptData(Decrypter.java:412) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.saml.saml2.encryption.Decrypter.decryptData(Decrypter.java:176) [opensaml-saml-api-3.3.0.jar:na]
        at org.opensaml.saml.saml2.encryption.Decrypter.decrypt(Decrypter.java:104) [opensaml-saml-api-3.3.0.jar:na]

I've been over so much GitHub, source examples and such --- I think I've got the concise bit of code that should do this, but obviously something is missing. Unlike samples where Spring Security is involved, I don't have a place for IdP or SP metadata. Should it be there somewhere?

I've also seen various posts about illegal key size - I don't have that exception, but in case some try-catches or logging were changed or something, I installed the unlimited strength JCE jars.

Got it working by using a chaining resolver as per this sample:

// Each resolver looks for the <xenc:EncryptedKey> in a different location of the message.
final List<EncryptedKeyResolver> list = new ArrayList<>();
list.add(new InlineEncryptedKeyResolver());                // EncryptedKey inside EncryptedData/KeyInfo
list.add(new EncryptedElementTypeEncryptedKeyResolver());  // EncryptedKey as a sibling of EncryptedData in EncryptedAssertion
list.add(new SimpleRetrievalMethodEncryptedKeyResolver()); // EncryptedKey referenced through KeyInfo/RetrievalMethod
LOGGER.debug("Built a list of encrypted key resolvers: [{}]", list);
// Tries each resolver in order until one yields an EncryptedKey.
final ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);

from http://useof.org/java-open-source/org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver
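The following class puts the question's Decrypter setup together with the answer's chaining resolver into one complete decryptor. It is an added example, not the asker's code and not OpenSAML's own; it assumes OpenSAML 3.x on the classpath and a Credential obtained the way the SP config above obtains it. The class name AssertionDecryptor and the helper describeKeyPlacement are hypothetical names chosen for this example.

```java
import java.util.ArrayList;
import java.util.List;

import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.KeyInfo;

/** Hypothetical helper (example only): decrypts an EncryptedAssertion with the SP's private key. */
public final class AssertionDecryptor {

    private final Decrypter decrypter;

    public AssertionDecryptor(Credential spDecryptionCredential) {
        // Key-encryption-key resolver: the SP credential whose public key the IdP wrapped the
        // symmetric data key with. Its private key unwraps the EncryptedKey.
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(spDecryptionCredential);

        // Resolvers for locating the EncryptedKey, tried in order by the chain.
        List<EncryptedKeyResolver> resolvers = new ArrayList<>();
        resolvers.add(new InlineEncryptedKeyResolver());               // inside EncryptedData/KeyInfo
        resolvers.add(new EncryptedElementTypeEncryptedKeyResolver()); // peer of EncryptedData in EncryptedAssertion
        resolvers.add(new SimpleRetrievalMethodEncryptedKeyResolver()); // referenced via KeyInfo/RetrievalMethod
        EncryptedKeyResolver chain = new ChainingEncryptedKeyResolver(resolvers);

        // Arg 1: resolver for a data key named directly in EncryptedData/KeyInfo (not used here).
        // Arg 2: resolver for the key-encryption key. Arg 3: where to find the EncryptedKey.
        this.decrypter = new Decrypter(null, kekResolver, chain);
        // Put the cleartext Assertion in its own DOM document so later signature work is not
        // confused by the original encrypted parent.
        this.decrypter.setRootInNewDocument(true);
    }

    /**
     * Returns the cleartext Assertion. DecryptionException is propagated rather than swallowed so
     * the caller logs the real cause. The returned Assertion is only decrypted, not validated:
     * signature, Conditions and Subject confirmation still have to be checked by the caller.
     */
    public Assertion decrypt(EncryptedAssertion encryptedAssertion) throws DecryptionException {
        return decrypter.decrypt(encryptedAssertion);
    }

    /**
     * Diagnostic: reports where the incoming message carries its EncryptedKey element(s), which
     * determines which resolver in the chain can succeed.
     */
    public static String describeKeyPlacement(EncryptedAssertion encryptedAssertion) {
        // EncryptedKey elements that are siblings of EncryptedData inside EncryptedAssertion.
        int peerKeys = encryptedAssertion.getEncryptedKeys().size();
        // EncryptedKey elements nested in EncryptedData/KeyInfo.
        int inlineKeys = 0;
        KeyInfo keyInfo = encryptedAssertion.getEncryptedData() == null
                ? null : encryptedAssertion.getEncryptedData().getKeyInfo();
        if (keyInfo != null) {
            inlineKeys = keyInfo.getEncryptedKeys().size();
        }
        return "EncryptedKey elements: " + inlineKeys + " inline in EncryptedData/KeyInfo, "
                + peerKeys + " as peers of EncryptedData";
    }
}
```

Calling describeKeyPlacement on a message that fails with "Failed to decrypt EncryptedData using EncryptedKeyResolver" usually shows zero inline keys and one peer key: the IdP placed the EncryptedKey next to EncryptedData inside EncryptedAssertion, which InlineEncryptedKeyResolver on its own never looks at. Only EncryptedElementTypeEncryptedKeyResolver in the chain covers that layout, which is why the chaining resolver fixes the original code while the keystore and credential setup were already correct.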
