如何使用 OpenSAML 2 和 Java 测试/调试解密加密断言?
[英]How to test/debug Decrypting Encrypted Assertion using OpenSAML 2 and Java?
问题描述
I am trying to write a Java app together with OpenSAML2 (2.6.6) to decrypt an encrypted assertion, but I am getting:
我正在尝试与 OpenSAML2 (2.6.6) 一起编写 Java 应用程序来解密加密断言,但我得到:
[main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
[main] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
Here's my Java code (sorry it still has lots of debug output):这是我的 Java 代码(很抱歉它仍然有很多调试输出):
/*
* ****************************************************************************************************
* Original source from: https://stackoverflow.com/questions/9422545/decrypting-encrypted-assertion-using-saml-2-0-in-java-using-opensaml
* And hint about needed to add DefaultBootstrap.bootstrap() for OpenSAML 2.x: https://stackoverflow.com/questions/25066183/opensaml-error-receiving-correct-unmarshaller
* And hing about chain resolvers: https://www.programcreek.com/java-api-examples/index.php?api=org.opensaml.saml2.encryption.Decrypter
* ****************************************************************************************************
* ****************************************************************************************************
* ****************************************************************************************************
* ****************************************************************************************************
*/
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.EncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class test_opensaml {
public static void main(String[] args) {
String PROGVERSION = "V1.00";
String xmlFileName = "";
String privateKeyFileName = "";
System.out.println("test_opensaml " + PROGVERSION);
if(args.length < 2) {
System.out.println("Command line is: java test_opensaml <signed_samlassertion_xml> <private_key_der>");
System.exit(0);
}
xmlFileName = args[0];
privateKeyFileName = args[1];
Logger logger = LoggerFactory.getLogger(test_opensaml.class);
logger.info("xmlFileName=[" + xmlFileName + "]");
logger.info("privateKeyFileName=[" + privateKeyFileName + "]\n");
try {
// Initialize the library
DefaultBootstrap.bootstrap();
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR WHILE Executing DefaultBootstrap.bootstrap() - e=[" + e + "]");
System.exit(-1);
}
InputStream inputStream = null;
// Load the XML file and parse it.
File xmlFile = new File(xmlFileName);
try {
inputStream = new FileInputStream(xmlFile);
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR WHILE LOADING ASSERTION XML FILE - e=[" + e + "]");
System.exit(-1);
}
BasicParserPool parserPoolManager = new BasicParserPool();
Document document = null;
Element metadataRoot = null;
try {
document = parserPoolManager.parse(inputStream);
metadataRoot = document.getDocumentElement();
System.out.println("metadataRoot.getNodeName()=[" + metadataRoot.getNodeName() + "]");
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR WHILE CREATING DOCUMENT FROM XML FILE - e=[" + e + "]");
System.exit(-1);
}
UnmarshallerFactory unmarshallerFactory = null;
Unmarshaller unmarshaller = null;
EncryptedAssertion encryptedAssertion = null;
try {
// Unmarshall
unmarshallerFactory = Configuration.getUnmarshallerFactory();
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR WHILE CREATING UNMARSHALLFACTORY - e=[" + e + "]");
System.exit(-1);
}
if (unmarshallerFactory == null) {
System.out.println("unmarshallerFactory is null");
} else {
System.out.println("unmarshallerFactory is OK/NOT-null");
}
try {
// Unmarshall
unmarshaller = unmarshallerFactory.getUnmarshaller(metadataRoot);
if (unmarshaller == null) {
System.out.println("unmarshaller is null");
} else {
System.out.println("unmarshaller is OK/NOT-null");
}
System.out.println("unmarshaller.getClass().getname=[" + unmarshaller.getClass().getName() + "]");
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR WHILE CREATING UNMARSHALLER - e=[" + e + "]");
System.exit(-1);
}
try {
// Unmarshall
encryptedAssertion = (EncryptedAssertion)unmarshaller.unmarshall(metadataRoot);
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR CREATING ENCRYPTEDASSERTION BY UNMARSHALLING - e=[" + e + "]");
e.printStackTrace();
System.exit(-1);
}
System.out.println("SUCCESS - CREATED ENCRYPTEDASSERTION BY UNMARSHALLING!!");
System.out.println("Will now try to load the PRIVATE KEY FILE...");
// Load the private key file.
File privateKeyFile = new File(privateKeyFileName);
FileInputStream inputStreamPrivateKey = null;
byte[] encodedPrivateKey = null;
try {
inputStreamPrivateKey = new FileInputStream(privateKeyFile);
encodedPrivateKey = new byte[(int)privateKeyFile.length()];
inputStreamPrivateKey.read(encodedPrivateKey);
inputStreamPrivateKey.close();
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR WHILE READING PRIVATE KEY FROM FILE - e=[" + e + "]");
System.exit(-1);
}
System.out.println("SUCCESS - READ/INPUT THE PRIVATE KEY FILE!!");
PKCS8EncodedKeySpec privateKeySpec = null;
RSAPrivateKey privateKey = null;
try {
// Create the private key.
privateKeySpec = new PKCS8EncodedKeySpec(encodedPrivateKey);
privateKey = (RSAPrivateKey)KeyFactory.getInstance("RSA").generatePrivate(privateKeySpec);
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR WHILE CREATING PRIVATE KEY - e=[" + e + "]");
System.exit(-1);
}
System.out.println("SUCCESS - CREATING THE PRIVATE KEY INSTANCE!!");
ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver();
keyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
keyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
keyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());
System.out.println("Built a list of encrypted key resolvers...");
boolean successfulDecryption = false;
// Create the credentials.
BasicX509Credential decryptionCredential = new BasicX509Credential();
decryptionCredential.setPrivateKey(privateKey);
StaticKeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(decryptionCredential);
// Create a decrypter.
Decrypter decrypter = new Decrypter(null, resolver, keyResolver);
decrypter.setRootInNewDocument(true);
// Decrypt the assertion.
Assertion decryptedAssertion = null;
System.out.println("WILL NOW TRY TO DECRYPT THE ENCRYPTED ASSERTION...");
try
{
decryptedAssertion = decrypter.decrypt(encryptedAssertion);
} catch (Exception e) {
System.out.println("** ERROR ** - ERROR WHILE DECRYPTING THE ASSERTION - e=[" + e + "]");
System.exit(-1);
}
System.out.println("SUCCESS - DECRYPTED THE ENCRYPTED ASSERTION - will now dump out the decrypted assertion...!!");
System.out.println("decryptedAssertion.toString=[" + decryptedAssertion.toString() + "]");
System.out.println("Finished...");
System.exit(0);
} // end main()
}
When I run that with a test signed assertion (XML) and the private key, I am getting the following output.当我使用测试签名断言 (XML) 和私钥运行它时,我得到以下输出。 This is being run under Eclipse and using Java 1.8 build 201:这是在 Eclipse 下运行并使用 Java 1.8 build 201:
test_opensaml V1.00
[main] INFO test_opensaml - xmlFileName=[E:\ECLIPSE-WORKSPACES\opensaml\opensaml\data\encrypted_assertion.xml]
[main] INFO test_opensaml - privateKeyFileName=[E:\ECLIPSE-WORKSPACES\opensaml\opensaml\data\geoaxis-gxaccess.com.private-key.der]
metadataRoot.getNodeName()=[saml:EncryptedAssertion]
unmarshallerFactory is OK/NOT-null
unmarshaller is OK/NOT-null
unmarshaller.getClass().getname=[org.opensaml.saml2.core.impl.EncryptedAssertionUnmarshaller]
SUCCESS - CREATED ENCRYPTEDASSERTION BY UNMARSHALLING!!
Will now try to load the PRIVATE KEY FILE...
SUCCESS - READ/INPUT THE PRIVATE KEY FILE!!
SUCCESS - CREATING THE PRIVATE KEY INSTANCE!!
Built a list of encrypted key resolvers...
WILL NOW TRY TO DECRYPT THE ENCRYPTED ASSERTION...
[main] ERROR org.opensaml.xml.encryption.Decrypter - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1539)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:708)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:639)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:794)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at test_opensaml.main(test_opensaml.java:193)
Caused by: java.security.InvalidKeyException: Unwrapping failed
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:445)
at javax.crypto.Cipher.unwrap(Cipher.java:2549)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1537)
... 9 more
Caused by: javax.crypto.BadPaddingException: Decryption error
at sun.security.rsa.RSAPadding.unpadOAEP(Unknown Source)
at sun.security.rsa.RSAPadding.unpad(Unknown Source)
at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:440)
... 11 more
[main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
[main] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:546)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at test_opensaml.main(test_opensaml.java:193)
** ERROR ** - ERROR WHILE DECRYPTING THE ASSERTION - e=[org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData]
Since this is (for me, at least) new and untested code, I was wondering how I can diagnose this problem further?由于这是(至少对我而言)新的和未经测试的代码,我想知道如何进一步诊断这个问题?
Is there some additional logging or something that might help to find out what is wrong or pinpoint the problem?是否有一些额外的日志记录或可能有助于找出问题或查明问题的东西?
I know that this is going to sound a little unusual, but also, FYI, I was given the signed assertion and private key that I am using to test right now, by a third party, so I am actually not 100% sure if they are good, so I was wondering if maybe there is somewhere I could get/download a known-good encrypted assertion example together with the corresponding private key, so that I could try to test my code above with known-good data?我知道这听起来有点不寻常,但仅供参考,我得到了我现在用来测试的签名断言和私钥,由第三方提供,所以我实际上并不能 100% 确定他们是否很好,所以我想知道是否可以在某个地方获取/下载已知良好的加密断言示例以及相应的私钥,以便我可以尝试使用已知良好的数据测试上面的代码?
Thanks, Jim谢谢,吉姆
EDIT: Sorry I forgot to include a snippet of the encrypted assertion that I have been using to test:编辑:对不起,我忘了包含我一直用来测试的加密断言的片段:
<?xml version="1.0"?>
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Id="_332ec9de74ee4a8b97b84694edb58ba9" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Type="http://www.w3.org/2001/04/xmlenc#Element" Id="_d32f036453ed438b84783a21a2e2cca7">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xenc:CipherData>
<xenc:CipherValue>Rfn5PDApVSF3wTBgsiQsFn5rybj...EZoHpGvxDPv5kAhVw==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>FTk8D8nGOTuZsunGifMEHtj...xiAvwSQ=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedAssertion>
EDIT 2: For someone who is familiar with OpenSAML and SAML: Is there something wrong with the signed assertion above?编辑 2:对于熟悉 OpenSAML 和 SAML 的人:上面的签名断言有什么问题吗? I've been doing some additional testing, and it seems like none of the resolvers are able to find the encryption key and I noticed that the ds:Keyinfo is embedded inside xenc:EncryptedData, at the same level as the xenc:CipherData.我一直在做一些额外的测试,似乎没有一个解析器能够找到加密密钥,我注意到 ds:Keyinfo 嵌入在 xenc:EncryptedData 中,与 xenc:CipherData 处于同一级别。 Is that a normal structure, and which of the chained resolvers is supposed to find that ds:Keyinfo?这是一个正常的结构,哪个链式解析器应该找到 ds:Keyinfo?
2 个解决方案
解决方案1
0 2019-02-11 21:24:14
仅供参考,一旦我找到与样本加密断言匹配的正确私钥,我终于可以按原样工作。
解决方案2
0 2021-07-05 19:02:08
With your changes, I got KEY LENGTH known errors, issue resolved after following the below link通过您的更改,我收到了 KEY LENGTH 已知错误,在点击以下链接后问题已解决
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size Original Exception was java.security.InvalidKeyException: Illegal key size org.apache.xml.security.encryption.XMLEncryptionException:非法密钥大小原始异常是 java.security.InvalidKeyException:非法密钥大小
https://faq.miniorange.com/knowledgebase/i-am-getting-org-apache-xml-security-encryption-xmlencryptionexception-illegal-key-size-exception-sso/ https://faq.miniorange.com/knowledgebase/i-am-getting-org-apache-xml-security-encryption-xmlencryptionexception-illegal-key-size-exception-sso/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
使用OpenSAML在Java中使用SAML 2.0解密加密的断言 - Decrypting encrypted assertion using SAML 2.0 in java using OpenSAML
opensaml java加密的断言-无法使用EncryptedKeyResolver解密EncryptedData - opensaml java encrypted assertion - Failed to decrypt EncryptedData using EncryptedKeyResolver
如何使用 Java“漂亮打印”或“转储”opensaml 断言对象? - How to "pretty print" or "dump" an opensaml assertion object using Java?
如何在 Java 中使用 OpenSAML 库创建有效的 SAML 2.0 断言 - How to create a valid SAML 2.0 Assertion with OpenSAML library in Java
使用 OpenSAML 3 的 SAML 断言验证 - SAML Assertion Validation using OpenSAML 3
在Java中使用加密文件而不解密到磁盘 - Using Encrypted Files Without Decrypting To Disk in java
用Java解密Rijndael,使用.NET加密 - Decrypting Rijndael in Java , Encrypted using .NET
从Java中的给定XML创建OpenSAML断言 - Creating OpenSAML Assertion from given XML in Java
解密由.NET的RijndaelManaged使用Java加密的字节 - Decrypting bytes encrypted by .NET's RijndaelManaged using Java
解密加密文件并用Java执行 - Decrypting an encrypted file and executing in Java
相关标签