堆棧內存溢出
  簡體   English   中英

使用OpenSAML在Java中使用SAML 2.0解密加密的斷言

[英]Decrypting encrypted assertion using SAML 2.0 in java using OpenSAML

 原文  2012-02-23 22:39:15       java/ cryptography/ rsa/ saml-2.0/ opensaml

問題描述

嘗試使用SAML 2.0解密加密斷言時遇到問題。 我使用的庫是OpenSAML Java庫2.5.2。

加密的斷言如下所示: 

<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<enc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" 
    xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
  <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod 
       Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      </e:EncryptionMethod>
      <KeyInfo>
        <o:SecurityTokenReference 
           xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-
                    1.0.xsd">
          <o:KeyIdentifier 
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-
                      1.1#ThumbprintSHA1"
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-
                      message-security-1.0#Base64Binary">
          1H3mV/pJAlVZAst/Dt0rqbBd67g=
          </o:KeyIdentifier>
        </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
        <e:CipherValue>
   ... ENCRYPTED KEY HERE ...
        </e:CipherValue>
      </e:CipherData>
    </e:EncryptedKey>
  </KeyInfo>
  <enc:CipherData>
    <enc:CipherValue>
    ... ENCRYPTED ASSERTIONS HERE ...
    </enc:CipherValue>
  </enc:CipherData>
</enc:EncryptedData>
</EncryptedAssertion>

我確實使用以下openssl命令將PEM格式的私鑰轉換為pkcs8格式: 

openssl pkcs8 -topk8 -nocrypt -inform PEM -in rsa_private_key.key -outform DER -out rsa_private_key.pk8

然后我准備嘗試解密加密的斷言。 這是我的Java代碼: 

...
// Load the XML file and parse it.
File xmlFile = new File("data\\token.xml");
InputStream inputStream = new FileInputStream(xmlFile);
Document document = parserPoolManager.parse(inputStream);
Element metadataRoot = document.getDocumentElement();

// Unmarshall
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(metadataRoot);
EncryptedAssertion encryptedAssertion = (EncryptedAssertion)unmarshaller.unmarshall(metadataRoot);

// Load the private key file.
File privateKeyFile = new File("data\\rsa_private_key.pk8");
FileInputStream inputStreamPrivateKey = new FileInputStream(privateKeyFile);
byte[] encodedPrivateKey = new byte[(int)privateKeyFile.length()];
inputStreamPrivateKey.read(encodedPrivateKey);
inputStreamPrivateKey.close();

// Create the private key.
PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(encodedPrivateKey);
RSAPrivateKey privateKey = (RSAPrivateKey)KeyFactory.getInstance("RSA").generatePrivate(privateKeySpec);

// Create the credentials.
BasicX509Credential decryptionCredential = new BasicX509Credential();
decryptionCredential.setPrivateKey(privateKey);

// Create a decrypter.
Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(decryptionCredential), new InlineEncryptedKeyResolver());

// Decrypt the assertion.
Assertion decryptedAssertion;

try
{
    decryptedAssertion = decrypter.decrypt(encryptedAssertion);
}
...

運行此代碼總是導致無法解密斷言。 我確實收到以下錯誤: 

5473 [main] ERROR org.opensaml.xml.encryption.Decrypter - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: Key is too long for unwrapping
Original Exception was java.security.InvalidKeyException: Key is too long for unwrapping
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(Unknown Source)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:681)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:612)
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:762)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:513)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at DecrypterTool.main(DecrypterTool.java:121)
java.security.InvalidKeyException: Key is too long for unwrapping
    at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..)
    at javax.crypto.Cipher.unwrap(DashoA13*..)
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(Unknown Source)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:681)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:612)
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:762)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:513)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at DecrypterTool.main(DecrypterTool.java:121)
5477 [main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
5477 [main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
5478 [main] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at DecrypterTool.main(DecrypterTool.java:121)

在這種情況下,我真的不知道我做錯了什么。 我將我的私鑰轉換為pkcs8,我加載了我的SAML XML數據並將其解組為有效類型(EncryptedAssertion),並根據我的私鑰創建了一個解密。

是否可能與RSA的oaep格式有關? 我正在使用默認的java加密庫。

謝謝!

2 個解決方案

解決方案1
 19 已采納  2012-02-29 14:17:16

對於那些會遇到這個問題的人來說,這與Java Cryptography Extension(JCE)Unlimited Strength Jurisdiction Policy Files沒有安裝這一事實有關,並且它不允許我使用加密比AES-128更好。 使用JCE策略文件替換策略文件,我能夠成功解密我的加密斷言。

解決方案2
 2  2017-02-01 06:13:35

同意@thwalrusnp。 只是想添加下載策略jar的確切位置。

在解密IDP發送的斷言時找到了Error答案

這是由於Java Runtime Environment的默認分發中的加密強度限制而發生的。

  1. 下載Java密碼術擴展(JCE)無限強度管轄權政策文件( 適用於Java 7 )( 適用於Java 8

  2. 提取zip存檔並找到local_policy.jarUS_export_policy.jar

  3. 將$ JAVA_HOME / jre {version_number} / lib / security /下的這些文件的JRE版本替換為已下載的文件。

  4. 重啟JRE進程,如果有的話。 現在你可以使用更長的鍵。

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 如何使用 OpenSAML 2 和 Java 測試/調試解密加密斷言? 使用 OpenSAML 3 的 SAML 斷言驗證 opensaml java加密的斷言-無法使用EncryptedKeyResolver解密EncryptedData 如何在 Java 中使用 OpenSAML 庫創建有效的 SAML 2.0 斷言 在opensaml中使用saml2.0的SSO 通過OpenSAML中的現有元素創建SAML 2.0斷言 使用Java的SAML斷言 如何使用 Java“漂亮打印”或“轉儲”opensaml 斷言對象? 用Java解密Rijndael,使用.NET加密 在Java中使用加密文件而不解密到磁盤
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM