opensaml java encrypted assertion - 无法使用EncryptedKeyResolver解密EncryptedData

时间:2018-04-18 15:05:38

标签: java spring saml okta opensaml

我已经在okta上设置了一个开发者帐户,并且我试图从我在那里设置的测试应用程序解密加密的断言。所以我的本地java Spring应用程序有一个控制器,它接收SAML断言的HTTP POST - 我已经验证了它没有被加密。现在打开加密,我试图用这种方法解密它:

private Assertion decrypt(EncryptedAssertion encryptedAssertion) {//throws DecryptionException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableEntryException {
    StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(spConfig.getCredential());
    Decrypter decrypter = new Decrypter(null, keyInfoCredentialResolver, new InlineEncryptedKeyResolver());
    decrypter.setRootInNewDocument(true);
    try {
        return decrypter.decrypt(encryptedAssertion);
    } catch (Exception e) {
        log.debug("oops", e.getCause());
        return null;
    }
}

使用此SP配置代码:

private static final String KEY_STORE_PASSWORD = "mypassw";
private static final String KEY_STORE_ENTRY_PASSWORD = "mypassw";
private static final String KEY_STORE_PATH = "/keystore.p12";
private static final String KEY_ENTRY_ID = "http://www.okta.com/exkz............42p6";

private static Credential credential = null;

@PostConstruct
public void init() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, ResolverException {
    log.debug("doing init");
    KeyStore keystore = readKeystoreFromFile(KEY_STORE_PATH, KEY_STORE_PASSWORD);
    Map<String, String> passwordMap = new HashMap<String, String>();
    passwordMap.put(KEY_ENTRY_ID, KEY_STORE_ENTRY_PASSWORD);
    KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(keystore, passwordMap);

    EntityIdCriterion criteria = new EntityIdCriterion(KEY_ENTRY_ID);
    CriteriaSet criteriaSet = new CriteriaSet(criteria);

    credential = resolver.resolveSingle(criteriaSet);
}

private static KeyStore readKeystoreFromFile(String pathToKeyStore, String keyStorePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    KeyStore keystore = KeyStore.getInstance("PKCS12");
    InputStream inputStream = SpConfig.class.getResourceAsStream(pathToKeyStore);
    keystore.load(inputStream, keyStorePassword.toCharArray());
    inputStream.close();
    return keystore;
}

public Credential getCredential() {
    return credential;
}

我已经尝试了一些故意破坏代码的东西 - 糟糕的密钥库pw,缺少密钥库,错误输入的密钥条别名,我确实得到了指向它的错误。但是当它看起来设置正确时,我得到的就是:

2018-04-18 08:40:07.502 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : Parsing InputStream into DOM document
2018-04-18 08:40:07.503 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : Unmarshalling DOM parsed from InputStream
2018-04-18 08:40:07.574 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Starting to unmarshall Apache XML-Security-based SignatureImpl element
2018-04-18 08:40:07.575 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Constructing Apache XMLSignature object
2018-04-18 08:40:07.578 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:Signature", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:SignedInfo", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:SignatureMethod", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.algorithms.SignatureAlgorithm    : Create URI "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256"
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.algorithms.JCEMapper    : Request for URI http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.a.i.SignatureBaseRSA             : Created SignatureRSA using SHA256withRSA
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy      : setElement("ds:KeyInfo", "")
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Adding canonicalization and signing algorithms, and HMAC output length to Signature
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller       : Adding KeyInfo to Signature
2018-04-18 08:40:07.597 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport       : InputStream succesfully unmarshalled
2018-04-18 08:40:07.618 DEBUG 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter  : Failed to decrypt EncryptedData using EncryptedKeyResolver
2018-04-18 08:40:07.618 ERROR 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter  : Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2018-04-18 08:40:07.619 ERROR 20655 --- [nio-8080-exec-1] o.o.saml.saml2.encryption.Decrypter      : SAML Decrypter encountered an error decrypting element content

org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:550) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToList(Decrypter.java:452) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptData(Decrypter.java:412) ~[opensaml-xmlsec-api-3.3.0.jar:na]
        at org.opensaml.saml.saml2.encryption.Decrypter.decryptData(Decrypter.java:176) [opensaml-saml-api-3.3.0.jar:na]
        at org.opensaml.saml.saml2.encryption.Decrypter.decrypt(Decrypter.java:104) [opensaml-saml-api-3.3.0.jar:na]

我已经过了很多github,源代码示例等等 - 我想我已经得到了应该这样做的简洁代码。但显然缺少一些东西。与涉及Spring安全性的示例不同,我没有IDP或SP元数据的位置。它应该在某个地方吗?

我还看过各种关于非法密钥大小的帖子 - 我没有这个例外,但是如果一些尝试捕获或日志改变了什么,我安装了无限强度的JCE罐子。< / p>

1 个答案:

答案 0 :(得分:2)

按照此示例使用链接解析器进行操作 -

final List<EncryptedKeyResolver> list = new ArrayList<>();
list.add(new InlineEncryptedKeyResolver());
list.add(new EncryptedElementTypeEncryptedKeyResolver());
list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
LOGGER.debug("Built a list of encrypted key resolvers: [{}]", list);
final ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);

来自http://useof.org/java-open-source/org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver