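I have an application that integrates with another application using SAML. I am using OpenSAML2 and sent our metadata to the IDP so that they can encrypt their data. We got a response, and I was able to decode it, and it appears to be a valid response: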
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="<DESTINATION>" ID="_e344fa7e-59b4-480a-9d89-998abf933b4f" InResponseTo="_60f946e65b26d30b69857e8718dca1ca" IssueInstant="2018-10-30T22:14:46.943Z" Version="2.0">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">ISSUER</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </e:EncryptionMethod>
          <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>ISSUER</ds:X509IssuerName>
                <ds:X509SerialNumber>355107170</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </KeyInfo>
          <e:CipherData>
            <e:CipherValue>CIPHER VALUE</e:CipherValue>
          </e:CipherData>
        </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>CIPHER VALUE</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>
```
This is how I decrypt it:
```java
public Assertion decryptAssertion(EncryptedAssertion encryptedAssertion) throws RondoSsoException {
    try {
        //Security.insertProviderAt(new BouncyCastleProvider(), 1);
        // Resolvers that locate the EncryptedKey element for the EncryptedData
        final List<EncryptedKeyResolver> list = new ArrayList<>();
        list.add(new InlineEncryptedKeyResolver());
        list.add(new EncryptedElementTypeEncryptedKeyResolver());
        list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
        ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);

        // Private key used as the key-encryption key to unwrap the EncryptedKey
        Credential credential = generateCredentialFromKeystore();
        KeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(credential);

        // No resolver for the data-encryption key itself; it is recovered from the EncryptedKey
        Decrypter decrypter = new Decrypter(null, resolver, encryptedKeyResolver);
        decrypter.setRootInNewDocument(true);
        return decrypter.decrypt(encryptedAssertion);
    } catch (RondoSsoException | DecryptionException e) {
        throw new RondoSsoException("Error decrypting assertion", e);
    }
}
```
The credential is generated from the JKS keystore this way:
```java
public BasicX509Credential generateX509CredentialFromJKS() throws SecurityException, ResolverException {
    // Map of keystore alias -> key password
    Map<String, String> passwordMap = new HashMap<String, String>();
    passwordMap.put(ssoProperties.getProperty(CERT_NAME), ssoProperties.getProperty(CERT_PASSWORD));
    KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(getKeyStore(), passwordMap);

    // Look the credential up by its alias
    EntityIdCriterion criterion = new EntityIdCriterion(ssoProperties.getProperty(CERT_NAME));
    CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(criterion);
    return (BasicX509Credential) resolver.resolveSingle(criteriaSet);
}
```
Which generates this error.
```
java.security.InvalidKeyException: Unwrapping failed
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:445)
    at javax.crypto.Cipher.unwrap(Cipher.java:2549)
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1466)
    at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:711)
    at org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:643)
    at org.opensaml.xmlsec.encryption.support.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:781)
    at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:539)
    at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToList(Decrypter.java:452)
    at org.opensaml.xmlsec.encryption.support.Decrypter.decryptData(Decrypter.java:412)
    at org.opensaml.saml.saml2.encryption.Decrypter.decryptData(Decrypter.java:176)
    at org.opensaml.saml.saml2.encryption.Decrypter.decrypt(Decrypter.java:104)
    at com.casebank.rondo.sso.service.saml2.Saml2SecurityAndEncryptionManager.decryptAssertion(Saml2SecurityAndEncryptionManager.java:436)
    at com.casebank.rondo.sso.service.saml2.Saml2SSOProcessor.parseSAMLAssertion(Saml2SSOProcessor.java:483)
    at com.casebank.rondo.sso.service.saml2.Saml2SSOProcessor.processLogon(Saml2SSOProcessor.java:501)
    at com.casebank.rondo.sso.service.Saml2SSOProcessorTest.testProcessResponse(Saml2SSOProcessorTest.java:42)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
    at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
    at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:252)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:94)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
    at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
    at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:191)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:538)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:760)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:460)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:206)
Caused by: javax.crypto.BadPaddingException: Decryption error
    at sun.security.rsa.RSAPadding.unpadOAEP(Unknown Source)
    at sun.security.rsa.RSAPadding.unpad(Unknown Source)
    at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:440)
    ... 43 more
```
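I tried to find a solution here and found other posts, such as this one regarding cryptography strength, that was addressed already, or this one, but this assertion was missing the namespace, which is not my case.

My main problem is that the exception does not say exactly what went wrong (key size, padding, or something else). I even verified the size of the encrypted data, and it is 256 as expected. I have been researching this for a while without finding any possible solution. Any help would be greatly appreciated.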
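
An added illustration, not part of the original post and not OpenSAML code: using only the JDK, it wraps an AES-256 key with RSA-OAEP (SHA-1 digest, MGF1 with SHA-1, as the `EncryptedKey` in the response declares) and then unwraps it with the matching private key, with a different 2048-bit key, and with the matching key but a different OAEP digest. The class name, key pairs and AES key are constructed for the example; it shows that both mismatches fail with the same kind of exception and that the wrapped key is 256 bytes in every case.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepUnwrapCheck {  // hypothetical class name
    // rsa-oaep-mgf1p with DigestMethod sha1, as in the EncryptedKey element
    static final OAEPParameterSpec SHA1_OAEP = new OAEPParameterSpec(
            "SHA-1", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);
    // Same MGF, but a digest the sender did not use
    static final OAEPParameterSpec SHA256_OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

    // Attempts the same unwrap the XML decryption layer performs and reports the outcome
    static String tryUnwrap(byte[] wrapped, PrivateKey key, OAEPParameterSpec spec) {
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
            c.init(Cipher.UNWRAP_MODE, key, spec);
            Key aes = c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
            return "ok, " + aes.getEncoded().length * 8 + "-bit AES key";
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage()
                    + " <- " + e.getCause();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair target = gen.generateKeyPair(); // constructed: key the sender encrypted to
        KeyPair other = gen.generateKeyPair();  // constructed: different key, same size

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                           // aes256-cbc data-encryption key
        SecretKey dataKey = kg.generateKey();

        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPPadding");
        wrap.init(Cipher.WRAP_MODE, target.getPublic(), SHA1_OAEP);
        byte[] wrapped = wrap.wrap(dataKey);

        System.out.println("wrapped key length : " + wrapped.length);
        System.out.println("matching key, SHA-1: " + tryUnwrap(wrapped, target.getPrivate(), SHA1_OAEP));
        System.out.println("other key, SHA-1   : " + tryUnwrap(wrapped, other.getPrivate(), SHA1_OAEP));
        System.out.println("matching key, SHA-256 digest: " + tryUnwrap(wrapped, target.getPrivate(), SHA256_OAEP));
    }
}
```

The wrapped-key length depends only on the RSA modulus size, so it cannot tell which 2048-bit key was used. The `X509IssuerSerial` inside the `EncryptedKey` names the certificate the sender encrypted to, and it can be compared with the issuer and serial number of the certificate stored under the keystore alias.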