在解密Saml令牌时获取错误

Question

我在解密saml令牌时遇到错误.但是,重新启动服务器后,此问题不一致.它工作正常,直到昨晚:(

DEBUG Decrypter:631 - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed:
        org.opensaml.xml.encryption.DecryptionException: Probable runtime exception on decryption:unknown parameter type.
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:705)
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
            at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
            at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
            at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
            at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
            at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
            at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
            at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
            at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)
        Caused by: java.lang.IllegalArgumentException: unknown parameter type.
            at org.bouncycastle.jce.provider.JCERSACipher.engineInit(Unknown Source)
            at javax.crypto.Cipher.implInit(Cipher.java:791)
            at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
            at javax.crypto.Cipher.init(Cipher.java:1348)
            at javax.crypto.Cipher.init(Cipher.java:1282)
            at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
            ... 41 more
        09:21:51,120 ERROR Decrypter:639 - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
        09:21:51,120 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey faile

早些时候我得到了invalide密钥大小错误,我在Spring SAML ADFS的帮助下修复了这个错误 :java.security.InvalidKeyException.但我不确定它是否会对美国的安全政策法产生任何影响.

但是这个解密异常没有得到解决而且不一致.有一段时间它在重启服务器后开始工作.

我在最后2-3天尝试了每一件事.我认为问题发生在元数据刷新之后,所以我尝试将下面的属性添加到R​​esourceBackedMetadataProvider bean但没有运气.

<property name="parserPool" ref="parserPool"/>
<property name="minRefreshDelay" value="120000"/>
<property name="maxRefreshDelay" value="300000"/>

然后我调试WebSSOProfileConsumerImpl.java代码认为这是与jira相关的问题所以我签出最新的代码并创建新的jar并添加到我的项目但没有运气.

Answer 1

经过一周的调试和谷歌搜索后，我决定通过一些小技巧来解决这个问题。

我从 gitHub 存储库的 Master 分支查看了 Spring-Saml 源代码，并构建 jar 并将其导入到我的项目中。我认为这个SES-144问题与我的类似，所以我尝试使用最新的代码，但没有运气。

因此，我决定调试 xmlTooling.jar 代码并找到确切的故障点，并用下面的代码覆盖下面的decryptKey(EncryptedKey encryptedKey, String algorithm)方法XMLCipher.java。

Cipher c = constructCipher(encryptedKey.getEncryptionMethod()
                    .getAlgorithm(), encryptedKey.getEncryptionMethod()
                    .getDigestAlgorithm());

Instead of calling 
    c.init(4, key, oaepParameters);
used below code and removed if/else block
    c.init(4, key);

您可以从github上查看自定义 jar

您需要在 pom.xml 文件中使用以下行更新 saml 依赖项才能使用此自定义 jar

<dependency>
    <groupId>org.springframework.security.extensions</groupId>
    <artifactId>spring-security-saml2-core</artifactId>
    <version>1.0.1.RELEASE</version>

    <exclusions>
            <exclusion>
                    <artifactId>xmlsec</artifactId>
                    <groupId>org.apache.santuario</groupId>
            </exclusion>
    </exclusions>
</dependency>

<dependency>
    <artifactId>xmlsec</artifactId>
    <groupId>org.apache.santuario</groupId>
    <version>1.5.6-custom</version>
</dependency>

如果有人找到更好的解决方案，请告诉我。