Dan*_*ley 1 java spring saml opensaml okta
我已经在 okta 上设置了一个开发人员帐户,并且正在尝试从我在那里设置的测试应用程序中解密加密的断言。所以我的本地 java Spring 应用程序有一个控制器正在接收 SAML 断言的 HTTP POST - 我已经验证了这一点,它没有被加密。现在打开加密后,我尝试用以下方法解密它:
private Assertion decrypt(EncryptedAssertion encryptedAssertion) {//throws DecryptionException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableEntryException {
StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(spConfig.getCredential());
Decrypter decrypter = new Decrypter(null, keyInfoCredentialResolver, new InlineEncryptedKeyResolver());
decrypter.setRootInNewDocument(true);
try {
return decrypter.decrypt(encryptedAssertion);
} catch (Exception e) {
log.debug("oops", e.getCause());
return null;
}
}
使用此 SP 配置代码:
private static final String KEY_STORE_PASSWORD = "mypassw";
private static final String KEY_STORE_ENTRY_PASSWORD = "mypassw";
private static final String KEY_STORE_PATH = "/keystore.p12";
private static final String KEY_ENTRY_ID = "http://www.okta.com/exkz............42p6";
private static Credential credential = null;
@PostConstruct
public void init() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, ResolverException {
log.debug("doing init");
KeyStore keystore = readKeystoreFromFile(KEY_STORE_PATH, KEY_STORE_PASSWORD);
Map<String, String> passwordMap = new HashMap<String, String>();
passwordMap.put(KEY_ENTRY_ID, KEY_STORE_ENTRY_PASSWORD);
KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(keystore, passwordMap);
EntityIdCriterion criteria = new EntityIdCriterion(KEY_ENTRY_ID);
CriteriaSet criteriaSet = new CriteriaSet(criteria);
credential = resolver.resolveSingle(criteriaSet);
}
private static KeyStore readKeystoreFromFile(String pathToKeyStore, String keyStorePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
KeyStore keystore = KeyStore.getInstance("PKCS12");
InputStream inputStream = SpConfig.class.getResourceAsStream(pathToKeyStore);
keystore.load(inputStream, keyStorePassword.toCharArray());
inputStream.close();
return keystore;
}
public Credential getCredential() {
return credential;
}
我尝试了一些方法来故意破坏代码——错误的密钥库密码、丢失密钥库、错误键入的密钥条目别名,并且我确实收到了指向该问题的错误。但是当它看起来设置正确时,我得到的只是:
2018-04-18 08:40:07.502 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport : Parsing InputStream into DOM document
2018-04-18 08:40:07.503 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport : Unmarshalling DOM parsed from InputStream
2018-04-18 08:40:07.574 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Starting to unmarshall Apache XML-Security-based SignatureImpl element
2018-04-18 08:40:07.575 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Constructing Apache XMLSignature object
2018-04-18 08:40:07.578 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy : setElement("ds:Signature", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy : setElement("ds:SignedInfo", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy : setElement("ds:SignatureMethod", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.algorithms.SignatureAlgorithm : Create URI "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256"
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.algorithms.JCEMapper : Request for URI http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.a.i.SignatureBaseRSA : Created SignatureRSA using SHA256withRSA
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy : setElement("ds:KeyInfo", "")
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Adding canonicalization and signing algorithms, and HMAC output length to Signature
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Adding KeyInfo to Signature
2018-04-18 08:40:07.597 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport : InputStream succesfully unmarshalled
2018-04-18 08:40:07.618 DEBUG 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter : Failed to decrypt EncryptedData using EncryptedKeyResolver
2018-04-18 08:40:07.618 ERROR 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter : Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2018-04-18 08:40:07.619 ERROR 20655 --- [nio-8080-exec-1] o.o.saml.saml2.encryption.Decrypter : SAML Decrypter encountered an error decrypting element content
org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:550) ~[opensaml-xmlsec-api-3.3.0.jar:na]
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToList(Decrypter.java:452) ~[opensaml-xmlsec-api-3.3.0.jar:na]
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptData(Decrypter.java:412) ~[opensaml-xmlsec-api-3.3.0.jar:na]
at org.opensaml.saml.saml2.encryption.Decrypter.decryptData(Decrypter.java:176) [opensaml-saml-api-3.3.0.jar:na]
at org.opensaml.saml.saml2.encryption.Decrypter.decrypt(Decrypter.java:104) [opensaml-saml-api-3.3.0.jar:na]
我已经浏览了很多 github、源代码示例等等 --- 我想我已经得到了应该执行此操作的简洁代码。但显然缺少一些东西。与涉及 Spring 安全性的示例不同,我没有放置 IDP 或 SP 元数据的位置。它应该在某个地方吗?
我还看到了各种关于非法密钥大小的帖子 - 我没有这个例外,但如果某些 try-catch 或日志记录被更改或其他什么,我安装了无限强度的 JCE jar。
根据此示例,通过使用链接解析器使其正常工作 -
final List<EncryptedKeyResolver> list = new ArrayList<>();
list.add(new InlineEncryptedKeyResolver());
list.add(new EncryptedElementTypeEncryptedKeyResolver());
list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
LOGGER.debug("Built a list of encrypted key resolvers: [{}]", list);
final ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);
| 归档时间: |
|
| 查看次数: |
2980 次 |
| 最近记录: |