我在okta上设置了一个开发者帐户,我正在尝试从我在那里设置的测试应用程序解密加密的断言。所以我的本地java Spring应用程序有一个控制器正在接收SAML断言的HTTP POST - 我已经验证了它没有加密。现在打开加密,我试图用这种方法解密它:
private Assertion decrypt(EncryptedAssertion encryptedAssertion) {//throws DecryptionException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableEntryException {
StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(spConfig.getCredential());
Decrypter decrypter = new Decrypter(null, keyInfoCredentialResolver, new InlineEncryptedKeyResolver());
decrypter.setRootInNewDocument(true);
try {
return decrypter.decrypt(encryptedAssertion);
} catch (Exception e) {
log.debug("oops", e.getCause());
return null;
}
}
使用此SP配置代码:
private static final String KEY_STORE_PASSWORD = "mypassw";
private static final String KEY_STORE_ENTRY_PASSWORD = "mypassw";
private static final String KEY_STORE_PATH = "/keystore.p12";
private static final String KEY_ENTRY_ID = "http://www.okta.com/exkz............42p6";
private static Credential credential = null;
@PostConstruct
public void init() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, ResolverException {
log.debug("doing init");
KeyStore keystore = readKeystoreFromFile(KEY_STORE_PATH, KEY_STORE_PASSWORD);
Map<String, String> passwordMap = new HashMap<String, String>();
passwordMap.put(KEY_ENTRY_ID, KEY_STORE_ENTRY_PASSWORD);
KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(keystore, passwordMap);
EntityIdCriterion criteria = new EntityIdCriterion(KEY_ENTRY_ID);
CriteriaSet criteriaSet = new CriteriaSet(criteria);
credential = resolver.resolveSingle(criteriaSet);
}
private static KeyStore readKeystoreFromFile(String pathToKeyStore, String keyStorePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
KeyStore keystore = KeyStore.getInstance("PKCS12");
InputStream inputStream = SpConfig.class.getResourceAsStream(pathToKeyStore);
keystore.load(inputStream, keyStorePassword.toCharArray());
inputStream.close();
return keystore;
}
public Credential getCredential() {
return credential;
}
我已经尝试了一些故意破坏代码的东西 - 糟糕的密钥库pw,缺少密钥库,错误键入的密钥条别名,我确实得到了指向它的错误。但是当它看起来设置正确时,我得到的只是:
2018-04-18 08:40:07.502 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport : Parsing InputStream into DOM document
2018-04-18 08:40:07.503 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport : Unmarshalling DOM parsed from InputStream
2018-04-18 08:40:07.574 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Starting to unmarshall Apache XML-Security-based SignatureImpl element
2018-04-18 08:40:07.575 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Constructing Apache XMLSignature object
2018-04-18 08:40:07.578 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy : setElement("ds:Signature", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy : setElement("ds:SignedInfo", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy : setElement("ds:SignatureMethod", "")
2018-04-18 08:40:07.580 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.algorithms.SignatureAlgorithm : Create URI "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256"
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.algorithms.JCEMapper : Request for URI http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2018-04-18 08:40:07.581 DEBUG 20655 --- [nio-8080-exec-1] o.a.x.s.a.i.SignatureBaseRSA : Created SignatureRSA using SHA256withRSA
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.a.xml.security.utils.ElementProxy : setElement("ds:KeyInfo", "")
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Adding canonicalization and signing algorithms, and HMAC output length to Signature
2018-04-18 08:40:07.585 DEBUG 20655 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Adding KeyInfo to Signature
2018-04-18 08:40:07.597 DEBUG 20655 --- [nio-8080-exec-1] o.o.core.xml.util.XMLObjectSupport : InputStream succesfully unmarshalled
2018-04-18 08:40:07.618 DEBUG 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter : Failed to decrypt EncryptedData using EncryptedKeyResolver
2018-04-18 08:40:07.618 ERROR 20655 --- [nio-8080-exec-1] o.o.xmlsec.encryption.support.Decrypter : Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2018-04-18 08:40:07.619 ERROR 20655 --- [nio-8080-exec-1] o.o.saml.saml2.encryption.Decrypter : SAML Decrypter encountered an error decrypting element content
org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:550) ~[opensaml-xmlsec-api-3.3.0.jar:na]
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToList(Decrypter.java:452) ~[opensaml-xmlsec-api-3.3.0.jar:na]
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptData(Decrypter.java:412) ~[opensaml-xmlsec-api-3.3.0.jar:na]
at org.opensaml.saml.saml2.encryption.Decrypter.decryptData(Decrypter.java:176) [opensaml-saml-api-3.3.0.jar:na]
at org.opensaml.saml.saml2.encryption.Decrypter.decrypt(Decrypter.java:104) [opensaml-saml-api-3.3.0.jar:na]
我已经过了很多github,源代码示例等等 - 我想我已经有了应该这样做的简洁代码。但显然缺少一些东西。与涉及Spring安全性的示例不同,我没有IDP或SP元数据的位置。它应该在某个地方吗?
我也看过各种关于非法密钥大小的帖子 - 我没有那个例外,但是如果一些尝试捕获或日志改变了什么,我安装了无限强度的JCE罐子。
按照此示例使用链接解析器进行操作 -
final List<EncryptedKeyResolver> list = new ArrayList<>();
list.add(new InlineEncryptedKeyResolver());
list.add(new EncryptedElementTypeEncryptedKeyResolver());
list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
LOGGER.debug("Built a list of encrypted key resolvers: [{}]", list);
final ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);