2012-02-23 393 views
10

Decrypting an encrypted SAML 2.0 assertion in Java using OpenSAML

I'm running into problems trying to decrypt an encrypted assertion with SAML 2.0. The library I am using is the OpenSAML Java library, version 2.5.2.

The encrypted assertion looks like this:

<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <enc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
    <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        </e:EncryptionMethod>
        <KeyInfo>
          <o:SecurityTokenReference
              xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <o:KeyIdentifier
                ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
              1H3mV/pJAlVZAst/Dt0rqbBd67g=
            </o:KeyIdentifier>
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue>
            ... ENCRYPTED KEY HERE ...
          </e:CipherValue>
        </e:CipherData>
      </e:EncryptedKey>
    </KeyInfo>
    <enc:CipherData>
      <enc:CipherValue>
        ... ENCRYPTED ASSERTIONS HERE ...
      </enc:CipherValue>
    </enc:CipherData>
  </enc:EncryptedData>
</EncryptedAssertion>

I also converted my private key, which is in PEM format, to PKCS8 format using the following OpenSSL command:

openssl pkcs8 -topk8 -nocrypt -inform PEM -in rsa_private_key.key -outform DER -out rsa_private_key.pk8 

I was then ready to try decrypting the encrypted assertion. This is my Java code:

// Imports used by the snippet below (the OpenSAML bootstrap, the parser pool
// and the exception handling are elided by the "..." markers).
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

...
// Load the XML file and parse it (parserPoolManager is an OpenSAML ParserPool
// created earlier; DefaultBootstrap.bootstrap() must already have run).
File xmlFile = new File("data\\token.xml");
InputStream inputStream = new FileInputStream(xmlFile);
Document document = parserPoolManager.parse(inputStream);
Element metadataRoot = document.getDocumentElement();

// Unmarshall the DOM into the OpenSAML object model.
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(metadataRoot);
EncryptedAssertion encryptedAssertion = (EncryptedAssertion) unmarshaller.unmarshall(metadataRoot);

// Load the PKCS#8 DER private key file. readFully() guarantees the whole file
// is read; a single read() call may return fewer bytes than the file length.
File privateKeyFile = new File("data\\rsa_private_key.pk8");
byte[] encodedPrivateKey = new byte[(int) privateKeyFile.length()];
DataInputStream inputStreamPrivateKey = new DataInputStream(new FileInputStream(privateKeyFile));
inputStreamPrivateKey.readFully(encodedPrivateKey);
inputStreamPrivateKey.close();

// Create the private key.
PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(encodedPrivateKey);
RSAPrivateKey privateKey = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(privateKeySpec);

// Create the decryption credential (private key only; the EncryptedKey is
// resolved inline, so no certificate lookup is needed).
BasicX509Credential decryptionCredential = new BasicX509Credential();
decryptionCredential.setPrivateKey(privateKey);

// Create a decrypter: no resolver for the EncryptedData KeyInfo, a static
// resolver that always yields our credential for the EncryptedKey, and an
// inline resolver that locates the EncryptedKey inside the EncryptedData KeyInfo.
Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(decryptionCredential), new InlineEncryptedKeyResolver());

// Decrypt the assertion.
Assertion decryptedAssertion;

try
{
    decryptedAssertion = decrypter.decrypt(encryptedAssertion);
}
...

Running this code always results in a failure to decrypt the assertion. I do get the following errors:

5473 [main] ERROR org.opensaml.xml.encryption.Decrypter - Error decrypting encrypted key 
org.apache.xml.security.encryption.XMLEncryptionException: Key is too long for unwrapping 
Original Exception was java.security.InvalidKeyException: Key is too long for unwrapping 
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(Unknown Source) 
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:681) 
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:612) 
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:762) 
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:513) 
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440) 
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401) 
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) 
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) 
    at DecrypterTool.main(DecrypterTool.java:121) 
java.security.InvalidKeyException: Key is too long for unwrapping 
    at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..) 
    at javax.crypto.Cipher.unwrap(DashoA13*..) 
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(Unknown Source) 
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:681) 
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:612) 
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:762) 
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:513) 
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440) 
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401) 
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) 
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) 
    at DecrypterTool.main(DecrypterTool.java:121) 
5477 [main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved 
5477 [main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver 
5478 [main] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content 
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData 
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524) 
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440) 
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401) 
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) 
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) 
    at DecrypterTool.main(DecrypterTool.java:121) 

I really don't know what I am doing wrong in this situation. I converted my private key to pkcs8, I loaded my SAML XML data and unmarshalled it into the valid type (EncryptedAssertion), and I created the decrypter based on my private key.

Could it have something to do with the RSA OAEP format? I am using the default Java cryptography libraries.

Thanks!

+0

I don't know your specific problem, but I had my head exploding while dealing with [tag:SAML]; I found it very easy using 'apache camel'. – Shahzeb 2012-02-23 22:46:04

+0

@Shahzeb I'd be happy to use something else, but my client uses SAML and I can't really change that. :( – thewalrusnp 2012-02-23 22:54:59
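Before touching policy files it is worth proving that the private key being loaded is the one the IdP wrapped the AES key to. The KeyIdentifier in the token has ValueType ThumbprintSHA1, which is the base64 SHA-1 digest of the DER-encoded recipient certificate, and an RSAES-OAEP ciphertext is always exactly as long as the RSA modulus in bytes, so a private key with a smaller modulus than the one the sender used can never unwrap it. The following is an added example written for this page, not code from the question or from OpenSAML; it assumes the SP certificate sits at data/sp_cert.pem (a hypothetical path) next to the token and PKCS#8 key the question already uses, and it needs Java 8 or later for java.util.Base64.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class DecryptionKeyCheck {
    static final String WSSE   = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String XMLENC = "http://www.w3.org/2001/04/xmlenc#";

    /** WS-Security ThumbprintSHA1: base64(SHA-1(DER-encoded certificate)). */
    static String thumbprintSha1(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    /** RSAES-OAEP output is exactly k bytes, k = octet length of the modulus. */
    static int modulusBytes(BigInteger modulus) {
        return (modulus.bitLength() + 7) / 8;
    }

    /** True when the EncryptedKey ciphertext has the length this key can unwrap. */
    static boolean cipherValueMatchesKey(RSAPrivateKey key, String cipherValueBase64) {
        byte[] wrapped = Base64.getMimeDecoder().decode(cipherValueBase64.trim());
        return wrapped.length == modulusBytes(key.getModulus());
    }

    static RSAPrivateKey loadPkcs8(String path) throws Exception {
        byte[] der = Files.readAllBytes(Paths.get(path));
        return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Text of the first {ns}local element under scope, or null if absent. */
    static String firstText(Element scope, String ns, String local) {
        Element e = (Element) scope.getElementsByTagNameNS(ns, local).item(0);
        return e == null ? null : e.getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        String tokenPath = args.length > 0 ? args[0] : "data/token.xml";
        String certPath  = args.length > 1 ? args[1] : "data/sp_cert.pem";        // assumed path
        String keyPath   = args.length > 2 ? args[2] : "data/rsa_private_key.pk8";

        // Namespace-aware parsing, with DOCTYPEs refused so a hostile token cannot
        // smuggle in an external entity while we are only looking at KeyInfo.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File(tokenPath));

        // The thumbprint and the wrapped key both live inside xenc:EncryptedKey.
        Element encKey = (Element) doc.getElementsByTagNameNS(XMLENC, "EncryptedKey").item(0);
        String keyId      = firstText(encKey, WSSE, "KeyIdentifier");
        String wrappedKey = firstText(encKey, XMLENC, "CipherValue");

        X509Certificate cert = loadCert(certPath);
        RSAPrivateKey key = loadPkcs8(keyPath);
        RSAPublicKey pub = (RSAPublicKey) cert.getPublicKey();

        System.out.println("thumbprint in token   : " + keyId);
        System.out.println("thumbprint of cert    : " + thumbprintSha1(cert));
        System.out.println("thumbprints match     : " + thumbprintSha1(cert).equals(keyId));
        System.out.println("cert/key moduli equal : " + pub.getModulus().equals(key.getModulus()));
        System.out.println("modulus bytes         : " + modulusBytes(key.getModulus()));
        System.out.println("wrapped key bytes     : " + Base64.getMimeDecoder().decode(wrappedKey).length);
        System.out.println("ciphertext fits key   : " + cipherValueMatchesKey(key, wrappedKey));
    }
}
```

If the thumbprints differ, the IdP encrypted to a different certificate than the one this key belongs to and no policy change will help; if they match but the wrapped key is longer than the modulus, the .pk8 file is not the key for that certificate.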

Answers

17

For those of you who run into this problem: it was related to the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files not being installed, which would not let me use encryption stronger than AES-128. After replacing the policy files with the JCE policy files, I was able to successfully decrypt my encrypted assertion.

+1

Care to share how you arrived at this finding? – Zoomzoom 2015-03-18 03:28:26

2

Agreed with @thwalrusnp. Just wanted to add the exact location the policy jars can be downloaded from.

Found it in this answer: Error while decrypting assertion sent from IDP

This happens because of the default cryptographic strength limit that the Java Runtime Environment ships with.

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (for Java 7) (for Java 8).

  2. Extract the ZIP archive; it contains local_policy.jar and US_export_policy.jar.

  3. Replace these files in $JAVA_HOME/jre{version_number}/lib/security/ of your JRE version with the downloaded ones.

  4. Restart the JRE process, if any is running. Now you can use longer keys.

+0

In addition to this, it looks like the unlimited strength policy files ship by default with Java 9. – 2018-01-25 13:42:03
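Both answers above lift the AES-128 limit by swapping the policy jars. The check below, an added example that is not part of either answer or of OpenSAML, reports what the running JVM actually permits before any SAML code is involved: Cipher.getMaxAllowedKeyLength("AES") returns 128 under the limited policy and Integer.MAX_VALUE under the unlimited one, and initialising an AES/CBC cipher with a 32-byte key (the aes256-cbc the token declares) throws InvalidKeyException while the limit is in force. On Java 8u151 and later the limit is controlled by the Security property crypto.policy (default "unlimited" from 8u161 onward, which is why the last comment sees it on Java 9); it is read once when the JCE framework initialises, so it must be set before the first javax.crypto call, and on older runtimes it is ignored and only the jar replacement works. The all-zero key and IV are constructed test input, not real key material.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {

    /** Largest AES key size in bits the jurisdiction policy allows:
     *  128 with the limited policy, Integer.MAX_VALUE with the unlimited one. */
    static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Direct test of what the token needs: initialise the aes256-cbc data
     *  cipher with a 32-byte key. Only the key length matters for the policy
     *  check, so an all-zero key and IV are sufficient (constructed input). */
    static boolean canInitAes256Cbc() throws Exception {
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            aes.init(Cipher.DECRYPT_MODE,
                     new SecretKeySpec(new byte[32], "AES"),
                     new IvParameterSpec(new byte[16]));
            return true;
        } catch (InvalidKeyException limited) {
            return false;   // limited policy: AES keys above 128 bits are refused
        }
    }

    public static void main(String[] args) throws Exception {
        // Must precede the first javax.crypto call in this process; honoured on
        // 8u151+ and Java 9+, silently ignored by older runtimes.
        if (args.length > 0 && args[0].equals("--unlimited")) {
            Security.setProperty("crypto.policy", "unlimited");
        }
        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("crypto.policy       = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key bits    = " + maxAesKeyBits());
        System.out.println("AES-256-CBC init OK = " + canInitAes256Cbc());
    }
}
```

Run it with the same java binary that runs the OpenSAML code (an application server often bundles its own JRE). If it prints 128 and false, the Decrypter cannot succeed whatever key material it is given; if it prints Integer.MAX_VALUE and true, the policy is not the problem and the key material needs checking instead.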