Failed to decrypt EncryptedData (SAML2)
Posted: 2021-12-10 23:03:21
Question:
Since I upgraded the Spring Boot version from 2.2.5.RELEASE to 2.5.x I have been having an ADFS authentication problem.
In the new version I get the following error message: Failed to decrypt EncryptedData
Dependency:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-saml2-service-provider</artifactId>
</dependency>
Configuration (2.2.5.RELEASE)
spring:
  security:
    allowed-groups: "xxx,yyy"
    saml2:
      relyingparty:
        registration:
          ospa:
            signing:
              credentials:
                - private-key-location: file:/applications/tls/file.key
                  certificate-location: file:/applications/tls/file.cer
            identityprovider:
              entity-id: http://ospa.corp.com/adfs/services/trust
              sso-url: https://ospa.corp.com/adfs/ls
              verification:
                credentials:
                  - certificate-location: file:/applications/tls/adfs-certificate.crt
Configuration (2.5.x)
spring:
  security:
    allowed-groups: "xxx,yyy"
    saml2:
      relyingparty:
        registration:
          ospa:
            signing.credentials:
              - private-key-location: file:/applications/tls/file.key
                certificate-location: file:/applications/tls/file.cer
            identityprovider:
              entity-id: http://ospa.corp.com/adfs/services/trust
              verification.credentials:
                - certificate-location: file:/applications/tls/adfs-certificate.crt
              singlesignon.url: https://ospa.corp.com/adfs/ls
              singlesignon.sign-request: true
Request (2.2.5.RELEASE)
SAML Request:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://intranet.corp.com/login/saml2/sso/ospa"
Destination="https://ospa.corp.com/adfs/ls"
ForceAuthn="false"
ID="XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
IsPassive="false"
IssueInstant="2021-10-25T11:40:01.954Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://intranet.corp.com/saml2/service-provider-metadata/ospa
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#ARQeg3e48e-6b33-236d-b000-b5000000d000d">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>xxxejYgwFdH+jEjBnAZpDgrOh5epA0puLYmthxhYxa=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
gZfewwevtIxxxxxwefvQ6xxx3/wJePlwPqIPOdCfI0sefffJ2Krqjwkuzkzukzuefw/YbaptteFT
TbpX+Lhtrhrthrthhjmbbttt7hVxvNzukzukxxxxuzuOfKitXG4qewZspJj74ucqOOzukzukzuJy
lAttYztjztjztxxxxliztbrthrthhhMwFjWgmp7jxJAl3z+Ub2cANjw77rLATvRnh+oh6DaujF0w
mqT+Pxrthxxx834jh1238387f1238fh37437f12f7812fh8offeeddT2PJgoePuVk+Dw3r/Bz2rs
BrtfqijP9bs1kfKOtRXLdKfofof/xb2AgKtrxw==
</ds:SignatureValue>
</ds:Signature>
</saml2p:AuthnRequest>
RelayState: /
Request (2.5.x)
SAML Request:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://intranet.corp.com/login/saml2/sso/ospa"
Destination="https://ospa.corp.com/adfs/ls"
ID="XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
IssueInstant="2021-10-22T11:21:47.075Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://intranet.corp.com/saml2/service-provider-metadata/ospa</saml2:Issuer>
</saml2p:AuthnRequest>
SigAlg: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Signature: G2/xxxxblQC0Rn111dFh1uNOnfbwW+3z1SHvyTLxq4cDzJVvQAw65vDwUogyjydZgb11kV00xL1YQseiw0OLudUBMfik7csxxxxqOZBQbPG6JuYYFtAQtcy1fef/JElQhZwefefzP/qncarthrtahtjP7n10GCsTpb4eJ10000o1bAFt1oHKcSxxxxH/1zFUIQOIJlaTSe0uhSgEp0e6aNpw2JviF0tyfEBzoB4rGk0iH8vG1zWKtVHKK6Hepd2fbjztjtzjjztjjjjK7u10kikDMmJv2kLsdSTvU50X+w5gYDBSWOntyXXP0E1lNI1f2JnXSr00pLwYvyzSpmxxxx==
Response (2.2.5.RELEASE)
SAML Response:
<samlp:Response ID="_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
Version="2.0"
IssueInstant="2021-10-21T12:28:24.104Z"
Destination="https://intranet.corp.com/login/saml2/sso/ospa"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="ARQxxxb0fd-xxxx-xxxx-xxxx-9da0cxxx0a37"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ospa.intranet.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_dea92497-1dcb-4ecf-a856-42c90ad39541"
IssueInstant="2021-10-21T12:28:24.104Z"
Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://ospa.intranet.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_dea9xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>xxxxHGxxx/LbGx+QddCxxxxGbfYxxxxhn0v0Ldrxxxx=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxJimmzRM+xyQNddwOSeJdddvda851gTVgnheMDxA52ZbYWcVO2DYqdQo7Px40p/K3xmsi03GiibeqZXsI0vHUBZdde0CZEddsB0SjW00bNsqhPD0zYEt0r0g1Zq5PFA6IaZdd+ddUi+lVq3sGZqCmiMjiVIHmr7dhOR4FvIGP8X/tggXDDO/JxA1b000MYbWr5XPddR0y00JrBE5FjN/IfJcAvA1uvpF0iirPUriShqqQAhvXgCo0JIxAODDIyCgNCHdY22tOktQtSgqZAgYHy0inz0kOWqFsXDsKEOm0r0Owz0/0RfwBgr/wR00t0FePaI0L0YnfAI00hcxxxx==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">GROUP\Account</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="ARQ12bc7bv-xxxx-xxxx-xxxx-0ra0c00000a01"
NotOnOrAfter="2021-10-21T12:33:24.104Z"
Recipient="https://intranet.corp.com/login/saml2/sso/ospa" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2021-10-21T12:28:24.104Z"
NotOnOrAfter="2021-10-21T13:28:24.104Z">
<AudienceRestriction>
<Audience>https://intranet.corp.com/saml2/service-provider-metadata/ospa</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://corp.com/ad/memberOf">
<AttributeValue>CN=xxx,OU=xxx,OU=xxx,DC=CENTER,DC=CORP</AttributeValue>
<AttributeValue>CN=xxx-users,OU=xxx,OU=xxx,DC=CENTER,DC=CORP</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2021-10-21T12:28:24.042Z"
SessionIndex="_dea92497-xxxx-xxxx-xxxx-42c90ad3xxxx">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
RelayState: /
Response (2.5.x)
SAML Response:
<samlp:Response ID="_853bf633-xxxx-xxxx-xxxx-xxxx9962c9ba"
Version="2.0"
IssueInstant="2021-10-21T14:31:45.743Z"
Destination="https://intranet.corp.com/login/saml2/sso/ospa"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="ARQ0b0f598-xxxf-xxxx-xxxx-xxxxf3b9b1xx"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ospa.intranet.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=CORP CERT, OU=KIR, O=CORP, DC=CORP, C=COM</ds:X509IssuerName>
<ds:X509SerialNumber>1000104020028032808734893034101106804152633690</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>xxxxvgWtSD0rPTkT+XzClVWRLGlRgWNbumeoXJqHsYWluXe1qqDmzRjn3WX2xxxxxXs6E7AhbC5hUMFuCZ2FUM9QR9h6jSpHDZRaYOnomAvReog58EclxxxxMox+Wvfxi/Tg9mm/Xnfvvh4nxxxxDki+lXSSJhQ2hMHphUhKhd4ZiV/XCQyhUdOXzJ3QOJDD94HI2OkquW+7GHrGH0prCHFYfMQxxxOTYYBDSez8VxxxxmR6li/PWBVxvuAKZgRO0JaMjnmwHBCxxxxZcOBsRPmVzjMk5Z6HaF2xB8DNwW7lpPcAQAIYQ0SUR8uIGk4angoi00ppIBzqn1WJMuExxxx==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>qyw+ccS8PD4xxxxZPMTrFabX6OFrdxxxxKds4PgIngwduLKf+82L4k3NNlhvwTMHccxRxxxxr69cFXg6E2OSK2pWXhTMwcNdydoA1cFxxxxsoDEmoKUy3ZhZnOgkSUzePtBikxxxx0V8PTl9iakjJxxxxbXlr0m2MXMTZPDNzcK4KxxxxDuvLUBWmo4p2XE2e85wunBWYgHW4YSDnUuy0MP3+z6PxxxxM5vEEkADxD5IDQxjVDxxxxr0hgjpchLAysHr+yL4N4VSFCtxd1CQbJpu18rxTZPZsY0qaGUQwm8cSq/3+3LCQctKTqyxFvZCdC6Ni8S6Ldh1wHdu6sX0C2F7kmxrjcWPi2h8g8t6XYj9SnqeAfMZcZ/r//whbrBQzGR76x2OolZr15JQw53yYCd...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
</samlp:Response>
Am I missing something? I don't understand why the request and the response changed; the settings are almost the same. Do I still need some explicit configuration?
Answer 1:
Are you sure you didn't change the ADFS configuration? In your first response from ADFS the assertion is not encrypted, but in the second one it is. That should not change because of an update on the SP side in Spring.
Check the ADFS side and see whether someone enabled encrypted assertions.
It may be that ADFS uses different keys for signing and encryption. If you have not configured the encryption credentials from ADFS in Spring, you will get this error.
Comments:
- Nothing changed on the ADFS side. With 2.2.5.RELEASE it works, with 2.5.x it does not, on the same server. I think the new version has some default setting for encryption or something.
- If you use the old version again now, can you look at the SAML response and confirm that the assertion is not encrypted when you use that version?
- You are right! It changed right when I upgraded the version. However, the old version now also works with encryption without any changes (so now I can see the EncryptedAssertion tag in the response), but the new version does not.
- Here is the error:
  xmlsec.encryption.support.Decrypter|Failed to decrypt EncryptedKey, valid decryption key could not be resolved
  xmlsec.encryption.support.Decrypter|Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
  aml.saml.saml2.encryption.Decrypter|SAML Decrypter encountered an error decrypting element content
  org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
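An added note with a worked configuration; it is not part of the original question or answer. The OpenSAML message in the last comment, "valid decryption key could not be resolved", means the SP had no private key matching the certificate named by the `<ds:X509IssuerSerial>` inside the `<e:EncryptedKey>` of the 2.5.x response. As far as I recall from the two auto-configurations (verify against your Spring Boot version's Saml2RelyingPartyRegistrationConfiguration), Spring Boot 2.2 registered each `signing.credentials` key pair for decryption as well, while Spring Boot 2.4 and later register it for signing only and read decryption keys from a separate `decryption.credentials` list. That would explain why 2.2.5.RELEASE kept working once ADFS started encrypting assertions while 2.5.x did not. Below is the question's 2.5.x configuration with that list added, assuming the relying-party trust in ADFS encrypts to the same certificate the SP signs with (file.cer); the file paths and the `ospa` registration id are the ones from the question.

```yaml
spring:
  security:
    allowed-groups: "xxx,yyy"
    saml2:
      relyingparty:
        registration:
          ospa:
            signing:
              credentials:
                - private-key-location: file:/applications/tls/file.key
                  certificate-location: file:/applications/tls/file.cer
            # Added: the key pair ADFS encrypts the assertion to. Assumption:
            # the relying-party trust's Encryption tab holds file.cer, so the
            # same key pair serves both purposes. If ADFS was given a separate
            # encryption certificate, point these two entries at that key pair.
            decryption:
              credentials:
                - private-key-location: file:/applications/tls/file.key
                  certificate-location: file:/applications/tls/file.cer
            identityprovider:
              entity-id: http://ospa.corp.com/adfs/services/trust
              singlesignon:
                url: https://ospa.corp.com/adfs/ls
                sign-request: true
              # ADFS signing certificate, used to verify the Response/Assertion
              # signature; unchanged from the question.
              verification:
                credentials:
                  - certificate-location: file:/applications/tls/adfs-certificate.crt
```

Check the assumption before relying on it: the `<ds:X509IssuerName>` and the decimal `<ds:X509SerialNumber>` inside `<e:EncryptedKey>` identify the certificate whose public key wrapped the AES-256-CBC key. `openssl x509 -in /applications/tls/file.cer -noout -issuer -serial` prints the issuer and the serial (in hex) of the SP certificate; if they do not match the values in the response, ADFS was given a different encryption certificate on the relying-party trust, and `decryption.credentials` must point at that key pair instead. Nothing else in the answer changes: the response is still signed by ADFS and verified against adfs-certificate.crt.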