Spring saml:密钥太长,无法展开:invalidkeyexception
Posted
技术标签:
【中文标题】Spring saml:密钥太长,无法展开:invalidkeyexception【英文标题】:Spring saml: Key is too long for unwrapping: invalidkeyexception 【发布时间】:2014-12-01 22:55:00 【问题描述】:我的机器上只安装了一个 JDK,并且代码指向同一个 JDK。我在两个文件夹(C:\Program Files\Java\jdk1.6.0_25\jre\lib\security 和 C:\Program Files\Java\jre6\lib\security)中都安装了无限强度加密库。
即使在添加了上述无限强度库后,我仍然会遇到同样的异常。这是其他票的延续link
例外:
Caused by: java.security.InvalidKeyException: Key is too long for unwrapping
at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..)
at javax.crypto.Cipher.unwrap(DashoA13*..)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
... 46 more
41 [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
42 [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
42 [http-8080-1] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
SAML 加密断言
<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_b789fe1577b7a52846f0de3a53504b54" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Id="_a55df022fc577a2523dea6dde1bb2d78" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE= </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>CPKpuy59EbLdJxoWtOEXlVG7nJkn2B4wk7seQ0VVK4+DbMZWqW9F+GLPtqQPMbVS99nPON9YCiNbpLpUlqE8JvZOQ2tyf5H5d7+kAF/QqaTPJjYC9SzI6dbLkB6O+EJZY6981iUkJtuUvs+B0649BwnKf9ByNoHePEKZeN6Ws9YNB15xrc5aTGqLVzW/bUTgOGPpZDPyeHYoqWRhDg6/2uYfvglMnN5t/mlGzLxsGJbF8WMdfIf2tYbGoDUfs5SgXtsvZPEm81WEenPJz/iE4PR0ih//in/h9+RmpfEfLw3A==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>5MRv+ee2XjfYNJeLOiuBi+quq9Vz7fE60JRzvXODQ9w4Y/czcWM/vYVoyX8/+n/27UIw4IyP0+en7H8ylOpJwNJC62Ur4GM3pAWde6Q9t4ZrjCu0yN3oX9v+0TVCJ8NKBGoyoIIbW5WljQob2NArvJc6z53gKzNYwYdYwMz7pcdJ0d0qpb11cphpNzWOONmmV6OZxnUOrGVceY+KvIOqHWmkvhPLW0d5J2C2nua/EWIq7+MWCAIHBnCGacTF+gaz6zO10lSHpFIm6dXfhIivSf9ZYye+I3dDOIMDeFN2UtXCRpG1OjGc4QqZ3HiDQ1ownjNE6L6HRQYgyarLc4Jrb3ftXzPl6Q47/T4QYgeM+tuk7nTJV5sCDji4WzZ7fG5syAXOCI49GdAhlTpanqBE3pzl8eRaLQEfrgMtQngvJDk03DcgGYjtdsflZZpHVqo++uHmOjjB/vC7hBwpOZEARA8m0o+EmHVU2QRUjWEFMmu1flKr+tl1+AMcnAR8prNGjEYttwBJ06G/1Ad25xqE8N0NMFabJGgOn/MP3T0+ZvzuzFXR+m3peKvlwdlsRTBBQeUpmEFcBN6Ls1UlP576VN1XYWPYblZ3qjqO2Qkfrxx79TaN69X8gkcJ/WJ3Wzj3UTToSgd7oXF2kOMdKwg66aijs5ToqZQOJCCazS9YyZrIV8/TvVQSd5S01H660BsZMvJvKUM0GNWqD7QHjDrU0GLAYKQDE+QouMJkf1E1STXq8rkgD9A8o9bNaWZoM2TQnJ7AmOXw1Nms9+Old3HRhnXurC2+MgiRFy70iA50F/OtiWE08aQYGiHeGDyVEXGvrroVWmPYBKvEjycVGkVADe0ICVD41wZEw7F/FmaBkx/wHKYXu9DoN3SFdMSo7fouFBZMCqMNY2Sodo70ALad/uC72AVx20urKXIoXpPlzzXYtWYm9nG7pLHWnrPMxbDZPcJPLGBzOeqmqcbPU/MQ765soVHQ6TR3sZe5Go5Smaauump4PAP1bLeewh1RKKDN5jKjD01R9Wzl34ithvgToi5pUpSNBTsbFpdN4fsg1c78yxXC3qr051/VngWK4SdxqDjdvAMWMSNvIOOsKBYqHN0sabQD/zD0XclH2MarDe3udBULr+eCrU5qkGXClg+e7fvpAYV6yUXCnrn5Uq1WrpUMWffyzWwJnlgiWtIlCy8wV/YDXFQ0QR3hET02H4JiHRKABrHTx9/MTQJPqHdv7eNxmTQj8bEjZcTygMxec5RQLr06/ontMtktgZCjQopBs5Sg10N0Rc0foMxo42X2ceCdkxHGMTndMEEBsJEfTLSLX86InW2S+omXZkiUrmdQsgUzF04waiuYyYPufkgaFdH1n7lTGjpH6nZsbKYILQJemEdfSFqHoCIZqtVrLdiTP+b1doZjKGZ/Dha7syL3ctvrj1ingjpjYYXEfEQIod6+fr7DP/fN5GF/qYWoYDXW+tBDMatcEBy7v52f8vcKrnl6j3qqD9MoejOarS/LABdqVq7r0X8R3ApbDrK/UQFijAEgZi467CMk4pLjpsVTljehGEcyo55cRpyz6G7Nak1c35pNK4vFtC3QeIgjWs4JwCRWo8QFIBUqe5yiNlRhnh7uZ9fx9UNSeJ4zle0Ixtby/Az2TUJoBsbIN+Gj9eeQIhAIR7st6fLboRptE6zX/ZDWzii2z99rWLts5F0aatQsbToD7QQgDGKJIybt5bAKQh8cWQ2DaCDPKhxHCYlHn4p5xPHjU0MaXhpwcbWZlPJJed2ZrFY0klUoYSdse3vw0BmFv0xm3Z4IfGQ3M5ZbKpUEbGKugqgD9PSviQdRtj9tIQVylA+MVOimxnTcmr2j5k8RfEA1hN7I5oo5M/kmXttebED36mzpHaW7opGY7fgjLMdR3aebMX5eBI2TmtvAYbFM3ZLjHgFEtikl8ETzRwWZQAq/1wpYHyIJSf1KAZXnauo72allx+QhoYOSZ1W1dt2Y9ldr5DC9o+8BPrxWMUOtP1EE4J0d3lZ6Dxj0a1ae8NNpSOy1ARu78GE2uU0RKmUYo45VsxEJN91gNe53zVrlpjNPx2vlGDJi5YtFk3I/wXNHpz/rxml9mMjcy7gEC+KLX36LO0BuL1+lM1S2nWCEl1XYUQHKGX5pnBuFr5F9thZRmXFKcQbdA1o5tX1Pn6R4ffI27uxQSS5VHCcLl02EMDpafReouXDK6lk8k0GlUJHJPEqku0x3v1ijIuQpWb2tZ/LFgTD36WRhjK+Q1kxs0JyrpHSX+SRwEVbMZ6EDur6ijQBimvTMHkZo1jzfyfPqBJW41R5QomWxk5RPyfnY5Ew4+qgVRIb4bx+Oe9T9Z9DmlqEoBn/jb9GNDY3RnLxKpHD9k/0XEV71kzXye8LumiBFKsH7PIBBeNmt3QmvBPkTIf52s7giivaE77jw/I/lVdvay8BewHYALZnxtda+VcoVKVML+NAosdhLSFjbQY8I6vFK8YzcYRRw+fejPBOoSgE2OXnGQyD8VfHTSPUVKLqG91Ekn77D1rG5TUfHGY2RKAEqsxHeFIt4akXf1nSmItaRcMLGZbTN+PMVA7IlHCekgAoRhlCcemgFEQEc5zP5+mWuunLQM9qbw3U5aHiyuigdUqpZqYe/9Se6MIN1VHcR2Wrayz8Ut1j4sZKVYTgNpvfYaU63+HXYqSzKDLiBKm0dCmDTUwrUY3IGhX27jDUZj9BaNV3vCNZqXawDZky7ZAugRM5Be6lSOBaCDf2cgJPcL1E30FoCqER8Oi22ScXSFurzWf3rwC5V9nC++B163qQTZqKb5eurGYxPuo6CFps481DdxNfhpYAkHC4akoXpnJevuIXNF95EiZBIzzQ4KGZTgdVH97UrBNA9gmcJBu8jGSXl5bFRYPqIx9bpC8bHtMrU586TTl8sQbP95X76ZKcKb9YRaKsr3MMkxD4L45KJ+vqsYnLYBOUMj2dbp8c//rsSHP2WfWC+s/K58hLab7TqH/LE8vaJeg3PC8CMPbv1r2onUlWfG8fs7a5FRX67I5vbXrKn2ZYjGFrLLx8wWPhs1mQPqDzHn+CnOYqApW0ZhSFyAi7yEkyt+7AKS+0L0W2mYiEqq+iLuw6Vp3JuQ23Gx+jCbtBUq+VY7z7uGIrl+hmfYPRBj2HcTud0kfScOT6I4rmHxBvoCc5vHm+5cOzgzR6fpbN+PZzT3G2D35dSzAeDlrLaxSXiTDUAivR7i6ufxv7ma+IitCVxImbqSW0zI/RJrA6VcvOWG9CNq2jV65/mc4qmGcreihUeqHgpa9wcVrsGndA0C5EIS7F5LxOjZyrOCmyXG8MukF1KavD+y4RUKu8HMbPP1DO/10ZRmXARJKTdfG3npjnpy4QZc72tsfoY1XBZkceclVuNpQJrWfX3WPg5x9iEUSoRVg+hgGuQ2UQYeOVOvXgyMysz34du6HdDCl9n4gL3h57fkakZ1lIIVvrl6ZVGkfZEjp8vy2RY6cSNOIPUasDPoMuzsLG5yuw6yAPd7Xs3X15ezpncAk3fMphTFZ0WeL7sW66QVjvSMZa94DoeiqLjzFbr9upglWVOv8DA2hfkbpaLGVF8foAcLtvDsWFjpy5FoJrvZYEHOSLcY4KLU0YC7UFP/DkyxM9aBSa8A3NgONUvEm2jP02YhsCv1V1o/WJvQyJ9KZQUO+BrEA6h4MHZ+kWed8RoJ7NNIwIXQIYKtXC3c2UjpKBpWkRKhSukxOYfRvNonhV/LPT8xQuzBuoiybLCy5vfX/d8U24/it8vPZmnyoITWs5ask+K1ahOgChe2WFs0xuPmEXIAuu3FOsfEsFO8rqPe2pfUMCzU3ysN8lbznPWbN97RUOr8zXs4bmNbUB1nHiA0toP9VO/4h+XrZOF48c5mSYJ7+dATrHVOn3kOgD4cE7Z9qkJ86NzT5gLrpdjSTrHcJuOTwO/o7n9VLtohHMndAxlHuRHtF5g+pOXV2sMczfnPEpJydl1ehGWBoXXsccpeva6vRMiJH/vjECaY6Dou4UvF7yP7zc8X1k+F78LDfHkSnx6BBbdYmA47VhKDget+6xq3wcrWipnzZ5zQgbPD4FLU6ZWPotuQGIUE03SQ8LYmzvqXLPV48HGQKzjL3uJ6cpfYkw51VF4tQ9jDetTuYiwgQt8Qd3xycL8WmylgDR8fld9UQehfUZYx8hyVLLykBrsu0Z/c6il5QIqVORNk98bJiAvNGnQm8eL1yOBPtwa3mCHbiJ01HuhhSbc+pcWhSgJ1REwbWqerUGFuv4x/V4dJOLldXdCzFKjDIQO2Cc57le5WFjljeh8zPV40RIR4Y0JKPtTW70n3DRVH0JcxEk6cpjy/oF+oE1DaZYUODbwpXmQX4h80RkNrVumixEdaEerRrQ9Go80lNU/kXQ8oV86w86Xu0Ov9lLLuSwVVoB5nS3Py4cCGHfUTtLcZL/uNt9VGEIoM3UVOF7rdMZEbHpXh7HlQ2LFztZ1Z15xNQjIV/adpquS6HSduCXVo8VlRQIa3lXDB2w7/+tkCyBHrwFn2ZTLzxFLv9jTwJjg9sXWxs6zLg52zU9cYiRvPE/yCawOeE6wbihRPgjw7cnbmtZ/R95i13DRcxxWLWgpw4Y0xqNlHP830p/w/GivsPJ5QQ8nULbfKRjTBu8i6wFRuy/pfpZ3wkCUOk5iFtHqBZV/AaRZXIpw0MYbvmtbZwcIet6TOE/7xFnycwhh06sxMtpvAaEKghamCdLsiPnXnSJGGqAW1qd6u54TTrIdQdVzQ6TRLIfTOVcEe051971V41xZQQg8ROMhZCOn3di/FDHeYcTExzEAi04pQ9BmE6wGQHUkExDpxp4gveQLRKMTW3CQdE7kwFB6qAU2XOy+2n4CkHj8K8zVtnMWUHRuXYNGR9whN8lEyQgEAY0evcD0xlSjeEA7KcexkDWyYtWWRbYsPEQHmOj97926scdd+6HP3voPJeS6XAwnPbhNO9N3L77kLPmwo05W2dyfg9zdL1INblETfksDuCQ/P2RWU1BaLH9h18oi23g8n05K4XPdycle2UQcYf156AKBVVkhG++4TTD/xWqoHzffb8XtARGC7cdZphiSE58d/UfkrAqek7+Sd6Dqgu2JXlxR159xlULb92KLnKHMIPGJG9mYIzlk/H4BRSj/hAoIxPDMXfcM8r96iC/AKKaQmGx+FZ4HDj9O0xiBNlOBIorPrGhL+6WwSZW4LCQ3GOvxYOwYPd4gecThadR5+h7EF99O75X+HHyTLdzUveHOe5F9vKW9TYFRMtwA4lj7WTKFpEJf7FOeV3zG+U4juingOHxqK1RgqGDMnHaHLgKzm17iauw2deA1GL/bLiB5PR1BzPMJtgoOdBYHhv0fBioxrskwF6r6E+9rQ1jC35YIKNfPUehM6IVgobSqMFC47Q9+0j7NXlt6XYQ9Ys9gWr9g9G23WLzCKO97mTGmGXP2IOtfTfQx9NYGuYj1vtlcC+PY3KF9WVhxq1mtdx2e60obnzF5jqMx1GnZFyTM79AbJwpGCfMBbOkWopr3YynLdTBpm72kmg6biXWbb5KFckSSGKWqkHWn4LgwCoWjXr8TwcoMhLNpNlirXWZYyxFwR/n0MvT7Du44Rak+eNw+f7uATRInHoOp9gMukfzYoiMPcEeadlq+3cEYg/EGmiIbASEx/A3guJPI1Zh9mlXeDXr1W5UqyIAsMjwGoktd5LKJK56RNFCZeyOLurvd5/lHofxsM+7sxhkgBjng6+221BxsXDsjNe7b7xymRqGZmxnIBYl2DqDJx+gA+y51kfJvoz6z22hcfPEL6V7LOPu3V0JC04TbdnV71YVAbnmU2qWY8+YFoBYUX18R2qC8GESzXL01/CDM6owVFxJ6nKObZ/dwt93s2EYoMMquW2nc1cfqd6t1LvOzoPAo2FftTerCZmYOx4nAf6mEDsbarURsspmmGiN9WToPR5ee9YVOhpO7YZP7Wj11ZbfiFrsCEUPLqlS0FHz8oDgRGp8KEnFd6+H+saeMWSSZ8yJ/Klwaz1ATrIVAd2Bb0Hd3vq4ExaJ+RCfB+BfIJr+OwGJPOB5nNmcv/WQkZWKPnWOeMBoBvg8NMpsUDiglTCNy/kHKe7Ln9hHVdjH/ID0E4K7bDh5KG2GJcNP1P4Vb33Ed8db9vGy1lDRKZvtkABxjEsia2mpLAWcg4fMkS41QBzGffFf9qtljLUKoGa1EKJCl8+BclJp6JAe97dTNNg9LXfHsxQFSM7z9TsBD7Vmrjwv0QbQaEd/TdWntavFEeC1y7PLuJYg2fsYOkpRXXUW/YV9EDKgE5nQtRXywTEcyrKLQGlhecaGnRlUkKG0g7ORCb/vABeJRItazaXi2LVacRKMrzDHPWzElmok+dkPg6gDg8KTMOQiWZhLAXdMbc1M2iBjBl5uKsHBDFX86orZlRELSaXEbGKBUi2k8lnBW3WpLKdgY2+TUpDd+OxUK7v1zhOYw1zZtDdIgje84vJ2wQGHpNu7UNE2KcLKi7uG/0TKS9lkkGr9W1DHqvZ9irQmJ403ld+r5lrnSUbq6Yv+xYdi/aLsm+lagyt4XW6vaez7bGSaK3ESPBgmK47OiEUPHQbRlILCydalaWoZyU2fzI87ZAJ36fpRPWtBwe2tqJ4AE+koz3PBulsGlU7KUsR2ndGuzPc0gK1DSL5n+BW0Fs=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
任何人都可以研究我面临的这个问题并提供解决方案吗?
【问题讨论】:
是否在生成新的 SP 私钥时重新创建新的 SP 元数据并在 IDP 端更新它? @vschafer 我是新手,很抱歉我不明白你想说什么?我使用了 IDP 提供的带有唯一 URN 的 SP 元数据。此元数据 xml 仅包含 509 证书。我下载了这个 xml 并创建了一个在 securityContext.xml 中引用的本地副本。完成后,我创建了一个包含公钥和私钥的密钥对。我也不确定当我生成新的私钥时更新 IDP 是什么意思?很抱歉偶尔给您添麻烦。 @vschafer 除了上述评论,当我将我的 java 环境从 1.6 更改为 1.7(安装了无限强度)时,我得到了一个不同的异常,即 javax.crypto.BadPaddingException: Decryption error at sun .security.rsa.RSAPadding.unpadOAEP(Unknown Source) InvalidKeyException: Unwrapping failed 能否请您关闭/接受您在***.com/questions/26215301/… 和***.com/questions/26164109/… 为这个问题打开的另外两个问题 【参考方案1】:@vschafer 您能否验证并告诉我以下步骤是否正确?
-
我创建了一个包含以下公钥和私钥的 JKS 文件
一个。 IDP 509 证书的公钥使用 IDP 共享的 crt 文件来验证其元数据 XML
keytool -importcert -alias adfssigningIDP -keystore samlKeystore.jks -file IDP-metadata-signer-2012.crt (samplePrivateKeyPass 作为密钥库密码给出)
b.我们向 IDP 注册的 SP 509 证书的公钥
keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file SP-Metadata.crt
c。以RSA为签名算法的SP私钥
keytool -genkeypair -alias privatekeyalias -keypass samplePrivateKeyPass -keystore C:\Users\user\Desktop\samlKeystore.jks -keyalg RSA -sigalg SHA1WithRSA
(SP-Metadata.crt 是从服务提供商注册的 IDP 网站获取的。)
使用密钥管理器配置导入创建的 JKS 文件
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="samplePrivateKeyPass"/>
<constructor-arg>
<map>
<entry key="privatekeyalias" value="samplePrivateKeyPass"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="privatekeyalias"/>
</bean>
SP 元数据配置
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="pkix"/>
<property name="sslHostnameVerification" value="default"/>
<property name="signMetadata" value="true"/>
<property name="signingKey" value="privatekeyalias"/>
<property name="encryptionKey" value="privatekeyalias"/>
<property name="requireArtifactResolveSigned" value="false"/>
<property name="requireLogoutRequestSigned" value="false"/>
<property name="requireLogoutResponseSigned" value="false"/>
<property name="idpDiscoveryEnabled" value="true"/>
<property name="idpDiscoveryURL" value="http://localhost:8080/app/saml/discovery"/>
<property name="idpDiscoveryResponseURL" value="http://localhost:8080/app/saml/login?disco=true"/>
</bean>
除了上述步骤之外,我什至还为 JRE7 安装了无限强度加密。
尽管如此,我不断收到以下异常
org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1479)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.mobile.device.DeviceResolverRequestFilter.doFilterInternal(DeviceResolverRequestFilter.java:60)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.InvalidKeyException: Unwrapping failed
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:431)
at javax.crypto.Cipher.unwrap(Cipher.java:2466)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
... 46 more
Caused by: javax.crypto.BadPaddingException: Decryption error
at sun.security.rsa.RSAPadding.unpadOAEP(Unknown Source)
at sun.security.rsa.RSAPadding.unpad(Unknown Source)
at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:356)
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:427)
【讨论】:
应该不需要导入 SP-Metadata.crt。 SP-Metadata.crt 密钥必须与您使用“keytool -genkeypair -alias privatekeyalias -keypass samplePrivateKeyPass -keystore C:\Users\user\Desktop\samlKeystore.jks -keyalg RSA -sigalg SHA1WithRSA”生成的密钥相同,但它不应该由 IDP 提供给您,它必须由您提供给 IDP。 @vschafer 我使用 URL localhost:8080/spring_saml/saml/metadata 生成了 SP 元数据并将其提供给 IDP。他们使用配置为 entityID 的唯一 URN 注册它。希望这是正确的??你的意思是说步骤 b 不是必需的,步骤 a、c 足以生成 JKS 密钥库?如果两者的答案都是肯定的,那么我仍然处于相同的位置,我得到相同的 BadPaddingException 两者的答案都是肯定的。而且您的配置和密钥生成似乎没问题。抱歉,如果不访问环境,我认为我无法为您提供进一步的帮助。 @vschafer 非常感谢您抽出宝贵的时间。你知道如果异常是 BadPaddingException:message is large than modules 可能是什么问题吗?【参考方案2】:您很可能尝试使用错误的密钥解密加密内容。换句话说,IDP 很可能使用与您的 SP 中的私钥不对应的公钥来加密数据。您可以在public key cryptography wikipedia article 中找到有关这些概念的详细信息。
为您的服务提供者实例生成私钥 + 公钥 + 证书(= Spring SAML 安装)后,您必须将生成的公钥提供给您的 IDP。这通常通过创建描述您的 SP 的元数据文档(默认情况下自动生成,从 scheme://host:port/appcontext/saml/metadata
下载,例如 http://localhost:8080/spring_saml/saml/metadata
)并将其提供给 IDP 来完成。元数据文档包含您的 SP 的带有公钥的 X509 证书,IDP 使用它来加密发送到您的 SP 的数据。
【讨论】:
@vschafer 我使用的配置与您提到的相同。生成的公钥将提供给 IDP。我怎么知道我是否使用了错误的密钥?我真的对这些东西感到困惑。上述 SAML 加密断言中提到的公钥(以上是关于Spring saml:密钥太长,无法展开:invalidkeyexception的主要内容,如果未能解决你的问题,请参考以下文章
Spring SAML:解密加密密钥时出错,没有安装的提供程序支持此密钥
如何为密钥持有者配置文件配置 Spring Security SAML 扩展