Error while decrypting SAML token
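【Title】: Getting error while decryption of SAML token
【Posted】: 2015-08-01 05:21:57
【Question】: I am getting an error while decrypting a SAML token. However, the issue is not consistent; it works after restarting the server. Until last night it was working fine :(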
DEBUG Decrypter:631 - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed:
org.opensaml.xml.encryption.DecryptionException: Probable runtime exception on decryption:unknown parameter type.
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:705)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: unknown parameter type.
at org.bouncycastle.jce.provider.JCERSACipher.engineInit(Unknown Source)
at javax.crypto.Cipher.implInit(Cipher.java:791)
at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
at javax.crypto.Cipher.init(Cipher.java:1348)
at javax.crypto.Cipher.init(Cipher.java:1282)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
... 41 more
09:21:51,120 ERROR Decrypter:639 - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
09:21:51,120 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey faile
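Earlier I ran into an invalid key size error, in Spring SAML ADFS: java.security.InvalidKeyException. However, I am not sure whether it has any impact with respect to US security policy law.
But this decryption exception has not been resolved, and it is not consistent. After restarting the server it works for a while.
I have tried everything over the past 2-3 days. I thought the problem occurs after a metadata refresh, so I tried adding the following properties to the ResourceBackedMetadataProvider bean, but no luck.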
<property name="parserPool" ref="parserPool"/>
<property name="minRefreshDelay" value="120000"/>
<property name="maxRefreshDelay" value="300000"/>
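Then I debugged the WebSSOProfileConsumerImpl.java code and thought it might be an issue related to a Jira ticket, so I checked out the latest code, built a new jar and added it to my project, but no luck.
【Question discussion】: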
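【Answer 1】: After a week of debugging and googling, I decided to solve the problem with a small hack.
I checked out the Spring-Saml source code from the master branch of the GitHub repository, built the jar and imported it into my project. I thought this SES-144 issue was similar to mine, so I tried the latest code, but no luck.
So I decided to debug the xmlTooling.jar code and find the exact point of failure, and I overrode the following method in XMLCipher.java, decryptKey(EncryptedKey encryptedKey, String algorithm), with the code below.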
Cipher c = constructCipher(encryptedKey.getEncryptionMethod()
.getAlgorithm(), encryptedKey.getEncryptionMethod()
.getDigestAlgorithm());
Instead of calling
c.init(4, key, oaepParameters);
I used the code below and removed the if/else block
c.init(4, key);
You can check out the custom jar from GitHub.
To use this custom jar, you need to update your SAML dependency in the pom.xml file with the following lines:
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
<version>1.0.1.RELEASE</version>
<exclusions>
<exclusion>
<artifactId>xmlsec</artifactId>
<groupId>org.apache.santuario</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<artifactId>xmlsec</artifactId>
<groupId>org.apache.santuario</groupId>
<version>1.5.6-custom</version>
</dependency>
If anyone finds a better solution, please let me know.
【Discussion】:
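The trace above fails inside Cipher.init, where BouncyCastle's JCERSACipher is handed the OAEP parameters in unwrap mode (the literal 4 in the answer's code is Cipher.UNWRAP_MODE). The following diagnostic is an added example, not code from the post or from xmlsec: it runs the same wrap/unwrap with an explicit OAEPParameterSpec against every registered JCE provider to show which one rejects it. The class name, the transformation string and the generated keys are assumptions constructed for the check.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;

public class OaepProviderCheck {
    // Assumed transformation for RSA-OAEP key transport; the string xmlsec
    // derives from the token's EncryptionMethod may differ.
    static final String XFORM = "RSA/ECB/OAEPPadding";

    /** Wrap/unwrap round trip with explicit OAEP parameters on one provider. */
    static String probe(Provider p, KeyPair kp, SecretKey cek, OAEPParameterSpec spec) {
        try {
            Cipher wrap = Cipher.getInstance(XFORM, p);
            wrap.init(Cipher.WRAP_MODE, kp.getPublic(), spec);
            byte[] wrapped = wrap.wrap(cek);
            Cipher unwrap = Cipher.getInstance(XFORM, p);
            // Same shape as the call that threw in the stack trace.
            unwrap.init(Cipher.UNWRAP_MODE, kp.getPrivate(), spec);
            Key out = unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
            return MessageDigest.isEqual(out.getEncoded(), cek.getEncoded()) ? "OK" : "MISMATCH";
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return "not offered";
        } catch (GeneralSecurityException | RuntimeException e) {
            return "FAILED: " + e;   // e.g. IllegalArgumentException: unknown parameter type.
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();      // constructed test key pair
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey cek = kg.generateKey();        // constructed content-encryption key
        OAEPParameterSpec spec = new OAEPParameterSpec(
                "SHA-1", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

        // Providers are listed in JCE preference order.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + ": " + probe(p, kp, cek, spec));
        }
        // First provider offering the transformation; the final choice is made at init().
        System.out.println("Default provider for " + XFORM + ": "
                + Cipher.getInstance(XFORM).getProvider().getName());
    }
}
```

Run it with the same JVM and classpath as the application (including its BouncyCastle jar) so the provider list matches what Tomcat sees. Calling init without the parameter spec, as the workaround does, leaves the OAEP digest, MGF and label to the provider's defaults.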