解密 Saml 令牌时出错

Posted

技术标签:

【中文标题】解密 Saml 令牌时出错【英文标题】:Getting error while decryptition of Saml token 【发布时间】:2015-08-01 05:21:57 【问题描述】:

解密 saml 令牌时出错。但是这个问题并不一致,它在重新启动服务器后工作。直到昨晚它都正常工作:(

DEBUG Decrypter:631 - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed:
        org.opensaml.xml.encryption.DecryptionException: Probable runtime exception on decryption:unknown parameter type.
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:705)
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
            at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
            at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
            at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
            at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
            at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
            at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
            at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
            at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)
        Caused by: java.lang.IllegalArgumentException: unknown parameter type.
            at org.bouncycastle.jce.provider.JCERSACipher.engineInit(Unknown Source)
            at javax.crypto.Cipher.implInit(Cipher.java:791)
            at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
            at javax.crypto.Cipher.init(Cipher.java:1348)
            at javax.crypto.Cipher.init(Cipher.java:1282)
            at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
            ... 41 more
        09:21:51,120 ERROR Decrypter:639 - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
        09:21:51,120 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey faile

早些时候我遇到了无效的密钥大小错误,我在 Spring SAML ADFS: java.security.InvalidKeyException。但是我不确定它是否会对美国安全政策法产生任何影响。

但是这个解密异常没有得到解决并且它不一致。重新启动服务器后一段时间它开始工作。

我在过去 2-3 天内尝试了所有方法。我认为元数据刷新后会出现问题,所以我尝试将以下属性添加到 ResourceBackedMetadataProvider bean,但没有运气。

<property name="parserPool" ref="parserPool"/>
<property name="minRefreshDelay" value="120000"/>
<property name="maxRefreshDelay" value="300000"/>

然后我调试 WebSSOProfileConsumerImpl.java 代码,认为这可能是与 jira 相关的问题,所以我检查了最新代码并创建新 jar 并添加到我的项目中,但没有运气。

【问题讨论】:

【参考方案1】:

在调试和谷歌搜索了一个星期后,我决定通过一些小技巧来解决这个问题。

我从 gitHub Repository 的 Master 分支中检查了 Spring-Saml 源代码,并构建了 jar 并将其导入到我的项目中。我认为这个SES-144 问题与我的类似,所以我尝试了最新的代码,但没有运气。

所以我决定调试 xmlTooling.jar 代码并找到确切的故障点,并用下面的代码覆盖 XMLCipher.java 中的以下方法 decryptKey(EncryptedKey encryptedKey, String algorithm)

Cipher c = constructCipher(encryptedKey.getEncryptionMethod()
                    .getAlgorithm(), encryptedKey.getEncryptionMethod()
                    .getDigestAlgorithm());

Instead of calling 
    c.init(4, key, oaepParameters);
used below code and removed if/else block
    c.init(4, key);

您可以从github签出自定义罐子

您需要在 pom.xml 文件中使用以下行更新您的 saml 依赖项才能使用此自定义 jar

<dependency>
    <groupId>org.springframework.security.extensions</groupId>
    <artifactId>spring-security-saml2-core</artifactId>
    <version>1.0.1.RELEASE</version>

    <exclusions>
            <exclusion>
                    <artifactId>xmlsec</artifactId>
                    <groupId>org.apache.santuario</groupId>
            </exclusion>
    </exclusions>
</dependency>

<dependency>
    <artifactId>xmlsec</artifactId>
    <groupId>org.apache.santuario</groupId>
    <version>1.5.6-custom</version>
</dependency>

如果有人找到更好的解决方案,请告诉我。

【讨论】:

以上是关于解密 Saml 令牌时出错的主要内容,如果未能解决你的问题,请参考以下文章

不同的 SAML 令牌验证调用具体有啥作用?

如何将 SAML XML 令牌字符串转换为 SecurityToken 或 ClaimsPrincipal 实例?

在不使用 WIFI 的情况下在 WCF 服务调用中包含 SAML 2.0 令牌

在 MVC 的 Idp 发起的 SSO 环境中使用 WIF

到达 STS 后,没有 Fedauth cookie 被作为 SAML 令牌发回,似乎错过了 XML 标记。仅在 Firefox 上发生

使用授权代码流获取具有有效刷新令牌的新令牌时出错