Spring SAML: Error decrypting encrypted key, No installed provider supports this key
Problem description:
I have followed the Spring SAML manual to create a private key and import the public certificate, but I am still facing problems with encryption/decryption.
I have created a JKS file with the commands below.
Command used to import the IDP's public certificate:
```
keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file testIdp.cer
```
Command used for the private key, as mentioned in the manual:
```
keytool -genkeypair -alias myprivatealias -keypass changeit -keystore samlKeystore.jks
```
The passwords for the private key and the keystore are both defined as 'changeit'.
I have configured the securityContext as follows:
```xml
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="changeit"/>
    <constructor-arg>
        <map>
            <entry key="myprivatealias" value="changeit"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="myprivatealias"/>
</bean>
```
I can see the idpDiscovery page, where I can select the IDP. I can also see the IDP's login page. But when I provide the user credentials, I get the following exception.
This exception occurs when a saml2:EncryptedAssertion is sent together with saml2p:Status in the SAML response. (Class: WebSSOProfileConsumerImpl in the Spring jar)
```
ERROR org.opensaml.xml.encryption.Decrypter - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
Original Exception was java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1479)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
    at javax.crypto.Cipher.a(DashoA13*..)
    at javax.crypto.Cipher.init(DashoA13*..)
    at javax.crypto.Cipher.init(DashoA13*..)
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
    ... 46 more
740323 [http-8080-2] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
740324 [http-8080-2] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
740325 [http-8080-2] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
```
Can anyone let me know where I am going wrong?
Alternative command used in place of the one above:
```
keytool -genkey -alias privatekeyalias -keyalg RSA -keystore samlKeystore.jks
```
If I use this command and update the JKS file, then I get a different InvalidKeyException than the one mentioned above for the private key generation: Key is too long for unwrapping.
```
Caused by: java.security.InvalidKeyException: Key is too long for unwrapping
    at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..)
    at javax.crypto.Cipher.unwrap(DashoA13*..)
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
    ... 46 more
41 [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
42 [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
42 [http-8080-1] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
```
Can anyone help me solve this problem?
Answer
The problem was caused by the application using a different keystore than the one generated with:
```
keytool -genkeypair -alias privatekeyalias -keypass samplePrivateKeyPass -keystore samlKeystore.jks -keyalg RSA -sigalg SHA1WithRSA
```
Do you have the Unlimited Strength cryptography libraries installed (http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#quick-start-prerequisites)? – 2014-10-06 17:31:10
@vschafer Yes, I have already done that by copying the two jars (US_export_policy and local_policy) to C:\Program Files\Java\jdk1.6.0_25\jre\lib\security and C:\Program Files\Java\jre6\lib\security. **Still getting the same error.** The jars were downloaded from (http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html). Is there some other problem with generating the private key (**keytool -genkey -alias privatekeyalias -keyalg RSA -keystore samlKeystore.jks**)? – 2014-10-07 09:32:57
@vschafer As a continuation of the above comment, I have also tried various kinds of key generation. I used **keytool -genkeypair** and **keytool -genkey**, specifying **-keyalg RSA**. For both keys, the error I get is **java.security.InvalidKeyException: Key is too long for unwrapping**. I even tried installing the Unlimited Strength cryptography libraries mentioned in the above comment. Can you let me know where I am going wrong? – 2014-10-07 11:45:38
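Both errors in this thread come from the key under the configured alias rather than from the SAML code: a DSA private key cannot unwrap an EncryptedKey at all, and an RSA key from a different keystore than the one whose certificate the IdP encrypts to cannot unwrap it either. The following check, added here as an example and not part of the question, the answer or Spring SAML itself, loads the keystore with the same parameters as the JKSKeyManager bean above and reports either condition before the application is deployed; the file path, alias and passwords are the values from the question and are assumptions if your setup differs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

// Pre-deployment check of the SP keystore used by JKSKeyManager (added example).
public class SamlKeystoreCheck {

    public static void main(String[] args) throws Exception {
        // Values taken from the question's configuration; adjust for your setup.
        String path = args.length > 0 ? args[0] : "samlKeystore.jks";
        String alias = args.length > 1 ? args[1] : "myprivatealias";
        char[] storePass = "changeit".toCharArray();
        char[] keyPass = "changeit".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' is not a private key entry");
        }

        Key key = ks.getKey(alias, keyPass);
        // keytool -genkeypair without -keyalg produced a DSA key in JDK 6; DSA can only
        // sign, so XML Encryption key transport fails with "No installed provider
        // supports this key: ...DSAPrivateKey". Decryption needs an RSA key.
        if (!(key instanceof RSAPrivateKey)) {
            throw new IllegalStateException("key algorithm is " + key.getAlgorithm()
                    + "; SAML assertion decryption requires RSA");
        }
        RSAPrivateKey priv = (RSAPrivateKey) key;

        // The IdP encrypts to the certificate published in the SP metadata. The private
        // key loaded here must belong to that certificate, i.e. share its modulus;
        // a key from another keystore cannot unwrap the EncryptedKey.
        PublicKey pub = ks.getCertificate(alias).getPublicKey();
        if (!(pub instanceof RSAPublicKey)
                || !priv.getModulus().equals(((RSAPublicKey) pub).getModulus())) {
            throw new IllegalStateException("private key does not match the certificate under alias " + alias);
        }
        System.out.println("OK: RSA " + priv.getModulus().bitLength()
                + "-bit key matches certificate for alias " + alias);
    }
}
```

Run it against the keystore the application actually loads from its classpath, and compare the reported certificate with the one in the SP metadata given to the IdP.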