Question
I have referred to the Spring SAML manual to create the private key and import the public certificate. But I am still facing issues with encryption/decryption.
I have created a JKS file with the following commands, as mentioned in the manual:
Command used to import the public certificate of the IdP:
keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file testIdp.cer
Command used for the private key:
keytool -genkeypair -alias myprivatealias -keypass changeit -keystore samlKeystore.jks
The passwords of both the private key and the keystore are defined as 'changeit'.
I have configured the securityContext as follows:
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="changeit"/>
<constructor-arg>
<map>
<entry key="myprivatealias" value="changeit"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="myprivatealias"/>
</bean>
I am able to see the idpDiscovery page where I can select the IDP. I am able to view the login page of the IDP as well. But when I provide the user credentials, I am getting the following exception.
This exception is occurring when a saml2:EncryptedAssertion is sent along with the saml2p:Status in the SAML response (class WebSSOProfileConsumerImpl of the spring-saml jar).
ERROR org.opensaml.xml.encryption.Decrypter - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
Original Exception was java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1479)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
... 46 more
740323 [http-8080-2] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
740324 [http-8080-2] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
740325 [http-8080-2] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
Can anyone let me know where I am going wrong?
Alternate command used for private key generation instead of the one mentioned above:
keytool -genkey -alias privatekeyalias -keyalg RSA -keystore samlKeystore.jks
If I use this command and update the JKS file, I get a different exception instead: InvalidKeyException: Key is too long for unwrapping.
Caused by: java.security.InvalidKeyException: Key is too long for unwrapping
at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..)
at javax.crypto.Cipher.unwrap(DashoA13*..)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
... 46 more
41 [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
42 [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
42 [http-8080-1] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
Can anyone help me out with this problem?
Answer 1:
The problem was caused by using a different keystore in the application than the one generated with:
keytool -genkeypair -alias privatekeyalias -keypass samplePrivateKeyPass -keystore samlKeystore.jks -keyalg RSA -sigalg SHA1WithRSA
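Both exceptions in the question point at the SP's decryption key rather than at the SAML response itself: "No installed provider supports this key: DSAPrivateKey" means the alias holds a DSA key (the default for keytool -genkeypair without -keyalg), which cannot unwrap an RSA-encrypted EncryptedKey, and "Key is too long for unwrapping" is what the JCE RSA cipher reports when the EncryptedKey is larger than the modulus of the private key it is asked to unwrap with, i.e. the IdP encrypted for a different RSA certificate than the one in the keystore the application loads. The following diagnostic is an added example, not code from the question, the answer or the Spring SAML project. It loads the keystore with the values from the question (path on disk assumed to be the file packaged as classpath:security/samlKeystore.jks, password changeit, alias myprivatealias), lists every entry, checks that the alias is an RSA private key, and prints the certificate fingerprint so it can be compared with the certificate in the SP metadata registered at the IdP.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAKey;
import java.util.Enumeration;

/**
 * Diagnostic for the two failure modes in the question: a non-RSA key under the
 * configured alias, and a keystore that differs from the one whose certificate
 * the IdP uses to encrypt the assertion.
 */
public class SamlKeystoreCheck {

    public static void main(String[] args) throws Exception {
        // Assumed location of the file that ends up as classpath:security/samlKeystore.jks;
        // the password and alias are the ones from the question.
        String keystorePath = args.length > 0 ? args[0] : "src/main/resources/security/samlKeystore.jks";
        char[] storePass = "changeit".toCharArray();
        String alias = "myprivatealias";
        char[] keyPass = "changeit".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }

        // List every entry so a missing or mis-typed alias is obvious.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.printf("%-20s %s%n", a, ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry");
        }

        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias " + alias + " is not a private key entry");
        }
        Key key = ks.getKey(alias, keyPass);

        // XML Encryption key transport (RSA-1_5 / RSA-OAEP) needs an RSA private key.
        // A DSA key here is exactly what produces "No installed provider supports this key".
        if (!(key instanceof PrivateKey) || !"RSA".equals(key.getAlgorithm())) {
            throw new IllegalStateException("alias " + alias + " holds a " + key.getAlgorithm()
                    + " key; SAML assertion decryption requires an RSA key");
        }

        // The certificate the SP publishes for this alias. If its fingerprint differs from
        // the certificate in the SP metadata the IdP has, the IdP encrypted the session key
        // for a key this keystore does not contain, which surfaces as
        // "Key is too long for unwrapping" or an unresolvable decryption key.
        Certificate cert = ks.getCertificate(alias);
        System.out.println("RSA key size: " + ((RSAKey) key).getModulus().bitLength() + " bits");
        System.out.println("SHA-256 fingerprint: " + fingerprint(cert.getEncoded()));
    }

    /** Colon-separated upper-case hex SHA-256 digest of the DER-encoded certificate. */
    static String fingerprint(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Run it against the keystore the deployed application actually loads (not the one on a developer machine); if the RSA check passes but the fingerprint does not match the encryption certificate in the SP metadata registered at the IdP, regenerate the SP metadata from this keystore and re-register it, which is the mismatch the accepted answer describes.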
Source: https://stackoverflow.com/questions/26215301/spring-saml-error-decrypting-encrypted-key-no-installed-provider-supports-this