Error while decrypting assertion sent from IDP


Problem description

I am trying to decrypt the encrypted assertion sent by the IDP within artifact resolve. But I get an error as follows:

17:01:55.734 [http-8443-2] ERROR o.o.x.e.Decrypter - Error decrypting the encrypted data element
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1756) ~[xmlsec-1.5.4.jar:1.5.4]
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:585) [xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:774) [xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524) [xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442) [xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403) [xmltooling-1.4.0.jar:na]
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) [opensaml-2.6.0.jar:na]
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) [opensaml-2.6.0.jar:na]
    at opensamlbook.sp.ConsumerServlet.decryptAssertion(ConsumerServlet.java:119) [ConsumerServlet.class:na]
    at opensamlbook.sp.ConsumerServlet.doGet(ConsumerServlet.java:85) [ConsumerServlet.class:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) [servlet-api.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.44]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.44]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.44]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.44]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.44]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) [tomcat-coyote.jar:6.0.44]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620) [tomcat-coyote.jar:6.0.44]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.44]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_55]
Caused by: java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1024) ~[na:1.7.0_51]
    at javax.crypto.Cipher.init(Cipher.java:1345) ~[na:1.7.0_51]
    at javax.crypto.Cipher.init(Cipher.java:1282) ~[na:1.7.0_51]
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1754) ~[xmlsec-1.5.4.jar:1.5.4]
    ... 24 common frames omitted
17:01:55.734 [http-8443-2] ERROR o.o.x.e.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
17:01:55.734 [http-8443-2] ERROR o.o.s.e.Decrypter - SAML Decrypter encountered an error decrypting element content
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535) ~[xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442) ~[xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403) ~[xmltooling-1.4.0.jar:na]
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) [opensaml-2.6.0.jar:na]
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) [opensaml-2.6.0.jar:na]
    at opensamlbook.sp.ConsumerServlet.decryptAssertion(ConsumerServlet.java:119) [ConsumerServlet.class:na]
    at opensamlbook.sp.ConsumerServlet.doGet(ConsumerServlet.java:85) [ConsumerServlet.class:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) [servlet-api.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.44]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.44]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.44]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.44]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.44]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) [tomcat-coyote.jar:6.0.44]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620) [tomcat-coyote.jar:6.0.44]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.44]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_55]

Code for Decrypting assertion:

private Assertion decryptAssertion(EncryptedAssertion encryptedAssertion) {
    // Key-encryption-key resolver: backed by the SP's own credential.
    StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(SPCredentials.getCredential());
    // No data-key resolver (null); the EncryptedKey is looked up inline in the EncryptedData's KeyInfo.
    Decrypter decrypter = new Decrypter(null, keyInfoCredentialResolver, new InlineEncryptedKeyResolver());
    decrypter.setRootInNewDocument(true);
    try {
        return decrypter.decrypt(encryptedAssertion);
    } catch (DecryptionException e) {
        throw new RuntimeException(e);
    }
}

I am getting the error at this line:

 return decrypter.decrypt(encryptedAssertion);

Guys, please help me resolve this issue. I have been stuck on this error for the past 3 days.

Solution

This happens due to the limitation on cryptographic strength in the default distribution of the Java Runtime Environment.

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (for Java 7) (for Java 8)

  2. Extract the zip archive and find local_policy.jar and US_export_policy.jar in it.

  3. Replace your JRE's versions of these files under $JAVA_HOME/jre{version_number}/lib/security/ with the downloaded ones.

  4. Restart the JRE process, if any is running. Now you can use longer keys.
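
A way to confirm this diagnosis before and after replacing the policy files, as an added example that is not part of the original answer. The class name JcePolicyCheck is made up here, and it assumes the IdP encrypted the assertion with one of the AES-CBC algorithms defined by XML Encryption (the post does not show the EncryptionMethod element).

```java
import java.security.InvalidKeyException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical class): which XML Encryption AES key sizes does this JRE allow? */
public class JcePolicyCheck {

    // XML Encryption algorithm URIs and the AES key size (in bits) each one requires.
    static final Map<String, Integer> XMLENC_AES = new LinkedHashMap<>();
    static {
        XMLENC_AES.put("http://www.w3.org/2001/04/xmlenc#aes128-cbc", 128);
        XMLENC_AES.put("http://www.w3.org/2001/04/xmlenc#aes192-cbc", 192);
        XMLENC_AES.put("http://www.w3.org/2001/04/xmlenc#aes256-cbc", 256);
    }

    /** Initialise an AES/CBC cipher with an all-zero test key of the given size. */
    static boolean canInit(int keyBits) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.DECRYPT_MODE,
                    new SecretKeySpec(new byte[keyBits / 8], "AES"),
                    new IvParameterSpec(new byte[16]));
            return true;
        } catch (InvalidKeyException e) {
            // Same "Illegal key size" failure as in the stack trace: the policy blocks this size.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("max AES key  = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        for (Map.Entry<String, Integer> e : XMLENC_AES.entrySet()) {
            System.out.printf("%-46s %s%n", e.getKey(),
                    canInit(e.getValue()) ? "OK" : "BLOCKED (Illegal key size)");
        }
    }
}
```

Run it with the same java binary that starts Tomcat: the policy files are per-JRE, and the printed java.home shows which lib/security directory is actually in use.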
