Spring SAML:解密加密密钥时出错，没有安装的提供程序支持此密钥 [英] Spring SAML: Error decrypting encrypted key, No installed provider supports this key

问题描述

我参考了 Spring SAML 手册来创建私钥和导入公共证书.但我仍然面临加密/解密的问题.

I have refered the Spring SAML manual to create private key and import public certificate. But I am still facing issues with the encryption/decryption.

我使用手册中提到的以下命令创建了一个JKS文件，如下

I have created a JKS file with the following commands as mentioned in the manual which are as follows

用于导入 IDP 公共证书的命令

Command used to Import public certificate of IDP

keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file testIdp.cer

用于私钥的命令

keytool -genkeypair -alias myprivatealias -keypass changeit -keystore samlKeystore.jks

私钥和密钥库的密码都定义为'changeit'

Passwords of both private key and keystore is defined as 'changeit'

我已经按如下方式配置了 securityContext

I have configured the securityContext as follows

<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="changeit"/>
    <constructor-arg>
        <map>
            <entry key="myprivatealias" value="changeit"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="myprivatealias"/>
</bean>

我可以看到 idpDiscovery 页面，我可以在其中选择 IDP.我也可以查看 IDP 的登录页面.但是当我提供用户凭据时，出现以下异常.

I am able to see the idpDiscovery page where I can select the IDP. I am able to view the login page of the IDP as well. But when I provide the user credentials, I am getting the following exception.

当 saml2:EncryptedAssertion 与 SAML 响应中的 saml2p:Status 一起发送时，会发生此异常.(类:spring-saml jar 的 WebSSOProfileConsumerImpl)

This exception is occuring when saml2:EncryptedAssertion is sent along with the saml2p:Status in the SAML response. (Class: WebSSOProfileConsumerImpl of spring-saml jar)

ERROR org.opensaml.xml.encryption.Decrypter  - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
Original Exception was java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1479)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)

Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
... 46 more
740323 [http-8080-2] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
740324 [http-8080-2] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
740325 [http-8080-2] ERROR org.opensaml.saml2.encryption.Decrypter  - SAML Decrypter encountered an error decrypting element content

谁能告诉我我哪里出错了??

Can anyone let me know where I am going wrong??

替代命令使用私钥生成代替上面提到的

Alternate command used Private Key generation instead of the above mentioned

keytool -genkey -alias privatekeyalias -keyalg RSA -keystore samlKeystore.jks

如果我使用此命令并更新 JKS 文件，则会收到一个不同的异常，如 InvalidKeyException: Key is too long for unwrapping.

If I use this command and update JKS file, then I get a different exception mentioned as InvalidKeyException: Key is too long for unwrapping.

Caused by: java.security.InvalidKeyException: Key is too long for unwrapping
at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..)
at javax.crypto.Cipher.unwrap(DashoA13*..)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
... 46 more
41   [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
42   [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
42   [http-8080-1] ERROR org.opensaml.saml2.encryption.Decrypter  - SAML Decrypter encountered an error decrypting element content

谁能帮我解决这个问题??

Can anyone help me out in this problem??

推荐答案

问题是由于在应用程序中使用的密钥库与生成的密钥库不同造成的:

The problem was caused by using a different keystore in the application than the one generated with:

keytool -genkeypair -alias privatekeyalias -keypass samplePrivateKeyPass -keystore samlKeystore.jks -keyalg RSA -sigalg SHA1WithRSA

这篇关于Spring SAML:解密加密密钥时出错，没有安装的提供程序支持此密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！