受信任的证书条目不受密码保护 Spring SAML [英] trusted certificate entries are not password-protected Spring SAML

问题描述

我通过复制我计划连接的 IDP 的 509 条目生成了 testIdp.cer 文件.然后我通过执行以下命令创建了 JKS 文件

I have generated testIdp.cer file by copying 509 entry of the IDP I am planning to connect. Then I created JKS file by executing the following command

keytool -importcert -alias adfssigning -keystore C:UsersuserDesktopsamlKeystore.jks -file    C:UsersuserDesktop	estIdp.cer

执行时，它要求输入密码，我已为其提供密码.对于信任这个证书?[否]:"这个问题，我已经给出了y"作为输入.消息显示为证书已添加到密钥库".

When executed it has asked to enter a password for which I have given a password. For the question "Trust this certificate? [no]:", I have given "y" as input. Message came out as "Certificate was added to keystore".

然后我在securityContext.xml中配置了以下细节

Then I have configured the following details in securityContext.xml

<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="mypassword"/>
    <constructor-arg>
        <map>
            <entry key="adfssigning" value="mypassword"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="adfssigning"/>
</bean>

<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
  <property name="alias" value="adfssigning" />
  <property name="signingKey" value="adfssigning"/>     
</bean>

但是当我运行应用程序时，我在服务器启动和加载应用程序主页时出现以下两个异常.任何人都可以让我知道我是否缺少其他任何东西.

But when I run the application, I get the following two exceptions when the server is starting and when I load the homepage of the application. Can anyone let me know if I am missing anything else.

当我启动服务器时发生此异常

This exception is occuring when I start the server

Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:327)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityGroup(SignatureValidationFilter.java:240)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:158)
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:493)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:395)

当我运行我的应用程序的主页时发生这个异常

This exception is occuring when I run the homepage of my application

java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
at java.security.KeyStore.getEntry(Unknown Source)
at org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)

推荐答案

你的 .cer 证书只包含一个公钥，你不能定义 <entry key="adfssigning"value="mypassword"/> 用于公钥；它只能用于私人.只需取出 adfssigning 条目并确保包含私钥 - 就像在 Spring SAML 示例应用程序中一样.

Your .cer certificate contains only a public key, you mustn't define <entry key="adfssigning" value="mypassword"/> for public keys; it can only be used for private ones. Simply take out the adfssigning entry and make sure to include a private key instead - just like in the Spring SAML sample application.

SAML 密钥库可以包含两种基本类型的密钥 - 公共密钥和私有密钥(以及它们的证书).每个键都有一个别名，用于引用它.密钥库本身可以由密码保护(在第二个构造函数参数中提供)，另外每个私钥也可以由附加密码保护(这些在别名->密码映射中的构造函数的第三个参数中定义).您导入到密钥库的公钥(就像您使用上面的命令所做的一样)不得在此映射中定义.它们将在导入后自动可用，无需额外声明.为了使 Spring SAML 能够工作，密钥库必须至少包含一个私钥(示例应用程序包含别名为 apollo 的私钥)，并且其别名需要在构造函数的第三个参数中提供.

The SAML keystore can contain two basic types of keys - public and private ones (plus their certificates). Each key has an alias which is used to refer to it. The keystore itself can be protected by a password (provided in the second constructor parameter), plus each private key can be also protected by an additional password (these are defined in third parameter of the constructor in a map of alias->password). The public keys which you import to the keystore (just like you did with the command above) mustn't be defined in this map. They will be automatically available after being imported without additional declarations. For Spring SAML to work, the keystore must contain at least one private key (the sample application contains private key with alias apollo) and its alias needs to be provided in the third parameter of the constructor.

您上面的示例失败了，因为您导入了一个公钥，但将其包含在只能用于私钥的映射中.

Your example above fails, because you have imported a public key, but included it in the map which can only be used for private keys.

这篇关于受信任的证书条目不受密码保护 Spring SAML的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！