尝试使用SAML 2.0解密加密断言时遇到问题.我使用的库是OpenSAML
Java库2.5.2.
加密断言如下所示:
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <enc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:enc="http://www.w3.org/2001/04/xmlenc#"> <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> </e:EncryptionMethod> <KeyInfo> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext- 1.0.xsd"> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security- 1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap- message-security-1.0#Base64Binary"> 1H3mV/pJAlVZAst/Dt0rqbBd67g= </o:KeyIdentifier> </o:SecurityTokenReference> </KeyInfo> <e:CipherData> <e:CipherValue> ... ENCRYPTED KEY HERE ... </e:CipherValue> </e:CipherData> </e:EncryptedKey> </KeyInfo> <enc:CipherData> <enc:CipherValue> ... ENCRYPTED ASSERTIONS HERE ... </enc:CipherValue> </enc:CipherData> </enc:EncryptedData> </EncryptedAssertion>
我使用以下openssl命令将我的PEM格式的私钥转换为pkcs8格式:
openssl pkcs8 -topk8 -nocrypt -inform PEM -in rsa_private_key.key -outform DER -out rsa_private_key.pk8
然后我准备尝试解密加密的断言.这是我的Java代码:
...
// Load the XML file and parse it.
File xmlFile = new File("data\\token.xml");
InputStream inputStream = new FileInputStream(xmlFile);
Document document = parserPoolManager.parse(inputStream);
Element MetadaTaroot = document.getDocumentElement();
// Unmarshall
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(MetadaTaroot);
EncryptedAssertion encryptedAssertion = (EncryptedAssertion)unmarshaller.unmarshall(MetadaTaroot);
// Load the private key file.
File privateKeyFile = new File("data\\rsa_private_key.pk8");
FileInputStream inputStreamPrivateKey = new FileInputStream(privateKeyFile);
byte[] encodedPrivateKey = new byte[(int)privateKeyFile.length()];
inputStreamPrivateKey.read(encodedPrivateKey);
inputStreamPrivateKey.close();
// Create the private key.
PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(encodedPrivateKey);
RSAPrivateKey privateKey = (RSAPrivateKey)KeyFactory.getInstance("RSA").generatePrivate(privateKeySpec);
// Create the credentials.
BasicX509Credential decryptionCredential = new BasicX509Credential();
decryptionCredential.setPrivateKey(privateKey);
// Create a decrypter.
Decrypter decrypter = new Decrypter(null,new StaticKeyInfoCredentialResolver(decryptionCredential),new InlineEncryptedKeyResolver());
// Decrypt the assertion.
Assertion decryptedAssertion;
try
{
decryptedAssertion = decrypter.decrypt(encryptedAssertion);
}
...
5473 [main] ERROR org.opensaml.xml.encryption.Decrypter - Error decrypting encrypted key org.apache.xml.security.encryption.XMLEncryptionException: Key is too long for unwrapping Original Exception was java.security.InvalidKeyException: Key is too long for unwrapping at org.apache.xml.security.encryption.XMLCipher.decryptKey(UnkNown Source) at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:681) at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:612) at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:762) at org.opensaml.xml.encryption.Decrypter.decryptDataTodoM(Decrypter.java:513) at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440) at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401) at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) at DecrypterTool.main(DecrypterTool.java:121) java.security.InvalidKeyException: Key is too long for unwrapping at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..) at javax.crypto.Cipher.unwrap(DashoA13*..) at org.apache.xml.security.encryption.XMLCipher.decryptKey(UnkNown Source) at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:681) at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:612) at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:762) at org.opensaml.xml.encryption.Decrypter.decryptDataTodoM(Decrypter.java:513) at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440) at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401) at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) at DecrypterTool.main(DecrypterTool.java:121) 5477 [main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey,valid decryption key Could not be resolved 5477 [main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver 5478 [main] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData at org.opensaml.xml.encryption.Decrypter.decryptDataTodoM(Decrypter.java:524) at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440) at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401) at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) at DecrypterTool.main(DecrypterTool.java:121)
在这种情况下,我真的不知道我做错了什么.我将私钥转换为pkcs8,我加载了我的SAML XML数据,并将其解组成有效类型(EncryptedAssertion),并根据我的私钥创建了一个解密.
它是否可能与RSA的oaep格式相关?我使用的是默认的java加密库.
谢谢!
