java saml2.0_使用OpenSAML在Java中使用SAML 2.0解密加密断言

公孙黎昕

2023-12-01

尝试使用SAML 2.0解密加密断言时遇到问题.我使用的库是OpenSAML

Java库2.5.2.

加密断言如下所示：

xmlns:enc="http://www.w3.org/2001/04/xmlenc#">

Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">

xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-

1.0.xsd">

ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-

1.1#ThumbprintSHA1"

EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-

message-security-1.0#Base64Binary">

1H3mV/pJAlVZAst/Dt0rqbBd67g=

... ENCRYPTED KEY HERE ...

... ENCRYPTED ASSERTIONS HERE ...

我使用以下openssl命令将我的PEM格式的私钥转换为pkcs8格式：

openssl pkcs8 -topk8 -nocrypt -inform PEM -in rsa_private_key.key -outform DER -out rsa_private_key.pk8

然后我准备尝试解密加密的断言.这是我的Java代码：

...

// Load the XML file and parse it.

File xmlFile = new File("data\\token.xml");

InputStream inputStream = new FileInputStream(xmlFile);

Document document = parserPoolManager.parse(inputStream);

Element metadataRoot = document.getDocumentElement();

// Unmarshall

UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();

Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(metadataRoot);

EncryptedAssertion encryptedAssertion = (EncryptedAssertion)unmarshaller.unmarshall(metadataRoot);

// Load the private key file.

File privateKeyFile = new File("data\\rsa_private_key.pk8");

FileInputStream inputStreamPrivateKey = new FileInputStream(privateKeyFile);

byte[] encodedPrivateKey = new byte[(int)privateKeyFile.length()];

inputStreamPrivateKey.read(encodedPrivateKey);

inputStreamPrivateKey.close();

// Create the private key.

PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(encodedPrivateKey);

RSAPrivateKey privateKey = (RSAPrivateKey)KeyFactory.getInstance("RSA").generatePrivate(privateKeySpec);

// Create the credentials.

BasicX509Credential decryptionCredential = new BasicX509Credential();

decryptionCredential.setPrivateKey(privateKey);

// Create a decrypter.

Decrypter decrypter = new Decrypter(null, new StaticKeyInfoCredentialResolver(decryptionCredential), new InlineEncryptedKeyResolver());

// Decrypt the assertion.

Assertion decryptedAssertion;

try

{

decryptedAssertion = decrypter.decrypt(encryptedAssertion);

}

...

运行此代码总是导致无法解密断言.我得到以下错误：

5473 [main] ERROR org.opensaml.xml.encryption.Decrypter - Error decrypting encrypted key

org.apache.xml.security.encryption.XMLEncryptionException: Key is too long for unwrapping

Original Exception was java.security.InvalidKeyException: Key is too long for unwrapping

at org.apache.xml.security.encryption.XMLCipher.decryptKey(Unknown Source)

at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:681)

at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:612)

at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:762)

at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:513)

at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440)

at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401)

at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)

at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)

at DecrypterTool.main(DecrypterTool.java:121)

java.security.InvalidKeyException: Key is too long for unwrapping

at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..)

at javax.crypto.Cipher.unwrap(DashoA13*..)