如何使用OpenSAML2和Java测试/调试解密的加密断言?

我正试图与OpenSAML2(2.6.6)一起编写一个Java应用程序来解密加密的断言,但我得到了:

[main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
[main] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content

这是我的Java代码(抱歉,它仍然有很多调试输出):

/*
 * ****************************************************************************************************
 * Original source from: https://stackoverflow.com/questions/9422545/decrypting-encrypted-assertion-using-saml-2-0-in-java-using-opensaml
 * And hint about needed to add DefaultBootstrap.bootstrap() for OpenSAML 2.x: https://stackoverflow.com/questions/25066183/opensaml-error-receiving-correct-unmarshaller
 * And hing about chain resolvers: https://www.programcreek.com/java-api-examples/index.php?api=org.opensaml.saml2.encryption.Decrypter
 * ****************************************************************************************************
 * ****************************************************************************************************
 * ****************************************************************************************************
 * ****************************************************************************************************
 */
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.EncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class test_opensaml {


    public static void main(String[] args) {
        String PROGVERSION = "V1.00";

        String xmlFileName = "";
        String privateKeyFileName = "";

        System.out.println("test_opensaml " + PROGVERSION);

        if(args.length < 2) {
            System.out.println("Command line is: java test_opensaml <signed_samlassertion_xml> <private_key_der>");
            System.exit(0);
        }

        xmlFileName = args[0];
        privateKeyFileName = args[1];

        Logger logger = LoggerFactory.getLogger(test_opensaml.class);
        logger.info("xmlFileName=[" + xmlFileName + "]");
        logger.info("privateKeyFileName=[" + privateKeyFileName + "]
");

        try {
            // Initialize the library
            DefaultBootstrap.bootstrap();
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR WHILE Executing DefaultBootstrap.bootstrap() - e=[" + e + "]");
            System.exit(-1);
        }

        InputStream inputStream = null;

        // Load the XML file and parse it.
        File xmlFile = new File(xmlFileName);
        try {
            inputStream = new FileInputStream(xmlFile);
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR WHILE LOADING ASSERTION XML FILE - e=[" + e + "]");
            System.exit(-1);
        }


        BasicParserPool parserPoolManager = new BasicParserPool();

        Document document = null;
        Element metadataRoot = null;
        try {
            document = parserPoolManager.parse(inputStream);
            metadataRoot = document.getDocumentElement();
            System.out.println("metadataRoot.getNodeName()=[" + metadataRoot.getNodeName() + "]");
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR WHILE CREATING DOCUMENT FROM XML FILE - e=[" + e + "]");
            System.exit(-1);
        }

        UnmarshallerFactory unmarshallerFactory = null;
        Unmarshaller unmarshaller = null;
        EncryptedAssertion encryptedAssertion = null;

        try {
            // Unmarshall
            unmarshallerFactory = Configuration.getUnmarshallerFactory();
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR WHILE CREATING UNMARSHALLFACTORY - e=[" + e + "]");
            System.exit(-1);
        }

        if (unmarshallerFactory == null) {
            System.out.println("unmarshallerFactory is null");
        } else {
            System.out.println("unmarshallerFactory is OK/NOT-null");
        }

        try {
            // Unmarshall
            unmarshaller = unmarshallerFactory.getUnmarshaller(metadataRoot);
            if (unmarshaller == null) {
                System.out.println("unmarshaller is null");
            } else {
                System.out.println("unmarshaller is OK/NOT-null");
            }

            System.out.println("unmarshaller.getClass().getname=[" + unmarshaller.getClass().getName() + "]");
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR WHILE CREATING UNMARSHALLER - e=[" + e + "]");
            System.exit(-1);
        }


        try {
            // Unmarshall
            encryptedAssertion = (EncryptedAssertion)unmarshaller.unmarshall(metadataRoot);
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR CREATING ENCRYPTEDASSERTION BY UNMARSHALLING - e=[" + e + "]");
            e.printStackTrace();
            System.exit(-1);
        }
        System.out.println("SUCCESS - CREATED ENCRYPTEDASSERTION BY UNMARSHALLING!!");
        System.out.println("Will now try to load the PRIVATE KEY FILE...");

        // Load the private key file.
        File privateKeyFile = new File(privateKeyFileName);
        FileInputStream inputStreamPrivateKey = null;
        byte[] encodedPrivateKey = null;
        try {
            inputStreamPrivateKey = new FileInputStream(privateKeyFile);
            encodedPrivateKey = new byte[(int)privateKeyFile.length()];
            inputStreamPrivateKey.read(encodedPrivateKey);
            inputStreamPrivateKey.close();
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR WHILE READING PRIVATE KEY FROM FILE - e=[" + e + "]");
            System.exit(-1);
        }
        System.out.println("SUCCESS - READ/INPUT THE PRIVATE KEY FILE!!");

        PKCS8EncodedKeySpec privateKeySpec = null;
        RSAPrivateKey privateKey = null;
        try {
            // Create the private key.
            privateKeySpec = new PKCS8EncodedKeySpec(encodedPrivateKey);
            privateKey = (RSAPrivateKey)KeyFactory.getInstance("RSA").generatePrivate(privateKeySpec);
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR WHILE CREATING PRIVATE KEY - e=[" + e + "]");
            System.exit(-1);
        }
        System.out.println("SUCCESS - CREATING THE PRIVATE KEY INSTANCE!!");



        ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver();
        keyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
        keyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        keyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());
        System.out.println("Built a list of encrypted key resolvers...");

        boolean successfulDecryption = false;

        // Create the credentials.
        BasicX509Credential decryptionCredential = new BasicX509Credential();
        decryptionCredential.setPrivateKey(privateKey);

        StaticKeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(decryptionCredential);

        // Create a decrypter.
        Decrypter decrypter = new Decrypter(null, resolver, keyResolver);
        decrypter.setRootInNewDocument(true);
        // Decrypt the assertion.
        Assertion decryptedAssertion = null;
        System.out.println("WILL NOW TRY TO DECRYPT THE ENCRYPTED ASSERTION...");
        try
        {
            decryptedAssertion = decrypter.decrypt(encryptedAssertion);
        } catch (Exception e) {
            System.out.println("** ERROR ** - ERROR WHILE DECRYPTING THE ASSERTION - e=[" + e + "]");
            System.exit(-1);
        }

        System.out.println("SUCCESS - DECRYPTED THE ENCRYPTED ASSERTION - will now dump out the decrypted assertion...!!");
        System.out.println("decryptedAssertion.toString=[" + decryptedAssertion.toString() + "]");
        System.out.println("Finished...");
        System.exit(0);
    } // end main()

}

当我使用测试签名的断言(XML)和私钥运行它时,我得到以下输出。这是在Eclipse下运行,并使用Java 1.8内部版本201:

test_opensaml V1.00
[main] INFO test_opensaml - xmlFileName=[E:ECLIPSE-WORKSPACESopensamlopensamldataencrypted_assertion.xml]
[main] INFO test_opensaml - privateKeyFileName=[E:ECLIPSE-WORKSPACESopensamlopensamldatageoaxis-gxaccess.com.private-key.der]

metadataRoot.getNodeName()=[saml:EncryptedAssertion]
unmarshallerFactory is OK/NOT-null
unmarshaller is OK/NOT-null
unmarshaller.getClass().getname=[org.opensaml.saml2.core.impl.EncryptedAssertionUnmarshaller]
SUCCESS - CREATED ENCRYPTEDASSERTION BY UNMARSHALLING!!
Will now try to load the PRIVATE KEY FILE...
SUCCESS - READ/INPUT THE PRIVATE KEY FILE!!
SUCCESS - CREATING THE PRIVATE KEY INSTANCE!!
Built a list of encrypted key resolvers...
WILL NOW TRY TO DECRYPT THE ENCRYPTED ASSERTION...
[main] ERROR org.opensaml.xml.encryption.Decrypter - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
Original Exception was java.security.InvalidKeyException: Unwrapping failed
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1539)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:708)
    at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:639)
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:794)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at test_opensaml.main(test_opensaml.java:193)
Caused by: java.security.InvalidKeyException: Unwrapping failed
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:445)
    at javax.crypto.Cipher.unwrap(Cipher.java:2549)
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1537)
    ... 9 more
Caused by: javax.crypto.BadPaddingException: Decryption error
    at sun.security.rsa.RSAPadding.unpadOAEP(Unknown Source)
    at sun.security.rsa.RSAPadding.unpad(Unknown Source)
    at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:440)
    ... 11 more
[main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[main] ERROR org.opensaml.xml.encryption.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
[main] ERROR org.opensaml.saml2.encryption.Decrypter - SAML Decrypter encountered an error decrypting element content
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:546)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at test_opensaml.main(test_opensaml.java:193)
** ERROR ** - ERROR WHILE DECRYPTING THE ASSERTION - e=[org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData]

由于这是(至少对我而言)新的未经测试的代码,我想知道如何才能进一步诊断此问题?

是否有其他日志记录或其他内容可以帮助找出问题所在或找出问题所在?

我知道这听起来有点不寻常,但仅供参考,第三方给了我现在用来测试的签名断言和私钥,所以我实际上不能100%确定它们是否正确,所以我想知道是否有什么地方可以获得/下载已知良好的加密断言示例和相应的私钥,以便我可以尝试使用已知良好的数据来测试上面的代码?

谢谢, 吉姆

编辑:对不起,我忘了包括我用来测试的加密断言的片段:

<?xml version="1.0"?>
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Id="_332ec9de74ee4a8b97b84694edb58ba9" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Type="http://www.w3.org/2001/04/xmlenc#Element" Id="_d32f036453ed438b84783a21a2e2cca7">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xenc:CipherData>
<xenc:CipherValue>Rfn5PDApVSF3wTBgsiQsFn5rybj...EZoHpGvxDPv5kAhVw==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>FTk8D8nGOTuZsunGifMEHtj...xiAvwSQ=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedAssertion>

编辑2:对于熟悉OpenSAML和SAML的人:上面签名的断言有问题吗?我已经做了一些额外的测试,似乎没有一个解析器能够找到加密密钥,我注意到ds:KeyInfo嵌入到Xenc:EncryptedData中,与Xenc:CipherData处于同一级别。这是正常的结构吗?哪个链式解析器应该找到ds:KeyInfo?


解决方案

仅供参考,一旦我找到了与示例加密断言匹配的正确私钥,我终于让它按原样工作。

相关文章