
I have referred to the Spring SAML manual to create a private key and import the public certificate. But I am still facing issues with the encryption/decryption.

I have created a JKS file with the following commands, as mentioned in the manual:

Command used to import the public certificate of the IDP:

keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file testIdp.cer

Command used for the private key:

keytool -genkeypair -alias myprivatealias -keypass changeit -keystore samlKeystore.jks

The passwords of both the private key and the keystore are 'changeit'.

I have configured the securityContext as follows:

<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="changeit"/>
    <constructor-arg>
        <map>
            <entry key="myprivatealias" value="changeit"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="myprivatealias"/>
</bean>

I am able to see the idpDiscovery page where I can select the IDP. I am able to view the login page of the IDP as well. But when I provide the user credentials, I am getting the following exception.

This exception occurs when a saml2:EncryptedAssertion is sent along with the saml2p:Status in the SAML response (class WebSSOProfileConsumerImpl of the spring-saml jar).

ERROR org.opensaml.xml.encryption.Decrypter  - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
Original Exception was java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1479)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)

Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
... 46 more
740323 [http-8080-2] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
740324 [http-8080-2] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
740325 [http-8080-2] ERROR org.opensaml.saml2.encryption.Decrypter  - SAML Decrypter encountered an error decrypting element content

Can anyone let me know where I am going wrong?

Alternate command used for private key generation instead of the one mentioned above:

keytool -genkey -alias privatekeyalias -keyalg RSA -keystore samlKeystore.jks

If I use this command and update the JKS file, I get a different exception: InvalidKeyException: Key is too long for unwrapping.

Caused by: java.security.InvalidKeyException: Key is too long for unwrapping
at com.sun.crypto.provider.RSACipher.engineUnwrap(DashoA13*..)
at javax.crypto.Cipher.unwrap(DashoA13*..)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1477)
... 46 more
41   [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
42   [http-8080-1] ERROR org.opensaml.xml.encryption.Decrypter  - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
42   [http-8080-1] ERROR org.opensaml.saml2.encryption.Decrypter  - SAML Decrypter encountered an error decrypting element content

Can anyone help me out with this problem?

SM KUMAR
  • Have you installed the unlimited strength cryptography library (http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#quick-start-prerequisites)? – Vladimír Schäfer Oct 06 '14 at 17:31
  • @vschafer Ya, I have installed it by copying both the jars (US_export_policy and local_policy) into C:\Program Files\Java\jdk1.6.0_25\jre\lib\security and C:\Program Files\Java\jre6\lib\security. **Still getting the same error.** Jars downloaded from (http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html). Is there any other problem in generating the private key (**keytool -genkey -alias privatekeyalias -keyalg RSA -keystore samlKeystore.jks**)? – SM KUMAR Oct 07 '14 at 09:32
  • @vschafer In continuation to the above comment, I have tried all sorts of key generations as well. I have used **keytool -genkeypair** and **keytool -genkey** by mentioning **-keyalg RSA**. For both these keys, I am getting the same error which is **java.security.InvalidKeyException: Key is too long for unwrapping**. I have even tried installing unlimited strength cryptography library as mentioned in the above comment. Can you please let me know where I am going wrong? – SM KUMAR Oct 07 '14 at 11:45
  • Perhaps your installation is using a different JDK than you think. The error you're encountering is usually caused by the missing unlimited crypto library. See http://stackoverflow.com/questions/9422545/decrypting-encrypted-assertion-using-saml-2-0-in-java-using-opensaml, you can try to post the whole assertion so one can see how's the key encoded in the XML. – Vladimír Schäfer Oct 07 '14 at 12:14
  • @vschafer As I could not paste the entire assertion here in comments, I have posted the whole assertion in the below mentioned link. Your help in this regard is much appreciated. http://stackoverflow.com/questions/26237273/spring-saml-key-is-too-long-for-unwrapping-invalidkeyexception – SM KUMAR Oct 07 '14 at 13:33
  • @vschafer As suggested, I have posted the whole security assertion at http://stackoverflow.com/questions/9422545/decrypting-encrypted-assertion-using-saml-2-0-in-java-using-opensaml Could you please let me know where did I go wrong. Thanks for your time – SM KUMAR Oct 08 '14 at 08:43

1 Answer


The problem was caused by using a different keystore in the application than the one generated with:

keytool -genkeypair -alias privatekeyalias -keypass samplePrivateKeyPass -keystore samlKeystore.jks -keyalg RSA -sigalg SHA1WithRSA
Vladimír Schäfer
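The two exceptions in the question come from the JCE RSA cipher that the OpenSAML Decrypter uses to unwrap the EncryptedKey, so both can be reproduced and checked without a SAML stack. The following is an added example, not code from the original post or from Spring SAML. Run without arguments it builds keys in memory (constructed input) and shows both failures: a DSA private key, which is what keytool -genkeypair produces on JDK 6 when -keyalg is omitted, is rejected at Cipher.init with "No installed provider supports this key"; and an EncryptedKey produced under a certificate with a larger modulus than the SP's private key is rejected by RSACipher.engineUnwrap with "Key is too long for unwrapping", which is the symptom when the IdP encrypts to a certificate from a keystore other than the one the application loads, as the answer describes. Run with the path, store password, alias and key password from the question's JKSKeyManager bean (assumed positional arguments), it inspects the real keystore the same way. The key-transport algorithm is assumed to be RSA-1.5 (xmlenc rsa-1_5); OAEP behaves the same way for both failure modes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAKey;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added keystore check (example code, not part of Spring SAML or the original post).
 *   java SamlKeyCheck                                            in-memory reproduction
 *   java SamlKeyCheck samlKeystore.jks changeit myprivatealias changeit   inspect a real JKS
 */
public class SamlKeyCheck {

    // Assumed key-transport algorithm for the EncryptedKey (xmlenc rsa-1_5).
    private static final String KEY_TRANSPORT = "RSA/ECB/PKCS1Padding";

    /** Wrap a fresh AES content key under encryptTo (what the IdP does) and unwrap it
     *  with decryptWith (what the OpenSAML Decrypter does with the EncryptedKey). */
    static String roundTrip(PublicKey encryptTo, PrivateKey decryptWith) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey contentKey = kg.generateKey();

        Cipher wrap = Cipher.getInstance(KEY_TRANSPORT);
        wrap.init(Cipher.WRAP_MODE, encryptTo);
        byte[] encryptedKey = wrap.wrap(contentKey);

        Cipher unwrap = Cipher.getInstance(KEY_TRANSPORT);
        unwrap.init(Cipher.UNWRAP_MODE, decryptWith);      // DSA key: InvalidKeyException here
        Key recovered = unwrap.unwrap(encryptedKey, "AES", Cipher.SECRET_KEY); // size mismatch: here
        return Arrays.equals(recovered.getEncoded(), contentKey.getEncoded()) ? "OK" : "MISMATCH";
    }

    /** Modulus size in bits for RSA keys, -1 for anything else (e.g. DSA). */
    static int bits(Key k) {
        return (k instanceof RSAKey) ? ((RSAKey) k).getModulus().bitLength() : -1;
    }

    /** Load the SP keystore the way JKSKeyManager does and check the signing/decryption entry. */
    static void inspect(String path, String storePass, String alias, String keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, storePass.toCharArray()); } finally { in.close(); }

        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a private-key entry; aliases present: "
                    + Collections.list(ks.aliases()));
        }
        PrivateKey priv = (PrivateKey) ks.getKey(alias, keyPass.toCharArray());
        Certificate cert = ks.getCertificate(alias);   // first certificate of the entry's chain
        System.out.println(alias + ": " + priv.getAlgorithm() + " " + bits(priv) + "-bit");
        if (!"RSA".equals(priv.getAlgorithm())) {
            System.out.println("  -> not RSA: cannot unwrap an EncryptedKey; regenerate with -keyalg RSA");
            return;
        }
        System.out.println("  round trip with the entry's own certificate: " + roundTrip(cert.getPublicKey(), priv));
        System.out.println("  an EncryptedKey longer than " + bits(priv) / 8
                + " bytes means the IdP encrypted to a certificate from another keystore");
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 4) { inspect(args[0], args[1], args[2], args[3]); return; }

        // Constructed in-memory input reproducing both exceptions from the question.
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(1024);                          // JDK 6 keytool default key size
        KeyPair sp1024 = rsa.generateKeyPair();        // the SP's own RSA entry
        rsa.initialize(2048);
        KeyPair other2048 = rsa.generateKeyPair();     // certificate from a different keystore
        KeyPairGenerator dsa = KeyPairGenerator.getInstance("DSA");
        dsa.initialize(1024);
        KeyPair spDsa = dsa.generateKeyPair();         // keytool -genkeypair without -keyalg on JDK 6

        System.out.println("RSA key, matching cert : " + roundTrip(sp1024.getPublic(), sp1024.getPrivate()));
        try {
            roundTrip(sp1024.getPublic(), spDsa.getPrivate());
        } catch (InvalidKeyException e) {
            System.out.println("DSA private key        : " + e.getMessage());
        }
        try {
            roundTrip(other2048.getPublic(), sp1024.getPrivate());
        } catch (InvalidKeyException e) {
            System.out.println("cert from other store  : " + e.getMessage());
        }
    }
}
```

The practical check is the one inspect() performs: the alias named as the last constructor argument of JKSKeyManager must be a key entry whose private key is RSA, and the certificate published to the IdP (in the SP metadata) must be the certificate stored under that same alias in the keystore the application actually loads from the classpath. If the IdP holds a certificate from an earlier or regenerated keystore, its EncryptedKey will not match the modulus of the private key the application has, and the unwrap fails before any JCE policy question arises.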