受信任的证书条目不受密码保护 Spring SAML
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26164109/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
trusted certificate entries are not password-protected Spring SAML
提问by SM KUMAR
I have generated testIdp.cer file by copying 509 entry of the IDP I am planning to connect. Then I created JKS file by executing the following command
我通过复制我计划连接的 IDP 的 509 条目生成了 testIdp.cer 文件。然后我通过执行以下命令创建了 JKS 文件
keytool -importcert -alias adfssigning -keystore C:\Users\user\Desktop\samlKeystore.jks -file C:\Users\user\Desktop\testIdp.cer
When executed it has asked to enter a password for which I have given a password. For the question "Trust this certificate? [no]:", I have given "y" as input. Message came out as "Certificate was added to keystore".
执行时,它要求输入密码,我已为其提供密码。对于“信任此证书?[否]:”这个问题,我输入了“y”。消息显示为“证书已添加到密钥库”。
Then I have configured the following details in securityContext.xml
然后我在securityContext.xml中配置了以下细节
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="mypassword"/>
<constructor-arg>
<map>
<entry key="adfssigning" value="mypassword"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="adfssigning"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="alias" value="adfssigning" />
<property name="signingKey" value="adfssigning"/>
</bean>
But when I run the application, I get the following two exceptions when the server is starting and when I load the homepage of the application. Can anyone let me know if I am missing anything else.
但是当我运行应用程序时,我在服务器启动和加载应用程序主页时遇到以下两个异常。任何人都可以让我知道我是否还缺少其他任何东西。
This exception is occuring when I start the server
当我启动服务器时发生此异常
Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:327)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityGroup(SignatureValidationFilter.java:240)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:158)
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:493)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:395)
This exception is occuring when I run the homepage of my application
当我运行我的应用程序的主页时发生此异常
java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
at java.security.KeyStore.getEntry(Unknown Source)
at org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)
采纳答案by Vladimír Sch?fer
Your .cercertificate contains only a public key, you mustn't define <entry key="adfssigning" value="mypassword"/>for public keys; it can only be used for private ones. Simply take out the adfssigningentry and make sure to include a private key instead - just like in the Spring SAML sample application.
您的.cer证书只包含一个公钥,您不能<entry key="adfssigning" value="mypassword"/>为公钥定义;它只能用于私人。只需取出adfssigning条目并确保包含私钥 - 就像在 Spring SAML 示例应用程序中一样。
The SAML keystore can contain two basic types of keys - public and private ones (plus their certificates). Each key has an alias which is used to refer to it. The keystore itself can be protected by a password (provided in the second constructor parameter), plus each private key can be also protected by an additional password (these are defined in third parameter of the constructor in a map of alias->password). The public keys which you import to the keystore (just like you did with the command above) mustn't be defined in this map. They will be automatically available after being imported without additional declarations. For Spring SAML to work, the keystore must contain at least one private key (the sample application contains private key with alias apollo) and its alias needs to be provided in the third parameter of the constructor.
SAML 密钥库可以包含两种基本类型的密钥 - 公共密钥和私有密钥(以及它们的证书)。每个键都有一个别名,用于引用它。密钥库本身可以由密码保护(在第二个构造函数参数中提供),另外每个私钥也可以由附加密码保护(这些在别名->密码映射中的构造函数的第三个参数中定义)。您导入到密钥库的公钥(就像您使用上面的命令所做的一样)不得在此映射中定义。它们将在导入后自动可用,无需额外声明。要使 Spring SAML 工作,密钥库必须至少包含一个私钥(示例应用程序包含别名为 apollo 的私钥),并且需要在构造函数的第三个参数中提供其别名。
Your example above fails, because you have imported a public key, but included it in the map which can only be used for private keys.
您上面的示例失败了,因为您导入了一个公钥,但将其包含在只能用于私钥的映射中。
回答by Matthias M
Vladimir answered correctly the question whythe error occurs. In my answer I want to show howyou can import a certificate to the keystore to solve that problem:
弗拉基米尔正确地回答了这个问题,为什么错误发生。在我的回答中,我想展示如何将证书导入密钥库以解决该问题:
You have to import the certificate andprivate key which could not be done directly by keytool.
您必须导入keytool 无法直接完成的证书和私钥。
The detailed described solution is found here: https://stackoverflow.com/a/8224863/1909531
详细描述的解决方案可以在这里找到:https: //stackoverflow.com/a/8224863/1909531
Here's an excerpt:
这是摘录:
openssl pkcs12 -export -in server.crt -inkey server.key \
-out server.p12 -name [some-alias] \
-CAfile ca.crt -caname root
keytool -importkeystore \
-deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \
-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \
-alias [some-alias]
回答by Jakob Hemicke Greve
This error occurs also when you don't have a private key in your Keystore. SAML uses the private key to generate the Service provider meta data used to communicate with the IDP. Just add one to the Keystore like this: keytool -genkey -v -keystore some_key_store.jks -alias some_alias -keyalg RSA -keysize 2048 -validity 36500 Fill in the questions and set validity to an appropriate number of days. (In my example it's valid for 100 years) Remember to add the public certificate from IDP. Then you should be ready to go.
当您的密钥库中没有私钥时,也会发生此错误。SAML 使用私钥生成用于与 IDP 通信的服务提供者元数据。只需像这样向密钥库添加一个: keytool -genkey -v -keystore some_key_store.jks -alias some_alias -keyalg RSA -keysize 2048 -validity 36500 填写问题并将有效期设置为适当的天数。(在我的示例中,它的有效期为 100 年)记得添加来自 IDP 的公共证书。那么你应该准备好了。
回答by Velu
Get the public certificate using openssl command:
使用 openssl 命令获取公共证书:
openssl s_client -showcerts -connect iam-sso.google.net:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
Import it into the Keystore:
将其导入密钥库:
keytool -import -alias "new-qet-alias" -keystore /usr/share/tomcat8/webapps/ROOT/WEB-INF/classes/saml/samlKeystore.jks -file mycertfile.pem
回答by Sandeep Shukla
For those looking for answers in java config please comment out the line passwords.put("mykeyalias", "mystorepass"); .... shown in code snippet below.
对于那些在 java 配置中寻找答案的人,请注释掉 passwords.put("mykeyalias", "mystorepass"); .... 显示在下面的代码片段中。
@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader.getResource("classpath:saml-keystore.jks");
Map<String, String> passwords = new HashMap<>();
// passwords.put("mykeyalias", "mystorepass");
return new JKSKeyManager(storeFile, "mystorepass", passwords, "mykeyalias");
}
