Error while decrypting assertion sent from IDP

2019-03-30 08:37发布

问题:

I am trying to decrypt the encrypted assertion sent by IDP within artifact resolve. But I get an error as :

17:01:55.734 [http-8443-2] ERROR o.o.x.e.Decrypter - Error decrypting the encrypted data element
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1756) ~[xmlsec-1.5.4.jar:1.5.4]
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:585) [xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:774) [xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524) [xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442) [xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403) [xmltooling-1.4.0.jar:na]
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) [opensaml-2.6.0.jar:na]
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) [opensaml-2.6.0.jar:na]
    at opensamlbook.sp.ConsumerServlet.decryptAssertion(ConsumerServlet.java:119) [ConsumerServlet.class:na]
    at opensamlbook.sp.ConsumerServlet.doGet(ConsumerServlet.java:85) [ConsumerServlet.class:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) [servlet-api.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.44]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.44]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.44]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.44]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.44]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) [tomcat-coyote.jar:6.0.44]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620) [tomcat-coyote.jar:6.0.44]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.44]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_55]
Caused by: java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1024) ~[na:1.7.0_51]
    at javax.crypto.Cipher.init(Cipher.java:1345) ~[na:1.7.0_51]
    at javax.crypto.Cipher.init(Cipher.java:1282) ~[na:1.7.0_51]
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1754) ~[xmlsec-1.5.4.jar:1.5.4]
    ... 24 common frames omitted
17:01:55.734 [http-8443-2] ERROR o.o.x.e.Decrypter - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
17:01:55.734 [http-8443-2] ERROR o.o.s.e.Decrypter - SAML Decrypter encountered an error decrypting element content
org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535) ~[xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442) ~[xmltooling-1.4.0.jar:na]
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403) ~[xmltooling-1.4.0.jar:na]
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) [opensaml-2.6.0.jar:na]
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) [opensaml-2.6.0.jar:na]
    at opensamlbook.sp.ConsumerServlet.decryptAssertion(ConsumerServlet.java:119) [ConsumerServlet.class:na]
    at opensamlbook.sp.ConsumerServlet.doGet(ConsumerServlet.java:85) [ConsumerServlet.class:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) [servlet-api.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.44]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.44]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.44]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:6.0.44]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.44]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.44]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) [tomcat-coyote.jar:6.0.44]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620) [tomcat-coyote.jar:6.0.44]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.44]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_55]

Code for Decrypting assertion:

private Assertion decryptAssertion(EncryptedAssertion encryptedAssertion) {
        StaticKeyInfoCredentialResolver keyInfoCredentialResolver = new StaticKeyInfoCredentialResolver(SPCredentials.getCredential());
        Decrypter decrypter = new Decrypter(null, keyInfoCredentialResolver, new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true);
        try {
            return decrypter.decrypt(encryptedAssertion);
        } catch (DecryptionException e) {
            throw new RuntimeException(e);
        }
    }

I am getting error at line:

 return decrypter.decrypt(encryptedAssertion);

Guys please help me to resolve this issue. I have been stuck from past 3 days on this error.

回答1:

This happens due to limitation of cryptography strength in default distribution of Java Runtime Environment.

  1. Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (for Java 7) (for Java 8)

  2. Extract zip archive and find there local_policy.jar and US_export_policy.jar.

  3. Replace your JRE version of these files under $JAVA_HOME/jre{version_number}/lib/security/ with downloaded ones.

  4. Restart JRE process, if any running. Now you can use longer keys.