我正在尝试使用 saml 修改 spring-boot 安全示例程序。 https://github.com/vdenotaris/spring-boot-security-saml-sample。我从我的身份提供商那里获得了证书 (.crt),并且我尝试创建一个示例 keystore (.jks) 以在集成到我的应用程序之前测试我的连接性。 我按照以下步骤创建证书。
创建 key 存储
keytool -keystore mykeystore.jks -genkey -alias saml
当我尝试列出我的 keystore 时,我有一个私钥
列出 keystore
keytool -list -V -storepass changeit -keystore mykeystore.jks
我使用以下命令导入了 IDP 团队提供的证书。
keytool -import -file myidp.crt -storepass changeit -keystore mykeystore.jks
现在,当我列出我的 jks 文件时,我有两个条目,一个是私有(private)的。
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: saml
Creation date: May 24, 2016
Entry type: PrivateKeyEntry
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
*******************************************
*******************************************
Alias name: mykey
Creation date: May 24, 2016
Entry type: trustedCertEntry
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
*******************************************
*******************************************
我修改了 WebSecurityConfi.java 类,在将 crt 导入 keystore 时我没有提供任何密码短语。我试图让别名保持不变,但后来出现以下错误。
keytool 错误:java.lang.Exception:**回复和 keystore 中的公钥不匹配
@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader.getResource("classpath:/saml/myKeystore.jks");
String storePass = "changeit";
Map<String, String> passwords = new HashMap<>();
passwords.put("changeit", "changeit");
String defaultKey = "mykey";
return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
现在我遇到了异常,我知道我的 JKS 创建存在一些问题。您能否建议如何为我信任的商店添加私钥。我只从 IDP 提供商那里收到了 .crt 文件。我是否必须执行任何其他步骤才能为我的受信任商店添加私钥?我检查了几个类似于我的问题的帖子,比如 Key with alias xxx doesn't have a private key with Spring SAML,但我无法弄清楚证书创建的问题。
ERROR [http-nio-8080-exec-4] (DirectJDKLog.java:182) - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception java.lang.RuntimeException: Key with alias mykey doesn't have a private key at org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:209) at org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329) at org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189) at org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127) at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) DEBUG [http-nio-8080-exec-4] (DispatcherServlet.java:861) - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error] DEBUG [http-nio-8080-exec-4] (AbstractHandlerMethodMapping.java:318) - Looking up handler method for path /error DEBUG [http-nio-8080-exec-4] (AbstractHandlerMethodMapping.java:325) - Returning handler method [public org.springframework.http.ResponseEntity> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)] DEBUG [http-nio-8080-exec-4] (AbstractBeanFactory.java:251) - Returning cached instance of singleton bean 'basicErrorController' DEBUG [http-nio-8080-exec-4] (DispatcherServlet.java:947) - Last-Modified value for [/error] is: -1 DEBUG [http-nio-8080-exec-4] (AbstractMessageConverterMethodProcessor.java:225) - Written [{timestamp=Tue May 24 19:12:00 IST 2016, status=500, error=Internal Server Error, exception=java.lang.RuntimeException, message=Key with alias mykey doesn't have a private key, path=/favicon.ico}] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@380682cd] DEBUG [http-nio-8080-exec-4] (DispatcherServlet.java:1034) - Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
最佳答案
您需要使用与私钥相同的别名导入签名证书。
Now my when I list my jks file I have two entries, one private
你应该只有一个,私有(private)的。
关于ssl - 别名为 mykey 的 SAML-Key 没有私钥,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37427526/