SSL: SAML key with alias mykey does not have a private key

Tags: ssl, jakarta-ee, spring-security, spring-boot, spring-saml

I am trying to modify a sample Spring Boot Security program to use SAML. I got certificate.crt from my identity provider and tried to create a sample keystore.jks to test my connectivity before integrating it into my application. I followed the steps below to create the certificate.
Create the keystore
When I list my keystore, I have a private key.
List the keystore
I imported the certificate provided by the IDP team with the command below:
keytool -import -file myidp.crt -storepass changeit -keystore mykeystore.jks
Now, when I list my jks file, I have two entries, one of them private:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: saml
Creation date: May 24, 2016
Entry type: PrivateKeyEntry
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
*******************************************
*******************************************
Alias name: mykey
Creation date: May 24, 2016
Entry type: trustedCertEntry
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
*******************************************
*******************************************
I modified the websecurityconfig.java class; I did not give any passphrase when importing the crt into the keystore. I had tried to keep the alias the same, but then I got the following error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Now I get the exception below. I know this is some problem with my JKS creation. Could you please suggest how to add a private key to my trust store? I only received a .crt file from the IDP provider. Do I need to do any other steps to add a private key to my trust store? I checked two posts similar to my problem, but I could not figure out the problem with the certificate creation.
ERROR [http-nio-8080-exec-4] DirectJDKLog.java:182 - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
java.lang.RuntimeException: Key with alias mykey does not have a private key
    at org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:209)
    at org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329)
    at org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
DEBUG [http-nio-8080-exec-4] DispatcherServlet.java:861 - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error]
DEBUG [http-nio-8080-exec-4] AbstractHandlerMethodMapping.java:318 - Looking up handler method for path /error
DEBUG [http-nio-8080-exec-4] AbstractHandlerMethodMapping.java:325 - Returning handler method [public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)]
DEBUG [http-nio-8080-exec-4] AbstractBeanFactory.java:251 - Returning cached instance of singleton bean 'basicErrorController'
DEBUG [http-nio-8080-exec-4] DispatcherServlet.java:947 - Last-Modified value for [/error] is: -1
DEBUG [http-nio-8080-exec-4] AbstractMessageConverterMethodProcessor.java:225 - Written [{timestamp=Tue May 24 19:12:00 IST 2016, status=500, error=Internal Server Error, exception=java.lang.RuntimeException, message=Key with alias mykey does not have a private key, path=/favicon.ico}] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@380682cd]
DEBUG [http-nio-8080-exec-4] DispatcherServlet.java:1034 - Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
@Bean
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader.getResource("classpath:/saml/myKeystore.jks");
    String storePass = "changeit";
    // map of key alias -> key password handed to JKSKeyManager
    Map<String, String> passwords = new HashMap<>();
    passwords.put("changeit", "changeit");
    // alias JKSKeyManager uses as the SP's default (signing) key
    String defaultKey = "mykey";
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
You need to import the signed certificate using the same alias as your private key.
"Now, when I list my jks file, I have two entries, one of them private"
You should have only one private key. You can have any number of private key entries in your keystore... but you can configure only one private key for Spring SAML... The private key should be of Entry type: PrivateKeyEntry.. and update spring-security.xml so it has the alias of the private key. For example:
<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:keycloak.jks"/>
    <constructor-arg type="java.lang.String" value="password"/>
    <constructor-arg>
        <map>
            <entry key="YOUR_ALIAS" value="password"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="YOUR_ALIAS"/>
</bean>
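An added diagnostic that applies the point of this answer (my own code, not from the question or either answer): it loads a JKS file, prints the same alias/entry-type view that keytool -list gives, and refuses an alias that is only a trustedCertEntry, which is exactly the state of mykey in the question's listing. It assumes the keystore path, store password and candidate alias are passed on the command line, and that the key password equals the store password unless a fourth argument is given.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Collections;

// Added example: verifies that the alias meant for JKSKeyManager's defaultKey holds a
// private key. An alias created by importing a .crt (trustedCertEntry) has none, which
// is what produces "Key with alias ... does not have a private key".
// Usage: java KeystoreAliasCheck <keystore.jks> <storepass> <alias> [keypass]
public class KeystoreAliasCheck {

    /** Returns the alias if it is usable as defaultKey, otherwise throws with the reason. */
    static String checkDefaultKeyAlias(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("alias '" + alias + "' is not in the keystore; present: "
                    + Collections.list(ks.aliases()));
        }
        if (!ks.isKeyEntry(alias)) {
            // keytool -list reports this entry as trustedCertEntry: a certificate with no key.
            throw new IllegalStateException("alias '" + alias + "' is a trustedCertEntry, not a"
                    + " PrivateKeyEntry; defaultKey must name the alias that holds your key pair");
        }
        Key key = ks.getKey(alias, keyPass); // wrong key password -> UnrecoverableKeyException
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("alias '" + alias + "' does not hold a private key");
        }
        return alias;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreAliasCheck <keystore.jks> <storepass> <alias> [keypass]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] keyPass = (args.length > 3 ? args[3] : args[1]).toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }
        // Same view keytool -list gives: each alias with its entry type.
        for (String a : Collections.list(ks.aliases())) {
            System.out.printf("%-12s %s%n", a, ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry");
        }
        String ok = checkDefaultKeyAlias(ks, args[2], keyPass);
        System.out.println("OK: use \"" + ok + "\" both as defaultKey and as the key of the passwords map");
    }
}
```

Run against the keystore from the question with alias mykey and it stops at the trustedCertEntry check; run with the PrivateKeyEntry alias and it prints the alias to put in both the defaultKey argument and the passwords map.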
Possible duplicate.

I have tried that, but I get the error below. keytool error: java.lang.Exception: Public keys in reply and keystore don't match

That happens if your keystore, alias or certificate is wrong. You started with a key pair, which has an alias; you generated a CSR from that same alias; you got the signed certificate for the CSR; then you need to import the signed certificate into the same keystore under the same alias.