Ssl 别名为mykey的SAML密钥没有私钥_Ssl_Jakarta Ee_Spring Security_Spring Boot_Spring Saml

Ssl 别名为mykey的SAML密钥没有私钥

ssl jakarta-ee spring-security spring-boot

Ssl 别名为mykey的SAML密钥没有私钥,ssl,jakarta-ee,spring-security,spring-boot,spring-saml,Ssl,Jakarta Ee,Spring Security,Spring Boot,Spring Saml,我试图用saml修改spring boot安全性的一个示例程序。 . 我从我的身份提供者那里获得了certificate.crt，并尝试创建一个示例keystore.jks，以在集成到我的应用程序之前测试我的连接性。我按照以下步骤创建证书 @Bean public KeyManager keyManager() { DefaultResourceLoader loader = new DefaultResourceLoader(); Resource

我试图用saml修改spring boot安全性的一个示例程序。 . 我从我的身份提供者那里获得了certificate.crt，并尝试创建一个示例keystore.jks，以在集成到我的应用程序之前测试我的连接性。我按照以下步骤创建证书

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

创建密钥存储

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

当我尝试列出我的密钥库时，我有一个私钥

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

列出密钥库

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

我使用下面的命令导入了IDP团队提供的证书

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

keytool-import-file myidp.crt-storepass changeit-keystore mykeystore.jks

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

现在，当我列出我的jks文件时，我有两个条目，一个是私有的

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: saml
Creation date: May 24, 2016
Entry type: PrivateKeyEntry
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
*******************************************
*******************************************
Alias name: mykey
Creation date: May 24, 2016
Entry type: trustedCertEntry
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
*******************************************
*******************************************

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

我修改了websecurityconfig.java类，在将crt导入密钥存储时没有给出任何密码短语。我曾试图保持别名不变，但后来我发现了以下错误

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

keytool错误：java.lang.Exception:*应答中的公钥和密钥库不匹配

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

现在我得到以下例外，我知道这是一些问题与我的JKS创造。请您建议如何为我的受信任存储添加私钥。我只从IDP提供程序收到了.crt文件。我是否需要执行任何其他步骤来为我的受信任存储添加私钥？我检查了两个类似于我的问题的帖子，但我无法找出证书创建的问题

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

路径为[]的上下文中Servlet[dispatcherServlet]的错误[http-nio-8080-exec-4]DirectJDKLog.java:182-Servlet.service引发异常 java.lang.RuntimeException:别名为mykey的密钥没有私钥位于org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfoMetadataGenerator.java:209 位于org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptorMetadataGenerator.java:329 位于org.springframework.security.saml.metadata.MetadataGenerator.generateMetadataMetadataGenerator.java:189 位于org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitializationMetadataGeneratorFilter.java:127 位于org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilterMetadataGeneratorFilter.java:86 位于org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilterFilterChainProxy.java:330 位于org.springframework.security.web.FilterChainProxy.doFilterInternalFilterChainProxy.java:213 位于org.springframework.security.web.FilterChainProxy.doFilterFilterChainProxy.java:176 位于org.springframework.web.filter.DelegatingFilterProxy.invokedelegatingfilterproxy.java:346 位于org.springframework.web.filter.DelegatingFilterProxy.doFilterDelegatingFilterProxy.java:262 位于org.apache.catalina.core.ApplicationFilterChain.internalDoFilterApplicationFilterChain.java:239 位于org.apache.catalina.core.ApplicationFilterChain.doFilterApplicationFilterChain.java:206 在org.springframework.web.filter.RequestContextFilter.doFilterInternalRequestContextFilter.java:99 位于org.springframework.web.filter.OncePerRequestFilter.doFilterOncePerRequestFilter.java:107 位于org.apache.catalina.core.ApplicationFilterChain.internalDoFilterApplicationFilterChain.java:239 位于org.apache.catalina.core.ApplicationFilterChain.doFilterApplicationFilterChain.java:206 位于org.springframework.web.filter.HttpPutFormContentFilter.dofilternertnalhttpputformcontentfilter.java:87 位于org.springframework.web.filter.OncePerRequestFilter.doFilterOncePerRequestFilter.java:107 位于org.apache.catalina.core.ApplicationFilterChain.internalDoFilterApplicationFilterChain.java:239 位于org.apache.catalina.core.ApplicationFilterChain.doFilterApplicationFilterChain.java:206 位于org.springframework.web.filter.hiddenhttmpmethodfilter.dofilterInternalHiddenhttmpmethodfilter.java:77 位于org.springframework.web.filter.OncePerRequestFilter.doFilterOncePerRequestFilter.java:107 位于org.apache.catalina.core.ApplicationFilterChain.internalDoFilterApplicationFilterChain.java:239 位于org.apache.catalina.core.ApplicationFilterChain.doFilterApplicationFilterChain.java:206 在org.springframework.web.filter.CharacterEncodingFilter.doFilterInternalCharacterEncodingFilter.java:121 位于org.springframework.web.filter.OncePerRequestFilter.doFilterOncePerRequestFilter.java:107 位于org.apache.catalina.core.ApplicationFilterChain.internalDoFilterApplicationFilterChain.java:239 位于org.apache.catalina.core.ApplicationFilterChain.doFilterApplicationFilterChain.java:206 位于org.apache.catalina.core.StandardWrapperValve.invokeStandardWrapperValve.java:212 位于org.apache.catalina.core.StandardContextValve.invokeStandardContextValve.java:106 位于org.apache.catalina.authenticator.AuthenticatorBase.invokeAuthenticatorBase。爪哇：502 位于org.apache.catalina.core.StandardHostValve.invokeStandardHostValve.java:141 在org.apache.catalina.valves.ErrorReportValve.InvokeerErrorReportValve.java:79 位于org.apache.catalina.core.StandardEngineValve.invokeStandardenginievalve.java:88 位于org.apache.catalina.connector.CoyoteAdapter.serviceCoyoteAdapter.java:521 位于org.apache.coyote.http11.AbstractHttp11Processor.processAbstractHttp11Processor.java:1096 位于org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.processAbstractProtocol.java:674 位于org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRunNioEndpoint.java:1500 位于org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.runNioEndpoint.java:1456 位于java.util.concurrent.ThreadPoolExecutor.runWorkerThreadPoolExecutor.java:1142 位于java.util.concurrent.ThreadPoolExecutor$Worker.runThreadPoolExecutor.java:617 位于org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.runTaskThread.java:61 java:745 调试[http-nio-8080-exec-4]DispatcherServlet.java:861-名为'DispatcherServlet'的DispatcherServlet正在处理针对[/error]的GET请求 DEBUG[http-nio-8080-exec-4]AbstractHandlerMethodMapping.java:318-查找处理程序方法的路径/错误调试[http-nio-8080-exec-4]AbstractHandlerMethodMapping.java:325-返回处理程序方法[public org.springframework.http.ResponseEntity>org.springframework.boot.autoconfigure.web.BasicErrorController.errorjavax.servlet.http.HttpServletRequest] DEBUG[http-nio-8080-exec-4]AbstractBeanFactory.java:251-返回singleton bean'basicErrorController'的缓存实例 DEBUG[http-nio-8080-exec-4]DispatcherServlet.java:947-上次修改[/error]的值为：-1 DEBUG[http-nio-8080-exec-4]AbstractMessageConverterMethodProcessor.java:225-编写[{timestamp=Tue May 24 19:12:00 IST 2016，状态=500，错误=Internal Server error，异常=java.lang.RuntimeException，消息=Key别名为mykey没有私钥，路径=/favicon.ico}]为application/json；charset=UTF-8，使用[org.springframework.http.converter.json]。MappingJackson2HttpMessageConverter@380682cd] DEBUG[http-nio-8080-exec-4]DispatcherServlet.java:1034-返回给名为“DispatcherServlet”的DispatcherServlet的Null ModelAndView：假设HandlerAdapter完成了请求处理

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

您需要使用与私钥相同的别名导入已签名证书

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

现在，当我列出我的jks文件时，我有两个条目，一个是私有的

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

您应该只有一个私钥。

您的密钥库中可以有任意数量的私钥项。。。但是您只能为spring saml配置一个私钥。。。私钥的类型应为Entry类型：PrivateKeyEntry。。并更新spring-security.xml，使其具有私钥的别名。例如

  @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile =   loader.getResource("classpath:/saml/myKeystore.jks");

        String storePass = "changeit";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("changeit", "changeit");
        String defaultKey = "mykey";
        return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
    }

<!-- Central storage of cryptographic keys -->
            <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
                <constructor-arg value="classpath:keycloak.jks"/>
                <constructor-arg type="java.lang.String" value="password"/>
                <constructor-arg>
                    <map>
                        <entry key="YOUR_ALIAS" value="password"/>
                    </map>
                </constructor-arg>
                <constructor-arg type="java.lang.String" value="YOUR_ALIAS"/>
            </bean>

可能是重复的，我已经试过了，但我得到下面的错误。keytool错误：java.lang.Exception:应答中的公钥与密钥库不匹配如果您的密钥库或别名或证书错误。您从一个密钥对开始，它有一个别名；您从同一别名生成了CSR：您从CSR获得了签名证书；然后，您需要将已签名的证书导入到具有相同别名的相同密钥库中。