x509certificate - Spring Security SAML: trusted certificate entries are not password-protected
I'm integrating the spring-saml2-sample app into my own application. The service provider connects to a Shibboleth IdP. I'm testing with the SP private certificate provided in the samlKeystore.jks that came with the Spring Security SAML application. I registered the IdP signing public key in the keystore using the command:

keytool -importcert -alias idpsignkey -keypass passwords -file key.cer -keystore samlKeystore.jks

I'm able to run the app and log in to the IdP. I can see in the log that the public certificate sent to me in the SAML message corresponds to the one I have in the IdP metadata and registered in the keystore. The app breaks while getting the IdP credential from JKSKeyManager:

java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
    at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
    at java.security.KeyStore.getEntry(Unknown Source)
    at org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)
    at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
    at org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:30)
    at org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:26)
    at org.springframework.security.saml.key.JKSKeyManager.resolveSingle(JKSKeyManager.java:172)
    at org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:194)
    at org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:102)
    at org.opensaml.security.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:169)
This is how the keyManager looks in contextsecurity.xml:

<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
            <entry key="idpsignkey" value="passwords"/>
            <entry key="idpenckey" value="passworde"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>
This is the extended metadata for the IdP:

<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
    <property name="local" value="false"/>
    <property name="securityProfile" value="metaiop"/>
    <property name="sslSecurityProfile" value="pkix"/>
    <property name="signingKey" value="idpsignkey"/>
    <property name="encryptionKey" value="idpenckey"/>
    <property name="requireArtifactResolveSigned" value="false"/>
    <property name="requireLogoutRequestSigned" value="false"/>
    <property name="requireLogoutResponseSigned" value="false"/>
    <property name="idpDiscoveryEnabled" value="false"/>
</bean>
Certificates of IdPs typically do not need to be imported into the keystore; they are provided in the IdP's metadata. You should use ExtendedMetadata, properties signingKey and/or encryptionKey, only in case you want to supplement the keys available in the metadata.

As file key.cer contains the public key of the IdP, you cannot password protect it. You should remove it from the map used for initialization of JKSKeyManager, which needs passwords only for entries that include private keys. Initialization like this:

<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>
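To make the failure mode concrete, here is an added example (not code from the question, the answer, or the Spring Security SAML project) that checks a JKS keystore the way the stack trace above implies: an alias that has a password in the map is looked up with a KeyStore.PasswordProtection, and the JDK's JKS implementation rejects that for a trusted certificate entry. The helper keyEntryPasswords then derives the map JKSKeyManager should actually be given by keeping passwords only for aliases that are private key entries. The keystore path, the store password nalle123 and the aliases come from the page; resolveLikeOpenSaml is my own reconstruction of the lookup, not the library's code.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStore.PasswordProtection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

/**
 * Shows why a password map entry for a trusted certificate alias breaks
 * KeyStore.getEntry(), and builds a map that only covers private key entries.
 */
public class KeyStoreEntryCheck {

    /** Loads a JKS keystore from disk (e.g. samlKeystore.jks from the sample app). */
    static KeyStore load(String path, String storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword.toCharArray());
        }
        return ks;
    }

    /**
     * Returns the alias-to-password map JKSKeyManager should receive: only aliases
     * that hold a private key keep their password. Trusted certificate entries
     * (such as an IdP signing certificate imported with keytool -importcert) have
     * no password, so any password offered for them is dropped.
     */
    static Map<String, String> keyEntryPasswords(KeyStore ks, Map<String, String> candidates)
            throws Exception {
        Map<String, String> result = new HashMap<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                String pw = candidates.get(alias);
                if (pw == null) {
                    System.out.println(alias + ": private key entry without a password in the map");
                } else {
                    result.put(alias, pw);
                }
            } else if (ks.isCertificateEntry(alias) && candidates.containsKey(alias)) {
                System.out.println(alias + ": trusted certificate entry, dropping its password");
            }
        }
        return result;
    }

    /**
     * Reconstruction (assumption, not the library's code) of how the credential
     * resolver behind JKSKeyManager looks an alias up: a password present in the
     * map becomes a PasswordProtection, otherwise null is passed. For a trusted
     * certificate entry a non-null protection parameter makes the JKS provider
     * throw UnsupportedOperationException.
     */
    static KeyStore.Entry resolveLikeOpenSaml(KeyStore ks, Map<String, String> passwords, String alias)
            throws Exception {
        PasswordProtection prot = null;
        if (passwords.containsKey(alias)) {
            prot = new PasswordProtection(passwords.get(alias).toCharArray());
        }
        return ks.getEntry(alias, prot);
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "samlKeystore.jks";
        KeyStore ks = load(path, "nalle123");

        // The map from the question: idpsignkey/idpenckey are trusted certificate aliases.
        Map<String, String> fromQuestion = new HashMap<>();
        fromQuestion.put("apollo", "nalle123");
        fromQuestion.put("idpsignkey", "passwords");
        fromQuestion.put("idpenckey", "passworde");

        try {
            resolveLikeOpenSaml(ks, fromQuestion, "idpsignkey");
        } catch (UnsupportedOperationException e) {
            System.out.println("with the original map: " + e.getMessage());
        }

        Map<String, String> corrected = keyEntryPasswords(ks, fromQuestion);
        System.out.println("corrected map: " + corrected);

        KeyStore.Entry entry = resolveLikeOpenSaml(ks, corrected, "idpsignkey");
        System.out.println("idpsignkey resolves to "
                + (entry == null ? "nothing (alias not in keystore)" : entry.getClass().getSimpleName()));
    }
}
```

Run it as java KeyStoreEntryCheck path/to/samlKeystore.jks. With the question's keystore the first lookup prints the "trusted certificate entries are not password-protected" message, the corrected map contains only apollo, and the second lookup returns a TrustedCertificateEntry. The same split between isKeyEntry and isCertificateEntry is what keytool -list shows as PrivateKeyEntry versus trustedCertEntry, which is a quick way to confirm which aliases belong in the JKSKeyManager password map.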