Spring Security SAML: certificates not password protected

I am integrating the spring-saml2-sample application into my application. My service provider is connecting to an IDP (Shibboleth). I am testing the SP using the private certificate provided in the samlKeystore.jks that comes with the Spring Security SAML application. I registered the IDP's public signing key in the keystore using the command:

    keytool -importcert -alias idpSignKey -keypass passwordS -file key.cer -keystore samlKeystore.jks

I can launch the application and log in to the IDP. I can see in the log that the public certificate they sent me in the SAML message matches the one I have in the IDP metadata and registered in the keystore. My application crashes when getting IDP credentials from JKSKeyManager:

java.lang.UnsupportedOperationException: Trusted Certificate Entries are not password protected
    java.security.KeyStoreSpi.engineGetEntry (Unknown Source)
    java.security.KeyStore.getEntry (Unknown Source)
    org.opensaml.xml.security.credential.KeyStoreCredentialResolver (KeyStoreCredentialResolver.java:132)
    org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve (AbstractCriteriaFilteringCredentialResolver.java:57)
    org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle (AbstractCredentialResolver.java:26)
    org.springframework.security.saml.key.JKSKeyManager.resolveSingle (JKSKeyManager.java:172)
    org.springframework.security.saml.key.JKSKeyManager.getCredential (JKSKeyManager.java:194)
    org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata (MetadataCredentialResolver.java:102)
    org.opensaml.security.MetadataCredentialResolver

This is what the KeyManager looks like in contextSecurity.xml:

<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
            <entry key="idpSignKey" value="passwordS"/>
            <entry key="idpEncKey" value="passwordE"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>

This is the extended metadata for the IDP:

<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
    <property name="local" value="false"/>
    <property name="securityProfile" value="metaiop"/>
    <property name="sslSecurityProfile" value="pkix"/>
    <property name="signingKey" value="idpSignKey"/>
    <property name="encryptionKey" value="idpEncKey"/>
    <property name="requireArtifactResolveSigned" value="false"/>
    <property name="requireLogoutRequestSigned" value="false"/>
    <property name="requireLogoutResponseSigned" value="false"/>
    <property name="idpDiscoveryEnabled" value="false"/>
</bean>

1 answer


Certificates for the IDP do not need to be imported into the keystore, as they are provided from the IDP metadata. You should only use the ExtendedMetadata properties signingKey and/or encryptionKey if you want to supplement the keys already available in the metadata.

Since the file key.cer only contains your IDP's public key, you cannot password protect it. You should just remove it from the Map used for initialization of JKSKeyManager, as it only needs passwords for entries containing private keys. Initialization will look like this:

<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>
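
As an added check (not from the question, the answer, or the Spring Security SAML project), the following hypothetical Java program walks a JKS keystore and compares it with a JKSKeyManager-style alias/password map: a trusted-certificate entry such as an imported idpSignKey has no password and must be fetched with a null protection parameter, so any alias in the map that turns out to be a trusted certificate is reported as the misconfiguration that produces the exception above. It assumes a JKS file path, the store password and alias=password pairs on the command line.

```java
import java.io.*;
import java.security.KeyStore;
import java.util.*;

// Hypothetical diagnostic, not part of Spring Security SAML or the sample app.
public class KeystoreEntryCheck {

    // Returns one finding per alias; a WARNING means the JKSKeyManager
    // password map does not match the kinds of entries in the keystore.
    public static List<String> checkPasswordMap(KeyStore ks, Map<String, String> passwords)
            throws Exception {
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                // Public key only (e.g. an IDP cert imported with keytool -importcert):
                // it cannot carry a password, so it is fetched with a null protection
                // parameter; passing a PasswordProtection here is what throws
                // "Trusted Certificate Entries are not password protected".
                ks.getEntry(alias, null);
                findings.add(passwords.containsKey(alias)
                    ? "WARNING: '" + alias + "' is a trusted certificate entry; remove it from the map"
                    : alias + ": trusted certificate entry (no password needed)");
            } else if (ks.isKeyEntry(alias)) {
                String pw = passwords.get(alias);
                if (pw == null) {
                    findings.add("WARNING: '" + alias + "' is a private key entry with no password in the map");
                } else {
                    // A wrong key password surfaces here as UnrecoverableKeyException.
                    ks.getEntry(alias, new KeyStore.PasswordProtection(pw.toCharArray()));
                    findings.add(alias + ": private key entry, password OK");
                }
            }
        }
        return findings;
    }

    // Usage: java KeystoreEntryCheck samlKeystore.jks nalle123 apollo=nalle123 idpSignKey=passwordS
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Map<String, String> passwords = new HashMap<>();
        for (int i = 2; i < args.length; i++) {
            String[] kv = args[i].split("=", 2);
            passwords.put(kv[0], kv[1]);
        }
        checkPasswordMap(ks, passwords).forEach(System.out::println);
    }
}
```

Run it against the keystore and the exact map you pass to JKSKeyManager; with the question's configuration it flags idpSignKey and idpEncKey, and after the answer's fix it reports only the apollo private key entry.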
