时间戳

首页 > 解决方案 > ADFS saml 响应有两种加密算法如何处理呢?

java - ADFS saml 响应有两种加密算法如何处理呢?

问题描述

这是我的 SAML 回复:

<samlp:Response ID="_f81c3493-8dc7-4f3e-a5c7-9a3681d1bd3e" Version="2.0" IssueInstant="2021-09-02T13:13:42.285Z" Destination="https://localhost:4200/auth/login" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://saml.mlads.mindlogic.app/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509IssuerSerial><ds:X509IssuerName>CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB</ds:X509IssuerName><ds:X509SerialNumber>178758501147093338516359025564238573536</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></KeyInfo><e:CipherData><e:CipherValue>J51XGnrke3CP6Hg9b1WSNFX13nWAdm9twzbY7dX5G4Z5s5kU2N1kShUBxZxH7d8t7nEiUZNPj3UxT21V57DkLZhphv30MvKVAZNj4urjyN+eokaG2caJWololyfObmp0Cwc6GbaCHIVE38vfAx9XvOXnhq5JrlrqCIBjNNkfqKfJSxU+nsUySGvT8Z3eEOCcwWhcLlWLvtpZppz+40X4a8Lv530FDFVZVZMv8abwevi1tPK0Yw7v4drpPIh3epyXl8dgyxt8MPdnNES/DaLFlVaQW2lQbQueP+VO6v2JYVGpoQXoVDOLMzNA0AsYybU1IXbCcy7isim+4S5a4Ljf+w==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo><xenc:CipherData><xenc:CipherValue>ivaby17znjQmrTPIaq97S+CnfoMaXBUcseGLq+iWlYhPoqLOzBCZOX0BFGb68k9QGPPnVN9OFZqgtxBsoFWYxpYKsgSqKTBxIBop9xT8jv5QCBX7WAIPenXqyxnIkNEkQ8haCzGyjHHJ86AKOUibEPWZnoTSDnuaioi10cHLOaTjfF5x0JCqgjmwgOay34VpvQxX2He6bDmxel0j/wGVUBClzbIh0+cAoJMnnzDYOAyiLB5IbUUPBoDLNRgj9KoqFpMugzOoZ1Ixs721NL0R95xP6YSEptl//oK43JwEgxi44FyVqHeTLfEzcjBvl0JDoFnbfxQfQh27yb772d1hqV9W+zhhIqiBKKEI2mKWfDuPs8a2ccCYzEqH8S1e7NhN4l50cwFXouOcs5AnwxUHJAqpdrDBWG2QTz8ms4Lv+cyrIgDwg1tyToHr5pJuDdn6O6GmTCupddnvOt6F0Widmr8awMsVJGe1LA8nIqpakAPH0YAjwOFgx7EVvWjaCxYKjCBV4KhlACoWveGdeAbM48n3yd/u/sTBsjSw3FcakiBd47KLnwUrb+YVnvDKa624e5zQn+dDWgkUhLez2MG6jD+eAVgL1teJAX7MgzM6dSpNp91zbhY8UGfmU1gXgntKEP97PeZhyjlLxW7EzGysZ0EPDpvO/VxocVJ5zO55tNzlu5+zEudnwT5urxhpyTbFXEjxrI13U1eBiTDJcPvFEC2iTtvGyVLUo0omylULZq8PzLzxqbcZPDwFKg3WqoI2JqlW8wB1cmvZ7hr++aObnx5vsuSFcmCDCqWq4Hm31+ZSVU9awfBdvG2p2RPLu0QKw8B4shgNba8mHI85BDBrWnLxTWs7ndplP+SYWlRGCvwJSqKANDB+26LxjC2502RtU4ttj66MlQ8G1VE6IDVTUijCREsZbsqEt23mZMGrJxGVYwq1NKrG5Jfv5yy+PnqxmyHHfiRB55g1GxeiXQfpvFSyB/OZRTou4rumxxRKdaVTpNdwgY+QWpyRkZfcHDjRAeRWMMWPD9e0PdeFZIyzsDQJzZqP7vxMDetfrej94Ic/bBKYLOqnGN+FOoOKy9mcev8KqKcE4Dbd5Au4JtckRECYdBWLMt9QoDqWOJAEzR8/lvyaMkwu2760kNtRMmO+htxkD41u8FH2KwMWEgyG1+3l8PWmOy/4DlmRjzwMGm0eNAxoxLwxbOQ8mWtJHn2DdfYDW6iZrbm+rdGR23bkJ2Hr031xy6PoBXJD8aQrQSXSHR+gW3ieCZyRAzXa76XmFtrGQVQpm6mT2h/ZOprAqT0jSHC42yztcJnVPYuzmiGobrGj77kero463SdYQSI+TuPZFxFyUgmOgVxbWRN2Zy2ilN+/iYgNCWPY01e1TWI62C4QyLpThf9Vk4ezR3f1</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></EncryptedAssertion></samlp:Response>

在上面的响应中,它有两个加密算法,我给了我的身份提供者基于 RSA 的公钥,但我的响应用两种算法解密:AES 和 RSA。

如何在 Python 中解密?

标签: javapythoncryptographysingle-sign-onsaml-2.0

解决方案

几天后,我终于做到了

蟒蛇片段

  1. 使用 SP 私钥解密 Chiper 值以获取用于解密 SAML 断言的公钥
chiper_Data = ' P+VO6v2JYVGpoQXoVDOLMzNA0AsYybU1IXbCcy7isim+4S5a4Ljf+w==' 
cipher = base64.b64decode(chiper_Data)  # base64 decoding
pri_bio = BIO.MemoryBuffer(prikey.encode())  #  load the private key
pri_rsa = RSA.load_key_bio(pri_bio)
plain = pri_rsa.private_decrypt(cipher, M2Crypto.RSA.pkcs1_oaep_padding)
print(len(plain)) # lenght of public key
print(base64.b64encode(plain))
  1. 使用上述解密的公钥解密断言数据并切片前 16 个消息块以获得 iv
data = 'xMDetfrej94Ic/bBKYLOqnGN+FOoOKy9mcev8KqKcE4Dbd5Au'
cipher = base64.b64decode(data)  # base64 decoding
iv = cipher[:16]
aes = AES.new(plain, AES.MODE_CBC, iv)
decd = aes.decrypt(cipher)
print(decd)

推荐阅读