SAML: invalid RSA private key encoding

Question

We are trying to setup SAML on AEM 5.6.1 for one of our client. We are facing an issue while using the private key. We have generated the private key using OpenSSO using the below commands.

openssl genrsa -out SP-server.pem 2048
openssl rsa -in SP-server.pem -pubout > SP-public-server.pem
openssl req -new -key SP-server.pem -out SP-server.csr
openssl x509 -req -days 365 -in SP-server.csr -signkey SP-server.pem -out SP-server.crt
openssl pkcs8 -topk8 -inform PEM -outform DER -in SP-server.pem -nocrypt > SP-server.PKCS8.key

I have uploaded the key using CURL .But when I access the path set to the SAML auth I am getting the below error.

CURL:

C:\curl -u admin:admin -F priv
ate=\<sp.pem -F private@TypeHint=Binary http://localhost:4502
/etc/key/saml

testing/test1.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials 26.02.2015 14:14:35.455 *INFO* [74.202.85.210 [1424978075454] GET /content/test/en_US/saml-testing/test1.html HTTP/1.1] servletengine Servlet threw exception:  java.lang.RuntimeException: Error reading private key at com.adobe.granite.auth.saml.impl.SlingKeyProvider.getDecryptionKey(SlingKeyProvider.java:123) at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:79) at com.adobe.granite.auth.saml.SamlAuthenticationHandler.requestCredentials(SamlAuthenticationHandler.java:367) at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doRequestCredentials(AuthenticationHandlerHolder.java:83) at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.requestCredentials(AbstractAuthenticationHandlerHolder.java:83) at org.apache.sling.auth.core.impl.SlingAuthenticator.login(SlingAuthenticator.java:527) at org.apache.sling.auth.core.impl.SlingAuthenticator.doLogin(SlingAuthenticator.java:1032) at org.apache.sling.auth.core.impl.SlingAuthenticator.getAnonymousResolver(SlingAuthenticator.java:872) at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:478) at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:438) at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:148) at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:272) at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:91) at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:79) at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:42) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:49) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:127) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:55) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:263) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.wink.osgi.JaxRsFilter.doFilter(JaxRsFilter.java:80) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at com.adobe.granite.license.impl.LicenseCheckFilter.doFilter(LicenseCheckFilter.java:179) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:78) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.engine.impl.log.RequestLoggerFilter.doFilter(RequestLoggerFilter.java:75) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:48) at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:39) at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:250) at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:321) at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:340) at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:383) at com.day.j2ee.servletengine.ServletHandlerImpl.process(ServletHandlerImpl.java:335) at com.day.j2ee.servletengine.HttpListener$Worker.run(HttpListener.java:644) at java.lang.Thread.run(Thread.java:745) Caused by: java.security.spec.InvalidKeySpecException: Invalid RSA private key encoding. at com.rsa.cryptoj.o.n.b(Unknown Source) at com.rsa.cryptoj.o.n.engineGeneratePrivate(Unknown Source) at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) at com.adobe.granite.auth.saml.impl.SlingKeyProvider.getDecryptionKey(SlingKeyProvider.java:115) ... 60 more

Please let me know if I am missing anything or this is a bug.

Sham_HC · Accepted Answer

Not seen issue with openjdk. Please note open jdk is not supported with AEM so you need to switch.http://docs.adobe.com/docs/en/cq/5-6-1/deploying/technical_requirements.html#Java%20Virtual%20Machines

Sham_HC · Answer

There are couple of causes likeMisconfiguration (uploading wrong keys )Jre issue (I have seen with IBM jre and you have to register keyfactory RSA)Response decrypted twice (It was product bug in 6 but is fixed in sp2. But you say 5.6.1 so not be applicable)Validate certificate.5.6.1 should not have such issue may be some fp like mutual ssl could have caused. This needs to be investigated imo before concluding as a bug. Can you file a daycare ticket with logs, jre version, & output of http://host:port/crx/packmgr/service.jsp?cmd=ls . If possible the certificate.

Registrati

Accesso al social

Accedi alla community

Accesso al social

Scansione del file per virus.

Questo file non può essere scaricato