Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

SAML: invalid RSA private key encoding

Avatar

Level 2

We are trying to setup SAML on AEM 5.6.1 for one of our client. We are facing an issue while using the private key. We have generated the private key using OpenSSO using the below commands.

openssl genrsa -out SP-server.pem 2048
openssl rsa -in SP-server.pem -pubout > SP-public-server.pem
openssl req -new -key SP-server.pem -out SP-server.csr
openssl x509 -req -days 365 -in SP-server.csr -signkey SP-server.pem -out SP-server.crt
openssl pkcs8 -topk8 -inform PEM -outform DER -in SP-server.pem -nocrypt > SP-server.PKCS8.key

I have uploaded the key using CURL .But when I access the path set to the SAML auth I am getting the below error. 

CURL:

C:\curl -u admin:admin -F priv
ate=\<sp.pem -F private@TypeHint=Binary http://localhost:4502
/etc/key/saml

testing/test1.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials 26.02.2015 14:14:35.455 *INFO* [74.202.85.210 [1424978075454] GET /content/test/en_US/saml-testing/test1.html HTTP/1.1] servletengine Servlet threw exception:  java.lang.RuntimeException: Error reading private key at com.adobe.granite.auth.saml.impl.SlingKeyProvider.getDecryptionKey(SlingKeyProvider.java:123) at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:79) at com.adobe.granite.auth.saml.SamlAuthenticationHandler.requestCredentials(SamlAuthenticationHandler.java:367) at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doRequestCredentials(AuthenticationHandlerHolder.java:83) at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.requestCredentials(AbstractAuthenticationHandlerHolder.java:83) at org.apache.sling.auth.core.impl.SlingAuthenticator.login(SlingAuthenticator.java:527) at org.apache.sling.auth.core.impl.SlingAuthenticator.doLogin(SlingAuthenticator.java:1032) at org.apache.sling.auth.core.impl.SlingAuthenticator.getAnonymousResolver(SlingAuthenticator.java:872) at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:478) at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:438) at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:148) at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:272) at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:91) at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:79) at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:42) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:49) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:127) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:55) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:263) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.wink.osgi.JaxRsFilter.doFilter(JaxRsFilter.java:80) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at com.adobe.granite.license.impl.LicenseCheckFilter.doFilter(LicenseCheckFilter.java:179) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:78) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.engine.impl.log.RequestLoggerFilter.doFilter(RequestLoggerFilter.java:75) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:48) at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:39) at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:250) at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:321) at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:340) at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:383) at com.day.j2ee.servletengine.ServletHandlerImpl.process(ServletHandlerImpl.java:335) at com.day.j2ee.servletengine.HttpListener$Worker.run(HttpListener.java:644) at java.lang.Thread.run(Thread.java:745) Caused by: java.security.spec.InvalidKeySpecException: Invalid RSA private key encoding. at com.rsa.cryptoj.o.n.b(Unknown Source) at com.rsa.cryptoj.o.n.engineGeneratePrivate(Unknown Source) at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) at com.adobe.granite.auth.saml.impl.SlingKeyProvider.getDecryptionKey(SlingKeyProvider.java:115) ... 60 more

 

Please let me know if I am missing anything or this is a bug.

1 Accepted Solution

Avatar

Correct answer by
Level 10

Not seen issue with openjdk.  Please note open jdk is not supported with AEM so you need to switch.

http://docs.adobe.com/docs/en/cq/5-6-1/deploying/technical_requirements.html#Java%20Virtual%20Machin...

View solution in original post

3 Replies

Avatar

Level 10

There are couple of causes like

  1. Misconfiguration  (uploading wrong keys )
  2. Jre issue (I have seen with IBM jre and you have to register keyfactory RSA)
  3. Response decrypted twice (It was product bug in 6 but is fixed in sp2.  But you say 5.6.1 so not be applicable)
  4. Validate certificate.

5.6.1 should not have such issue may be some fp like mutual ssl could have caused.  This needs to be investigated imo before concluding as a bug. Can you file a daycare ticket with logs, jre version,  & output of http://host:port/crx/packmgr/service.jsp?cmd=ls   . If possible the certificate.

Avatar

Level 2

Hi Sham,

The JDK used is OpenJDK Runtime Environment(build 1.7.0_75-mockbuild_2015_01_08_20_32-b00). I have also verified the certificate and it looks fine. Is this a issue with using OpenJDK 

Avatar

Correct answer by
Level 10

Not seen issue with openjdk.  Please note open jdk is not supported with AEM so you need to switch.

http://docs.adobe.com/docs/en/cq/5-6-1/deploying/technical_requirements.html#Java%20Virtual%20Machin...