swedenconnect / bankid-saml-idp

A SAML IdP for BankID
https://www.swedenconnect.se
Apache License 2.0

Use of encrypted private key doesn't work #203

Closed theseal closed 1 year ago

theseal commented 1 year ago

Results in error (syslog rendering: the `|#033[0m` ANSI-reset prefix and `#011` tab codes have been stripped from each line):

    org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'bankIdAuthenticationController' defined in file [/app/classes/se/swedenconnect/bankid/idp/authn/BankIdAuthenticationController.class]: Unsatisfied dependency expressed through constructor parameter 0: Error creating bean with name 'relyingPartyRepository' defined in class path resource [se/swedenconnect/bankid/idp/config/BankIdConfiguration.class]: Failed to instantiate [se.swedenconnect.bankid.idp.rp.RelyingPartyRepository]: Factory method 'relyingPartyRepository' threw exception with message: Failed to create bean for webclient supplier
        at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:801)
        at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:240)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1352)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1189)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:560)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:520)
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:325)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:973)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:942)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:608)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:737)
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:315)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1309)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1298)
        at se.swedenconnect.bankid.idp.IdpApplication.main(IdpApplication.java:56)
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'relyingPartyRepository' defined in class path resource [se/swedenconnect/bankid/idp/config/BankIdConfiguration.class]: Failed to instantiate [se.swedenconnect.bankid.idp.rp.RelyingPartyRepository]: Factory method 'relyingPartyRepository' threw exception with message: Failed to create bean for webclient supplier
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:654)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:642)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1332)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1162)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:560)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:520)
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:325)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
        at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1417)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1337)
        at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:910)
        at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:788)
        ... 19 common frames omitted
    Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [se.swedenconnect.bankid.idp.rp.RelyingPartyRepository]: Factory method 'relyingPartyRepository' threw exception with message: Failed to create bean for webclient supplier
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:171)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:650)
        ... 33 common frames omitted
    Caused by: java.lang.RuntimeException: Failed to create bean for webclient supplier
        at se.swedenconnect.bankid.idp.config.BankIdConfiguration.lambda$bankIdWebClientFactory$3(BankIdConfiguration.java:154)
        at se.swedenconnect.bankid.idp.config.BankIdConfiguration.relyingPartyRepository(BankIdConfiguration.java:186)
        at se.swedenconnect.bankid.idp.config.BankIdConfiguration$$SpringCGLIB$$0.CGLIB$relyingPartyRepository$4(<generated>)
        at se.swedenconnect.bankid.idp.config.BankIdConfiguration$$SpringCGLIB$$2.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
        at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331)
        at se.swedenconnect.bankid.idp.config.BankIdConfiguration$$SpringCGLIB$$0.relyingPartyRepository(<generated>)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:139)
        ... 34 common frames omitted
    Caused by: org.cryptacular.EncodingException: Key encoding error
        at org.cryptacular.asn.AbstractPrivateKeyDecoder.decode(AbstractPrivateKeyDecoder.java:31)
        at org.cryptacular.util.KeyPairUtil.decodePrivateKey(KeyPairUtil.java:411)
        at org.cryptacular.util.KeyPairUtil.readPrivateKey(KeyPairUtil.java:354)
        at se.swedenconnect.security.credential.AbstractPkiCredential.setPrivateKey(AbstractPkiCredential.java:186)
        at se.swedenconnect.security.credential.BasicCredential.<init>(BasicCredential.java:140)
        at se.swedenconnect.security.credential.factory.PkiCredentialFactoryBean.createInstance(PkiCredentialFactoryBean.java:145)
        at se.swedenconnect.security.credential.factory.PkiCredentialFactoryBean.createInstance(PkiCredentialFactoryBean.java:55)
        at org.springframework.beans.factory.config.AbstractFactoryBean.afterPropertiesSet(AbstractFactoryBean.java:142)
        at se.swedenconnect.security.credential.factory.PkiCredentialFactoryBean.afterPropertiesSet(PkiCredentialFactoryBean.java:338)
        at se.swedenconnect.bankid.idp.config.BankIdConfigurationProperties$RelyingPartyConfiguration.createCredential(BankIdConfigurationProperties.java:267)
        at se.swedenconnect.bankid.idp.config.BankIdConfiguration.lambda$bankIdWebClientFactory$3(BankIdConfiguration.java:149)
        ... 45 common frames omitted
    Caused by: java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
        at org.cryptacular.asn.OpenSSLPrivateKeyDecoder.decryptKey(OpenSSLPrivateKeyDecoder.java:43)
        at org.cryptacular.asn.AbstractPrivateKeyDecoder.decode(AbstractPrivateKeyDecoder.java:23)
        ... 55 common frames omitted

Example configuration

  relying-parties:
    - id: "sunet"
      entity-ids:
       - "https://ladok3-00.ladok.umu.se/student-sp"
       - "https://ladok3-demo-00.its.umu.se/student-sp"
       - "https://release-check.qa.swamid.se/shibboleth"
      credential:
        name: "test-cred"
        certificate: file:/opt/bankidp/config/bankid.cert
        private-key: file:/opt/bankidp/config/bankid.key
        keyPassword: 1234

The key pair is an unpacked version of BankID's FPTestcert4_20230629.p12 with password 1234:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----

martin-lindstrom commented 1 year ago

This is an error. The keyPassword is intended to be used when using a JKS or PKCS12 file. We don't support encrypted keys other than having them in JKS/PKCS12 packaging.

      credential:
        name: "test-cred"
        certificate: file:/opt/bankidp/config/bankid.cert
        private-key: file:/opt/bankidp/config/bankid.key
        keyPassword: 1234

See configuration of credentials at: https://github.com/swedenconnect/credentials-support.

theseal commented 1 year ago

Would it be possible to implement? The key pair we receive from BankID is a cert and an encrypted key, so it would be easy to use them out of the box.

martin-lindstrom commented 1 year ago

Everything is possible, but at this point you do have the possibility to use encrypted keys via JKS and/or PKCS#12. I'll make an issue in https://github.com/swedenconnect/credentials-support for this, but for the time being, add your cert and key to a P12.

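The repacking the maintainer recommends, as an added example that is not part of this thread and not code from bankid-saml-idp or credentials-support. It assumes the file layout from the reporter's configuration (bankid.cert, bankid.key, password 1234) and, for the YAML it writes at the end, the keystore property names resource, alias, password and key-password, which are assumed from the credentials-support configuration and should be checked against that project's README for the version in use. The trace above bottoms out in cryptacular's OpenSSLPrivateKeyDecoder while the posted key carries the PKCS#8 "ENCRYPTED PRIVATE KEY" label, so the first function simply reads the PEM label as a pre-flight check; the rest builds constructed stand-in material so the script runs offline, packs it into a P12 with openssl, and verifies the alias before writing the credential fragment.

```shell
#!/bin/sh
# Added example, not code from bankid-saml-idp or credentials-support.
# Repacks a PEM certificate plus a PKCS#8-encrypted PEM key (the shape of the
# files posted in the issue) into a PKCS#12 keystore, the packaging the
# maintainer says the IdP supports for encrypted keys.
set -e

# Print the label of the first PEM block in FILE, e.g. "ENCRYPTED PRIVATE KEY".
# First check to run: the PEM path of the IdP only takes unencrypted keys.
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Build throwaway material in DIR with the same layout as the issue's files:
# bankid.cert (plain PEM cert) and bankid.key (PKCS#8 "ENCRYPTED PRIVATE KEY",
# password PW). Constructed stand-in so the example runs offline; with the
# real BankID files this step is skipped.
make_test_material() {
  dir=$1; pw=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=repack-example" \
    -keyout "$dir/plain.key" -out "$dir/bankid.cert" 2>/dev/null
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$dir/plain.key" \
    -out "$dir/bankid.key" -passout "pass:$pw"
  rm -f "$dir/plain.key"
}

# repack_to_p12 CERT KEY KEYPW OUT ALIAS STOREPW
# KEYPW unlocks the PEM key; STOREPW protects the resulting P12 (openssl uses
# it for both the keystore MAC and the key bag, hence password == key-password).
repack_to_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$3" \
    -name "$5" -out "$4" -passout "pass:$6"
}

# p12_has_alias P12 STOREPW ALIAS -> success if a bag carries that friendlyName.
# Worth checking before deploying: a wrong alias is a different start-up error.
p12_has_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null \
    | grep -q "friendlyName: $3"
}

# write_credential_yaml OUT P12PATH ALIAS STOREPW
# Property names (resource, alias, password, key-password) are an assumption
# taken from the credentials-support keystore configuration; verify against
# that project's README for the version you run.
write_credential_yaml() {
  cat > "$1" <<EOF
      credential:
        name: "test-cred"
        resource: file:$2
        alias: "$3"
        password: "$4"
        key-password: "$4"
EOF
}

# End-to-end run in a temporary directory; invoke as "sh repack.sh demo".
demo() {
  tmp=$(mktemp -d)
  make_test_material "$tmp" 1234
  echo "key PEM label: $(pem_label "$tmp/bankid.key")"
  repack_to_p12 "$tmp/bankid.cert" "$tmp/bankid.key" 1234 "$tmp/bankid.p12" bankid 1234
  p12_has_alias "$tmp/bankid.p12" 1234 bankid || { echo "alias missing" >&2; exit 1; }
  write_credential_yaml "$tmp/credential.yml" /opt/bankidp/config/bankid.p12 bankid 1234
  cat "$tmp/credential.yml"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The same openssl pkcs12 -export line works unchanged on the real bankid.cert and bankid.key; only make_test_material is a stand-in. OpenSSL 3 writes the P12 with AES-256 and a SHA-256 MAC, which current JDKs read; if the IdP runs on an older JVM that rejects it, add -legacy to the -export command to fall back to the older PKCS#12 algorithms. Keep the password out of the YAML in production, for example via an environment placeholder, as the 1234 here is BankID's published test password.
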
martin-lindstrom commented 1 year ago

@theseal https://github.com/swedenconnect/credentials-support/issues/48