Spring Security SAML元数据条目的签名信任建立失败

wrrgggsh  于 2022-12-13  发布在  Spring
关注(0)|答案(4)|浏览(221)

为了从远程源获取元数据,我定义了一个ExtendedMetadataDelegate bean,如下所示:

@Bean
@Qualifier("replyMeta")
public ExtendedMetadataDelegate replyMetadataProvider() throws MetadataProviderException {
    String metadataURL = "https://ststest.mydomain.it/FederationMetadata/2007-06/FederationMetadata.xml";
    final Timer backgroundTaskTimer = new Timer(true);
    HTTPMetadataProvider provider = new HTTPMetadataProvider(
            backgroundTaskTimer, httpClient(), metadataURL);
    provider.setParserPool(parserPool());
    ExtendedMetadataDelegate emd = new ExtendedMetadataDelegate(
            provider, new ExtendedMetadata());
    return emd;
}

为了确保签名信任的建立,我在JDK密钥库和应用程序密钥库中都添加了相关的密钥(第二步可能还不够);尽管如此,运行Web应用程序时仍会发生错误。

[2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Attempting to validate signature using key from supplied credential
[2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Creating XMLSignature object
[2014-08-18 14:36:47.206] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2014-08-18 14:36:47.207] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
[2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Signature validated with key from supplied credential
[2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BasicX509CredentialNameEvaluator: Supplied trusted names are null or empty, skipping name evaluation
[2014-08-18 14:36:47.331] boot - 6000 DEBUG [localhost-startStop-1] --- MetadataCredentialResolver: Attempting PKIX path validation on untrusted credential: [subjectName='CN=ADFS Signing - ststest-replynet.reply.it']
[2014-08-18 14:36:47.346] boot - 6000 ERROR [localhost-startStop-1] --- MetadataCredentialResolver: PKIX path construction failed for untrusted credential: [subjectName='CN=ADFS Signing - ststest-replynet.reply.it']: unable to find valid certification path to requested target
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: Signature trust could not be established via PKIX validation of signing credential
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to establish trust of KeyInfo-derived credential
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: PKIX validation of signature failed, unable to resolve valid and trusted signing key
[2014-08-18 14:36:47.347] boot - 6000 ERROR [localhost-startStop-1] --- SignatureValidationFilter: Signature trust establishment failed for metadata entry http://ststest-replynet.reply.it/adfs/services/trust
[2014-08-18 14:36:47.349] boot - 6000 ERROR [localhost-startStop-1] --- AbstractReloadingMetadataProvider: Error filtering metadata from https://ststest-replynet.reply.it/FederationMetadata/2007-06/FederationMetadata.xml
org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

通过设置以下内容,错误消失:

emd.setMetadataTrustCheck(false);

...但我想检查使用的元数据。
是否有解决此错误的方法?

更新:

我尝试如下设置ExtendedMetadata,但错误仍然存在。

em.setAlias("defaultAlias");
em.setSigningKey("*.mydomain.it (Go Daddy Secure Certification Authority)");
svgewumm

svgewumm1#

您很可能导入了HTTPS证书,但没有导入用于创建签名的证书-它们是不同的。您应该:
1.使用从元数据中获取的以下内容创建文件签名.cer:

-----BEGIN CERTIFICATE-----
MIIC7jCCAdagAwIBAgIQa+pSaOoDP6ZL3qAi564CxzANBgkqhkiG9w0BAQs
FADAzMTEwLwYDVQQDEyhBREZTIFNpZ25pbmcgLSBzdHN0ZXN0LXJlcGx5bm
V0LnJlcGx5Lml0MB4XDTE0MDQyMTAwMzUyNVoXDTE1MDQyMTAwMzUyNVowM
zExMC8GA1UEAxMoQURGUyBTaWduaW5nIC0gc3RzdGVzdC1yZXBseW5ldC5y
ZXBseS5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJyI7Se
+UGGHOGRcwHF8LrmivtcPJyNKyicPJ8UJ8pIsEmgYBnJIrpS05RkYtdUdk+
aumDlc3ACt23FxGDLy9hkJJlRbZwklzh4W3RqGC3W5Y+t7KeIuB8d7ZrrLb
2AoJpVHICRagsLjjHMwz9sJUt+PZdUFFc0pZckHba3TY2Y+MgPYVsyjlEkf
QrwL0ggh23g9Pe1VQ9HaInXZvwVMGWZ1oL4Uk0cW11URa8x53ZOWMQSsksi
MUlquItssiuJjRnI9Df+GaDxbQJi51esY2EF1o2JxqGJSA71Apy9EahDho8
eFkfOS0fYbVNBU5X/Wn7BKsf2Rmg3r6mQM94+gAA8CAwEAATANBgkqhkiG9
w0BAQsFAAOCAQEAIX5FEt5JWtINzy4C0LtTtta3DMOsLIBH3raRr53+6MKG
sPP75VAt7fYUutopuk5Y2o++sVPuEuTzcogz5Dj8eglDESkPwR0PrlClVcG
FLFEx9qOOidYIEa90g462niIOgkNkIpb1JRrmZEFo+yrYYdFSR2iXzC3O1f
7JAhNwi+d4a8cOTrqynqL6p1z+hiWEub39FlWDPacELw9HSDIYY151hiiPz
vIRQDBOjDg3Ws8fRwYNjJH4ElwjP2z+1r+sktD/kkh8jj3iWhT37JnQG72D
7c63ovYICwEZUqS4L3vepO0pv6xewkUbfX4KBQbUPaVVgmVUcSecj85mvMx
42g==
-----END CERTIFICATE-----

1.使用以下命令将证书导入samlKeystore.jks:

keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer

这应该是您所需要的全部,只需重新启动Tomcat,您的元数据加载现在应该通过。
如果包含以下配置HTTP客户端的Bean(在Spring SAML 1.0.0.RELEASE中提供),则无需在JDK的cacerts中包含HTTPS证书:

<bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer"/>
zyfwsgd6

zyfwsgd62#

我张贴这只是以防万一,如果它可能是有帮助的,即使你做了一切喜欢接受这个问题的答案,仍然得到同样的错误。
我也遇到了这个问题,我添加了IDP的元数据文件,并将他们的证书导入到我的应用密钥库中。但仍然有签名信任验证问题。我确实在Intellij中格式化了IDP的metadata.xml,这确实有些麻烦。一旦我导入了他们的元数据文件,没有格式化,一切都很好。

toe95027

toe950273#

我也面临着同样的问题。我采取了哪些步骤来解决同样的问题
1.从IDP元数据文件中提取
1.复制文本文件中的证书并保存为. crt。例如idp.crt
1.导入密钥库中的crt文件keytool -import -别名adfscert -文件idp.crt -密钥库samlKeystoreold.jks -存储密码密钥存储密码
1.它会问你是否信任这个crt..说是
1.在某些情况下,它将要求使用pkcs 12格式,并在警告消息中添加相同的内容
1.尝试运行您的应用程序,它应该工作:)

kknvjkwl

kknvjkwl4#

在我的例子中,我必须在ExtendedMetadataDelegateemd的metadataTrustedKeysprop中添加导入证书的别名
如果你用上面的Vladimír Schäfer的例子导入
keytool -importcert -别名adfsinging-密钥库samlKeystore.jks -文件签名.cer
你必须写

emd.setMetadataTrustedKeys(Collections.singleton("adfssigning"));

相关问题