问题:
签名没有根据凭据的密钥进行验证
百里君博
我有一个来自idp的saml响应,它在响应和断言中都有签名。我正在尝试使用X509证书公钥验证签名。这是我的代码
public class SamlTest {
public static void main(String[] args) throws Exception {
// read the file
File file = new File("filepath");
FileReader fileReader = new FileReader(file);
BufferedReader bf = new BufferedReader(fileReader);
String str;
String samlStr = "";
while ((str = bf.readLine()) != null) {
samlStr += str;
}
Response response = SamlTest.unmarshall(samlStr);
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(response.getSignature());
} catch (ValidationException e) {
System.out.println("ErrorString [Error in SAMLSignatureProfilValidation]");
}
Certificate certificate = SamlTest.getCertificate(response.getSignature());
BasicCredential verificationCredential = new BasicCredential();
verificationCredential.setPublicKey(certificate.getPublicKey());
SignatureValidator sigValidator = new SignatureValidator(verificationCredential);
try {
sigValidator.validate(response.getSignature());
} catch (ValidationException e) {
e.printStackTrace();
}
}
private static Response unmarshall(String samlStr) throws Exception {
DefaultBootstrap.bootstrap();
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(samlStr.getBytes());
Document document = docBuilder.parse(byteArrayInputStream);
Element element = document.getDocumentElement();
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
}
private static Certificate getCertificate(Signature signature) {
try {
X509Certificate certificate = signature.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0);
if (certificate != null) {
//Converts org.opensaml.xml.signature.X509Certificate to java.security.cert.Certificate
String lexicalXSDBase64Binary = certificate.getValue();
byte[] decoded = DatatypeConverter.parseBase64Binary(lexicalXSDBase64Binary);
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(decoded));
System.out.println(cert);
return cert;
} catch (CertificateException e) {
//this should never happen
System.out.println("SAML Signature issue");
return null;
}
}
return null; // TODO Auto-generated method stub
} catch (NullPointerException e) {
//Null certificates
return null;
}
}}
我尝试了多个saml响应,不仅仅是我的。但我得到一个错误说:
警告org.apache.xml.security.signature。XMLSignature-签名验证失败。org.opensaml.xml.validation。ValidationException:签名未根据凭据的密钥进行验证
这个问题以前被问过,但从来没有一个明确的答案,所以再问一次。
我尝试测试的saml响应示例如下:
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="pfx7832688a-4c9f-d986-a331-68a568701125" Version="2.0" IssueInstant="2014-07-17T01:01:48Z"
Destination="http://sp.example.com/demo1/index.php?acs"
InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
<saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx7832688a-4c9f-d986-a331-68a568701125">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>omD68BGTOD4rSkKgo3zHEz2D0Ak=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
C+QerLk231g7kSvB/Bo+JrfdYHrzqt+3ql0+WqBIOPRx7xHHvvSx1GiUyDncs7x+LnldDHb/jU8V1Bay+mHKaKB2GnL06XZW33vK/z5GsVLzIF7h9mfybRrbFwdOPYNQzHgnGxWDp3LsehzL58cRXtu2V+aLbYRB0e3wI6tcpBY=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
ID="pfxbab80599-f888-0071-7fd5-1771ae32f2b5" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
<saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfxbab80599-f888-0071-7fd5-1771ae32f2b5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ui6giJBmDP2ShSBq06MQ/hVkK6U=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
eG/U9aPs3WJjgLQwPJF+liaPVAngVXkonmLxVEmTRa01sivZboNZr+5xgNMqqXjOHsuMfpA9sCJi/Iv3u4g2YEyamo3DxdPG2h/Qx9lcA3hjKIhkKIicqCbwZhMsKupZs71FmvJCKS/MrzNiZJWxtjtCD+Rn3CpWhXPCz4vzfj8=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z"
Recipient="http://sp.example.com/demo1/index.php?acs"
InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
<saml:AudienceRestriction>
<saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z"
SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
如果有人能发现问题,请告诉我。非常感谢!
共有1个答案
越飞语
当我在SAML工具上验证此消息时,我得到“签名验证失败。引用验证失败”。(强调我的)
这让我想到您可能在验证签名之前格式化或更改了xml内容。
XML签名有两个部分:签名引用被转换为摘要值,然后摘要值被加密为签名值。
验证也执行以下两部分:
- 引用验证 :通过检索相应的资源并应用任何转换,然后对其应用指定的摘要方法,来验证每个引用的摘要。将结果与记录的摘要值进行比较;如果它们不匹配,验证将失败。
- 签名验证 :使用规范化方法中指定的规范化方法序列化已签名信息元素,使用 KeyInfo 或其他方式检索密钥数据,并使用 SignatureMethod 中指定的方法验证签名。
类似资料:
-
我被重定向到我的IdP的登录页面,并可以成功地输入我的凭据。但是出现这样的错误“签名没有根据凭据的密钥进行验证”。 还有另一篇stackoverflow文章描述了类似的问题,请参见“HTTP Status 401-Authentication Failed:传入的SAML消息无效”,将Salesforce用作实现SSO的IdP 但是我在遵循解决方案时遇到了一些问题,因为Fiddler捕获的SAML
-
我想在客户端设备上使用通过Ed25519生成的私钥对JWS(json web签名)进行签名。然后将这个签名发送到我的后端,并用公钥验证它。为了熟悉这个过程,我想尝试在node js中对JWS进行签名和验证 我的私钥和公钥都已生成,可以在base58中使用。这是我目前使用Ed25519私钥签署JWT的尝试: 密钥必须是KeyObject或CryptoKey类型之一。收到一个Uint8Array的实例
-
我试图使用javascript创建ECDSA算法的密钥对,签名消息,然后在服务器端验证它(使用Java)。 示例javascript代码: 例如: 我做错了什么?
-
我是一个新的整合贝宝快递结账。我只想验证API凭据,如用户名、密码和签名,如果这些存在与否。
-
我们有内部工具,可以通过SSO Azure AD访问。我很想知道这个Azure AD如何根据windows凭据进行验证。例如,假设1)我们有内部DEV env。https::/auth/v1/session/profile,因此当我调用此实例时,它会重定向到https://login.microsoftonline.com//oauth2/authorize?response_type=code
-
问题内容: 考虑以下是我的数组 创建了它,就像下面的代码一样: 现在,我正在尝试根据字段进行排序。 所需输出: 关于Java&Gson,谁能以最好的方式帮助解决这个问题? 非常感谢您的投入。 问题答案: 首先,解析JSON的正确方法是创建一个类来封装数据,例如: 然后: 现在您有了一个,并且想要按属性的值对其进行排序,因此可以按照此处的说明使用: 最后: