WIF: ID1014: The signature is not valid. The data may have been tampered with


Problem description

We've built a Relying Party application based on the Windows Identity Foundation. We followed the advice in Vittorio's book and created a custom set of cookie transforms to use RSA to encrypt/sign the token.

private void OnServiceConfigurationCreated( object sender, ServiceConfigurationCreatedEventArgs e )
{
    List<CookieTransform> sessionTransforms = new List<CookieTransform>( new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform( e.ServiceConfiguration.ServiceCertificate ),
        new RsaSignatureCookieTransform( e.ServiceConfiguration.ServiceCertificate )
    } );

    SessionSecurityTokenHandler sessionHandler =
        new SessionSecurityTokenHandler( sessionTransforms.AsReadOnly() );

    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace( sessionHandler );
}

We configured a <serviceCertificate> element in the web.config.

<microsoft.identityModel>
  <service>
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" findValue="C7FD338059CCB374798923A915BC91B718814A8E" storeLocation="LocalMachine" storeName="TrustedPeople" />
    </serviceCertificate>
  </service>
</microsoft.identityModel>

I know the code in the OnServiceConfigurationCreated is executing because if I put a garbage thumbprint value into the config file the OnServiceConfigurationCreated throws an exception.

Unfortunately we are frequently getting the following exception showing up in our logs.

System.Security.Cryptography.CryptographicException: ID1014: The signature is not valid. The data may have been tampered with.
at Microsoft.IdentityModel.Web.RsaSignatureCookieTransform.Decode(Byte[] encoded)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

We believe this exception is causing other problems in the system but can't figure out why it's occurring. We have three web servers and we've triple-checked that they are all configured to use the same certificate thumbprint and that the certificate is installed in the same place on all three servers.

We are also using a custom SessionAuthenticationModule to handle sliding session expiration. I thought that maybe when that code (below) was reissuing the cookie it might be using a different encryption/signing approach but I'm pretty sure I've tested it and that doesn't seem to be the case. I'm including it only in the interest of full disclosure.

// Sliding expiration: once more than half of the token's lifetime has elapsed,
// reissue the session cookie with a fresh window of the same length.
void CustomSessionAuthenticationModule_SessionSecurityTokenReceived( object sender, SessionSecurityTokenReceivedEventArgs e )
{
    DateTime now = DateTime.UtcNow;
    DateTime validFrom = e.SessionToken.ValidFrom;
    DateTime validTo = e.SessionToken.ValidTo;

    double tokenLifetime = (validTo - validFrom).TotalMinutes;

    SessionAuthenticationModule sam = sender as SessionAuthenticationModule;

    // Only reissue while the token is still valid and past the halfway point of its lifetime
    if( now < validTo && now > validFrom.AddMinutes( tokenLifetime / 2 ) )
    {
        // Same principal and context, new [now, now + lifetime) validity window
        e.SessionToken = sam.CreateSessionSecurityToken(
            e.SessionToken.ClaimsPrincipal, e.SessionToken.Context,
            now, now.AddMinutes( tokenLifetime ), e.SessionToken.IsPersistent );
        e.ReissueCookie = true;
    }
}

From what we can tell we've done everything the docs/blogs/etc have said but we're still getting this exception. Any tips/pointers/educated guesses would be helpful at this point.

Recommended answer

You might want to check the total size of cookie data your application sets. If you include lots of claims, the cookies grow accordingly unless you use session mode. E.g. Safari has a 4K limit on total cookie data size. If you break this limit you'd start losing cookies, which could mean you'd lose a cookie with part of the signature.

As a side note, if you can move to WIF 4.5 you have the option of using the MachineKeySessionSecurityTokenHandler instead of doing the certificate based cookie encryption.
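The dropped-chunk theory in the answer can be checked on the server before WIF tries to verify the signature. The C# below is an added diagnostic, not code from the question, the answer or WIF itself; it assumes the default FedAuth session cookie name and a 4096-byte cookie budget, and the SessionCookieAudit class and its members are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Web;

// Added diagnostic (assumed names, not part of the question or answer). WIF's
// ChunkedCookieHandler splits the session token into cookies FedAuth, FedAuth1,
// FedAuth2, ...; if the browser drops one, the reassembled bytes no longer match
// the RSA signature and RsaSignatureCookieTransform.Decode throws ID1014.
public static class SessionCookieAudit
{
    public const string CookieName = "FedAuth"; // WIF default session cookie name
    public const int CookieBudget = 4096;       // assumed budget (answer cites ~4K for Safari)

    // Returns the combined size of all chunks; 'missing' lists chunk indices absent
    // from the middle of the sequence. A dropped *last* chunk is invisible here, only
    // the signature check catches that.
    public static int Analyze(IDictionary<string, string> cookies, out List<int> missing)
    {
        var sizes = new Dictionary<int, int>(); // chunk index -> name + value length
        foreach (var kv in cookies)
        {
            if (!kv.Key.StartsWith(CookieName, StringComparison.Ordinal)) continue;
            string suffix = kv.Key.Substring(CookieName.Length);
            int index = 0;
            if (suffix.Length > 0 && !int.TryParse(suffix, out index)) continue; // not a chunk
            sizes[index] = kv.Key.Length + kv.Value.Length;
        }
        missing = new List<int>();
        if (sizes.Count == 0) return 0;
        missing.AddRange(Enumerable.Range(0, sizes.Keys.Max() + 1).Where(i => !sizes.ContainsKey(i)));
        return sizes.Values.Sum();
    }

    // Call as SessionCookieAudit.Inspect(Request) from Global.asax Application_BeginRequest:
    // BeginRequest runs before the AuthenticateRequest stage in which SessionAuthenticationModule reads the cookie.
    public static void Inspect(HttpRequest req)
    {
        var cookies = new Dictionary<string, string>();
        for (int i = 0; i < req.Cookies.Count; i++) cookies[req.Cookies[i].Name] = req.Cookies[i].Value;
        List<int> missing;
        int total = Analyze(cookies, out missing);
        if (total > CookieBudget || missing.Count > 0)
            Trace.TraceWarning("Session cookie {0} bytes, missing chunks [{1}], UA={2}",
                total, string.Join(",", missing.Select(i => i.ToString()).ToArray()), req.UserAgent);
    }
}
```

Correlating these warnings with the ID1014 entries (and the user agent) tells you whether oversized cookies are the cause; if you then switch to session mode (IsSessionMode in WIF 3.5, IsReferenceMode in 4.5) so that only a reference travels in the cookie, remember that the default SessionSecurityTokenCache is per-process, so a three-server farm needs a shared cache or sticky sessions for it to work.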
