SAML 元数据条目的签名信任建立失败 [英] Signature trust establishment failed for SAML metadata entry

查看：28 发布时间：2021/12/25 11:12:15 java spring spring-security saml-2.0 spring-saml

本文介绍了SAML 元数据条目的签名信任建立失败的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

为了从远程源获取元数据，我定义了一个 ExtendedMetadataDelegate bean，如下所示:

In order to fetch metadata from a remote source, I defined an ExtendedMetadataDelegate bean as follows:

@Bean
@Qualifier("replyMeta")
public ExtendedMetadataDelegate replyMetadataProvider() throws MetadataProviderException {
    String metadataURL = "https://ststest.mydomain.it/FederationMetadata/2007-06/FederationMetadata.xml";
    final Timer backgroundTaskTimer = new Timer(true);
    HTTPMetadataProvider provider = new HTTPMetadataProvider(
            backgroundTaskTimer, httpClient(), metadataURL);
    provider.setParserPool(parserPool());
    ExtendedMetadataDelegate emd = new ExtendedMetadataDelegate(
            provider, new ExtendedMetadata());
    return emd;
}

为了保证签名信任的建立，我在JDK keystore和application keystore中都添加了相关的key(第二步可能不够)；尽管如此，运行 webapp 还是会出错.

To ensure the signature trust establishment, I added the related key both in JDK keystore and application keystore (the second step might not be enough); despite that, an error occurs by running the webapp.

[2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Attempting to validate signature using key from supplied credential
[2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Creating XMLSignature object
[2014-08-18 14:36:47.206] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2014-08-18 14:36:47.207] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
[2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Signature validated with key from supplied credential
[2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BasicX509CredentialNameEvaluator: Supplied trusted names are null or empty, skipping name evaluation
[2014-08-18 14:36:47.331] boot - 6000 DEBUG [localhost-startStop-1] --- MetadataCredentialResolver: Attempting PKIX path validation on untrusted credential: [subjectName='CN=ADFS Signing - ststest-replynet.reply.it']
[2014-08-18 14:36:47.346] boot - 6000 ERROR [localhost-startStop-1] --- MetadataCredentialResolver: PKIX path construction failed for untrusted credential: [subjectName='CN=ADFS Signing - ststest-replynet.reply.it']: unable to find valid certification path to requested target
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: Signature trust could not be established via PKIX validation of signing credential
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to establish trust of KeyInfo-derived credential
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: PKIX validation of signature failed, unable to resolve valid and trusted signing key
[2014-08-18 14:36:47.347] boot - 6000 ERROR [localhost-startStop-1] --- SignatureValidationFilter: Signature trust establishment failed for metadata entry http://ststest-replynet.reply.it/adfs/services/trust
[2014-08-18 14:36:47.349] boot - 6000 ERROR [localhost-startStop-1] --- AbstractReloadingMetadataProvider: Error filtering metadata from https://ststest-replynet.reply.it/FederationMetadata/2007-06/FederationMetadata.xml
org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

通过设置错误消失:

emd.setMetadataTrustCheck(false);

...但我想检查使用的元数据.

... but I'd like to check used metadata.

有没有办法解决这个错误?

Is there a way to resolve this error?

我尝试按如下方式设置 ExtendedMetadata，但错误仍然存在.

I tried to setup the ExtendedMetadata as follows but the error persists.

em.setAlias("defaultAlias");
em.setSigningKey("*.mydomain.it (Go Daddy Secure Certification Authority)");

推荐答案

您很可能导入了 HTTPS 证书，而不是用于创建签名的证书 - 它们不同.你应该:

You have most likely imported the HTTPS certificate, but not the certificate which is used to create the signature - they differ. You should:

使用从元数据中提取的以下内容创建文件 signature.cer:

Create file signature.cer with the following content taken from the metadata:

使用以下命令将证书导入您的 samlKeystore.jks:

Import the certificate to your samlKeystore.jks with:

 keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer

这应该就是您所需要的，只需重新启动 Tomcat，您的元数据加载现在就应该通过了.

This should be all you need, just restart Tomcat and your metadata loading should now pass.

如果您包含以下配置 HTTP 客户端的 bean(在 Spring SAML 1.0.0.RELEASE 中可用)，则无需在 JDK 的 cacerts 中包含 HTTPS 证书:

You don't need to include the HTTPS certificate in your JDK's cacerts in case you include the following bean which configures the HTTP client (available in Spring SAML 1.0.0.RELEASE):

 <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer"/>

这篇关于SAML 元数据条目的签名信任建立失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文

SAML 元数据条目的签名信任建立失败 [英] Signature trust establishment failed for SAML metadata entry

问题描述

推荐答案

相关文章

Java开发最新文章

热门教程

热门工具

登录关闭

SAML 元数据条目的签名信任建立失败 [英] Signature trust establishment failed for SAML metadata entry

问题描述

推荐答案

相关文章

Java开发最新文章

热门教程

热门工具

登录 关闭

登录关闭