Failed to verify signature using KeyInfo-derived
Activity
Brent Putman June 30, 2016 at 10:43 PM
Closing b/c not a bug reported against OpenSAML.
Brent Putman June 30, 2016 at 10:43 PM
Also, please use the dev list for asking support questions like this. Only open a Jira ticket if you are reporting a bug, or filing an RFE, etc. Thanks.
Brent Putman June 30, 2016 at 10:41 PM
Where you asked:
If I understand correctly, the first performs validation via the certificate in the metadata file, and the second via the certificate in the response. Is that correct?
No, that's not correct at all. The process of validating the signature is conceptually 2 steps: 1) cryptographically validate the signature with a candidate validation key (such as the public key/cert from the signature's KeyInfo) 2) if successful, establish that that key is trusted.
The first message is establishing that indeed re # 1, the signature did cryptographically validate successfully against the KeyInfo key. So that's good, nothing wrong there.
The second message indicates that that key could not be established as trusted. You're using ExplicitKeySignatureTrustEngine, so that trust strategy attempts to match the key against those resolved via the trust credential CredentialResolver you supplied to it. The message:
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator - No trusted credentials were provided to evaluate against
indicates that it didn't resolve any trusted creds at all. So that's your problem.
What sort of credential resolver did you give to the trust engine? Since you mentioned metadata, I'll assume you're probably using a MetadataCredentialResolver. So that means that there are no creds from metadata resolved based on the criteria supplied. So double-check the metadata itself and also the criteria you are supplying: in particular check the entityID in metadata against the one you are supplying at runtime via the MetadataCredentialResolver. Also check things like the SAML role QName and SAML protocol URI you are supplying. Also check that the KeyDescriptor containing the key is marked with either use="signing" or no 'use' attrib at all.
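Putting the two steps and the checklist above into code, as an added example that is not from the ticket or from OpenSAML itself: it builds the CriteriaSet a MetadataCredentialResolver needs (entityID, role QName, protocol URI, key usage), resolves against the metadata first so that an empty trust set fails with a clear message instead of only the "No trusted credentials were provided" debug line, and then runs ExplicitKeySignatureTrustEngine. The class name, the constructor signature and the use of the Response's Issuer as the entityID are assumptions of this example.

```java
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

// Added example (assumed class name); not code from the ticket or from OpenSAML.
public class ResponseSignatureCheck {
    private final MetadataCredentialResolver metadataResolver;
    private final ExplicitKeySignatureTrustEngine trustEngine;

    public ResponseSignatureCheck(MetadataProvider metadata) {
        metadataResolver = new MetadataCredentialResolver(metadata);
        trustEngine = new ExplicitKeySignatureTrustEngine(metadataResolver,
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver());
    }

    /** True only if the signature is profile-conformant, verifies, and its key is in IdP metadata. */
    public boolean isTrusted(Response response) throws ValidationException, SecurityException {
        Signature signature = response.getSignature();
        if (signature == null) {
            return false;
        }
        // Profile check first: rejects structurally unacceptable signatures before any crypto.
        new SAMLSignatureProfileValidator().validate(signature);
        // The criteria must match the metadata exactly: entityID, role QName, protocol and key use.
        String entityID = response.getIssuer().getValue();
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(entityID));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        // Diagnostic for this ticket's symptom: nothing resolved means the trust step cannot succeed.
        if (!metadataResolver.resolve(criteria).iterator().hasNext()) {
            throw new SecurityException("No SIGNING credential in metadata for " + entityID
                + ": check entityID, role, protocol URI and the KeyDescriptor use= attribute");
        }
        // Step 1 (verify with the KeyInfo key) and step 2 (is that key among the trusted ones?).
        return trustEngine.validate(signature, criteria);
    }
}
```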
Hello!
I need your help with a problem validating a signature.
In our project's client code we use OpenSAML 2 signature validation via SignatureProfileValidator and ExplicitKeySignatureTrustEngine. When the second validation is called we get this error:
2016-06-22 14:17:02,099 [TRACE] org.opensaml.security.MetadataCredentialResolver - Write lock over cache acquired
2016-06-22 14:17:02,099 [DEBUG] org.opensaml.security.MetadataCredentialResolver - Added new credential collection to cache with key: [TEST,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2016-06-22 14:17:02,099 [TRACE] org.opensaml.security.MetadataCredentialResolver - Write lock over cache released
2016-06-22 14:17:02,099 [DEBUG] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
2016-06-22 14:17:02,099 [DEBUG] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
2016-06-22 14:17:02,127 [DEBUG] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
2016-06-22 14:17:02,127 [DEBUG] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2016-06-22 14:17:02,127 [DEBUG] org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Attempting to verify signature and establish trust using KeyInfo-derived credentials
2016-06-22 14:17:02,128 [DEBUG] org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Found 0 key names: []
2016-06-22 14:17:02,128 [DEBUG] org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
2016-06-22 14:17:02,128 [DEBUG] org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2016-06-22 14:17:02,128 [DEBUG] org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2016-06-22 14:17:02,128 [DEBUG] org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2016-06-22 14:17:02,128 [DEBUG] org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider - Attempting to extract credential from an X509Data
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider - Found 1 X509Certificates
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider - Found 0 X509CRLs
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider - Single certificate was present, treating as end-entity certificate
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver - A total of 1 credentials were resolved
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.signature.SignatureValidator - Attempting to validate signature using key from supplied credential
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.signature.SignatureValidator - Creating XMLSignature object
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.signature.SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
2016-06-22 14:17:02,134 [DEBUG] org.opensaml.xml.signature.SignatureValidator - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.signature.SignatureValidator - Signature validated with key from supplied credential
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator - No trusted credentials were provided to evaluate against
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Failed to establish trust of KeyInfo-derived credential
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Attempting to verify signature using trusted credentials
2016-06-22 14:17:02,136 [DEBUG] org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine - Failed to verify signature using either KeyInfo-derived or directly trusted credentials
In the logs we see two checks:
1. 2016-06-22 14:17:02,134 org.opensaml.xml.signature.SignatureValidator - Attempting to validate signature using key from supplied credential
2016-06-22 14:17:02,136 org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
2. 2016-06-22 14:17:02,136 org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
2016-06-22 14:17:02,136 org.opensaml.xml.signature.impl.BaseSignatureTrustEngine - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
If I understand correctly, the first performs validation via the certificate in the metadata file, and the second via the certificate in the response. Is that correct?
In our metadata and response the certificates are identical, but in the response the KeyInfo element contains an <X509IssuerSerial> element with information about the CA issuer (the metadata does not contain this element).
When integrating with other systems, this does not cause problems.
Could you please tell me what could be the cause of the problem?
Thanks!