Validation of protocol message signature failed
Vince Johnson
vince.walsh at qvc.com
Mon Apr 7 11:14:45 EDT 2014
Hello,
I am getting an error that has been reported before. Sorry for the
repeat. I have an issue with my configuration that I cannot identify. I
have checked the signing certificate and it appears to match between the SP
metadata (attached to the relying-party.xml) and the AuthnRequest. I
do not see any validUntil or Expired values in the SP metadata. A detailed
trace log from idp-process.log is included at the bottom. I have tried
different formats of the SP metadata X509Certificate (no line feed /
carriage returns, line feed only, line feed and carriage return) and the
SignatureValue. The SP and IdP are running on the same server using
different ports: IdP (8445), SP (8443).
Thanks
Environment:
Shibboleth 2.4
Tomcat 6.0.39
SP - Spring-Security-SAML
Windows
Error Message:
10:23:56.718 - DEBUG
[org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:136]
- Validation of protocol message signature failed for context issuer
'https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias',
message type: {urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest
10:23:56.718 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406]
- Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol
message signature failed
at
org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
~[opensaml-2.6.0.jar:na]
at
org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
~[opensaml-2.6.0.jar:na]
at
org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
~[openws-1.5.0.jar:na]
at
org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
~[openws-1.5.0.jar:na]
at
org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
~[openws-1.5.0.jar:na]
CONFIGURATION:
relying-party.xml
<metadata:MetadataProvider id="ShibbolethMetadata"
xsi:type="metadata:ChainingMetadataProvider">
.....
<!-- if I do not include the full path, it reports file not found -->
<metadata:MetadataProvider xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
id="MyMetadata"
metadataFile="c:/java/shibboleth-idp/metadata/sp-test-metadata.xml" />
</metadata:MetadataProvider>
sp-test-metadata.xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="testserver.com">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>6gHPCmTbYKm78rCO6MtOgBoYO6A=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PHLn6lr13KytwSMHFXfPG/8fDX729V--RemovedDetail--WoaDUbdGyu6g==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
--REMOVED DETAIL FOR CLARITY --
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
--REMOVED DETAIL FOR CLARITY --
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
--REMOVED DETAIL FOR CLARITY --
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://testserver.com:8443/spring-security-saml2-sample/saml/SingleLogout/alias/testserver.com"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://testserver.com:8443/spring-security-saml2-sample/saml/SingleLogout/alias/testserver.com"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://testserver.com:8443/spring-security-saml2-sample/saml/SSO/alias/testserver.com"
        index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://testserver.com:8443/spring-security-saml2-sample/saml/SSO/alias/testserver.com"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
REQUEST MESSAGE from Spring SAML
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://testserver.com:8443/spring-security-saml2-sample/saml/SSO/alias/defaultAlias"
Destination="https://testserver.com:8445/idp/profile/SAML2/POST/SSO"
ForceAuthn="false" ID="a420j7e8fje376h61jdbe0188c77367" IsPassive="false"
IssueInstant="2014-04-07T14:13:25.375Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a420j7e8fje376h61jdbe0188c77367">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>7kiq/apoMlErg3+IIshHeialv2w=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>EZxpAhHvru4iXrwrgQA0RRQr1eN4MBm/--RemovedDetail--Qmgv4a5QVVy+R+ZyYqHCBjhjX2gvikGWGcpkTDQ==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
--REMOVED DETAIL FOR CLARITY--
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2p:AuthnRequest>
--DETAILED idp-process.log ----
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver:163]
- A total of 1 credentials were resolved
10:23:56.702 - DEBUG
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105]
- Registry could not locate evaluable criteria for criteria class
org.opensaml.xml.security.keyinfo.KeyInfoCriteria
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:54] -
Attempting to validate signature using key from supplied credential
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:90] -
Creating XMLSignature object
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:64] -
Validating signature with signature algorithm URI:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:65] -
Validation credential key algorithm 'RSA', key instance class
'sun.security.rsa.RSAPublicKeyImpl'
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:70] -
Signature validated with key from supplied credential
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:148] - Signature
validation using candidate credential was successful
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:101] -
Successfully verified signature using KeyInfo-derived credential
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:102] - Attempting
to establish trust of KeyInfo-derived credential
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:107] - Failed to
establish trust of KeyInfo-derived credential
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:115] - Failed to
verify signature and/or establish trust using any KeyInfo-derived
credentials
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:107] -
Attempting to verify signature using trusted credentials
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:115] -
Failed to verify signature using either KeyInfo-derived or directly trusted
credentials
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:189]
- Forcing on-demand metadata provider refresh if necessary
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:601]
- Attempting to retrieve trusted names from cache using index:
[https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:604]
- Read lock over cache acquired
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:609]
- Retrieved trusted names from cache using index:
[https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:615]
- Read lock over cache released
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:152]
- Forcing on-demand metadata provider refresh if necessary
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:531]
- Attempting to retrieve PKIX validation info from cache using index:
[https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:534]
- Read lock over cache acquired
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:539]
- Retrieved PKIX validation info from cache using index:
[https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
10:23:56.702 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:545]
- Read lock over cache released
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:92] - Attempting
to verify signature and establish trust using KeyInfo-derived credentials
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver:330]
- Found 0 key names: []
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver:255]
- Processing KeyInfo child with qname:
{http://www.w3.org/2000/09/xmldsig#}X509Data
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver:293]
- Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider
doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data,
skipping
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver:293]
- Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider
doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data,
skipping
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver:298]
- Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with
provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider:124] -
Attempting to extract credential from an X509Data
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider:197] -
Found 1 X509Certificates
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider:178] -
Found 0 X509CRLs
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider:216] -
Single certificate was present, treating as end-entity certificate
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver:303]
- Credentials successfully extracted from child
{http://www.w3.org/2000/09/xmldsig#}X509Data by provider
org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
10:23:56.702 - DEBUG
[org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver:163]
- A total of 1 credentials were resolved
10:23:56.702 - DEBUG
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105]
- Registry could not locate evaluable criteria for criteria class
org.opensaml.xml.security.keyinfo.KeyInfoCriteria
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:54] -
Attempting to validate signature using key from supplied credential
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:90] -
Creating XMLSignature object
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:64] -
Validating signature with signature algorithm URI:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:65] -
Validation credential key algorithm 'RSA', key instance class
'sun.security.rsa.RSAPublicKeyImpl'
10:23:56.702 - DEBUG [org.opensaml.xml.signature.SignatureValidator:70] -
Signature validated with key from supplied credential
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:148] - Signature
validation using candidate credential was successful
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:101] -
Successfully verified signature using KeyInfo-derived credential
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:102] - Attempting
to establish trust of KeyInfo-derived credential
10:23:56.702 - DEBUG
[org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator:220] -
Supplied trusted names are null or empty, skipping name evaluation
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine:234] - Signature
trust could not be established via PKIX validation of signing credential
10:23:56.702 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:107] - Failed to
establish trust of KeyInfo-derived credential
10:23:56.718 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:115] - Failed to
verify signature and/or establish trust using any KeyInfo-derived
credentials
10:23:56.718 - DEBUG
[org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine:162] - PKIX
validation of signature failed, unable to resolve valid and trusted signing
key
10:23:56.718 - DEBUG
[org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:136]
- Validation of protocol message signature failed for context issuer '
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Validation-of-protocol-message-signature-failed-tp7598445.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
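The log in the post above is worth reading closely: SignatureValidator reports "Signature validated with key from supplied credential", so the cryptography is fine, and the failure is the next step, "Failed to establish trust of KeyInfo-derived credential". Shibboleth's explicit-key trust engine only trusts a key it can resolve from metadata for the tuple shown in the cache index (Issuer, SPSSODescriptor, protocol, SIGNING); the Issuer in the AuthnRequest is the full URL ending in /alias/defaultAlias, while the metadata file registers entityID="testserver.com", so that lookup has nothing to compare against. The script below is an added example, not code from the original post or from Shibboleth or Spring SAML. It performs the same metadata lookup with stdlib XML parsing on constructed samples shaped like the posted metadata and request (certificate bodies are placeholders, since the real ones are elided in the post), and additionally compares the AssertionConsumerServiceURL against the registered endpoints, a check the IdP makes separately. It does not verify the XML signature itself.

```python
"""Cross-check a signed SAML AuthnRequest against the SP metadata an IdP holds.

Added example; not code from the original post, Shibboleth or Spring SAML.
Reproduces the metadata lookup behind Shibboleth's "Failed to establish trust
of KeyInfo-derived credential" so the mismatch is visible before the IdP log.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholder for the certificate body (the real one is elided in the post).
CERT_B64 = "MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQ"

# Constructed SP metadata shaped like the posted sp-test-metadata.xml: bare host
# name as entityID, alias "testserver.com" in the ACS URL, line-wrapped certificate.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="testserver.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="{NS['saml2p']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>{CERT_B64[:32]}
{CERT_B64[32:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://testserver.com:8443/spring-security-saml2-sample/saml/SSO/alias/testserver.com" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest shaped like the posted one; SignedInfo/SignatureValue are
# omitted because only Issuer, ACS URL and the KeyInfo certificate are read here.
SAMPLE_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{NS['saml2p']}" ID="_req1" Version="2.0"
    AssertionConsumerServiceURL="https://testserver.com:8443/spring-security-saml2-sample/saml/SSO/alias/defaultAlias">
  <saml2:Issuer xmlns:saml2="{NS['saml2']}">https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias</saml2:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</saml2p:AuthnRequest>"""

# Constructed "fixed" metadata: entityID equals the request Issuer and the ACS alias matches.
FIXED_METADATA = SAMPLE_METADATA.replace(
    'entityID="testserver.com"',
    'entityID="https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias"',
).replace("SSO/alias/testserver.com", "SSO/alias/defaultAlias")


def norm_cert(b64):
    """Drop all whitespace so CR/LF/indent variants of one certificate compare equal."""
    return re.sub(r"\s+", "", b64)


def sp_metadata(xml_text):
    """Extract what an explicit-key trust engine takes from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    certs = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means both purposes
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.add(norm_cert(c.text))
    return {
        "entityID": root.get("entityID"),
        "signing_certs": certs,
        "acs_urls": {a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)},
    }


def authn_request(xml_text):
    """Extract Issuer, ACS URL and the inline KeyInfo certificate from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "issuer": root.find("saml2:Issuer", NS).text.strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "keyinfo_cert": norm_cert(cert.text) if cert is not None else None,
    }


def trust_findings(metadata_xml, request_xml):
    """Return the reasons the IdP's trust lookup would fail; [] means the key is trusted.

    Trusted credentials are resolved by (Issuer, SPSSODescriptor, protocol, SIGNING),
    so a cryptographically valid signature is still rejected when the Issuer is not
    an entityID in the loaded metadata."""
    md, req = sp_metadata(metadata_xml), authn_request(request_xml)
    findings = []
    if req["issuer"] != md["entityID"]:
        findings.append(f"ISSUER_MISMATCH: Issuer {req['issuer']!r} is not the metadata entityID {md['entityID']!r}")
    if req["keyinfo_cert"] is not None and req["keyinfo_cert"] not in md["signing_certs"]:
        findings.append("CERT_NOT_IN_METADATA: KeyInfo certificate differs from every use=signing KeyDescriptor")
    if req["acs_url"] not in md["acs_urls"]:
        findings.append(f"ACS_MISMATCH: {req['acs_url']!r} is not a registered AssertionConsumerService")
    return findings


if __name__ == "__main__":
    for label, md in (("posted shape", SAMPLE_METADATA), ("fixed metadata", FIXED_METADATA)):
        print(f"{label}: {trust_findings(md, SAMPLE_REQUEST) or ['trust lookup OK']}")
```

Run against the posted shape it reports ISSUER_MISMATCH and ACS_MISMATCH while the certificate matches, which is consistent with the log: the key verifies the signature but cannot be tied to the issuer. Two caveats for anyone fixing this in a live deployment: whitespace inside X509Certificate does not matter to the comparison (OpenSAML decodes the base64), so reflowing the certificate as the poster tried will not change the outcome; and SP metadata is usually enveloped-signed, as the posted file is, so editing the entityID or endpoints in the file on disk invalidates that signature. That only matters if a SignatureValidationFilter is applied to the provider, and the posted relying-party.xml fragment configures no metadata filter.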