PKIX validation of signature failed, unable to resolve valid and trusted signing key - Shibboleth Idp and Spring-Saml

Thomas Jones thomas.jones.g at gmail.com
Mon Sep 8 09:04:23 EDT 2014


Hi,

I'm configuring Shib as the IDP and Spring-saml as the SP (spring-saml web
site: http://spring-saml.sourceforge.net/) but I'm having problems with the
AuthRequest message.

These are my IDP's configuration files:

*Relying Party (Part of the File):*

 ...
    </rp:DefaultRelyingParty>

    <rp:RelyingParty id="sp_dms"
                     provider="http://idp.example.org/idp/shibboleth"
                     defaultSigningCredentialRef="IdPCredential">

        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 encryptAssertions="never" encryptNameIds="never"/>

    </rp:RelyingParty>

    <metadata:MetadataProvider id="ShibbolethMetadata"
                               xsi:type="metadata:ChainingMetadataProvider">

        <!-- Load the IdP's own metadata.  This is necessary for artifact support. -->
        <metadata:MetadataProvider id="IdPMD"
                                   xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="/opt/shibboleth-idp/metadata/idp-metadata.xml"
                                   maxRefreshDelay="P1D" />

        <metadata:MetadataProvider id="met.for.sp.net"
                                   xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="/opt/shibboleth-idp/metadata/sp1-metadata.xml"
                                   maxRefreshDelay="P1D" />
   ...

*SP's Metadata (Complete File):*

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="sp_dms"
                     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2050-01-01T00:00:00Z">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    MIICXTCCAcag...
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>

        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService index="1"
                                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://dmsqa.easysol.net:7443/portal/sp/AssertionConsumerService"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>


*Attribute-Filter (Complete File):*

<?xml version="1.0" encoding="UTF-8"?>

<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
                                xmlns:afp="urn:mace:shibboleth:2.0:afp"
                                xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
                                xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                                                    urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
                                                    urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">

    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>


*Attribute-Resolver (Complete File):*

<?xml version="1.0" encoding="UTF-8"?>

<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
                            xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
                            xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
                            xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
                            xmlns:sec="urn:mace:shibboleth:2.0:security"
                            xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
                                                urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
                                                urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
                                                urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
                                                urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
                                                urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">

    <!-- Name Identifier related attributes -->
    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
                                   nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </resolver:AttributeDefinition>

    <resolver:PrincipalConnector xsi:type="pc:Transient" id="shibTransient"
                                 nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml1Unspec"
                                 nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml2Transient"
                                 nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

</resolver:AttributeResolver>


Here's the log:
...
18:20:20.159 - DEBUG
[org.opensaml.ws.message.decoder.BaseMessageDecoder:205] - Message
succesfully unmarshalled
18:20:20.159 - DEBUG
[org.opensaml.saml2.binding.decoding.HTTPPostDecoder:94] - Decoded SAML
message
18:20:20.159 - DEBUG
[org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder:112] -
Extracting ID, issuer and issue instant from request
18:20:20.159 - DEBUG
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] -
Checking child metadata provider for entity descriptor with entity ID:
sp_dms
18:20:20.160 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] -
Searching for entity descriptor with an entity ID of sp_dms
18:20:20.160 - TRACE
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:533] -
Metadata root is an entity descriptor, checking if it's the one we're
looking for.
18:20:20.160 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] -
Metadata document does not contain an EntityDescriptor with the ID sp_dms
18:20:20.160 - DEBUG
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] -
Checking child metadata provider for entity descriptor with entity ID:
sp_dms
18:20:20.160 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] -
Searching for entity descriptor with an entity ID of sp_dms
18:20:20.160 - TRACE
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:524] -
Entity descriptor for the ID sp_dms was found in index cache, returning
18:20:20.161 - DEBUG [PROTOCOL_MESSAGE:113] -
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://domain/sp/AssertionConsumerServicePath"
Destination="http://idp.example.org/idp/profile/SAML2/POST/SSO"
ID="7a092b8d-6e4e-46aa-bf8c-1bdf54799220"
IssueInstant="2014-09-06T23:20:19.860Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sp_dms</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#7a092b8d-6e4e-46aa-bf8c-1bdf54799220">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>D2HrzVmrGp...=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>inMstvKI061xF...</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MIICXTCCAcagAwIBAg...</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
</saml2p:AuthnRequest>

18:20:20.162 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128]
- Looking up relying party configuration for sp_dms
18:20:20.163 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130]
- Custom relying party configuration found for sp_dms
18:20:20.163 - DEBUG
[org.opensaml.ws.message.decoder.BaseMessageDecoder:130] - Evaluating
security policy of type
'edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy'
for decoded message
18:20:20.163 - DEBUG [org.opensaml.util.storage.ReplayCache:92] -
Attempting to acquire lock for replay cache check
18:20:20.163 - DEBUG [org.opensaml.util.storage.ReplayCache:94] - Lock
acquired
18:20:20.163 - DEBUG [org.opensaml.util.storage.ReplayCache:105] - Message
ID 7a092b8d-6e4e-46aa-bf8c-1bdf54799220 was not a replay
18:20:20.164 - DEBUG [org.opensaml.util.storage.ReplayCache:132] - Writing
message ID sp_dms7a092b8d-6e4e-46aa-bf8c-1bdf54799220 to replay cache with
expiration time 2014-09-06T18:25:20.163-05:00
18:20:20.164 - DEBUG
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] -
Checking child metadata provider for entity descriptor with entity ID:
sp_dms
18:20:20.164 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] -
Searching for entity descriptor with an entity ID of sp_dms
18:20:20.164 - TRACE
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:533] -
Metadata root is an entity descriptor, checking if it's the one we're
looking for.
18:20:20.164 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:250] -
Metadata document did not contain a descriptor for entity sp_dms
18:20:20.165 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:317] -
Metadata document did not contain any role descriptors of type
{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity sp_dms
18:20:20.165 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:286] -
Metadata document does not contain a role of type
{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol
urn:oasis:names:tc:SAML:2.0:protocol for entity sp_dms
18:20:20.165 - DEBUG
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] -
Checking child metadata provider for entity descriptor with entity ID:
sp_dms
18:20:20.165 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] -
Searching for entity descriptor with an entity ID of sp_dms
18:20:20.165 - TRACE
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:524] -
Entity descriptor for the ID sp_dms was found in index cache, returning
18:20:20.165 - DEBUG
[org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:92] -
SPSSODescriptor for entity ID 'sp_dms' does not require AuthnRequests to be
signed
18:20:20.166 - DEBUG [org.apache.xml.security.utils.ElementProxy:90] -
setElement("ds:Reference", "")
18:20:20.166 - DEBUG [org.apache.xml.security.utils.ElementProxy:90] -
setElement("ds:Transforms", "")
18:20:20.166 - DEBUG [org.apache.xml.security.utils.ElementProxy:90] -
setElement("ds:Transform", "")
18:20:20.166 - DEBUG
[org.opensaml.security.SAMLSignatureProfileValidator:229] - Saw Enveloped
signature transform
18:20:20.166 - DEBUG [org.apache.xml.security.utils.ElementProxy:90] -
setElement("ds:Transform", "")
18:20:20.167 - DEBUG
[org.opensaml.security.SAMLSignatureProfileValidator:233] - Saw Exclusive
C14N signature transform
18:20:20.167 - DEBUG
[org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:125]
- Attempting to verify signature on signed SAML protocol message using
context issuer message type:
{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest
18:20:20.167 - DEBUG [org.apache.xml.security.algorithms.JCEMapper:271] -
Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
18:20:20.167 - DEBUG [org.apache.xml.security.algorithms.JCEMapper:236] -
Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
18:20:20.167 - DEBUG [org.opensaml.security.MetadataCredentialResolver:167]
- Forcing on-demand metadata provider refresh if necessary
18:20:20.168 - DEBUG [org.opensaml.security.MetadataCredentialResolver:215]
- Attempting to retrieve credentials from cache using index:
[sp_dms,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
18:20:20.168 - TRACE [org.opensaml.security.MetadataCredentialResolver:218]
- Read lock over cache acquired
18:20:20.168 - DEBUG [org.opensaml.security.MetadataCredentialResolver:223]
- Retrieved credentials from cache using index:
[sp_dms,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
18:20:20.168 - TRACE [org.opensaml.security.MetadataCredentialResolver:229]
- Read lock over cache released
18:20:20.169 - DEBUG
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105]
- Registry could not locate evaluable criteria for criteria class
org.opensaml.security.MetadataCriteria
...
18:20:20.196 - DEBUG [org.apache.xml.security.signature.Manifest:313] -
verify 1 References
18:20:20.196 - DEBUG [org.apache.xml.security.signature.Manifest:314] - I
am not requested to follow nested Manifests
18:20:20.196 - DEBUG [org.apache.xml.security.utils.ElementProxy:90] -
setElement("ds:Reference", "")
18:20:20.197 - DEBUG [org.apache.xml.security.utils.ElementProxy:90] -
setElement("ds:Transforms", "")
18:20:20.197 - DEBUG [org.apache.xml.security.algorithms.JCEMapper:219] -
Request for URI http://www.w3.org/2000/09/xmldsig#sha1
18:20:20.197 - DEBUG
[org.apache.xml.security.utils.resolver.ResourceResolver:165] - I was asked
to create a ResourceResolver and got 0
18:20:20.197 - DEBUG
[org.apache.xml.security.utils.resolver.ResourceResolver:108] - check
resolvability by class
org.apache.xml.security.utils.resolver.ResourceResolver
18:20:20.197 - DEBUG
[org.apache.xml.security.utils.resolver.implementations.ResolverFragment:136]
- State I can resolve reference: "#7a092b8d-6e4e-46aa-bf8c-1bdf54799220"
18:20:20.198 - DEBUG
[org.apache.xml.security.utils.resolver.implementations.ResolverFragment:99]
- Try to catch an Element with ID 7a092b8d-6e4e-46aa-bf8c-1bdf54799220 and
Element was [saml2p:AuthnRequest: null]
18:20:20.198 - DEBUG [org.apache.xml.security.utils.ElementProxy:90] -
setElement("ds:Transform", "")
18:20:20.198 - DEBUG [org.apache.xml.security.transforms.Transforms:269] -
Perform the (0)th http://www.w3.org/2000/09/xmldsig#enveloped-signature
transform
18:20:20.198 - DEBUG [org.apache.xml.security.utils.ElementProxy:90] -
setElement("ds:Transform", "")
18:20:20.199 - DEBUG
[org.apache.xml.security.utils.DigesterOutputStream:55] - Pre-digested
input:
18:20:20.199 - DEBUG
[org.apache.xml.security.utils.DigesterOutputStream:60] -
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://domain/sp/AssertionConsumerServicePath"
Destination="http://idp.example.org/idp/profile/SAML2/POST/SSO"
ID="7a092b8d-6e4e-46aa-bf8c-1bdf54799220"
IssueInstant="2014-09-06T23:20:19.860Z" Version="2.0"><saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sp_dms</saml2:Issuer></saml2p:AuthnRequest>
18:20:20.199 - DEBUG [org.apache.xml.security.signature.Reference:784] -
Verification successful for URI "#7a092b8d-6e4e-46aa-bf8c-1bdf54799220"
18:20:20.199 - DEBUG [org.apache.xml.security.signature.Manifest:344] - The
Reference has Type
18:20:20.199 - DEBUG [org.opensaml.xml.signature.SignatureValidator:70] -
Signature validated with key from supplied credential
18:20:20.199 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:148] - Signature
validation using candidate credential was successful
18:20:20.200 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:101] -
Successfully verified signature using KeyInfo-derived credential
18:20:20.200 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:102] - Attempting
to establish trust of KeyInfo-derived credential
18:20:20.200 - DEBUG
[org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator:220] -
Supplied trusted names are null or empty, skipping name evaluation
18:20:20.200 - DEBUG
[org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine:234] - Signature
trust could not be established via PKIX validation of signing credential
18:20:20.200 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:107] - Failed to
establish trust of KeyInfo-derived credential
18:20:20.200 - DEBUG
[org.opensaml.xml.signature.impl.BaseSignatureTrustEngine:115] - Failed to
verify signature and/or establish trust using any KeyInfo-derived
credentials
18:20:20.201 - DEBUG
[org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine:162] - PKIX
validation of signature failed, unable to resolve valid and trusted signing
key
18:20:20.201 - DEBUG
[org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:136]
- Validation of protocol message signature failed for context issuer
'sp_dms', message type: {urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest
18:20:20.202 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406]
- Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol
message signature failed
at
org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
~[opensaml-2.6.2.jar:na]
at
org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
~[opensaml-2.6.2.jar:na]
at
org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
~[openws-1.5.2.jar:na]
at
org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
~[openws-1.5.2.jar:na]
...
18:20:20.203 - DEBUG
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] -
LoginContext key cookie was not present in request
18:20:20.203 - DEBUG
[edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No
relying party, nothing to display
18:20:20.236 - TRACE
[edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] -
Attempting to retrieve IdP session cookie.

I loaded Shib's idp.crt file into the SP (they stored it in the KeyStore),
but as you can see I'm getting a problem with the certificate.

I've found several other posts on the web about this problem (Failed to
establish trust of KeyInfo-derived credential) but none of them worked for
me.

Any help is appreciated.

Thanks!
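Added note and check, not part of the original post and not Shibboleth or Spring SAML code. Two things in the post stand out. First, idp.crt in the SP's keystore is what the SP uses to verify the IdP's signatures; the check that fails here runs the other way (the IdP verifying the SP's AuthnRequest signature), and for that the IdP needs the SP's certificate in its own copy of sp1-metadata.xml. Second, the posted SP metadata puts ds:KeyInfo directly under md:SPSSODescriptor, whereas the SAML metadata schema only allows it inside md:KeyDescriptor; a metadata-driven (explicit key) credential resolver therefore finds no signing key for sp_dms, and the IdP's chaining trust engine falls through to PKIX, for which the posted metadata supplies no anchors. That matches the log: the signature verifies with the KeyInfo-derived credential, but trust in that credential cannot be established, and the SPSSODescriptor "does not require AuthnRequests to be signed" because AuthnRequestsSigned is absent. The script below mimics the explicit-key stage over a metadata fragment shaped like the posted one next to a corrected one (KeyDescriptor use="signing", AuthnRequestsSigned="true"). The certificate, endpoints, request and function names are constructed for the example.

```python
"""Explicit-key trust check of an SP's AuthnRequest signature against the IdP's copy
of the SP metadata.  Added example, not Shibboleth or OpenSAML code; all inputs are
constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Constructed stand-in for the base64 DER of the SP's signing certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not an X.509 cert").decode()

# Same shape as the metadata in the post: ds:KeyInfo directly under SPSSODescriptor.
BROKEN_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="sp_dms" xmlns:md="{NS['md']}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:KeyInfo xmlns:ds="{NS['ds']}">
      <ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Corrected: the key sits in a KeyDescriptor and the SP declares that it signs requests.
FIXED_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="sp_dms" xmlns:md="{NS['md']}">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed signed request; only its KeyInfo matters for this check.
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{NS['saml2p']}" ID="_req1"
    Version="2.0" IssueInstant="2014-09-06T23:20:19.860Z">
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml2p:AuthnRequest>"""


def _norm(b64: str) -> str:
    """Drop the whitespace that PEM wrapping and XML pretty-printing add."""
    return "".join(b64.split())

def fingerprint(b64: str) -> str:
    """SHA-256 of the DER bytes, comparable with `openssl x509 -fingerprint -sha256`."""
    return hashlib.sha256(base64.b64decode(_norm(b64))).hexdigest()

def metadata_signing_certs(metadata_xml: str) -> List[str]:
    """Certificates an explicit-key resolver accepts for SIGNING: those inside an
    md:KeyDescriptor whose use is "signing" or absent."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += [_norm(c.text or "") for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return certs

def stray_keyinfo(metadata_xml: str) -> bool:
    """True if a ds:KeyInfo is a direct child of SPSSODescriptor, where the metadata
    schema does not allow it and metadata-driven resolvers never look."""
    root = ET.fromstring(metadata_xml)
    keyinfo = "{%s}KeyInfo" % NS["ds"]
    return any(c.tag == keyinfo for sp in root.iterfind(".//md:SPSSODescriptor", NS) for c in sp)

def request_signing_cert(request_xml: str) -> Optional[str]:
    """The KeyInfo-derived credential: the cert the SP embedded in its signature."""
    c = ET.fromstring(request_xml).find(
        "./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return _norm(c.text) if c is not None and c.text else None

def explicit_key_trust(metadata_xml: str, request_xml: str) -> Dict[str, object]:
    """First stage of the IdP's chaining trust engine: the presented cert is trusted
    iff it is a metadata signing cert; only if none exists does PKIX get a turn."""
    presented = request_signing_cert(request_xml)
    if presented is None:
        return {"trusted": False, "reason": "no X509Certificate in request KeyInfo"}
    trusted = metadata_signing_certs(metadata_xml)
    if not trusted:
        reason = "metadata has no KeyDescriptor signing key for this SP"
        if stray_keyinfo(metadata_xml):
            reason += " (ds:KeyInfo sits outside md:KeyDescriptor)"
        return {"trusted": False, "reason": reason, "fingerprint": fingerprint(presented)}
    ok = presented in trusted
    return {"trusted": ok, "fingerprint": fingerprint(presented),
            "reason": "explicit key match" if ok else "request cert not in metadata"}
```

Run explicit_key_trust over the posted-shape metadata and it reports no KeyDescriptor signing key with the stray KeyInfo called out; over the corrected fragment it reports an explicit key match. Against real files, compare the fingerprint it prints for the request certificate with `openssl x509 -in sp.crt -noout -fingerprint -sha256`; if they differ, the SP is signing with a key other than the one the IdP was given.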