WARN [org.apache.xml.security.signature.XMLSignature:760] - Signature verification failed.
Mathis, Bradley
bmathis at pima.edu
Mon Dec 4 17:26:10 EST 2017
Howdy all!
Background info:
Be aware that my terminology may not be correct, as I'm still pretty new
to using and installing Shibboleth/IdP.
I'm taking a test run at migrating from IdP 2.2.4 to IdP 3.3.1. I did a
fresh install of IdP 3.3.1 using Jetty 9.3.20 with Java 1.8.
Following that I used the documentation at
https://wiki.shibboleth.net/confluence/display/IDP30/UpgradingFromV2 to
manually bring over the necessary configuration files/settings from the IdP
2.x system and was able to get IdP 3.x to load successfully.
While running in what I think is called Legacy mode, I was also able to
successfully authenticate/SSO using the TestShib site and a local
application (FreshDesk) that we use in house. Those are the only two SPs
that I have to test against for now.
After having what appeared to be a "basic working system" running
in Legacy mode, I proceeded to try to move towards a full IdP 3.x configuration
with new-style relying-party.xml, metadata-providers.xml etc.
I had two SPs that I knew were going to be a challenge to get added into
the metadata-providers.xml without generating errors. They both require
signature validation. One of them is the entry for InCommon and the
other is an app we use called ActiveData Calendar. So I left those out of the v3
config temporarily until I could work out all the deprecation messages and
errors.
Without InCommon and ActiveData Calendar configured in my v3
metadata-providers.xml I can start IdP 3.0 and SSO to the 2 SPs I'm
testing with successfully ... and I have no errors or deprecation warnings
in the idp-process.log. So at this point I'm pretty happy, thinking all I
have to do now is get these last two SPs figured out.
After much reading and tinkering, I got the InCommon info added into the v3
metadata-providers.xml and the IdP started up OK, with no errors, woo hoo!
But when attempting to add ActiveData Calendar I get the following
errors.
+++++++++++++++++++++++++++++++++++++
idp-warn.log
2017-12-04 12:04:02,545 - WARN [org.apache.xml.security.signature.XMLSignature:760] - Signature verification failed.
2017-12-04 12:04:02,548 - WARN [org.apache.xml.security.signature.XMLSignature:760] - Signature verification failed.
2017-12-04 12:04:02,549 - ERROR [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:420] - Signature trust establishment failed for metadata entry https://eventcal.pima.edu/
2017-12-04 12:04:02,779 - WARN [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:251] - Saw fatal error validating metadata signature(s), metadata will be filtered out
org.opensaml.saml.metadata.resolver.filter.FilterException: Signature trust establishment failed for metadata entry
        at org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:421)
++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++
idp-process.log
2017-12-04 12:04:02,209 - DEBUG [net.shibboleth.idp.profile.spring.relyingparty.metadata.filter.impl.SignatureValidationCriteriaSetFactoryBean:123] - Building CriteriaSet based on factory bean inputs
2017-12-04 12:04:02,210 - DEBUG [net.shibboleth.idp.profile.spring.relyingparty.metadata.filter.impl.SignatureValidationCriteriaSetFactoryBean:140] - Resolving SignatureValidationParameters from supplied SignatureValidationConfigurations
2017-12-04 12:04:02,278 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:283] - Metadata Resolver FilesystemMetadataResolver ADMD: Beginning refresh of metadata from '/opt/shibboleth-idp/metadata/PimaEventCalSP.xml'
2017-12-04 12:04:02,435 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:290] - Metadata Resolver FilesystemMetadataResolver ADMD: Processing new metadata from '/opt/shibboleth-idp/metadata/PimaEventCalSP.xml'
2017-12-04 12:04:02,436 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:380] - Metadata Resolver FilesystemMetadataResolver ADMD: Unmarshalling metadata from '/opt/shibboleth-idp/metadata/PimaEventCalSP.xml'
2017-12-04 12:04:02,534 - DEBUG [org.apache.xml.security.utils.ElementProxy:91] - setElement("Signature", "")
2017-12-04 12:04:02,534 - DEBUG [org.apache.xml.security.utils.ElementProxy:91] - setElement("SignedInfo", "")
2017-12-04 12:04:02,534 - DEBUG [org.apache.xml.security.utils.ElementProxy:91] - setElement("SignatureMethod", "")
2017-12-04 12:04:02,535 - DEBUG [org.apache.xml.security.algorithms.SignatureAlgorithm:148] - Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
2017-12-04 12:04:02,535 - DEBUG [org.apache.xml.security.algorithms.JCEMapper:321] - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
2017-12-04 12:04:02,535 - DEBUG [org.apache.xml.security.algorithms.implementations.SignatureBaseRSA:57] - Created SignatureRSA using SHA1withRSA
2017-12-04 12:04:02,536 - DEBUG [org.apache.xml.security.utils.ElementProxy:91] - setElement("KeyInfo", "")
2017-12-04 12:04:02,537 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:423] - Metadata Resolver FilesystemMetadataResolver ADMD: Preprocessing metadata from '/opt/shibboleth-idp/metadata/PimaEventCalSP.xml'
2017-12-04 12:04:02,537 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:376] - Metadata Resolver FilesystemMetadataResolver ADMD: Applying metadata filter
2017-12-04 12:04:02,537 - DEBUG [org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain:75] - Applying filter org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter
2017-12-04 12:04:02,538 - DEBUG [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:403] - Verifying signature on metadata entry: https://eventcal.pima.edu/
2017-12-04 12:04:02,538 - DEBUG [org.apache.xml.security.utils.ElementProxy:91] - setElement("Reference", "")
2017-12-04 12:04:02,538 - DEBUG [org.apache.xml.security.utils.ElementProxy:91] - setElement("Transforms", "")
2017-12-04 12:04:02,539 - DEBUG [org.apache.xml.security.utils.ElementProxy:91] - setElement("Transform", "")
2017-12-04 12:04:02,539 - DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator:235] - Saw Enveloped signature transform
2017-12-04 12:04:02,539 - DEBUG [org.apache.xml.security.utils.ElementProxy:91] - setElement("Transform", "")
2017-12-04 12:04:02,539 - DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator:239] - Saw Exclusive C14N signature transform
2017-12-04 12:04:02,540 - DEBUG [org.apache.xml.security.signature.XMLSignature:731] - signatureMethodURI = http://www.w3.org/2000/09/xmldsig#rsa-sha1
2017-12-04 12:04:02,541 - DEBUG [org.apache.xml.security.signature.XMLSignature:732] - jceSigAlgorithm = SHA1withRSA
2017-12-04 12:04:02,541 - DEBUG [org.apache.xml.security.signature.XMLSignature:733] - jceSigProvider = SunRsaSign
2017-12-04 12:04:02,542 - DEBUG [org.apache.xml.security.signature.XMLSignature:734] - PublicKey = Sun RSA public key, 1024 bits
  modulus: 139903893700818129923763917507283348539565831909513904498144681001062613781591380290246167882978567758383367896585313556206278819370392138141890359518747198864175236186240358004044099091514930338900369886675005990687898507665880009509192577982265000195960680632675200295946362219208818811104695564396648767203
  public exponent: 65537
2017-12-04 12:04:02,542 - DEBUG [org.apache.xml.security.utils.SignerOutputStream:64] - Canonicalized SignedInfo:
2017-12-04 12:04:02,543 - DEBUG [org.apache.xml.security.utils.SignerOutputStream:69] - <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_e0ffb229-c45d-428b-b44c-d306f5c58af6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default md saml ds xs xsi"></InclusiveNamespaces>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>JgZYpKMrgUQSBTEjRK/sLvXIzCw=</DigestValue>
</Reference>
</SignedInfo>
2017-12-04 12:04:02,545 - WARN [org.apache.xml.security.signature.XMLSignature:760] - Signature verification failed.
2017-12-04 12:04:02,546 - DEBUG [org.apache.xml.security.signature.XMLSignature:731] - signatureMethodURI = http://www.w3.org/2000/09/xmldsig#rsa-sha1
2017-12-04 12:04:02,546 - DEBUG [org.apache.xml.security.signature.XMLSignature:732] - jceSigAlgorithm = SHA1withRSA
2017-12-04 12:04:02,547 - DEBUG [org.apache.xml.security.signature.XMLSignature:733] - jceSigProvider = SunRsaSign
2017-12-04 12:04:02,547 - DEBUG [org.apache.xml.security.signature.XMLSignature:734] - PublicKey = Sun RSA public key, 1024 bits
  modulus: 139903893700818129923763917507283348539565831909513904498144681001062613781591380290246167882978567758383367896585313556206278819370392138141890359518747198864175236186240358004044099091514930338900369886675005990687898507665880009509192577982265000195960680632675200295946362219208818811104695564396648767203
  public exponent: 65537
2017-12-04 12:04:02,548 - DEBUG [org.apache.xml.security.utils.SignerOutputStream:64] - Canonicalized SignedInfo:
2017-12-04 12:04:02,548 - DEBUG [org.apache.xml.security.utils.SignerOutputStream:69] - <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_e0ffb229-c45d-428b-b44c-d306f5c58af6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default md saml ds xs xsi"></InclusiveNamespaces>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>JgZYpKMrgUQSBTEjRK/sLvXIzCw=</DigestValue>
</Reference>
</SignedInfo>
2017-12-04 12:04:02,548 - WARN [org.apache.xml.security.signature.XMLSignature:760] - Signature verification failed.
2017-12-04 12:04:02,549 - ERROR [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:420] - Signature trust establishment failed for metadata entry https://eventcal.pima.edu/
2017-12-04 12:04:02,779 - WARN [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:251] - Saw fatal error validating metadata signature(s), metadata will be filtered out
org.opensaml.saml.metadata.resolver.filter.FilterException: Signature trust establishment failed for metadata entry
        at org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:421)
2017-12-04 12:04:02,780 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:285] - Metadata Resolver FilesystemMetadataResolver ADMD: Metadata filtering process produced a null document, resulting in an empty data set
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Listed here are the entries for the two SPs loaded in the
v3 metadata-providers.xml (InCommon loads ... ActiveData errors out with the errors
listed above)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<MetadataProvider id="ICMD"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml"
    metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml">
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P15D"/>
    <MetadataFilter xsi:type="SignatureValidation"
        certificateFile="/opt/shibboleth-idp/credentials/inc-md-cert.pem"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
<MetadataProvider id="ADMD"
    xsi:type="FilesystemMetadataProvider"
    metadataFile="/opt/shibboleth-idp/metadata/PimaEventCalSP.xml">
    <MetadataFilter xsi:type="SignatureValidation"
        certificateFile="/opt/shibboleth-idp/credentials/eventcal.crt"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Here's what I was loading in the v2 compatibility mode version of
the metadata-providers.xml
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<!-- Load Metadata for Active Data Calendar eventcal.pima.edu -->
<!-- Note: this provider carries no MetadataFilter at all. In this v2 configuration
     the local file was loaded without any signature check; the EventCalCredentials
     entry in the ICTrust engine below is never referenced by this provider. -->
<metadata:MetadataProvider id="ADMD"
    xsi:type="metadata:FilesystemMetadataProvider" maxRefreshDelay="PT1H"
    metadataFile="/opt/shibboleth-idp/metadata/PimaEventCalSP.xml" />
<!-- The following MetadataProvider (a child element of a ChainingMetadataProvider)
     refreshes the InCommon production metadata aggregate. -->
<metadata:MetadataProvider id="ICMD"
    xsi:type="metadata:FileBackedHTTPMetadataProvider" maxRefreshDelay="PT1H"
    metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <!--
            Require a validUntil XML attribute on the EntitiesDescriptor element
            and make sure its value is no more than 15 days (P15D) into the future
        -->
        <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
            maxValidityInterval="P15D" />
        <!--
            Require the metadata to be signed and use the trust engine
            labeled id="ICTrust" to determine its trustworthiness
        -->
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
            trustEngineRef="ICTrust" requireSignedMetadata="true" />
        <!-- Consume all SP metadata in the aggregate -->
        <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
            <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
        </metadata:MetadataFilter>
    </metadata:MetadataFilter>
</metadata:MetadataProvider>
<!-- ========================================== -->
<!-- Security Configurations -->
<!-- ========================================== -->
<security:TrustEngine id="ICTrust"
    xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="MyFederation1Credentials"
        xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
    </security:Credential>
    <security:Credential id="EventCalCredentials"
        xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/eventcal.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks in advance for any help!
Brad Mathis
Principal Systems Analyst
Pima Community College
IT - Technical Services
520.206.4826
bmathis at pima.edu
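Editor's note, added to this archived post and not part of Brad's message or of the Shibboleth project: the log above shows the IdP's SignatureValidation filter taking the 1024-bit RSA key out of eventcal.crt, canonicalizing SignedInfo with exclusive C14N, and then logging "Signature verification failed." from Santuario. That message alone does not say whether the key is simply not the one that signed PimaEventCalSP.xml, or whether the signed EntityDescriptor was altered after signing (for example by hand-editing the file, which breaks the Reference digest). The following stand-alone Java program, written for this note, checks the same enveloped signature offline with the JDK's built-in XML-DSig API (JSR-105, not OpenSAML) and reports the SignatureValue check and each Reference digest separately, so the two failure modes can be told apart. The class name and the output format are this note's own choices; the file paths are the ones from the post. It registers the metadata ID attribute so the `#_e0ffb229-...` style Reference URI resolves, and it disables DTD processing because the metadata file is third-party input. Caveat: on recent JDKs the default secure-validation policy may refuse the rsa-sha1 SignatureMethod and sha1 DigestMethod shown in the log outright, in which case the program prints the refusal message rather than a true/false result.

```java
import java.io.FileInputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Offline check of the enveloped XML signature on a SAML metadata file against
 * one certificate. Added example for this note, not Shibboleth project code.
 *
 * Usage (paths as in the post):
 *   java CheckMetadataSignature /opt/shibboleth-idp/metadata/PimaEventCalSP.xml \
 *                               /opt/shibboleth-idp/credentials/eventcal.crt
 */
public class CheckMetadataSignature {

    private static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: CheckMetadataSignature <metadata.xml> <signer-cert.pem>");
            System.exit(2);
        }

        // Only the public key is taken from the certificate. This mirrors what the
        // IdP's SignatureValidation filter with certificateFile does: validity
        // period, chain and subject of the cert play no part, only the key.
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(args[1])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        PublicKey key = cert.getPublicKey();
        System.out.println("Key from cert: " + key.getAlgorithm() + ", subject " + cert.getSubjectX500Principal());

        // Namespace-aware, DTD-free parse: the metadata is third-party input and
        // must not be able to pull in external entities.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc;
        try (FileInputStream in = new FileInputStream(args[0])) {
            doc = dbf.newDocumentBuilder().parse(in);
        }

        // Reference URI="#_..." is resolved by ID, so the ID attribute of the
        // EntitiesDescriptor/EntityDescriptor elements must be registered in DOM.
        for (String local : new String[] {"EntitiesDescriptor", "EntityDescriptor"}) {
            NodeList nodes = doc.getElementsByTagNameNS(MD_NS, local);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element e = (Element) nodes.item(i);
                if (e.hasAttribute("ID")) {
                    e.setIdAttribute("ID", true);
                }
            }
        }

        // Use the ds:Signature that is a direct child of the root element (the one
        // covering the whole file), not a Signature nested somewhere deeper.
        Element sigEl = null;
        NodeList kids = doc.getDocumentElement().getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n instanceof Element && XMLSignature.XMLNS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                sigEl = (Element) n;
                break;
            }
        }
        if (sigEl == null) {
            System.out.println("RESULT: root element is not signed");
            System.exit(1);
        }

        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        System.out.println("SignatureMethod: " + sig.getSignedInfo().getSignatureMethod().getAlgorithm());

        try {
            // Core validation first (SignatureValue plus every Reference digest),
            // then the two halves separately so the failure mode is visible.
            boolean core = sig.validate(ctx);
            System.out.println("SignatureValue verifies with this key: " + sig.getSignatureValue().validate(ctx));
            @SuppressWarnings("unchecked")
            List<Reference> refs = sig.getSignedInfo().getReferences();
            for (Reference ref : refs) {
                System.out.println("Reference " + ref.getURI() + " digest matches: " + ref.validate(ctx));
            }
            System.out.println("RESULT: " + (core ? "VALID" : "INVALID"));
            System.exit(core ? 0 : 1);
        } catch (XMLSignatureException e) {
            // Newer JDKs may refuse an algorithm (e.g. SHA-1) under secure
            // validation instead of returning false; surface that as-is.
            System.out.println("RESULT: validation refused: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Reading the output: "SignatureValue verifies: false" with all Reference digests true means the file is intact but eventcal.crt does not hold the key that signed it (an SP's SAML signing certificate is not necessarily the certificate used to sign its metadata file); a false Reference digest means the signed element no longer matches what was signed. If this program reports VALID with the same certificate while the IdP still filters the entry out, the problem is in the IdP's trust configuration rather than in the signature itself. Compile and run it with the same JDK the IdP uses so that the algorithm policy matches.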