WARN [org.apache.xml.security.signature.XMLSignature:760] - Signature verification failed.

Mathis, Bradley bmathis at pima.edu
Mon Dec 4 17:26:10 EST 2017


Howdy all!


Background info:

Be aware that my terminology may not be correct as I'm still pretty new
to using and installing Shibboleth/IdP.

I'm taking a test run at migrating from IdP 2.2.4 to IdP 3.3.1. I did a
fresh install of IdP 3.3.1 using Jetty 9.3.20 with Java 1.8.
Following that I used the documentation at
https://wiki.shibboleth.net/confluence/display/IDP30/UpgradingFromV2 to
manually bring over the necessary configuration files/settings from the IdP
2.x system and was able to get IdP 3.x to load successfully.
While running in what I think is called Legacy mode, I was also able to
successfully authenticate/SSO using the Test Shib site and a local
application (FreshDesk) that we use in house. Those are the only two SPs
that I have to test against for now.

After having what appeared to be a "BASIC working system" running in
Legacy mode, I proceeded to try to move towards a full IdP 3.x configuration
with the new-style relying-party.xml, metadata-providers.xml etc.
I had two SPs that I knew were going to be a challenge to get added into
the metadata-providers.xml without generating errors. They both require
signature validation. One of them is the entry for InCommon and the other
is for an app we use called ActiveData Calendar. So I left those out of the
v3 config temporarily until I could work out all the deprecation messages
and errors.


Without InCommon and ActiveData Calendar configured in my v3
metadata-providers.xml I can start IdP 3.0 and SSO to the 2 SPs I'm
testing with successfully, and I have no errors or deprecation warnings
in the idp-process.log. So at this point I'm pretty happy, thinking all I
have to do now is get these last two SPs figured out.

After much reading and tinkering, I got the InCommon info added into the v3
metadata-providers.xml and the IdP started up OK with no errors, woo hoo!

But when attempting to add ActiveData Calendar I get the following
errors.

+++++++++++++++++++++++++++++++++++++
idp-warn.log

2017-12-04 12:04:02,545 - WARN
[org.apache.xml.security.signature.XMLSignature:760] - Signature
verification failed.
2017-12-04 12:04:02,548 - WARN
[org.apache.xml.security.signature.XMLSignature:760] - Signature
verification failed.
2017-12-04 12:04:02,549 - ERROR
[org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:420]
- Signature trust establishment failed for metadata entry
https://eventcal.pima.edu/
2017-12-04 12:04:02,779 - WARN
[org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:251]
- Saw fatal error validating metadata signature(s), metadata will be
filtered out
org.opensaml.saml.metadata.resolver.filter.FilterException: Signature trust
establishment failed for metadata entry
        at
org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:421)
++++++++++++++++++++++++++++++++++++++


+++++++++++++++++++++++++++++++++++++
 idp-process.log

2017-12-04 12:04:02,209 - DEBUG
[net.shibboleth.idp.profile.spring.relyingparty.metadata.filter.impl.SignatureValidationCriteriaSetFactoryBean:123]
- Building CriteriaSet based on factory bean inputs
2017-12-04 12:04:02,210 - DEBUG
[net.shibboleth.idp.profile.spring.relyingparty.metadata.filter.impl.SignatureValidationCriteriaSetFactoryBean:140]
- Resolving SignatureValidationParameters from supplied
SignatureValidationConfigurations
2017-12-04 12:04:02,278 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:283]
- Metadata Resolver FilesystemMetadataResolver ADMD: Beginning refresh of
metadata from '/opt/shibboleth-idp/metadata/PimaEventCalSP.xml'
2017-12-04 12:04:02,435 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:290]
- Metadata Resolver FilesystemMetadataResolver ADMD: Processing new
metadata from '/opt/shibboleth-idp/metadata/PimaEventCalSP.xml'
2017-12-04 12:04:02,436 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:380]
- Metadata Resolver FilesystemMetadataResolver ADMD: Unmarshalling metadata
from '/opt/shibboleth-idp/metadata/PimaEventCalSP.xml'
2017-12-04 12:04:02,534 - DEBUG
[org.apache.xml.security.utils.ElementProxy:91] - setElement("Signature",
"")
2017-12-04 12:04:02,534 - DEBUG
[org.apache.xml.security.utils.ElementProxy:91] - setElement("SignedInfo",
"")
2017-12-04 12:04:02,534 - DEBUG
[org.apache.xml.security.utils.ElementProxy:91] -
setElement("SignatureMethod", "")
2017-12-04 12:04:02,535 - DEBUG
[org.apache.xml.security.algorithms.SignatureAlgorithm:148] - Create URI "
http://www.w3.org/2000/09/xmldsig#rsa-sha1" class "class
org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
2017-12-04 12:04:02,535 - DEBUG
[org.apache.xml.security.algorithms.JCEMapper:321] - Request for URI
http://www.w3.org/2000/09/xmldsig#rsa-sha1
2017-12-04 12:04:02,535 - DEBUG
[org.apache.xml.security.algorithms.implementations.SignatureBaseRSA:57] -
Created SignatureRSA using SHA1withRSA
2017-12-04 12:04:02,536 - DEBUG
[org.apache.xml.security.utils.ElementProxy:91] - setElement("KeyInfo", "")
2017-12-04 12:04:02,537 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:423]
- Metadata Resolver FilesystemMetadataResolver ADMD: Preprocessing metadata
from '/opt/shibboleth-idp/metadata/PimaEventCalSP.xml'
2017-12-04 12:04:02,537 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:376] -
Metadata Resolver FilesystemMetadataResolver ADMD: Applying metadata filter
2017-12-04 12:04:02,537 - DEBUG
[org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain:75] -
Applying filter
org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter
2017-12-04 12:04:02,538 - DEBUG
[org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:403]
- Verifying signature on metadata entry: https://eventcal.pima.edu/
2017-12-04 12:04:02,538 - DEBUG
[org.apache.xml.security.utils.ElementProxy:91] - setElement("Reference",
"")
2017-12-04 12:04:02,538 - DEBUG
[org.apache.xml.security.utils.ElementProxy:91] - setElement("Transforms",
"")
2017-12-04 12:04:02,539 - DEBUG
[org.apache.xml.security.utils.ElementProxy:91] - setElement("Transform",
"")
2017-12-04 12:04:02,539 - DEBUG
[org.opensaml.saml.security.impl.SAMLSignatureProfileValidator:235] - Saw
Enveloped signature transform
2017-12-04 12:04:02,539 - DEBUG
[org.apache.xml.security.utils.ElementProxy:91] - setElement("Transform",
"")
2017-12-04 12:04:02,539 - DEBUG
[org.opensaml.saml.security.impl.SAMLSignatureProfileValidator:239] - Saw
Exclusive C14N signature transform
2017-12-04 12:04:02,540 - DEBUG
[org.apache.xml.security.signature.XMLSignature:731] - signatureMethodURI =
http://www.w3.org/2000/09/xmldsig#rsa-sha1
2017-12-04 12:04:02,541 - DEBUG
[org.apache.xml.security.signature.XMLSignature:732] - jceSigAlgorithm    =
SHA1withRSA
2017-12-04 12:04:02,541 - DEBUG
[org.apache.xml.security.signature.XMLSignature:733] - jceSigProvider     =
SunRsaSign
2017-12-04 12:04:02,542 - DEBUG
[org.apache.xml.security.signature.XMLSignature:734] - PublicKey = Sun RSA
public key, 1024 bits
  modulus:
139903893700818129923763917507283348539565831909513904498144681001062613781591380290246167882978567758383367896585313556206278819370392138141890359518747198864175236186240358004044099091514930338900369886675005990687898507665880009509192577982265000195960680632675200295946362219208818811104695564396648767203
  public exponent: 65537
2017-12-04 12:04:02,542 - DEBUG
[org.apache.xml.security.utils.SignerOutputStream:64] - Canonicalized
SignedInfo:
2017-12-04 12:04:02,543 - DEBUG
[org.apache.xml.security.utils.SignerOutputStream:69] - <SignedInfo xmlns="
http://www.w3.org/2000/09/xmldsig#">
                        <CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
                        <SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
                        <Reference
URI="#_e0ffb229-c45d-428b-b44c-d306f5c58af6">
                                <Transforms>
                                        <Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                                        <Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#">
                                                <InclusiveNamespaces xmlns="
http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default md saml ds xs
xsi"></InclusiveNamespaces>
                                        </Transform>
                                </Transforms>
                                                <DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>

<DigestValue>JgZYpKMrgUQSBTEjRK/sLvXIzCw=</DigestValue>
                                                </Reference>
                </SignedInfo>
2017-12-04 12:04:02,545 - WARN
[org.apache.xml.security.signature.XMLSignature:760] - Signature
verification failed.
2017-12-04 12:04:02,546 - DEBUG
[org.apache.xml.security.signature.XMLSignature:731] - signatureMethodURI =
http://www.w3.org/2000/09/xmldsig#rsa-sha1
2017-12-04 12:04:02,546 - DEBUG
[org.apache.xml.security.signature.XMLSignature:732] - jceSigAlgorithm    =
SHA1withRSA
2017-12-04 12:04:02,547 - DEBUG
[org.apache.xml.security.signature.XMLSignature:733] - jceSigProvider     =
SunRsaSign
2017-12-04 12:04:02,547 - DEBUG
[org.apache.xml.security.signature.XMLSignature:734] - PublicKey = Sun RSA
public key, 1024 bits
  modulus:
139903893700818129923763917507283348539565831909513904498144681001062613781591380290246167882978567758383367896585313556206278819370392138141890359518747198864175236186240358004044099091514930338900369886675005990687898507665880009509192577982265000195960680632675200295946362219208818811104695564396648767203
  public exponent: 65537
2017-12-04 12:04:02,548 - DEBUG
[org.apache.xml.security.utils.SignerOutputStream:64] - Canonicalized
SignedInfo:
2017-12-04 12:04:02,548 - DEBUG
[org.apache.xml.security.utils.SignerOutputStream:69] - <SignedInfo xmlns="
http://www.w3.org/2000/09/xmldsig#">
                        <CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
                        <SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
                        <Reference
URI="#_e0ffb229-c45d-428b-b44c-d306f5c58af6">
                                <Transforms>
                                        <Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                                        <Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#">
                                                <InclusiveNamespaces xmlns="
http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default md saml ds xs
xsi"></InclusiveNamespaces>
                                        </Transform>
                                </Transforms>
                                                <DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>

<DigestValue>JgZYpKMrgUQSBTEjRK/sLvXIzCw=</DigestValue>
                                                </Reference>
                </SignedInfo>
2017-12-04 12:04:02,548 - WARN
[org.apache.xml.security.signature.XMLSignature:760] - Signature
verification failed.
2017-12-04 12:04:02,549 - ERROR
[org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:420]
- Signature trust establishment failed for metadata entry
https://eventcal.pima.edu/
2017-12-04 12:04:02,779 - WARN
[org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:251]
- Saw fatal error validating metadata signature(s), metadata will be
filtered out
org.opensaml.saml.metadata.resolver.filter.FilterException: Signature trust
establishment failed for metadata entry
        at
org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:421)
2017-12-04 12:04:02,780 - INFO
[org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:285]
- Metadata Resolver FilesystemMetadataResolver ADMD: Metadata filtering
process produced a null document, resulting in an empty data set
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Listed here are the entries for the two SPs loaded in the v3
metadata-providers.xml (InCommon loads; ActiveData errors out with the
errors listed above).
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

<MetadataProvider id="ICMD"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml"
                  metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml">
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P15D"/>
    <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="/opt/shibboleth-idp/credentials/inc-md-cert.pem"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList"
                    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

<MetadataProvider id="ADMD"
                  xsi:type="FilesystemMetadataProvider"
                  metadataFile="/opt/shibboleth-idp/metadata/PimaEventCalSP.xml">
    <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="/opt/shibboleth-idp/credentials/eventcal.crt"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList"
                    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Here's what I was loading in the v2 compatibility mode version of
the metadata-providers.xml:



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

<!-- Load Metadata for Active Data Calendar eventcal.pima.edu -->
<metadata:MetadataProvider id="ADMD"
                           xsi:type="metadata:FilesystemMetadataProvider"
                           maxRefreshDelay="PT1H"
                           metadataFile="/opt/shibboleth-idp/metadata/PimaEventCalSP.xml" />

<!-- The following MetadataProvider (a child element of a ChainingMetadataProvider)
     refreshes the InCommon production metadata aggregate. -->
<metadata:MetadataProvider id="ICMD"
                           xsi:type="metadata:FileBackedHTTPMetadataProvider"
                           maxRefreshDelay="PT1H"
                           metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                           backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">

        <!--
            Require a validUntil XML attribute on the EntitiesDescriptor element
            and make sure its value is no more than 14 days into the future
        -->
        <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
                                 maxValidityInterval="P15D" />

        <!--
            Require the metadata to be signed and use the trust engine
            labeled id="ICTrust" to determine its trustworthiness
        -->
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                 trustEngineRef="ICTrust" requireSignedMetadata="true" />

        <!-- Consume all SP metadata in the aggregate -->
        <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
            <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
        </metadata:MetadataFilter>

    </metadata:MetadataFilter>
</metadata:MetadataProvider>


<!-- ========================================== -->
<!--     Security Configurations                -->
<!-- ========================================== -->

<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">

    <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
    </security:Credential>

    <security:Credential id="EventCalCredentials" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/eventcal.crt</security:Certificate>
    </security:Credential>

</security:TrustEngine>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Thanks in advance for any help!





Brad Mathis
Principal Systems Analyst
Pima Community College
IT - Technical Services
520.206.4826
bmathis at pima.edu
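A note on what the log above is saying, with an added pre-check that is not part of the original post and not Shibboleth or OpenSAML code. In the v2 configuration the ADMD provider carries no SignatureValidation filter at all, so the ActiveData metadata was never checked; in the v3 configuration the filter is applied with certificateFile="/opt/shibboleth-idp/credentials/eventcal.crt", and idp-process.log shows the 1024-bit RSA key from that file failing to verify the rsa-sha1 signature. The first thing to establish in that situation is whether the certificate the SP publishes inside ds:KeyInfo is the same one the IdP has been told to trust. The script below does that comparison with the Python standard library only: it locates the enveloped signature, checks that its Reference points at the root element's ID, flags SHA-1 algorithms, and compares the SHA-256 fingerprint of the embedded certificate with the configured certificateFile. It does not verify the signature itself (that needs exclusive C14N and an XML-DSig library), and the entity ID, element ID and certificate bytes in the sample are constructed placeholders, not real metadata or real certificates.

```python
# Added example (not from the original post or the Shibboleth project): a
# stdlib-only pre-check for a SAML metadata file whose SignatureValidation
# filter is failing. It does not verify the XML signature; it checks the
# things that are cheap to get wrong in the provider configuration.
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}


def pem_to_der(pem_text):
    """Strip PEM armor lines and return the DER bytes in between."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def inspect_metadata(metadata_xml, configured_cert_pem):
    """Describe the enveloped signature and report whether the certificate
    inside ds:KeyInfo is the one configured as certificateFile."""
    root = ET.fromstring(metadata_xml)
    report = {"findings": [],
              "configured_fingerprint": sha256_fingerprint(pem_to_der(configured_cert_pem))}
    sig = root.find(f"{{{DS}}}Signature")
    report["signed"] = sig is not None
    if sig is None:
        report["findings"].append("no enveloped ds:Signature on the root element")
        return report

    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    ref = signed_info.find(f"{{{DS}}}Reference")
    sig_alg = signed_info.find(f"{{{DS}}}SignatureMethod").get("Algorithm")
    digest_alg = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
    report["signature_method"] = sig_alg

    # An enveloped signature over the whole document must reference the root
    # element's own ID; otherwise it does not cover the descriptor being trusted.
    report["reference_matches_root"] = ref.get("URI", "") == "#" + (root.get("ID") or "")
    if not report["reference_matches_root"]:
        report["findings"].append(
            f"Reference URI {ref.get('URI')!r} does not point at root ID {root.get('ID')!r}")

    for alg in (sig_alg, digest_alg):
        if alg in WEAK_ALGORITHMS:
            report["findings"].append(f"weak algorithm in use: {alg}")

    cert_el = sig.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert_el is None or not (cert_el.text or "").strip():
        report["key_matches"] = None
        report["findings"].append("no X509Certificate in ds:KeyInfo; compare the configured "
                                  "certificate with the SP's published signing cert out of band")
        return report

    # The embedded certificate is a hint for diagnosis only; the IdP's trust
    # anchor stays the configured file, never what the metadata carries.
    embedded_der = base64.b64decode("".join(cert_el.text.split()))
    report["embedded_fingerprint"] = sha256_fingerprint(embedded_der)
    report["key_matches"] = report["embedded_fingerprint"] == report["configured_fingerprint"]
    if not report["key_matches"]:
        report["findings"].append("certificate in ds:KeyInfo differs from the configured "
                                  "certificateFile; the SP has probably re-signed with a new key")
    return report


# Constructed sample data: placeholder bytes, not real certificates or metadata.
CONSTRUCTED_CERT_DER = b"constructed placeholder standing in for DER certificate bytes"
ROTATED_CERT_DER = b"second constructed placeholder: the key the SP now signs with"


def as_pem(der):
    """Wrap placeholder bytes in PEM armor, the way a certificateFile is stored."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def constructed_metadata(signing_cert_der):
    """Metadata shaped like the SignedInfo shown in the idp-process.log excerpt."""
    cert_b64 = base64.b64encode(signing_cert_der).decode()
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="{DS}" ID="_constructed-0001" entityID="https://sp.example.org/">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_constructed-0001">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    # The SP re-signed with ROTATED_CERT_DER while the IdP still trusts CONSTRUCTED_CERT_DER.
    result = inspect_metadata(constructed_metadata(ROTATED_CERT_DER), as_pem(CONSTRUCTED_CERT_DER))
    for finding in result["findings"]:
        print("-", finding)
```

Run it against the real file and certificate with `inspect_metadata(open("PimaEventCalSP.xml").read(), open("eventcal.crt").read())`. If key_matches is False, obtain the SP's current signing certificate from the SP operator over a channel you already trust and replace certificateFile; if it is True and the IdP still rejects the file, the document was altered after it was signed (re-fetch it from the SP) or the IdP is right to refuse it. Dropping the SignatureValidation filter, which is effectively what the v2 ADMD provider did, silences the error but accepts unauthenticated metadata, so it is not a fix.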