signature validation failure
Bobby Lawrence
robertl at jlab.org
Wed Apr 6 16:05:06 UTC 2022
I'm trying to help get an SP to use our IdP and I'm running into an AuthnRequest signing issue. I'm hoping someone can help me discern the cause.
We have metadata for this SP in the form of an X509 certificate:
<KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:KeyName>MXwrOk8KdR_98uoy06Nyq0b3hcKmCkB_3sZn1Led3LQ</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate><!-- base64 DER certificate body omitted --></dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</KeyDescriptor>
The AuthnRequest from this SP is coming in with an RSAKeyValue in the signature and not an X509Data (which is different from most other SPs we have worked with):
<?xml version="1.0" encoding="UTF-8"?>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<dsig:Reference URI="#ID_f9a395be-eb95-443d-a79b-ca7c67dfdab8">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<dsig:DigestValue>Qje+BL96Zosg1wEcG/ZMbdUwYVbdaSYcNKKzNXIwDA8=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>XThpJP4jLfyDHqW+sQAP29T5UBgD/MoErjGx9AoMLLurKJIYpd9LM8qIEesTmMCjvKO5Sz7ACLFlQF/60Rtvv4Mid3HUVXWVRPJsW0HODcKdCqXErM6uiv5X/9vT50hwr5NhBIufbUfQe0VfW23RFQLykWl+/Fh5d6o1rc7jvdEYt9lI/z2iqCZXgI6FVqo7zelQUcELfbnwx4FuQNqRz8SJync4jPO0S9bUhtRSMvYleKS8ruWyaI/o19m9LLqrvC53Z66lWhfd/YFWzXDSO8yv0t4sqYGu8CGE1Ei2SOJdaT+BxzwnyopHhPpS/ZCHsKtmqTZJWCHj3HIM97em7A==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>pFfobLWE42ZaFD4VzOX9vvQsonD+Irji/j2CrmqePxfAI0W2k7EjTTR9UtkhPPBeH6Bg+AKflZ9dV1lmF4NZDkhYbNIZnbAy9KcRPPps6qbqJxn7cxfrUEbIJj/FfUwNupYNdLHWa33rPi+YhmXi8qv2QyYXteGhXsX1mpzJdDlQ1Bt1gd2z5WMptkeY56iHNPwRu09R6OaeoJDA0NxP8E7e6o2bu/gASll7rleMLchmFYl8UV+y5DVMq6QAujGVpdrgpQ9Vl4SCLQaC9GDeKrB9G3kDQxjS0eY5JYk6o4XnMoCM3AGwSCee61oCfELz8KQK0/pNrfoEJZ/XIvzzzQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
For some reason, the IdP (v3.4.7) is failing this request... it states the signature is valid but fails to establish trust for this key. I do not know why... can anyone help?
Here is a snippet from the log:
2022-04-06 10:00:23,018 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:189] - Attempting to verify signature and establish trust using KeyInfo-derived credentials
2022-04-06 10:00:23,018 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver:356] - Found 0 key names: []
2022-04-06 10:00:23,019 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver:319] - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}KeyValue with provider org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider
2022-04-06 10:00:23,019 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider:76] - Attempting to extract credential from an RSAKeyValue
2022-04-06 10:00:23,019 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider:93] - Credential successfully extracted from RSAKeyValue
2022-04-06 10:00:23,019 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver:329] - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}KeyValue by provider org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider
2022-04-06 10:00:23,019 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver:397] - Found a credential based on a KeyValue/DEREncodedKeyValue having key type: RSA
2022-04-06 10:00:23,019 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver:213] - No credentials were extracted by registered non-KeyValue handling providers, adding KeyValue credential to returned credential set
2022-04-06 10:00:23,019 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver:179] - A total of 1 credentials were resolved
2022-04-06 10:00:23,020 - 129.57.40.34 - DEBUG [org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry:96] - Registry could not locate evaluable criteria for criteria class org.opensaml.xmlsec.keyinfo.KeyInfoCriterion
2022-04-06 10:00:23,020 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.SignatureValidationProvider:53] - Using a validation provider of implementation: org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl
2022-04-06 10:00:23,020 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl:50] - Attempting to validate signature using key from supplied credential
2022-04-06 10:00:23,020 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl:92] - Accessing XMLSignature object
2022-04-06 10:00:23,020 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl:65] - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2022-04-06 10:00:23,020 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl:66] - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2022-04-06 10:00:23,021 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl:71] - Signature validated with key from supplied credential
2022-04-06 10:00:23,021 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:248] - Signature validation using candidate credential was successful
2022-04-06 10:00:23,021 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:199] - Successfully verified signature using KeyInfo-derived credential
2022-04-06 10:00:23,021 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:200] - Attempting to establish trust of KeyInfo-derived credential
2022-04-06 10:00:23,021 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine:213] - Can not evaluate trust of non-X509Credential
2022-04-06 10:00:23,021 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:205] - Failed to establish trust of KeyInfo-derived credential
2022-04-06 10:00:23,021 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine:216] - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
2022-04-06 10:00:23,022 - 129.57.40.34 - DEBUG [org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine:166] - PKIX validation of signature failed, unable to resolve valid and trusted signing key
2022-04-06 10:00:23,022 - 129.57.40.34 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:147)
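A check worth running on a case like this, added here and not part of the original post or of the Shibboleth code: the log shows the signature verifying with the key carried inside the request, so the question is whether that bare RSAKeyValue is the same key as the X509Certificate the SP publishes in its metadata. The Python below uses only the standard library, with a minimal DER walker assumed sufficient for RSA certificates, and runs on constructed sample inputs rather than the real certificate above.

```python
import base64
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

def der_read(buf, pos=0):
    """Minimal DER TLV reader: returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):
    """Children of a constructed DER value as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out
def cert_rsa_key(cert_b64):
    """(modulus, exponent) from the SubjectPublicKeyInfo of a base64 DER certificate."""
    fields = der_children(der_children(der_read(base64.b64decode(cert_b64))[1])[0][1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip the explicit [0] version
    spki = fields[5][1]                                # serial, sigAlg, issuer, validity, subject, SPKI
    rsa_pub = der_read(der_children(spki)[1][1][1:])[1]       # BIT STRING payload is RSAPublicKey
    return tuple(int.from_bytes(v, "big") for _, v in der_children(rsa_pub))

def signing_key_in_metadata(signature_xml, metadata_xml):
    """True if the bare RSAKeyValue in the Signature equals the key of an X509Certificate in the metadata."""
    kv = ET.fromstring(signature_xml).find(".//" + DSIG + "RSAKeyValue")
    wanted = tuple(int.from_bytes(base64.b64decode(kv.find(DSIG + n).text), "big") for n in ("Modulus", "Exponent"))
    return any(cert_rsa_key(c.text) == wanted for c in ET.fromstring(metadata_xml).iter(DSIG + "X509Certificate"))

# Constructed sample inputs (not the real SP's certificate or request): a tiny DER encoder, an unsigned certificate-shaped DER around a chosen RSA key, and the two XML fragments that would carry it.
def der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content
def sample_cert_b64(modulus, exponent):
    integer = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + der(0x30, integer(modulus) + integer(exponent))))
    tbs = der(0x30, der(0xA0, integer(2)) + integer(1) + der(0x30, b"") * 4 + spki)
    return base64.b64encode(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
def sample_xml(modulus, exponent, cert_b64):
    b64 = lambda v: base64.b64encode(v.to_bytes((v.bit_length() + 7) // 8, "big")).decode()
    sig = (f'<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:KeyInfo><dsig:KeyValue><dsig:RSAKeyValue>'
           f'<dsig:Modulus>{b64(modulus)}</dsig:Modulus><dsig:Exponent>{b64(exponent)}</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature>')
    md = (f'<KeyDescriptor use="signing"><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:X509Data>'
          f'<dsig:X509Certificate>{cert_b64}</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></KeyDescriptor>')
    return sig, md
```

Fed the Signature and KeyDescriptor fragments from the post, signing_key_in_metadata() tells you whether the SP signs with the key its metadata advertises; a False means there is nothing in that metadata for the IdP to match the KeyInfo key against.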