我正在尝试对 SAML 2.0 响应进行签名验证,但遇到问题并收到以下错误。奇怪的是,如果我使用 SunJSSE Provider,我会得到“签名长度不正确:得到 512,但期望 256”,但如果我使用 Bouncy CaSTLe Provider,则会出现以下错误
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#Assertion-uuidab41cfa-014b-103a-bfdc-b02f8a93776c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi"></xc14n:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>xRjm9aVPUGwyzxWuhWL9/M/To1DGh0KvWWceX+e6Gj4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
WARN 2015-01-27 - Signature verification failed.
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
我验证签名的代码如下
try {
byte[] certByte = idp.getIdpDescriptor().getKeyDescriptors().get(0).getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue().getBytes();
InputStream ss = new ByteArrayInputStream(Base64.decodeBase64(certByte));
Certificate myCert = CertificateFactory
.getInstance("X509").generateCertificate(ss);
X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(myCert.getPublicKey().getEncoded());
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey key = keyFactory.generatePublic(publicKeySpec);
System.out.println(key.getEncoded().length);
/*myCert = CertificateFactory
.getInstance("X509")
.generateCertificate(
// string encoded with default charset
new ByteArrayInputStream(idp.getIdpDescriptor().getKeyDescriptors().get(0).getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue().getBytes("UTF-8"))
);*/
X509Certificate cert = (X509Certificate) myCert;
BasicX509Credential x509Credential = new BasicX509Credential();
x509Credential.setPublicKey(cert.getPublicKey());
x509Credential.setEntityCertificate(cert);
x509Credential.getEntityCertificateChain().add(cert);
Credential credential = x509Credential;
SignatureValidator sigValidator = new SignatureValidator(
credential);
sigValidator.validate(assertion.getSignature());
System.out.println("Validated.....YYIIIIIPPPPPEEEEEEEEEEEE");
} catch (CertificateException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (ValidationException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InvalidKeySpecException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
我是java安全新手,所以不明白。我还将我的 SAML 响应如下所示。
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="uuidab41d1c-014b-15f6-b5cd-b02f8a93776c">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#Assertion-uuidab41cfa-014b-103a-bfdc-b02f8a93776c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>xRjm9aVPUGwyzxWuhWL9/M/To1DGh0KvWWceX+e6Gj4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PHQGp9g8t8arots0MUsdEAobySe0Cn4FP7M/nUaBbraRRQE5HafATeHJZ96d/udKpHzOgzPnbEbsxNtjT/x6KHwS1HLbktBbBbTfbpEBDPIVYWsTUEEkAIh31V+2gF81dI9dor7ZdpPVhE1i+krgQaTtI5evLjbfwNEIcpjD1q6mKWx/kQR6tg9mwAytuvYLeYylvbiQFnjWJeDNdCqThX3q4LTrom3jPyiSSVORIQIOG4FjN3Bo3caZE31X3Ei0cnxCmJTMfyoGc1h4Kpjvd+UHiXCu5S9THpq9Xz90ol55brZeKHj00g1VZhzjYEdJUqNZTNFUBDGd5IhECKObY39bwQEeE1YhKS6PIScBZ7yFNPQf7Jg8Mhuab147dCX7gXCfwzINxbUfKoQ7GgIS7gKtYSied4uLVR7AjjNnQASZT9Y6eggZSe4NVb7CEECM1X5niFCiYsJ0nuylsOT12Q0B551AyZTb3QEuCy2Y7FOPt4Y2IJt5CCll0zycd2zURHk6HHvq5y+h0hsQrkK4F9lMuhqRIarKx+oNsbwiiPJEEqS48zGyintW5b2p6aoDTfdAoEgRbrOM9BVAMy4qlHwwPkx9OyBS4mEcu8+CEb8Uvj8oGCOMO4MsdZbApkaAHGG/Mzsse09zP6/Odw6aRPpQipiDeGaxGmXoBIqprZQ=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFFDCCAvygAwIBAgIEU7sqbzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJBVTEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKEwNNR0wxDDAKBgNVBAsTA0lBTTEQMA4GA1UEAxMHRklNLVNJVDAeFw0xNDA3MDcyMzE3MDNaFw0yNDA3MDQyMzE3MDNaMEwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQHEwZTeWRuZXkxDDAKBgNVBAoTA01HTDEMMAoGA1UECxMDSUFNMRAwDgYDVQQDEwdGSU0tU0lUMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwNSu2CZGpWtgnWBtPzwHXoU1pyh38u97racDwngL6Gzj+q1ZbfZCGepUYCbstWHzAJUGQ9Om0pk/vRVYkzzPm+scfY7nS31LL6FJ4RB/KDeoYretNatBrGqCN9++Go3N4kWjyydq2Bj+q0eLwv2nveiAxnd0zG4nOXH398+ovsOGcsdzAz5g7mzqu/soTqpmAQxY+2+Z0Lyw4IjoROOD/6f3nh4fIelcpBFu8Q6W7rmBWZqMmMcqtGSoZAgduhK9BvlKYJHp3+Wy0YO3Cmf28RsX+EOMUWkJXk8kav6rsMkT+9Fchb8Xop3/Bwl0tpjXk5macXSlPU7v5jnISzqnZ1hq1cKKTcU3C48CKdRmYEwVqjX8VLFDzXAPMONcDvGD3HMBWo6w6l2XKTjkPRRa9+3lodPFaK41R7K/auaR6vxx1NBdIx8P/6LfyKdb/1ZVVP1TsZIvwTUAk2h5GZqwv5O16U5gBOiy5JfSQdL5PMIUQv9KWXicjB4PC0FKZOMCuJ3mDe7otVojLVbO8102sMfXAsiRxS4PUgduD5XxC2N21VfiN32slendlFIRMGxERUJbUaBfjiuXRNlTwzXaVkc/32FdSPGE9onQNHrP3EoWVSTHNE1qNgqBi6GLmcBCJSGLXisDBzGo47IvPP8FGgsFZIVcKNpWW8YsJx2LAokCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEApNhmplDA1phtWJIuihejyosHMh00g0xEvZe1I9cyiz8wjUK/ZzsCoqQgyb19LdPj1/H3hLHudApEm6yzZc5lLYid6YJhnPy0T8Rf8BgbbiUAeAFyt5PVGZDuIV0+6S9rgotRBYqPjt9sIlKkz/NZGS50ptWvDEQIWLFIsEDa1u+pbu7SxmMH9SQkPXQ2uaFuLaBI68XTIyyR7FKVpi3tDTC6Yl5CksbQTXGvs44mXG0Qd7TLMsWiAnk0YWyDtUiz2J714fwDtafLyTxfwYBU6YWC13F98gdpkimn+jUuhtdDDCRIYxis7SiJLEoRwZ3xz7Xt0dR2+Jdn7gPDWOaq1KIzL/Gr+wcgebswdiXxvqqjerC3lvBVSJ5Ui/FfGKCivn8/1Et2YRGsINp6zZZpQXnK/oqC/9jZ9P0fJm0kI9QP7y5RWuXD0WPMQTo+VXqj4XdYGdaELPNc80OCMgsaCW1yTm7Svxk/ufkVRgzVke0hjyMZOwdjdIO5ooMgpQRFCBy6Lg9+ABk6e4YlxSjwlwGga7FIttrNkjch3ekF1APLezbvxQ/E2csMoiUzIuXHsaJbGeV1QGl4YqEzVavnadiuqtyBCqum6CSPi/plSuyn3eG7C3BbxZMIq4h3MZ7TXDx/bCw5Xb+0I84X8AIXHDfAT8n6cgJWR+vo+/WVWrY=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
下面提到的是 IDP 元数据
<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIFFDCCAvygAwIBAgIEU7sqbzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJBVTEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKEwNNR0wxDDAKBgNVBAsTA0lBTTEQMA4GA1UEAxMHRklNLVNJVDAeFw0xNDA3MDcyMzE3MDNaFw0yNDA3MDQyMzE3MDNaMEwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQHEwZTeWRuZXkxDDAKBgNVBAoTA01HTDEMMAoGA1UECxMDSUFNMRAwDgYDVQQDEwdGSU0tU0lUMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwNSu2CZGpWtgnWBtPzwHXoU1pyh38u97racDwngL6Gzj+q1ZbfZCGepUYCbstWHzAJUGQ9Om0pk/vRVYkzzPm+scfY7nS31LL6FJ4RB/KDeoYretNatBrGqCN9++Go3N4kWjyydq2Bj+q0eLwv2nveiAxnd0zG4nOXH398+ovsOGcsdzAz5g7mzqu/soTqpmAQxY+2+Z0Lyw4IjoROOD/6f3nh4fIelcpBFu8Q6W7rmBWZqMmMcqtGSoZAgduhK9BvlKYJHp3+Wy0YO3Cmf28RsX+EOMUWkJXk8kav6rsMkT+9Fchb8Xop3/Bwl0tpjXk5macXSlPU7v5jnISzqnZ1hq1cKKTcU3C48CKdRmYEwVqjX8VLFDzXAPMONcDvGD3HMBWo6w6l2XKTjkPRRa9+3lodPFaK41R7K/auaR6vxx1NBdIx8P/6LfyKdb/1ZVVP1TsZIvwTUAk2h5GZqwv5O16U5gBOiy5JfSQdL5PMIUQv9KWXicjB4PC0FKZOMCuJ3mDe7otVojLVbO8102sMfXAsiRxS4PUgduD5XxC2N21VfiN32slendlFIRMGxERUJbUaBfjiuXRNlTwzXaVkc/32FdSPGE9onQNHrP3EoWVSTHNE1qNgqBi6GLmcBCJSGLXisDBzGo47IvPP8FGgsFZIVcKNpWW8YsJx2LAokCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEApNhmplDA1phtWJIuihejyosHMh00g0xEvZe1I9cyiz8wjUK/ZzsCoqQgyb19LdPj1/H3hLHudApEm6yzZc5lLYid6YJhnPy0T8Rf8BgbbiUAeAFyt5PVGZDuIV0+6S9rgotRBYqPjt9sIlKkz/NZGS50ptWvDEQIWLFIsEDa1u+pbu7SxmMH9SQkPXQ2uaFuLaBI68XTIyyR7FKVpi3tDTC6Yl5CksbQTXGvs44mXG0Qd7TLMsWiAnk0YWyDtUiz2J714fwDtafLyTxfwYBU6YWC13F98gdpkimn+jUuhtdDDCRIYxis7SiJLEoRwZ3xz7Xt0dR2+Jdn7gPDWOaq1KIzL/Gr+wcgebswdiXxvqqjerC3lvBVSJ5Ui/FfGKCivn8/1Et2YRGsINp6zZZpQXnK/oqC/9jZ9P0fJm0kI9QP7y5RWuXD0WPMQTo+VXqj4XdYGdaELPNc80OCMgsaCW1yTm7Svxk/ufkVRgzVke0hjyMZOwdjdIO5ooMgpQRFCBy6Lg9+ABk6e4YlxSjwlwGga7FIttrNkjch3ekF1APLezbvxQ/E2csMoiUzIuXHsaJbGeV1QGl4YqEzVavnadiuqtyBCqum6CSPi/plSuyn3eG7C3BbxZMIq4h3MZ7TXDx/bCw5Xb+0I84X8AIXHDfAT8n6cgJWR+vo+/WVWrY=
</X509Certificate>
</X509Data>
</KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></md:EncryptionMethod>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIFFDCCAvygAwIBAgIEU7sqbzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJBVTEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKEwNNR0wxDDAKBgNVBAsTA0lBTTEQMA4GA1UEAxMHRklNLVNJVDAeFw0xNDA3MDcyMzE3MDNaFw0yNDA3MDQyMzE3MDNaMEwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQHEwZTeWRuZXkxDDAKBgNVBAoTA01HTDEMMAoGA1UECxMDSUFNMRAwDgYDVQQDEwdGSU0tU0lUMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwNSu2CZGpWtgnWBtPzwHXoU1pyh38u97racDwngL6Gzj+q1ZbfZCGepUYCbstWHzAJUGQ9Om0pk/vRVYkzzPm+scfY7nS31LL6FJ4RB/KDeoYretNatBrGqCN9++Go3N4kWjyydq2Bj+q0eLwv2nveiAxnd0zG4nOXH398+ovsOGcsdzAz5g7mzqu/soTqpmAQxY+2+Z0Lyw4IjoROOD/6f3nh4fIelcpBFu8Q6W7rmBWZqMmMcqtGSoZAgduhK9BvlKYJHp3+Wy0YO3Cmf28RsX+EOMUWkJXk8kav6rsMkT+9Fchb8Xop3/Bwl0tpjXk5macXSlPU7v5jnISzqnZ1hq1cKKTcU3C48CKdRmYEwVqjX8VLFDzXAPMONcDvGD3HMBWo6w6l2XKTjkPRRa9+3lodPFaK41R7K/auaR6vxx1NBdIx8P/6LfyKdb/1ZVVP1TsZIvwTUAk2h5GZqwv5O16U5gBOiy5JfSQdL5PMIUQv9KWXicjB4PC0FKZOMCuJ3mDe7otVojLVbO8102sMfXAsiRxS4PUgduD5XxC2N21VfiN32slendlFIRMGxERUJbUaBfjiuXRNlTwzXaVkc/32FdSPGE9onQNHrP3EoWVSTHNE1qNgqBi6GLmcBCJSGLXisDBzGo47IvPP8FGgsFZIVcKNpWW8YsJx2LAokCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEApNhmplDA1phtWJIuihejyosHMh00g0xEvZe1I9cyiz8wjUK/ZzsCoqQgyb19LdPj1/H3hLHudApEm6yzZc5lLYid6YJhnPy0T8Rf8BgbbiUAeAFyt5PVGZDuIV0+6S9rgotRBYqPjt9sIlKkz/NZGS50ptWvDEQIWLFIsEDa1u+pbu7SxmMH9SQkPXQ2uaFuLaBI68XTIyyR7FKVpi3tDTC6Yl5CksbQTXGvs44mXG0Qd7TLMsWiAnk0YWyDtUiz2J714fwDtafLyTxfwYBU6YWC13F98gdpkimn+jUuhtdDDCRIYxis7SiJLEoRwZ3xz7Xt0dR2+Jdn7gPDWOaq1KIzL/Gr+wcgebswdiXxvqqjerC3lvBVSJ5Ui/FfGKCivn8/1Et2YRGsINp6zZZpQXnK/oqC/9jZ9P0fJm0kI9QP7y5RWuXD0WPMQTo+VXqj4XdYGdaELPNc80OCMgsaCW1yTm7Svxk/ufkVRgzVke0hjyMZOwdjdIO5ooMgpQRFCBy6Lg9+ABk6e4YlxSjwlwGga7FIttrNkjch3ekF1APLezbvxQ/E2csMoiUzIuXHsaJbGeV1QGl4YqEzVavnadiuqtyBCqum6CSPi/plSuyn3eG7C3BbxZMIq4h3MZ7TXDx/bCw5Xb+0I84X8AIXHDfAT8n6cgJWR+vo+/WVWrY=
</X509Certificate>
</X509Data>
</KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
</md:KeyDescriptor>
<md:ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www-test.com.au/sps/login/saml20/soap"
index="0" isDefault="true" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www-test.com.au/sps/login/saml20/slo" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://www-test.com.au/sps/login/saml20/slo" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</md:NameIDFormat>
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www-test.com.au/sps/login/saml20/login" />
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://www-test.com.au/sps/login/saml20/login" />
</md:IDPSSODescriptor>
最佳答案
我在这里并不是 100%,但听起来 SAMLResponse 指定了 1 种签名方法,但实际上使用了不同的方法来生成签名。该消息告诉 SP 使用 sha256 进行验证:
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
但是签名验证代码足够聪明,可以意识到它实际上是别的东西(sha512?)。由于两者不匹配,因此签名无效。看看当两者按预期匹配时会发生什么。
关于java - Saml 2.0 签名验证失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28168039/