java - Signature trust establishment failed for SAML metadata entry


In order to fetch metadata from a remote source, I defined the ExtendedMetadataDelegate bean as follows:

    @Bean
    @Qualifier("replyMeta")
    public ExtendedMetadataDelegate replyMetadataProvider() throws MetadataProviderException {
        String metadataURL = "https://ststest-replynet.reply.it/federationmetadata/2007-06/federationmetadata.xml";
        // Daemon timer used by the provider to refresh the metadata in the background
        final Timer backgroundTaskTimer = new Timer(true);
        // httpClient() and parserPool() are the Spring SAML beans from the same configuration class
        HTTPMetadataProvider provider = new HTTPMetadataProvider(
                backgroundTaskTimer, httpClient(), metadataURL);
        provider.setParserPool(parserPool());
        ExtendedMetadataDelegate emd = new ExtendedMetadataDelegate(
                provider, new ExtendedMetadata());
        return emd;
    }

To ensure signature trust establishment, I added the related key both in the JDK keystore and in the application keystore (the second step might not be enough); despite that, the error occurs when running the webapp.

    [2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: attempting validate signature using key supplied credential
    [2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: creating xmlsignature object
    [2014-08-18 14:36:47.206] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: validating signature signature algorithm uri: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    [2014-08-18 14:36:47.207] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: validation credential key algorithm 'rsa', key instance class 'sun.security.rsa.rsapublickeyimpl'
    [2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: signature validated key supplied credential
    [2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: signature validation using candidate credential successful
    [2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: verified signature using keyinfo-derived credential
    [2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: attempting establish trust of keyinfo-derived credential
    [2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BasicX509CredentialNameEvaluator: supplied trusted names null or empty, skipping name evaluation
    [2014-08-18 14:36:47.331] boot - 6000 DEBUG [localhost-startStop-1] --- MetadataCredentialResolver: attempting pkix path validation on untrusted credential: [subjectname='cn=adfs signing - ststest-replynet.reply.it']
    [2014-08-18 14:36:47.346] boot - 6000 ERROR [localhost-startStop-1] --- MetadataCredentialResolver: pkix path construction failed untrusted credential: [subjectname='cn=adfs signing - ststest-replynet.reply.it']: unable find valid certification path requested target
    [2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: signature trust not established via pkix validation of signing credential
    [2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: failed establish trust of keyinfo-derived credential
    [2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: failed verify signature and/or establish trust using keyinfo-derived credentials
    [2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: pkix validation of signature failed, unable resolve valid , trusted signing key
    [2014-08-18 14:36:47.347] boot - 6000 ERROR [localhost-startStop-1] --- SignatureValidationFilter: signature trust establishment failed metadata entry http://ststest-replynet.reply.it/adfs/services/trust
    [2014-08-18 14:36:47.349] boot - 6000 ERROR [localhost-startStop-1] --- AbstractReloadingMetadataProvider: error filtering metadata https://ststest-replynet.reply.it/federationmetadata/2007-06/federationmetadata.xml
    org.opensaml.saml2.metadata.provider.FilterException: signature trust establishment failed metadata entry

The error disappears when setting:

    emd.setMetadataTrustCheck(false);

... but I'd like to check the metadata that is used.

Is there a way to resolve the error?


Update:

I tried to set up the ExtendedMetadata as follows, but the error persists.

    em.setAlias("defaultAlias");
    em.setSigningKey("*.reply.it (go daddy secure certification authority)");

You have imported the HTTPS certificate, not the certificate used to create the signature; they differ. You should:

  1. Create a file signature.cer with the following content, taken from the metadata:

    -----BEGIN CERTIFICATE-----
    miic7jccadagawibagiqa+psaoodp6zl3qai564cxzanbgkqhkig9w0baqs
    fadazmtewlwydvqqdeyhbreztifnpz25pbmcglsbzdhn0zxn0lxjlcgx5bm
    v0lnjlcgx5lml0mb4xdte0mdqymtawmzuynvoxdte1mdqymtawmzuynvowm
    zexmc8ga1ueaxmoqurguybtawduaw5nic0gc3rzdgvzdc1yzxbsew5ldc5y
    zxbses5pddccasiwdqyjkozihvcnaqebbqadggepadccaqocggebajyi7se
    +ugghogrcwhf8lrmivtcpjynkyicpj8uj8pisemgybnjirps05rkytdudk+
    aumdlc3act23fxgdly9hkjjlrbzwklzh4w3rqgc3w5y+t7keiub8d7zrrlb
    2aojpvhicragsljjhmwz9sjut+pzduffc0pzckhba3ty2y+mgpyvsyjlekf
    qrwl0ggh23g9pe1vq9hainxzvwvmgwz1ol4uk0cw11ura8x53zowmqssksi
    mulquitssiujjrni9df+gadxbqji51esy2ef1o2jxqgjsa71apy9eahdho8
    efkfos0fybvnbu5x/wn7bksf2rmg3r6mqm94+gaa8caweaatanbgkqhkig9
    w0baqsfaaocaqeaix5fet5jwtinzy4c0ltttta3dmoslibh3rarr53+6mkg
    spp75vat7fyuutopuk5y2o++svpueutzcogz5dj8egldeskpwr0prlclvcg
    flfex9qooidyiea90g462niiogknkipb1jrrmzefo+yryydfsr2ixzc3o1f
    7jahnwi+d4a8cotrqynql6p1z+hiweub39flwdpacelw9hsdiyy151hiipz
    virqdbojdg3ws8frwynjjh4elwjp2z+1r+sktd/kkh8jj3iwht37jnqg72d
    7c63ovyicwezuqs4l3vepo0pv6xewkubfx4kbqbupavvgmvucsecj85mvmx
    42g==
    -----END CERTIFICATE-----
  2. Import the certificate into samlKeystore.jks with:

    keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer

This should be all you need; restart Tomcat and the metadata loading should pass.

You don't need to include the HTTPS certificate in the JDK's cacerts in case you include the following bean, which configures the HTTP client (available in Spring SAML 1.0.0.RELEASE):

    <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer"/>
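The answer's point is that the certificate inside the metadata's ds:Signature (the "KeyInfo-derived credential" the log shows failing PKIX path construction) is not the TLS certificate of the host serving the metadata. The following is an added example, not code from the question, the answer or Spring SAML: a small standalone Java utility that pulls that certificate out of a downloaded metadata file, prints its subject and SHA-256 fingerprint, checks whether the exact certificate is already a trusted entry in samlKeystore.jks, and writes it to signature.cer so that step 1 of the answer no longer requires copying base64 by hand. The file names and the keystore name follow the answer; the class name, the argument order and the hardened parser settings are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example (not from the question or answer). Usage, all arguments assumed:
//   java MetadataSigningCertCheck federationmetadata.xml samlKeystore.jks <storepass>
public class MetadataSigningCertCheck {
    private static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: MetadataSigningCertCheck <metadata.xml> <keystore.jks> <storepass>");
            System.exit(2);
        }
        Document doc = parseHardened(new FileInputStream(args[0]));
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        // Certificate(s) carried in the metadata's own ds:Signature/ds:KeyInfo. This is the
        // credential the PKIX trust engine must anchor in the keystore, not the TLS certificate.
        List<X509Certificate> sigCerts = new ArrayList<>();
        NodeList sigs = doc.getDocumentElement().getElementsByTagNameNS(DS, "Signature");
        if (sigs.getLength() > 0) {
            sigCerts.addAll(certsUnder((Element) sigs.item(0)));
        }
        report("metadata signature", sigCerts, ks);
        // Step 1 of the answer, automated: PEM-encode the metadata-signature certificate
        // for "keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer".
        if (!sigCerts.isEmpty()) {
            try (FileWriter w = new FileWriter("signature.cer")) {
                w.write(toPem(sigCerts.get(0)));
            }
        }
    }

    // Namespace-aware DOM parser with DTDs disabled, so remotely fetched metadata cannot trigger XXE.
    static Document parseHardened(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (InputStream i = in) {
            return dbf.newDocumentBuilder().parse(i);
        }
    }

    // Decodes every ds:X509Certificate element below the given element (whitespace-tolerant base64).
    static List<X509Certificate> certsUnder(Element parent) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagNameNS(DS, "X509Certificate");
        for (int i = 0; i < nodes.getLength(); i++) {
            byte[] der = Base64.getMimeDecoder().decode(nodes.item(i).getTextContent().trim());
            out.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return out;
    }

    static void report(String label, List<X509Certificate> certs, KeyStore ks) throws Exception {
        for (X509Certificate c : certs) {
            String alias = ks.getCertificateAlias(c); // null unless this exact certificate is in the store
            System.out.printf("%s: %s%n  SHA-256: %s%n  keystore: %s%n", label,
                    c.getSubjectX500Principal().getName(), fingerprint(c),
                    alias == null ? "not present" : "alias '" + alias + "'");
        }
    }

    // Colon-separated SHA-256 fingerprint, the form "keytool -list -v" prints, for side-by-side comparison.
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(i == 0 ? "" : ":").append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    static String toPem(X509Certificate c) throws Exception {
        return "-----BEGIN CERTIFICATE-----\n"
                + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(c.getEncoded())
                + "\n-----END CERTIFICATE-----\n";
    }
}
```

Comparing the printed fingerprint with the one `keytool -printcert -sslserver <host>` reports for the metadata URL's HTTPS endpoint makes the difference the answer describes visible: the two certificates do not match, so importing the TLS certificate cannot satisfy the metadata signature check. Note that "not present" is only conclusive for a self-signed signing certificate (the usual case for an ADFS signing certificate); PKIX path construction would also succeed if the certificate's issuer chain were a trusted entry in the keystore. The same `certsUnder` helper can be pointed at the md:KeyDescriptor elements to inspect the certificates the IdP advertises for signing assertions, which are checked separately from the metadata signature.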
