在Java中验证SAML 1.1令牌的数字签名失败

时间:2012-04-24 08:51:27

标签: java digital-signature saml

能够在Java中验证SAML2.0令牌的数字签名。使用下面的代码段。

DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(), nl.item(0));
//Unmarshaling the XML Signature
XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
XMLSignature signature = factory.unmarshalXMLSignature(valContext);

//Validating the XML Signature
boolean coreValidity = signature.validate(valContext);
if (coreValidity == false) {
   System.err.println("Signature failed"); 
} else {
   System.out.println("Signature passed");
}

if(!coreValidity){
boolean sv = signature.getSignatureValue().validate(valContext);
Iterator i = signature.getSignedInfo().getReferences().iterator();
  for (int j=0; i.hasNext(); j++) {
    boolean refValid = ((Reference)i.next()).validate(valContext);
  }
}

然而无法在Java中验证SAML1.1令牌的数字签名。 •参考验证(签名中每个参考文摘的验证)失败 •签名验证(签名的加密验证)失败

需要帮助才能解决此问题。

使用下面的代码段

解决了这个问题
NodeList assertnode = doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:1.0:assertion", "Assertion");
 NamedNodeMap attrStore = assertnode.item(0).getAttributes();
 System.out.println("ID - " + attrStore.getNamedItem("AssertionID").getNodeValue());
 IdResolver.registerElementById(doc.getDocumentElement(), attrStore.getNamedItem("AssertionID").getNodeValue());

以下抛出异常

exception:-> javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _165367aa-cf9b-442b-9f44-167ecbc84b54
javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _165367aa-cf9b-442b-9f44-167ecbc84b54
    at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:352)
    at org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:311)
    at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:244)
    at com.pkg.RequestProcessor.processTokenResponse(RequestProcessor.java:134)
    at com.pkg.LoginFilter.doFilter(LoginFilter.java:69)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:185)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:151)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:269)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _165367aa-cf9b-442b-9f44-167ecbc84b54
    at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:82)
    at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:344)
    ... 20 more
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _165367aa-cf9b-442b-9f44-167ecbc84b54
    at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolve(ResolverFragment.java:89)
    at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:236)
    at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:75)
    ... 21 more

下面还列出了STS服务器返回的请求中的XML

<trust:RequestSecurityTokenResponseCollection
    xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <trust:RequestSecurityTokenResponse>
        <trust:Lifetime>
            <wsu:Created
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-04-20T11:58:45.250Z</wsu:Created>
            <wsu:Expires
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-04-20T12:38:45.250Z</wsu:Expires>
        </trust:Lifetime>
        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost:8080/</Address>
            </EndpointReference>
        </wsp:AppliesTo>
        <trust:RequestedSecurityToken>
            <saml:Assertion MajorVersion="1" MinorVersion="1"
                AssertionID="_eadcac75-e528-4b58-9b53-f6f03a8ec691" Issuer="http://3MTLO/STS/"
                IssueInstant="2012-04-20T11:58:45.250Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
                <saml:Conditions NotBefore="2012-04-20T11:58:45.250Z"
                    NotOnOrAfter="2012-04-20T12:38:45.250Z">
                    <saml:AudienceRestrictionCondition>
                        <saml:Audience>http://localhost:8080/</saml:Audience>
                    </saml:AudienceRestrictionCondition>
                </saml:Conditions>
                <saml:AttributeStatement>
                    <saml:Subject>
                        <saml:SubjectConfirmation>
                            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer
                            </saml:ConfirmationMethod>
                        </saml:SubjectConfirmation>
                    </saml:Subject>
                    <saml:Attribute AttributeName="name"
                        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml:AttributeValue>user1</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute AttributeName="Firstname"
                        AttributeNamespace="http://mmm.his.com/identity/claims">
                        <saml:AttributeValue>John</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute AttributeName="Lastname"
                        AttributeNamespace="http://mmm.his.com/identity/claims">
                        <saml:AttributeValue>Doe</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute AttributeName="emailaddress"
                        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml:AttributeValue>user@user.com</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute AttributeName="role"
                        AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
                        <saml:AttributeValue>User</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute AttributeName="ApplicationName"
                        AttributeNamespace="http://mmm.his.com/identity/claims">
                        <saml:AttributeValue>App1</saml:AttributeValue>
                    </saml:Attribute>
                </saml:AttributeStatement>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <ds:SignatureMethod
                            Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                        <ds:Reference URI="#_eadcac75-e528-4b58-9b53-f6f03a8ec691">
                            <ds:Transforms>
                                <ds:Transform
                                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                            <ds:DigestValue>mLiTJH3R86N3G6N8f0qFmvbmzQMXELpn/JTn3xNGtf4=
                            </ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>lpvRnkevRgtd+cuV+judi2rfM11CuvQ1hZQJlCYUz8wsJScub9vgB3PisDfFFSnV70dR+R6SVhXyrWraIbpXVNaCvghrDITEJirUS7rMxvM9haxFC1ujIXLamFhnNcKY7UP55dFhAO6hZxTtreUIFffg8GwfHdRsazmhPc5SMGPOH++zk+GsQywo+T+fKNby3r2jOz099pHWtcrkJCT5cFKwdnkU9Sre/AtlMWkCSALsjSOSiTHNyC/6gBW423Zowrltjs986m33jNWRxB/1FoCpKcXwbNp2GV8rPR6FzLRBn/j9IjsD7pO6XdPI8gfErDydNx0jiuJwunHB3spspw==
                    </ds:SignatureValue>
                    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <X509Data>
                            <X509Certificate>MIIC5DCCAcygAwIBAgIQLhotot90t7ZCWstBDJgCfTANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwtTVFNUZXN0Q2VydDAeFw0xMTEyMDYwMTM4MTZaFw0xMjEyMDUwNzM4MTZaMBYxFDASBgNVBAMTC1NUU1Rlc3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyQJJ6VeBw5yT4pNLTgW4wmKPit1omxdbSMVv7OxgRrECIKRxuGdNxkJHUhrjoyolLRnoXw5LpeLfD7eAWQPasvyumfCJZ07h5paLcS5gSqDy7R6YoTn4jUZwmqNh/X2lbHgIwkAWs7IWGHRkiPGDduDLK94nE6DErDO8pb8uIfL81wPCAnCCrI61C4lne5ES3f1tqpgfwSn23QHOJm9JGfXf8sAQvOd/sk+lpS16q4tHdjCpPZQtGv6pDMaz3OUWnkO82r5xgKYzxE+x6902mF7e8P2QenN99Ofo9sHP07aDTnXJG4nWDVFKzXaf299UCigz1LxtNitAeENZcvz0HQIDAQABoy4wLDALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFPT4jquZkXO8hlnKu4TSVANGO7YlMA0GCSqGSIb3DQEBBQUAA4IBAQCTnk3MwK6DWrJbSFxrr3ImCDXnpVR+sdypKdrVCme3Iwr0cnjJWkf16iMOIdoAmhC+A7JT6htAAXYk0gu06s1SMC/DPv/7a1zklO+FHS3gobx0pvFjBSDCC6ohqXCRxL5dos2r2SG2TCf4Uru9ihn0bdEy7BjdwQ7XM5cryrdVhhvf6o8Eh6z3EnqQyO4KPcCRREAXlQfrU0u/aPyYsBfoyjmsGTSMOxEDytwq20j35m0ckWg1mZi9r0BeL3klx4DS4Ibr5pyxyd9YmU/9AUlu+/pQqiVHKlv1qvUWsQ5S+2RWc+cvRwfRlGdBQeQqsvz9oyV3MXCmYFV4YKwVMyqb
                            </X509Certificate>
                        </X509Data>
                    </KeyInfo>
                </ds:Signature>
            </saml:Assertion>
        </trust:RequestedSecurityToken>
        <trust:RequestedAttachedReference>
            <o:SecurityTokenReference
                k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:KeyIdentifier
                    ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_eadcac75-e528-4b58-9b53-f6f03a8ec691</o:KeyIdentifier>
            </o:SecurityTokenReference>
        </trust:RequestedAttachedReference>
        <trust:RequestedUnattachedReference>
            <o:SecurityTokenReference
                k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:KeyIdentifier
                    ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_eadcac75-e528-4b58-9b53-f6f03a8ec691</o:KeyIdentifier>
            </o:SecurityTokenReference>
        </trust:RequestedUnattachedReference>
        <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion
        </trust:TokenType>
        <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
        </trust:RequestType>
        <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
        </trust:KeyType>
    </trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>

0 个答案:

没有答案