I am trying to implement SAML authentication over an SSL transport, but an exception is thrown when the token is validated on the service-provider side.
The problem only occurs when I use the certificates I generated myself; when I use the default keystore shipped with the application I am using (WSO2), everything works fine.
The exception is:
ID: [0] [ESB] [2014-10-31 17:57:03,320] ERROR {org.apache.synapse.transport.passthru.ServerWorker} - Error processing POST request for : /services/StockQuoteProxy.StockQuoteProxyHttpsSoap12Endpoint {org.apache.synapse.transport.passthru.ServerWorker}
org.apache.axis2.AxisFault: The signature or decryption was invalid; nested exception is:
java.security.UnrecoverableKeyException: Cannot recover key
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:411)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:183)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
java.security.UnrecoverableKeyException: Cannot recover key
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:370)
at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:244)
at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:148)
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:334)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:214)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at org.wso2.carbon.security.util.ServerCrypto.getPrivateKey(ServerCrypto.java:247)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:368)
... 18 more
The certificates and keystores are generated as follows:
server_ip=10.0.3.124
# Self-signed CA (2048-bit RSA). Note: -days 100000 (about 274 years) and the SHA-1
# signature this OpenSSL version defaults to (see "SHA1withRSA" in the listing below) are far
# weaker than current practice, and -passout on the command line exposes the passphrase in the process list.
openssl req -keyout cakey.pem -out cacert.pem -newkey rsa:2048 -x509 -days 100000 -batch -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=Exprivia Certification Authority" -passout pass:exprivia
openssl x509 -outform DER -in cacert.pem -out cacert.cert
# Server key: 1024-bit RSA is below the 2048-bit minimum generally required today
openssl genrsa -out server.key 1024
#http://apetec.com/support/GenerateSAN-CSR.htm
# Append a v3_req section with a subjectAltName so the server certificate carries the server IP
cp /etc/pki/tls/openssl.cnf myssl.cnf
echo -e "\
[req]\n\
req_extensions = v3_req\n\
\n\
[ v3_req ]\n\
\n\
# Extensions to add to a certificate request\n\
\n\
basicConstraints = CA:FALSE\n\
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\n\
subjectAltName = @alt_names\n\
\n\
[alt_names]\n\
IP.1 = $server_ip\n\
" >> myssl.cnf
# use IP.1, IP.2, etc. for IP addresses and DNS.1, etc. for domain names
# (-days has no effect on a CSR; the validity is fixed when the CA signs it below)
openssl req -key server.key -new -out server.req -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=$server_ip" -config myssl.cnf -days 100000
openssl req -text -noout -in server.req > server.req.txt
# Serial-number file for the CA: the server certificate gets serial 01, the client 02
echo "00" >> file.srl
openssl x509 -req -in server.req -CA cacert.pem -CAkey cakey.pem -CAserial file.srl -out server.pem -days 100000 -extensions v3_req -extfile myssl.cnf -passin pass:exprivia
openssl x509 -text -noout -in server.pem > server.pem.txt
openssl x509 -outform DER -in server.pem -out server.cert
# Client key and certificate; no -extensions here, so the client certificate is a v1 certificate
# without keyUsage or basicConstraints (see "Version: 1" in the listing below)
openssl genrsa -out client.key 1024
openssl req -key client.key -new -out client.req -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=Client" -days 100000
openssl x509 -req -in client.req -CA cacert.pem -CAkey cakey.pem -CAserial file.srl -out client.pem -days 100000 -passin pass:exprivia
openssl x509 -outform DER -in client.pem -out client.cert
# Server key + certificate -> PKCS#12 -> JKS. -certfile cacert.pem is not passed, so the JKS
# PrivateKeyEntry has a chain of length 1 (the CA is imported as a separate trusted entry below).
# Store password and key password are both "exprivia"; whatever reads the key must use the same values.
openssl pkcs12 -export -in server.pem -inkey server.key -out server.pkcs12 -passout pass:exprivia
keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks -deststorepass exprivia -srcstorepass exprivia -destalias server -srcalias 1 -destkeypass exprivia
keytool -import -file cacert.cert -keystore server.jks -storepass exprivia -alias cacert -noprompt
keytool -import -file client.cert -keystore server.jks -storepass exprivia -alias client -noprompt
keytool -list -v -keystore server.jks -storepass exprivia > server.txt
# Same conversion for the client
openssl pkcs12 -export -in client.pem -inkey client.key -out client.pkcs12 -passout pass:exprivia
keytool -importkeystore -srckeystore client.pkcs12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks -deststorepass exprivia -srcstorepass exprivia -destalias client -srcalias 1 -destkeypass exprivia
keytool -import -file cacert.cert -keystore client.jks -storepass exprivia -alias cacert -noprompt
keytool -list -v -keystore client.jks -storepass exprivia > client.txt
# now import the WSO2 certificate
keytool -export -keystore /usr/local/wso2is-5.0.0/repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cert -storepass wso2carbon
# needed to call the STS over https
keytool -import -file wso2carbon.cert -keystore client.jks -storepass exprivia -alias wso2carbon -noprompt
# needed to decrypt the token generated by IS
keytool -import -file wso2carbon.cert -keystore server.jks -storepass exprivia -alias wso2carbon -noprompt
and the corresponding server.jks contents are:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
Alias name: client
Creation date: 31-Oct-2014
Entry type: trustedCertEntry
Owner: CN=Client, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: 2
Valid from: Fri Oct 31 17:41:32 CET 2014 until: Wed Aug 15 18:41:32 CEST 2288
Certificate fingerprints:
MD5: 02:9B:A0:C9:F9:21:91:F5:C6:53:28:0B:C3:7E:EE:55
SHA1: 64:D9:95:AD:BB:E8:2A:D7:81:11:B7:30:DB:EE:BE:4E:89:FE:26:4A
Signature algorithm name: SHA1withRSA
Version: 1
*******************************************
*******************************************
Alias name: wso2carbon
Creation date: 31-Oct-2014
Entry type: trustedCertEntry
Owner: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
Issuer: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
Serial number: 4b7e3782
Valid from: Fri Feb 19 08:02:26 CET 2010 until: Tue Feb 13 08:02:26 CET 2035
Certificate fingerprints:
MD5: 02:FB:AA:5F:20:64:49:4A:27:29:55:71:83:F7:46:CD
SHA1: 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]
*******************************************
*******************************************
Alias name: cacert
Creation date: 31-Oct-2014
Entry type: trustedCertEntry
Owner: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: f8d3b3c3f00eef91
Valid from: Fri Oct 31 17:41:31 CET 2014 until: Wed Aug 15 18:41:31 CEST 2288
Certificate fingerprints:
MD5: DD:D1:4B:85:BC:C0:62:AA:AA:93:9C:9C:7C:AE:69:FB
SHA1: 20:A6:F2:1B:37:51:C2:5C:F5:98:98:B9:E5:B3:48:BC:03:0E:50:D2
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 44 86 D0 72 C6 ED 99 C7 EE A3 71 5A 77 C3 B4 .D..r......qZw..
0010: 7C 18 46 2D ..F-
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 06 44 86 D0 72 C6 ED 99 C7 EE A3 71 5A 77 C3 B4 .D..r......qZw..
0010: 7C 18 46 2D ..F-
]
]
*******************************************
*******************************************
Alias name: server
Creation date: 31-Oct-2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=10.0.3.124, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: 1
Valid from: Fri Oct 31 17:41:32 CET 2014 until: Wed Aug 15 18:41:32 CEST 2288
Certificate fingerprints:
MD5: 7C:40:21:05:42:06:12:BC:23:7E:76:69:37:1A:8C:99
SHA1: A8:BD:C7:41:7B:0F:98:CF:40:6B:EF:15:BF:4E:DA:F4:54:D7:38:03
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
IPAddress: 10.0.3.124
]
*******************************************
*******************************************
Where is the problem?
Thanks, Paolo
Answer 0 (score: 2)
Based on the exception at org.wso2.carbon.security.util.ServerCrypto.getPrivateKey, the private key password you configured is invalid. With WSO2 products you configure the keystore details, such as the keystore and the private key password, in the carbon.xml file. You can check there whether they have been configured correctly for the new keystore.
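The failure in the trace is raised by sun.security.provider.KeyProtector.recover, which a JKS keystore calls when KeyStore.getKey(alias, keyPassword) is given a key password that does not match the one the private-key entry was stored with. A JKS file protects each key entry with its own password, independent of the store password, so loading the keystore with the correct store password succeeds and the mismatch only surfaces when the private key is actually needed, here from ServerCrypto.getPrivateKey. The script in the question stores both the store password and the key password of server.jks as exprivia under alias server; in carbon.xml the corresponding values are the Password, KeyAlias and KeyPassword children of the KeyStore element, and all three have to match the new keystore. The diagnostic below is an added example, not WSO2's own code: it reproduces the same getKey call against a keystore and reports whether the supplied key password recovers the key, so the carbon.xml values can be checked outside the server. The class name KeyPasswordCheck and the command-line layout are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/**
 * Added example (not WSO2 code): reproduces the code path behind
 * "UnrecoverableKeyException: Cannot recover key". Loads a JKS keystore with the
 * store password, lists its entries, then tries to recover the private key under
 * one alias with the candidate key password, exactly as ServerCrypto.getPrivateKey
 * does with the values from carbon.xml (KeyStore/Password, KeyAlias, KeyPassword).
 *
 * Usage: java KeyPasswordCheck server.jks exprivia server exprivia
 * Exit status 0 if the key is recoverable, 1 if not.
 */
public class KeyPasswordCheck {

    /** True if the private key stored under alias can be recovered with keyPassword. */
    static boolean keyRecoverable(KeyStore ks, String alias, char[] keyPassword)
            throws GeneralSecurityException {
        if (!ks.isKeyEntry(alias)) {
            // A trustedCertEntry has no private key; a wrong KeyAlias would fail here, not in getKey.
            throw new IllegalArgumentException("alias '" + alias + "' is not a key entry");
        }
        try {
            return ks.getKey(alias, keyPassword) != null;
        } catch (UnrecoverableKeyException e) {
            // JKS protects each key entry with its own password; a mismatch ends up here.
            return false;
        }
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 4) {
            System.err.println("usage: KeyPasswordCheck <keystore.jks> <storepass> <alias> <keypass>");
            System.exit(2);
        }
        String path = args[0];
        char[] storePass = args[1].toCharArray();
        String alias = args[2];
        char[] keyPass = args[3].toCharArray();

        // Loading only checks the store password (and the keystore integrity hash).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }

        // Same information as "keytool -list", to confirm the alias and entry type.
        for (String a : Collections.list(ks.aliases())) {
            System.out.printf("%-12s %s%n", a, ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry");
        }

        boolean ok = keyRecoverable(ks, alias, keyPass);
        System.out.println(ok
                ? "key password OK for alias " + alias
                : "Cannot recover key: the key password does not match alias " + alias
                  + " (check KeyPassword in carbon.xml)");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once with the values currently in carbon.xml and once with the ones the script used (exprivia, server, exprivia); if the first run fails and the second succeeds, carbon.xml is still carrying the key password of the previous keystore. The same check applies to any other component configured with its own keystore entry (for example the Rampart or transport configuration), since each of them calls getKey with its own configured key password.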