SAML2BearerGrantHandler cannot validate the signature

Time: 2016-12-22 13:27:32

Tags: wso2is wso2-am

I am trying to get the SAML2BearerGrantHandler in APIM 2.0.0 up and running. I am using Auth0 as the IdP and have added SAML2.

I created the IdP in the Carbon console, uploaded the signing certificate, etc. I am more or less following this document to test the grant: https://docs.wso2.com/display/AM200/SAML+Extension+Grant

I get an assertion, but when I try to obtain a token I get this error:

    [2016-12-22 14:14:07,493] DEBUG -  Starting to unmarshall Apache XML-Security-based SignatureImpl element {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
    [2016-12-22 14:14:07,493] DEBUG -  Constructing Apache XMLSignature object {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
    [2016-12-22 14:14:07,493] DEBUG -  Adding canonicalization and signing algorithms, and HMAC output length to Signature {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
    [2016-12-22 14:14:07,493] DEBUG -  Adding KeyInfo to Signature {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
    [2016-12-22 14:14:07,496] DEBUG -  Attempting to validate signature using key from supplied credential {org.opensaml.xml.signature.SignatureValidator}
    [2016-12-22 14:14:07,496] DEBUG -  Creating XMLSignature object {org.opensaml.xml.signature.SignatureValidator}
    [2016-12-22 14:14:07,496] DEBUG -  Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1 {org.opensaml.xml.signature.SignatureValidator}
    [2016-12-22 14:14:07,496] DEBUG -  Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' {org.opensaml.xml.signature.SignatureValidator}
    [2016-12-22 14:14:07,496] DEBUG -  signatureMethodURI = http://www.w3.org/2000/09/xmldsig#rsa-sha1 {org.apache.xml.security.signature.XMLSignature}
    [2016-12-22 14:14:07,497] DEBUG -  jceSigAlgorithm    = SHA1withRSA {org.apache.xml.security.signature.XMLSignature}
    [2016-12-22 14:14:07,497] DEBUG -  jceSigProvider     = SunRsaSign {org.apache.xml.security.signature.XMLSignature}
    [2016-12-22 14:14:07,498] DEBUG -  PublicKey = Sun RSA public key, 2048 bits
      modulus: 26353633891041219443555298896940833763013288672547189529990760782389210433157310523660493244822551263271160825380041450279478692306592200788388889392222651352619319200257986531144181422406322904036906144840963109856120111801402390951198592877952280076297215745933238289610251813795329247172444398191149065258417196041849903979764273498745394547327839617271694646395229047487503702861075929157239530326410733377150539916753245430560066336565896803919667301164361866985565847943467875326115118253431566885711860811510147756117932985644696034426336566866370975790479374077388749068216645015606582681408478883949754138717
      public exponent: 65537 {org.apache.xml.security.signature.XMLSignature}
    [2016-12-22 14:14:07,498] ERROR -  Error while validating the signature. {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler}
    org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:74)
        at org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:472)
        at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:194)
        at org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:219)
        at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:246)
        at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:110)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
        at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: org.apache.xml.security.signature.XMLSignatureException: Signature length not correct: got 0 but was expecting 256
    Original Exception was java.security.SignatureException: Signature length not correct: got 0 but was expecting 256
        at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:93)
        at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(SignatureAlgorithm.java:301)
        at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:723)
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:69)
        ... 58 more
    Caused by: java.security.SignatureException: Signature length not correct: got 0 but was expecting 256
        at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
        at java.security.Signature$Delegate.engineVerify(Signature.java:1219)
        at java.security.Signature.verify(Signature.java:652)
        at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:91)
        ... 61 more

So it looks like the assertion is fine, but I still cannot validate the signature. Has anyone had this problem before and solved it?

Update: here is the assertion generated by Auth0:

    <?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="nieapeeiianlpgnhhkmildecgaajocfbpdonepgi" IssueInstant="2016-12-27T08:37:07.712Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:spronq.eu.auth0.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#nieapeeiianlpgnhhkmildecgaajocfbpdonepgi">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>z7dAuipcj9k945anY2H4BpJJ00w=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC7jCCAdagAwIBAgIJa9PaSP2xH3taMA0GCSqGSIb3DQEBBQUAMB4xHDAaBgNVBAMTE3Nwcm9u
    cS5ldS5hdXRoMC5jb20wHhcNMTYxMDEyMDYyMDQyWhcNMzAwNjIxMDYyMDQyWjAeMRwwGgYDVQQD
    ExNzcHJvbnEuZXUuYXV0aDAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0MLQ
    btTBiUvTRlDMZ8ynAaNQWxuKvoL7FBI47rw1apxLfTtYnBBIeD4NC0XHkEP0hJ8cWKz/z37PmCS9
    HNZpIk8yuIQS8pZiafEdMIiBBuFqrDJ1okrTt9koweAs+Gmu1oJIENpFRg5Ud81t1nWqj89m9pOp
    F7MBx/z6ZZcUDKBaB+XnrOtZzH4Oo//+AlkFmPHVuU8S0Zva68RC9SLnoxLGpm+ZM4aoHFlP/tOO
    kHKh+4w4HLBzXy+fzG6wktEisvGhkAgvcV4PmuVdFXZmj1JCQLGA4O4Itzl4P2337TOK4tMCwSFd
    CclqhNBjtITe5tJ+CeBDZD7+8lDvNrtAXQIDAQABoy8wLTAMBgNVHRMEBTADAQH/MB0GA1UdDgQW
    BBRMyIkyGViVCCV8fPj7XZY/gjzLGjANBgkqhkiG9w0BAQUFAAOCAQEAx4D72OFZ1KaTrCOYfz7E
    Z6OuWHZ21R3zdvJes+JBUcp9imnzvJTBi0IkjK1lOjuBddcPsSI7aGK5Da+zqbiR2TvbWnEphlYY
    rPgVsQEp1OhelQwmQALd6C/28HFVUF/rC74LmSP5akXTl5itTt2H04P0dHbTF8/sBTSqfm1PLdp/
    gseJTUszQTVNE6oM1U70VAZ4cRR5B8Qkb0Y54nRGllv8FdShxVf2GBaZIOriolh8wojNE47igXOm
    nfvfWeZydyV9LVFi9uaT3LOiuct9s+MeFj8WDcUy3QwumVdXwh3a8R82PlPdlTXkZC/UDqSP26t5
    0bgZF3esedF3TCqA9w==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">d.kruitbosch@vanlanschot.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2016-12-27T08:42:07.712Z" Recipient="https://localhost:8243/token"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2016-12-27T08:37:07.712Z" NotOnOrAfter="2016-12-27T08:42:07.712Z"><saml:AudienceRestriction><saml:Audience>https://localhost:8243/token</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2016-12-27T08:37:07.774Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="w"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">s</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>

Thanks,

Danny

1 answer:

Answer 0 (score: 1)

So I solved this with a lot of manual steps. But at least I know the SAML bearer token works properly.

I could not use the SAMLAssertionCreator.jar linked in the WSO2 documentation. So what I did was the following:

  • Changed the SAML settings in Auth0 to set the correct audience and recipient values.
  • Created a SAML assertion with the debug tool of the SAML Addon in Auth0.
  • Copied the SAML response, copied the assertion part out of it, minified the XML and encoded it (using http://kjur.github.io/jsjws/tool_b64uenc.html).
  • Created a test in Postman and obtained an access token using the encoded assertion.

This works, so I know I can start building my client to use these steps, and I have a way to verify everything.

Regards,

Danny
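As an added example (not code from the question, the answer or WSO2), the following Python script automates the answer's manual steps and pre-checks the assertion for the failure the question's log shows: an empty ds:SignatureValue, which the verifier reports as "got 0 but was expecting 256" (256 bytes being an RSA-2048 signature). It also checks Audience and Recipient against the token endpoint, then minifies and base64url-encodes the assertion into the form body of a saml2-bearer token request. The sample assertion, the issuer urn:example-idp and the RSA key size are assumptions; the grant_type URN is the one RFC 7522 defines.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TOKEN_ENDPOINT = "https://localhost:8243/token"  # endpoint used in the question

# Constructed sample (assumption): same shape as the posted assertion, with an
# empty SignatureValue exactly as in the question's Auth0 output.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0">
<saml:Issuer>urn:example-idp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
<ds:SignatureValue/>
</ds:Signature>
<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://localhost:8243/token"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://localhost:8243/token</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def precheck(xml_text, token_endpoint=TOKEN_ENDPOINT, rsa_bits=2048):
    """Return the reasons the token endpoint would reject this assertion (empty list = none found)."""
    root = ET.fromstring(xml_text)
    problems = []
    sig = root.find("ds:Signature/ds:SignatureValue", NS)
    raw = (sig.text or "").strip() if sig is not None else ""
    sig_len = len(base64.b64decode(raw)) if raw else 0   # RSA signature is key-size bytes long
    if sig_len != rsa_bits // 8:
        problems.append(f"signature length {sig_len}, expected {rsa_bits // 8}")
    aud = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                        default="", namespaces=NS)
    if aud.strip() != token_endpoint:
        problems.append(f"audience {aud!r} != {token_endpoint!r}")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != token_endpoint:
        problems.append("recipient does not match token endpoint")
    return problems

def minify(xml_text):
    """Drop whitespace between tags (the answer's 'minify the XML' step)."""
    return re.sub(r">\s+<", "><", xml_text.strip())

def token_request(xml_text):
    """Form body for the SAML2 bearer grant (RFC 7522): base64url, padding stripped."""
    assertion = base64.urlsafe_b64encode(minify(xml_text).encode()).decode().rstrip("=")
    return {"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer", "assertion": assertion}
```

Run precheck() before posting to the token endpoint; a non-empty list means the request would fail server-side for one of the reasons the question and answer describe.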