SAML可信证书

时间:2016-12-30 09:53:03

标签: java keytool spring-saml opensaml java-security

我在某些项目中使用opensaml 2.6.1和spring-security-saml2-core 1.0.1来启用SSO。 我正在使用自签名证书进行加密和签名。

当我的服务提供商收到SAML响应时,我收到以下错误:

DEBUG [org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
DEBUG [org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
DEBUG [org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
DEBUG [org.opensaml.xml.signature.SignatureValidator] Signature validated with key from supplied credential
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate credential was successful
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Successfully verified signature using KeyInfo-derived credential
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Attempting to establish trust of KeyInfo-derived credential
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to establish trust of KeyInfo-derived credential
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Attempting to verify signature using trusted credentials
DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Failed to verify signature using either KeyInfo-derived or directly trusted credentials
DEBUG [org.springframework.security.saml.websso.WebSSOProfileConsumerImpl] Validation of authentication statement in assertion failed, skipping
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
    at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
    at

我从异常信息中了解到:

  • 签名验证成功
  • 信任我的证书时出现问题 我的决定是否纠正了?

我已使用以下命令将自签名证书导入我的密钥库(JVM中的cacerts商店):

keytool -importcert -trustcacerts  -file "myCcert.crt" -keystore "C:\Program Files\Java\jdk1.8.0_65\jre\lib\security\cacerts" -storepass changeit -alias test

不要这个命令导入我的certif并将其标记为java信任吗?

另一件事,java可以信任自签名签名,还是我必须通过CA验证证书才能通过验证?

1 个答案:

答案 0 :(得分:0)

Spring SAML不使用cacerts进行信任验证,而是使用其专用密钥库(示例应用程序中的samlKeystore.jks)。有关详细信息,请阅读Spring SAML手册中有关证书管理的章节。

相关问题
最新问题