Signature trust establishment failed, cannot import metadata

Date: 2019-10-16 17:42:24

Tags: saml-2.0 spring-saml opensaml xmlsec

I am trying to upgrade my application to support signed metadata in the entities descriptor file, but I am getting a `Signature trust establishment failed for metadata entry` error, and so far I have not been able to get past it. This is the signature in my EntitiesDescriptor file:

  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>XJD/Y5ykEBO1jLj+v8xq3KEU1OG6ogxNI44/03bN7J8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      5oX7HIlXTR1/lncq1FWPt4HjV2FJUhZieVJiwkPxQZB/oeKdVLyrDsXaOklesb9jnVvD69QasB6t
      LXw0pEcOveJRG5CYfhcIPwIDG/ycLuozCtQJi516k6NqhNG12ink2zWtT3qpiFQq0mGumt5o5o4H
      PAVsRUnsX91g1N6PeB5lnqiFCkPCHBMnoO5QQRX3BVMKPzCj5ySaMlYChIP6I44KuTbPEVzsn6Dk
      qLWmK/z6EpwTT0IBqbzsUGvygnjSMdoO/KbcA5wa3hyT2bB4ym7WQETmIptsYjFx/E76Aq8mbF/j
      vxo8VYbTj5+py1O8maotoddauaBeFwClibGqZQ==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>
            6lwHznwAXN8japQKbZi1My3acZQDu1uQZ7BAR2iaKKudUVnYH53kGY/G9p5pO4CZAom25x37Q1eX
            D9T6JRz5s3ouMVQXUR0mExXnpXHnHEiQuwEtW9xcQ87jKe17nBLZVkfw5/WeGxuBJ79asNY1SftX
            tTBX9h08Lnm96uolcOPBwZAc7TD2EFaiOo5Oac2B6UDqkD900xv+nvgOR+shCq6gmjrvrF8ajTip
            17L6uM97K1sr/pKpqQrfoHMwmzgrZ+h4jN3DUvJNW3hviUM+N4ws4EjDmhTO5FZ364yViDdnQHov
            PmScDONLqrx94VBq0CFUmOROSrVO57GItP5LxQ==
          </ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
      <ds:X509Data>
        <ds:X509Certificate>
          MIIC8zCCAdsCBgFtvM1HljANBgkqhkiG9w0BAQsFADA9MTswOQYDVQQDDDJodHRwOi8vbG9jYWxo
          b3N0OjgwODAvbXlEaWdpdGFsR2xvYmUvc2FtbC9tZXRhZGF0YTAeFw0xOTEwMTEyMTQ4NTJaFw0y
          OTEwMTEyMTUwMzJaMD0xOzA5BgNVBAMMMmh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9teURpZ2l0YWxH
          bG9iZS9zYW1sL21ldGFkYXRhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6lwHznwA
          XN8japQKbZi1My3acZQDu1uQZ7BAR2iaKKudUVnYH53kGY/G9p5pO4CZAom25x37Q1eXD9T6JRz5
          s3ouMVQXUR0mExXnpXHnHEiQuwEtW9xcQ87jKe17nBLZVkfw5/WeGxuBJ79asNY1SftXtTBX9h08
          Lnm96uolcOPBwZAc7TD2EFaiOo5Oac2B6UDqkD900xv+nvgOR+shCq6gmjrvrF8ajTip17L6uM97
          K1sr/pKpqQrfoHMwmzgrZ+h4jN3DUvJNW3hviUM+N4ws4EjDmhTO5FZ364yViDdnQHovPmScDONL
          qrx94VBq0CFUmOROSrVO57GItP5LxQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAmhb3BG7++uZYO
          b1Def+dXjay/84hEKSCzRRQek1+XY7OIvjXdf/ImNUZ8t6dEqEQC2Q0k5QwLS3kHGXqn4JwqDeA2
          /X06cCYNYa2+8Wq0PkPH+0e2bmhwQceHu8HgzPmhLvmuT03PHSvyNgo4j0RFfBWZiUu2oes02ZJy
          3DfWkkORLNvgUW14cUlnB4scCZJdccsUZYMN6iFHO+wbVCGOTftau3snoh6SF4yBAQ6gCvKAOKMS
          bHQ6XNX8pmq3QqE9yDEzmYOeeywbegBXJFywuzMDyzxnIx7Amuyjf5OGYpnn1YWm5JB5WkwLMBgF
          ZEuagDSfh4Yb/yvNskoqKbfg
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>

Here is the relevant part of my Spring Security context:

    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="entityBaseURL" value="${services.myBaseUrl}"/>
                <property name="extendedMetadata">
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="signMetadata" value="true"/>
                        <property name="idpDiscoveryEnabled" value="false"/>
                    </bean>
                </property>
                <property name="requestSigned" value="true"/>
            </bean>
        </constructor-arg>
    </bean>

    <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
        <constructor-arg value="file:/Users/vrodrigu/Downloads/keystore.jks"/>
        <constructor-arg type="java.lang.String" value="password"/>
        <constructor-arg>
            <map>
                <entry key="MyKey" value="password"/>
            </map>
        </constructor-arg>
        <constructor-arg type="java.lang.String" value="MyKey"/>
    </bean>

I tried adding the X509 certificate to my keystore.jks, but I still get the `Signature trust establishment failed for metadata entry` error. Do I need to add the key and the X509 certificate as a key pair? If so, how do I do that? If not, what else should I try? Thanks!
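As an added example (not part of the original question), this is how the signed EntitiesDescriptor can be loaded in Spring Security SAML 1.x with OpenSAML's signature trust check kept on, naming the keystore alias whose certificate is allowed to sign it; the property names are those of `ExtendedMetadataDelegate`, while the file path, the `parserPool` bean and the assumption that alias `MyKey` holds the signer's certificate are mine.

```xml
<!-- Added example, not from the original question: load the signed
     EntitiesDescriptor with the signature trust check left ON.
     Property names are those of Spring Security SAML 1.x
     ExtendedMetadataDelegate; the file path, the parserPool bean and the
     assumption that alias "MyKey" holds the signer's certificate are mine. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <!-- the signed EntitiesDescriptor file (path is an assumption) -->
                        <constructor-arg>
                            <value type="java.io.File">classpath:security/entities.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                </constructor-arg>
                <!-- Reject the file unless its ds:Signature verifies AND the signing
                     key is one we trust; keeping this on is the safe default. -->
                <property name="metadataTrustCheck" value="true"/>
                <property name="metadataRequireSignature" value="true"/>
                <!-- Aliases in the keyManager keystore whose certificate may sign the
                     metadata. The X509Certificate carried in ds:KeyInfo must correspond
                     to one of them; if it does not, OpenSAML reports
                     "Signature trust establishment failed for metadata entry". -->
                <property name="metadataTrustedKeys">
                    <set>
                        <value>MyKey</value>
                    </set>
                </property>
            </bean>
        </list>
    </constructor-arg>
</bean>
```

If the signer's certificate is imported into keystore.jks under a different alias (for example with `keytool -importcert`), list that alias in `metadataTrustedKeys` instead of `MyKey`.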

0 answers:

No answers