2013-07-26 | 34 views | score 5

Question: OpenSAML (2.0) signature validation not working

I'm using OpenSAML to build a means of validating SAML 2.0 responses posted to our server. I have most of it working and can access the various parts of the assertion. The only problem is that when I try to validate the signature using the public key below, it states: "Signature did not validate against the credential's key".

Any ideas?

Public key:

MIICozCCAgygAwIBAgIGATxK1oY4MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG 
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU 
MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDHdlc3Rlcm51bmlvbjEcMBoGCSqGSIb3DQEJ 
ARYNaW5mb0Bva3RhLmNvbTAeFw0xMzAxMTcyMzI2MThaFw00MzAxMTcyMzI3MThaMIGUMQswCQYD 
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG 
A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDHdlc3Rlcm51bmlvbjEc 
MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA 
njQZkKTyJuS1evlG/ThBqGT9VID9RnN31yr1EQXYODs1pXy8w58QkztCWTvevj8GekbJ8dsVZ2Ij 
UXJ50psNL1zyq0cJp8M08E75SCwaH7Q9goaReIFpYQZTbTE9FMfGcsrNIFZyBsCXS2dm+FfuGDQ6 
4/W0mxOHdYxqSTD+fvMCAwEAATANBgkqhkiG9w0BAQUFAAOBgQByeciVKaK5IKFPVzK3ZS37IOQm 
2vDXZYXEzUaq1urk8gunQs75ZzgIsIh6jlUZy+FO3maAoVyW5mUzqT0jBTfI0Ea3vJfQAlgn4gW2 
eiqdbu1uI48a5K1+GneO1xzqTYzMXvUoJpXqoifsrikkpHHATF8z5Y4ULKgKFSBB9VypDg== 

Signature:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
    <ds:SignedInfo> 
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
     <ds:Reference URI="#id7437579890833705637451361"> 
      <ds:Transforms> 
       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
      </ds:Transforms> 
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
      <ds:DigestValue>zIoW9N/wJrjwXfQS7I5jNyZqbJQ=</ds:DigestValue> 
     </ds:Reference> 
    </ds:SignedInfo> 
    <ds:SignatureValue>ZybzDLQ2Q8RiIqyShZFNKR8+vbVhjsAT18hIh6IcqDO5ER2ah5Fs1bErmgeITatRNgdqzxgX4jErtkituiI3vdr56g5kmaTKHf2lrU6OLW3JHUokCt9Bv9E7duvnpGEA0uFvzNMVMcqZOGUbJ1m1lkYxUIIaeOjSxPjBTZB+g3A=</ds:SignatureValue> 
    <ds:KeyInfo> 
     <ds:X509Data> 
      <ds:X509Certificate>MIICozCCAgygAwIBAgIGATxK1oY4MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG 
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU 
MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDHdlc3Rlcm51bmlvbjEcMBoGCSqGSIb3DQEJ 
ARYNaW5mb0Bva3RhLmNvbTAeFw0xMzAxMTcyMzI2MThaFw00MzAxMTcyMzI3MThaMIGUMQswCQYD 
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG 
A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDHdlc3Rlcm51bmlvbjEc 
MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA 
njQZkKTyJuS1evlG/ThBqGT9VID9RnN31yr1EQXYODs1pXy8w58QkztCWTvevj8GekbJ8dsVZ2Ij 
UXJ50psNL1zyq0cJp8M08E75SCwaH7Q9goaReIFpYQZTbTE9FMfGcsrNIFZyBsCXS2dm+FfuGDQ6 
4/W0mxOHdYxqSTD+fvMCAwEAATANBgkqhkiG9w0BAQUFAAOBgQByeciVKaK5IKFPVzK3ZS37IOQm 
2vDXZYXEzUaq1urk8gunQs75ZzgIsIh6jlUZy+FO3maAoVyW5mUzqT0jBTfI0Ea3vJfQAlgn4gW2 
eiqdbu1uI48a5K1+GneO1xzqTYzMXvUoJpXqoifsrikkpHHATF8z5Y4ULKgKFSBB9VypDg==</ds:X509Certificate> 
     </ds:X509Data> 
    </ds:KeyInfo> 
</ds:Signature> 

Implementation:

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;

try { 
    // Retrieve the SAML response from the POST body (ppMgr is the OpenSAML parser pool set up elsewhere)
    Document document = ppMgr.parse(request.getInputStream()); 
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); 
    Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(document.getDocumentElement()); 
    response = (Response) unmarshaller.unmarshall(document.getDocumentElement()); 

    // The signature to check is the one enveloped in the Response; an unsigned Response must not pass
    Signature signature = response.getSignature();
    if (signature == null) {
        throw new ValidationException("Response is not signed");
    }

    // Get the public key: load the IdP certificate from disk
    File publicKeyFile = new File("C:/saml.cer"); 
    if (!publicKeyFile.exists()) {
        // Never fall through to "valid" just because the trusted certificate is missing
        throw new ValidationException("IdP certificate not found: " + publicKeyFile);
    }
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); 
    X509Certificate certificate;
    try (InputStream fileStream = new FileInputStream(publicKeyFile)) {
        certificate = (X509Certificate) certificateFactory.generateCertificate(fileStream); 
    }

    // OpenSAML derives the public key from the entity certificate; re-encoding it through a KeyFactory is unnecessary
    BasicX509Credential publicCredential = new BasicX509Credential(); 
    publicCredential.setEntityCertificate(certificate);

    // Check the signature's shape first: enveloped transform, one Reference whose URI is the signed element's ID
    new SAMLSignatureProfileValidator().validate(signature);

    // Validate the signature against the trusted key, not against whatever <ds:KeyInfo> carries
    SignatureValidator signatureValidator = new SignatureValidator(publicCredential); 
    signatureValidator.validate(signature); 

    returnValue = true; 
} catch (ValidationException e) { 
    throw e; // Throws a 'Signature did not validate against the credential's key' exception 
} 
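What the validator is being asked to do, as an added example that is not part of the original question and not OpenSAML code: a self-contained Java program using only the JDK's javax.xml.crypto.dsig API. It builds a constructed, minimal samlp:Response with a made-up ID, signs it with a freshly generated key that stands in for the IdP (same enveloped and exclusive-c14n transforms as the signature above), then verifies it the way SignatureValidator with a BasicX509Credential should: the key comes from a fixed, trusted credential rather than from ds:KeyInfo, and the signed Reference must cover the Response element itself (the check SAMLSignatureProfileValidator performs). It also exercises the two situations that produce a "did not validate" result: a different key, and content altered after signing. Class, method and attribute names are my own assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class EnvelopedSignatureCheck {
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Constructed sample: a minimal unsigned Response. The ID value is made up. */
    static Document buildResponse() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element response = doc.createElementNS(SAMLP_NS, "samlp:Response");
        response.setAttributeNS(null, "ID", "_example-response-1");
        doc.appendChild(response);
        response.appendChild(doc.createElementNS(SAMLP_NS, "samlp:Status"));
        return doc;
    }

    /** Stands in for the IdP: enveloped signature over the root, same transforms as in the question. */
    static Document sign(Document doc, KeyPair idpKey) throws Exception {
        Element root = doc.getDocumentElement();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + root.getAttributeNS(null, "ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                          fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        // No KeyInfo on purpose: a verifier must never pick its key out of the message anyway
        DOMSignContext sctx = new DOMSignContext(idpKey.getPrivate(), root);
        sctx.setIdAttributeNS(root, null, "ID");   // lets "#ID" dereference without a DTD or schema
        fac.newXMLSignature(si, null).sign(sctx);
        return doc;
    }

    /**
     * What "validate against the credential's key" should mean: the single signature on the
     * root verifies under the trusted key, and its Reference actually covers the root element.
     */
    static boolean verifyAgainstTrustedKey(Document doc, PublicKey trustedKey) throws Exception {
        Element root = doc.getDocumentElement();
        NodeList sigs = root.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false;                       // unsigned, or several signatures: do not guess
        }
        // Fixed key selector: whatever <ds:KeyInfo> carries is attacker-controlled and is ignored
        DOMValidateContext vctx = new DOMValidateContext(trustedKey, sigs.item(0));
        // Register the root as the owner of the ID, so "#ID" resolves to the Response itself
        // and not to some other element that happens to carry the same attribute value
        vctx.setIdAttributeNS(root, null, "ID");
        vctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vctx);

        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1
                || !("#" + root.getAttributeNS(null, "ID")).equals(((Reference) refs.get(0)).getURI())) {
            return false;                       // signed something other than the Response
        }
        return sig.validate(vctx);              // SignatureValue under the key, then the reference digest
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKey = kpg.generateKeyPair();    // constructed: the IdP's key
        KeyPair otherKey = kpg.generateKeyPair();  // constructed: a key we do not trust

        Document signed = sign(buildResponse(), idpKey);
        System.out.println("trusted key:   " + verifyAgainstTrustedKey(signed, idpKey.getPublic()));
        System.out.println("untrusted key: " + verifyAgainstTrustedKey(signed, otherKey.getPublic()));

        // Alter signed content after the fact: the reference digest no longer matches
        signed.getDocumentElement().setAttributeNS(null, "Destination", "https://acs.example.net/");
        System.out.println("tampered:      " + verifyAgainstTrustedKey(signed, idpKey.getPublic()));
    }
}
```

The first check succeeds and the other two fail, which is the same split OpenSAML reports as "Signature did not validate against the credential's key": that message means either the wrong certificate was loaded or the signed bytes differ from what the IdP signed, and it says nothing about which. Two caveats when comparing this with the question's signature: it uses rsa-sha1, which JDK 17 and later reject when secure validation is on, and the only thing that makes verification trustworthy is that the key is pinned to a certificate obtained out of band (the IdP metadata or the saml.cer file), never the one carried in ds:X509Certificate.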
Comment (+0): 'File publicKeyFile = new File("C:/saml.cer");' Is this the public certificate generated by the IdP? – Gobliins

Comment (+1): With the newer version of OpenSAML, v3, this code no longer works. There is no 'new SignatureValidator()' anymore. Does anyone know how to rewrite it? – axelrose

Comment (+0): http://blog.samlsecurity.com/2016/08/verifying-signatures-with-opensaml-v3.html –

Answer (score 4)

Hmm, it turns out the code above is correct. It was the sample SAML response that was incorrect. I guess the lesson to be learned from all this is to trust in your implementation :)

Comment (+3): Could you please tell me where I can find a valid sample SAML response that the code above parses and runs successfully? –