SAML可信證書

我在某些項目中使用opensaml 2.6.1和spring-security-saml2-core 1.0.1來啓用SSO。我正在使用自簽名證書進行加密和簽名。SAML可信證書

當我的服務提供商處獲得SAML響應，我得到了以下錯誤：

DEBUG [org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object 
DEBUG [org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 
DEBUG [org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' 
DEBUG [org.opensaml.xml.signature.SignatureValidator] Signature validated with key from supplied credential 
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate credential was successful 
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Successfully verified signature using KeyInfo-derived credential 
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Attempting to establish trust of KeyInfo-derived credential 
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to establish trust of KeyInfo-derived credential 
DEBUG [org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to verify signature and/or establish trust using any KeyInfo-derived credentials 
DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Attempting to verify signature using trusted credentials 
DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Failed to verify signature using either KeyInfo-derived or directly trusted credentials 
DEBUG [org.springframework.security.saml.websso.WebSSOProfileConsumerImpl] Validation of authentication statement in assertion failed, skipping 
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid 
    at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272) 
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419) 
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292) 
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214) 
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82) 
    at

我從異常messageis明白：

簽名驗證是成功的
信任我的證書時有一個問題我的assupmtions糾正？

我曾嘗試使用下面的命令導入我的自簽名證書到我的密鑰存儲區（cacerts店在JVM）：

keytool -importcert -trustcacerts -file "myCcert.crt" -keystore "C:\Program Files\Java\jdk1.8.0_65\jre\lib\security\cacerts" -storepass changeit -alias test

這麼想的這個命令導入我的certif並將其標誌由Java作爲值得信賴？

另一件事，java可以信任一個自簽名簽名，或者我必須得到一個CA驗證的證書才能通過驗證？

來源

2016-12-30 Zizou

是的。 Java可以信任自簽名證書。 – anacron

感謝anacron，那麼，這種例外的原因是什麼？ – Zizou

如果您試圖實施SSL，那麼您將需要一個密鑰存儲。 'cacerts'是一家信任商店，而不是一家關鍵商店。如果你想訪問別人的SSL站點，它工作正常。但是，如果您在您的網站上設置SSL，那麼您將需要一個不同的密鑰庫。 – anacron

Spring SAML不使用cacerts進行信任驗證，但是它的專用密鑰庫（示例應用程序中的samlKeystore.jks）。有關詳細信息，請閱讀Spring SAML手冊有關證書管理的章節。

來源

2017-01-01 23:37:46

回答

相關問題