Signature trust establishment failed for SAML metadata entry
In order to fetch metadata from a remote source, I defined an ExtendedMetadataDelegate bean as follows:

import java.util.Timer;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

@Bean
@Qualifier("replyMeta")
public ExtendedMetadataDelegate replyMetadataProvider() throws MetadataProviderException {
    String metadataURL = "https://ststest.mydomain.it/FederationMetadata/2007-06/FederationMetadata.xml";
    // Daemon timer used by the provider to refresh the remote metadata in the background.
    final Timer backgroundTaskTimer = new Timer(true);
    // httpClient() and parserPool() are other beans of the same configuration class (not shown).
    HTTPMetadataProvider provider = new HTTPMetadataProvider(
            backgroundTaskTimer, httpClient(), metadataURL);
    provider.setParserPool(parserPool());
    // With a default ExtendedMetadata, metadataTrustCheck stays enabled: the metadata
    // signature must be verifiable with a key trusted from the keystore.
    ExtendedMetadataDelegate emd = new ExtendedMetadataDelegate(
            provider, new ExtendedMetadata());
    return emd;
}

To ensure the signature trust establishment, I added the related key both in JDK keystore and application keystore (the second step might not be enough); despite that, an error occurs by running the webapp.

[2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Attempting to validate signature using key from supplied credential
[2014-08-18 14:36:47.200] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Creating XMLSignature object
[2014-08-18 14:36:47.206] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2014-08-18 14:36:47.207] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
[2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- SignatureValidator: Signature validated with key from supplied credential
[2014-08-18 14:36:47.329] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential
[2014-08-18 14:36:47.330] boot - 6000 DEBUG [localhost-startStop-1] --- BasicX509CredentialNameEvaluator: Supplied trusted names are null or empty, skipping name evaluation
[2014-08-18 14:36:47.331] boot - 6000 DEBUG [localhost-startStop-1] --- MetadataCredentialResolver: Attempting PKIX path validation on untrusted credential: [subjectName='CN=ADFS Signing - ststest-replynet.reply.it']
[2014-08-18 14:36:47.346] boot - 6000 ERROR [localhost-startStop-1] --- MetadataCredentialResolver: PKIX path construction failed for untrusted credential: [subjectName='CN=ADFS Signing - ststest-replynet.reply.it']: unable to find valid certification path to requested target
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: Signature trust could not be established via PKIX validation of signing credential
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to establish trust of KeyInfo-derived credential
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
[2014-08-18 14:36:47.347] boot - 6000 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: PKIX validation of signature failed, unable to resolve valid and trusted signing key
[2014-08-18 14:36:47.347] boot - 6000 ERROR [localhost-startStop-1] --- SignatureValidationFilter: Signature trust establishment failed for metadata entry http://ststest-replynet.reply.it/adfs/services/trust
[2014-08-18 14:36:47.349] boot - 6000 ERROR [localhost-startStop-1] --- AbstractReloadingMetadataProvider: Error filtering metadata from https://ststest-replynet.reply.it/FederationMetadata/2007-06/FederationMetadata.xml
org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

The error disappears by setting:

emd.setMetadataTrustCheck(false); 

... but I'd like to keep checking the metadata that is used.

Is there a way to resolve this error?


Update:

I tried to setup the ExtendedMetadata as follows but the error persists.

em.setAlias("defaultAlias");
em.setSigningKey("*.mydomain.it (Go Daddy Secure Certification Authority)");
Phytology answered 18/8, 2014 at 12:47 Comment(3)
Looks like that's because of "unable to find valid certification path to requested target" - do you have all needed certificates in your truststore? More info here #24699414 (Router)
I added the certificate into the JDK (jre/lib/security/cacerts) and also into samlKeystore.jks. (Phytology)
emd.setMetadataTrustCheck(false); worked for me, thanks! ... My trust was invalid and out of my control (Swen)
You have most likely imported the HTTPS certificate, but not the certificate which is used to create the signature - they differ. You should:

  1. Create file signature.cer with the following content taken from the metadata:
    -----BEGIN CERTIFICATE-----
    MIIC7jCCAdagAwIBAgIQa+pSaOoDP6ZL3qAi564CxzANBgkqhkiG9w0BAQs
    FADAzMTEwLwYDVQQDEyhBREZTIFNpZ25pbmcgLSBzdHN0ZXN0LXJlcGx5bm
    V0LnJlcGx5Lml0MB4XDTE0MDQyMTAwMzUyNVoXDTE1MDQyMTAwMzUyNVowM
    zExMC8GA1UEAxMoQURGUyBTaWduaW5nIC0gc3RzdGVzdC1yZXBseW5ldC5y
    ZXBseS5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJyI7Se
    +UGGHOGRcwHF8LrmivtcPJyNKyicPJ8UJ8pIsEmgYBnJIrpS05RkYtdUdk+
    aumDlc3ACt23FxGDLy9hkJJlRbZwklzh4W3RqGC3W5Y+t7KeIuB8d7ZrrLb
    2AoJpVHICRagsLjjHMwz9sJUt+PZdUFFc0pZckHba3TY2Y+MgPYVsyjlEkf
    QrwL0ggh23g9Pe1VQ9HaInXZvwVMGWZ1oL4Uk0cW11URa8x53ZOWMQSsksi
    MUlquItssiuJjRnI9Df+GaDxbQJi51esY2EF1o2JxqGJSA71Apy9EahDho8
    eFkfOS0fYbVNBU5X/Wn7BKsf2Rmg3r6mQM94+gAA8CAwEAATANBgkqhkiG9
    w0BAQsFAAOCAQEAIX5FEt5JWtINzy4C0LtTtta3DMOsLIBH3raRr53+6MKG
    sPP75VAt7fYUutopuk5Y2o++sVPuEuTzcogz5Dj8eglDESkPwR0PrlClVcG
    FLFEx9qOOidYIEa90g462niIOgkNkIpb1JRrmZEFo+yrYYdFSR2iXzC3O1f
    7JAhNwi+d4a8cOTrqynqL6p1z+hiWEub39FlWDPacELw9HSDIYY151hiiPz
    vIRQDBOjDg3Ws8fRwYNjJH4ElwjP2z+1r+sktD/kkh8jj3iWhT37JnQG72D
    7c63ovYICwEZUqS4L3vepO0pv6xewkUbfX4KBQbUPaVVgmVUcSecj85mvMx
    42g==
    -----END CERTIFICATE-----
    
  2. Import the certificate to your samlKeystore.jks with:
    keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer
    

This should be all you need, just restart Tomcat and your metadata loading should now pass.

You don't need to include the HTTPS certificate in your JDK's cacerts if you include the following bean, which configures the HTTP client (available in Spring SAML 1.0.0.RELEASE):

<bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer"/>
Suffuse answered 19/8, 2014 at 13:39 Comment(4)
How did you generate the signature.cer? (Generalize)
@Generalize you can get the certificate from the metadata the identity provider shares. You can probably get it from an endpoint like idp.hostname/saml2/idp/metadata.php; ask the admin of the IdP you are using. Just drop it in an empty file between the BEGIN / END CERTIFICATE tags. (Betthezul)
Even after adding signing.cer into my keystore, I am getting the same error. Any idea? (Loincloth)
Is there sample code in Spring or Java to quickly match the edited .cer and .jks against the metadata? I am restarting the server to retest, and it is taking me ages, then I remove an extra tab or newline and restart the server again. (Flotation)
I'm posting this in case it is helpful when you have done everything in the accepted answer for this question and still get the same error.

I too had this problem. I had added the IdP's metadata file and imported their certificate into my app keystore, but still had the signature trust verification problem. I had formatted the metadata.xml from the IdP in IntelliJ, and that messed something up. Once I imported their metadata file as it was, without formatting, everything went OK.

Loincloth answered 11/5, 2019 at 16:18 Comment(2)
Thank you very much, this saved me a lot of time. I still do not understand how formatting messed up the signature. First I thought it was because of the spaces that were added before and after the signature, but it was not because of that. Maybe there are other spaces on other attributes in the XML that messed it up. (Canst)
"Signature is first checked for validity by comparing digital hash included as part of the signature with value calculated from the content." -> Formatting the file means changing its content, and that is why the signature verification fails. Ref docs.spring.io/spring-security-saml/docs/current/reference/html/… (Canst)
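The comment above asking for a way to check the edited .cer and .jks against the metadata without restarting the server, and this answer's observation that reformatting the metadata file breaks its signature, can both be covered by one offline check. The following is an added example, not code from the question, the answers or Spring SAML itself; the class and method names are hypothetical. It assumes a JKS keystore, Java 8 or newer, and metadata signed the way the question's log shows (rsa-sha256, signing certificate carried in ds:KeyInfo). It lists the certificates embedded in the metadata, validates the enveloped signature with the KeyInfo certificate, re-validates after pretty-printing the XML to show why an IDE "format" breaks it, reports which keystore alias holds the signing certificate (the value to pass to setMetadataTrustedKeys), and optionally compares a hand-made signature.cer with the embedded one. Only core signature validation is done here; whether the key is trusted is exactly what the keystore lookup answers.

```java
// MetadataTrustCheck.java: added example, not code from the question or from Spring SAML.
// Reproduces offline what SignatureValidationFilter checks at startup, so keystore and
// .cer edits can be tested without restarting Tomcat. Assumed usage (placeholder names):
//   java MetadataTrustCheck FederationMetadata.xml samlKeystore.jks <storepass> [signature.cer]
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class MetadataTrustCheck {
    static final String DS = XMLSignature.XMLNS; // http://www.w3.org/2000/09/xmldsig#

    public static void main(String[] args) throws Exception {
        Document doc = parse(Files.readAllBytes(Paths.get(args[0])));
        for (X509Certificate c : certificatesUnder(doc.getDocumentElement())) {
            System.out.println("embedded: " + c.getSubjectX500Principal() + ", expires " + c.getNotAfter());
        }
        // The cert inside ds:Signature/ds:KeyInfo is the one the trust engine must find in the keystore;
        // it is not the HTTPS certificate of the metadata URL.
        Element signature = (Element) doc.getElementsByTagNameNS(DS, "Signature").item(0);
        X509Certificate signer = certificatesUnder(signature).get(0);
        System.out.println("signing cert: " + signer.getSubjectX500Principal());
        System.out.println("signature valid as downloaded: " + signatureValid(doc, signer));
        // The digests cover the canonicalised signed content, so whitespace inserted by
        // an IDE's "reformat" changes the hash and the signature no longer validates.
        System.out.println("signature valid after re-indenting: "
                + signatureValid(parse(prettyPrint(doc)), signer));

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            ks.load(in, args[2].toCharArray());
        }
        List<String> aliases = aliasesHolding(ks, signer);
        System.out.println(aliases.isEmpty()
                ? "signing cert is NOT in the keystore: PKIX trust establishment will fail"
                : "alias(es) usable in setMetadataTrustedKeys: " + aliases);

        if (args.length > 3) { // a PEM file such as the signature.cer from the accepted answer
            try (InputStream in = Files.newInputStream(Paths.get(args[3]))) {
                Certificate fromFile = CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println(".cer matches embedded signing cert: " + fromFile.equals(signer));
            }
        }
    }

    // Namespace-aware, DTD-free parse. ID attributes are registered so the signature's
    // Reference URI="#..." can be resolved by the JSR 105 validator.
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttribute("ID")) e.setIdAttribute("ID", true);
        }
        return doc;
    }

    // Every ds:X509Certificate below 'scope', decoded from its bare base64 body (no PEM header).
    static List<X509Certificate> certificatesUnder(Element scope) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        NodeList nodes = scope.getElementsByTagNameNS(DS, "X509Certificate");
        List<X509Certificate> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            byte[] der = Base64.getDecoder().decode(nodes.item(i).getTextContent().replaceAll("\\s", ""));
            out.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return out;
    }

    // Core validation only (reference digests + SignatureValue) with the given public key.
    static boolean signatureValid(Document doc, X509Certificate signer) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        if (sigs.getLength() == 0) return false;
        DOMValidateContext ctx = new DOMValidateContext(signer.getPublicKey(), sigs.item(0));
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }

    // Serialises the DOM with indentation, i.e. what an IDE "format" action does to the file.
    static byte[] prettyPrint(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        t.transform(new DOMSource(doc), new StreamResult(bos));
        return bos.toByteArray();
    }

    // Aliases whose certificate carries the same public key (trusted-cert and key entries alike).
    static List<String> aliasesHolding(KeyStore ks, X509Certificate cert) throws Exception {
        List<String> hits = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate stored = ks.getCertificate(alias);
            if (stored != null && Arrays.equals(stored.getPublicKey().getEncoded(),
                    cert.getPublicKey().getEncoded())) {
                hits.add(alias);
            }
        }
        return hits;
    }
}
```

Run it against the metadata file exactly as downloaded: if "valid as downloaded" already prints false, the file was altered before it reached the keystore step (the situation this answer describes); if it prints true but no alias is listed, the signing certificate is missing from the keystore and the PKIX path failure from the question's log is expected.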
I was facing the same issue. Steps that I followed to resolve it:

  1. extract the certificate from the IdP metadata file
  2. copy the certificate into a text file and save it as .crt, e.g. idp.crt
  3. import the crt file into the keystore: keytool -import -alias adfscert -file idp.crt -keystore samlKeystoreold.jks -storepass keystorepassword
  4. it will ask if you trust this certificate; say yes
  5. in some cases a warning message will ask you to use the PKCS12 format; do the same
  6. try running your application, it should work :)
Unveiling answered 24/3, 2021 at 12:1 Comment(0)
In my case I had to add the alias of the imported certificate to the metadataTrustedKeys property of the ExtendedMetadataDelegate emd.

if you import using the example of Vladimír Schäfer above

keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer

you have to write

emd.setMetadataTrustedKeys(Collections.singleton("adfssigning"));
Schlesinger answered 12/12, 2022 at 13:15 Comment(0)
