2014-10-31

I am trying to implement SAML authentication over the SSL transport, but when the token is verified at the service provider an exception is thrown (SAML authentication: Cannot recover key exception).

The problem only occurs when I use the certificates I generated myself; when I use the default keystores that ship with the applications in use (WSO2), everything works fine.

Exception:

ID: [0] [ESB] [2014-10-31 17:57:03,320] ERROR {org.apache.synapse.transport.passthru.ServerWorker} - Error processing POST request for : /services/StockQuoteProxy.StockQuoteProxyHttpsSoap12Endpoint {org.apache.synapse.transport.passthru.ServerWorker} 
org.apache.axis2.AxisFault: The signature or decryption was invalid; nested exception is: 
    java.security.UnrecoverableKeyException: Cannot recover key 
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186) 
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95) 
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) 
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313) 
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261) 
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167) 
    at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:411) 
    at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:183) 
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) 
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) 
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) 
    at java.lang.Thread.run(Thread.java:662) 
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is: 
    java.security.UnrecoverableKeyException: Cannot recover key 
    at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:370) 
    at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:244) 
    at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:148) 
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:334) 
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124) 
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332) 
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249) 
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:214) 
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) 
    ... 10 more 
Caused by: java.security.UnrecoverableKeyException: Cannot recover key 
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:311) 
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121) 
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38) 
    at java.security.KeyStore.getKey(KeyStore.java:763) 
    at org.wso2.carbon.security.util.ServerCrypto.getPrivateKey(ServerCrypto.java:247) 
    at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:368) 
    ... 18 more 

The certificates and keystores are generated as follows:

server_ip=10.0.3.124 

openssl req -keyout cakey.pem -out cacert.pem -newkey rsa:2048 -x509 -days 100000 -batch -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=Exprivia Certification Authority" -passout pass:exprivia 

openssl x509 -outform DER -in cacert.pem -out cacert.cert 

openssl genrsa -out server.key 1024 

#http://apetec.com/support/GenerateSAN-CSR.htm 

cp /etc/pki/tls/openssl.cnf myssl.cnf 

echo -e "\ 
[req]\n\ 
req_extensions = v3_req\n\ 
\n\ 
[ v3_req ]\n\ 
\n\ 
# Extensions to add to a certificate request\n\ 
\n\ 
basicConstraints = CA:FALSE\n\ 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\n\ 
subjectAltName = @alt_names\n\ 
\n\ 
[alt_names]\n\ 
IP.1 = $server_ip\n\ 
" >> myssl.cnf 

# use IP.1, IP.2 etc. for IP addresses and DNS.1 etc. for domain names 

openssl req -key server.key -new -out server.req -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=$server_ip" -config myssl.cnf -days 100000 

openssl req -text -noout -in server.req > server.req.txt 

echo "00" >> file.srl 

openssl x509 -req -in server.req -CA cacert.pem -CAkey cakey.pem -CAserial file.srl -out server.pem -days 100000 -extensions v3_req -extfile myssl.cnf -passin pass:exprivia 

openssl x509 -text -noout -in server.pem > server.pem.txt 

openssl x509 -outform DER -in server.pem -out server.cert 

openssl genrsa -out client.key 1024 

openssl req -key client.key -new -out client.req -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=Client" -days 100000 

openssl x509 -req -in client.req -CA cacert.pem -CAkey cakey.pem -CAserial file.srl -out client.pem -days 100000 -passin pass:exprivia 

openssl x509 -outform DER -in client.pem -out client.cert 

openssl pkcs12 -export -in server.pem -inkey server.key -out server.pkcs12 -passout pass:exprivia 

keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks -deststorepass exprivia -srcstorepass exprivia -destalias server -srcalias 1 -destkeypass exprivia 

keytool -import -file cacert.cert -keystore server.jks -storepass exprivia -alias cacert -noprompt 

keytool -import -file client.cert -keystore server.jks -storepass exprivia -alias client -noprompt 

keytool -list -v -keystore server.jks -storepass exprivia > server.txt 

openssl pkcs12 -export -in client.pem -inkey client.key -out client.pkcs12 -passout pass:exprivia 

keytool -importkeystore -srckeystore client.pkcs12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks -deststorepass exprivia -srcstorepass exprivia -destalias client -srcalias 1 -destkeypass exprivia 

keytool -import -file cacert.cert -keystore client.jks -storepass exprivia -alias cacert -noprompt 

keytool -list -v -keystore client.jks -storepass exprivia > client.txt 

# now import the wso2 certificate 

keytool -export -keystore /usr/local/wso2is-5.0.0/repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cert -storepass wso2carbon 

# needed to call the STS over https 
keytool -import -file wso2carbon.cert -keystore client.jks -storepass exprivia -alias wso2carbon -noprompt 

# needed to decrypt the token generated by IS 
keytool -import -file wso2carbon.cert -keystore server.jks -storepass exprivia -alias wso2carbon -noprompt 

and the corresponding contents of server.jks are:

Keystore type: JKS 
Keystore provider: SUN 

Your keystore contains 4 entries 

Alias name: client 
Creation date: 31-Oct-2014 
Entry type: trustedCertEntry 

Owner: CN=Client, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT 
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT 
Serial number: 2 
Valid from: Fri Oct 31 17:41:32 CET 2014 until: Wed Aug 15 18:41:32 CEST 2288 
Certificate fingerprints: 
    MD5: 02:9B:A0:C9:F9:21:91:F5:C6:53:28:0B:C3:7E:EE:55 
    SHA1: 64:D9:95:AD:BB:E8:2A:D7:81:11:B7:30:DB:EE:BE:4E:89:FE:26:4A 
    Signature algorithm name: SHA1withRSA 
    Version: 1 


******************************************* 
******************************************* 


Alias name: wso2carbon 
Creation date: 31-Oct-2014 
Entry type: trustedCertEntry 

Owner: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US 
Issuer: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US 
Serial number: 4b7e3782 
Valid from: Fri Feb 19 08:02:26 CET 2010 until: Tue Feb 13 08:02:26 CET 2035 
Certificate fingerprints: 
    MD5: 02:FB:AA:5F:20:64:49:4A:27:29:55:71:83:F7:46:CD 
    SHA1: 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D 
    Signature algorithm name: SHA1withRSA 
    Version: 3 

Extensions: 

#1: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    DigitalSignature 
    Non_repudiation 
    Key_Encipherment 
    Data_Encipherment 
] 



******************************************* 
******************************************* 


Alias name: cacert 
Creation date: 31-Oct-2014 
Entry type: trustedCertEntry 

Owner: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT 
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT 
Serial number: f8d3b3c3f00eef91 
Valid from: Fri Oct 31 17:41:31 CET 2014 until: Wed Aug 15 18:41:31 CEST 2288 
Certificate fingerprints: 
    MD5: DD:D1:4B:85:BC:C0:62:AA:AA:93:9C:9C:7C:AE:69:FB 
    SHA1: 20:A6:F2:1B:37:51:C2:5C:F5:98:98:B9:E5:B3:48:BC:03:0E:50:D2 
    Signature algorithm name: SHA1withRSA 
    Version: 3 

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 06 44 86 D0 72 C6 ED 99 C7 EE A3 71 5A 77 C3 B4 .D..r......qZw.. 
0010: 7C 18 46 2D          ..F- 
] 
] 

#2: ObjectId: 2.5.29.19 Criticality=false 
BasicConstraints:[ 
    CA:true 
    PathLen:2147483647 
] 

#3: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: 06 44 86 D0 72 C6 ED 99 C7 EE A3 71 5A 77 C3 B4 .D..r......qZw.. 
0010: 7C 18 46 2D          ..F- 
] 

] 



******************************************* 
******************************************* 


Alias name: server 
Creation date: 31-Oct-2014 
Entry type: PrivateKeyEntry 
Certificate chain length: 1 
Certificate[1]: 
Owner: CN=10.0.3.124, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT 
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT 
Serial number: 1 
Valid from: Fri Oct 31 17:41:32 CET 2014 until: Wed Aug 15 18:41:32 CEST 2288 
Certificate fingerprints: 
    MD5: 7C:40:21:05:42:06:12:BC:23:7E:76:69:37:1A:8C:99 
    SHA1: A8:BD:C7:41:7B:0F:98:CF:40:6B:EF:15:BF:4E:DA:F4:54:D7:38:03 
    Signature algorithm name: SHA1withRSA 
    Version: 3 

Extensions: 

#1: ObjectId: 2.5.29.15 Criticality=false 
KeyUsage [ 
    DigitalSignature 
    Non_repudiation 
    Key_Encipherment 
    Data_Encipherment 
] 

#2: ObjectId: 2.5.29.19 Criticality=false 
BasicConstraints:[ 
    CA:false 
    PathLen: undefined 
] 

#3: ObjectId: 2.5.29.17 Criticality=false 
SubjectAlternativeName [ 
    IPAddress: 10.0.3.124 
] 



******************************************* 
******************************************* 

where

  • the client that requests the token from the Secure Token Service uses client.jks
  • the STS uses wso2carbon.jks and signs the tokens with server.cert
  • the SAML-secured service provider uses server.jks

Where is the problem?

Thanks, Paolo

Answer

2

According to the exception in org.wso2.carbon.security.util.ServerCrypto.getPrivateKey, the password for the private key is wrong. When you use WSO2 products there is a carbon.xml file in which you need to configure the keystore details, such as the keystore password and the private key password. Could you please make sure you have configured it correctly for your new keystore.
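The trace bottoms out in sun.security.provider.KeyProtector.recover, which is the per-entry key-password check of the JKS format; the store password itself had already been accepted, because the store-integrity hash is verified when the keystore is loaded. The following example is added here and is not code from the question, the answer or WSO2: it re-implements both checks from the OpenJDK JKS format in plain Python so that a keystore produced by the script above can be probed offline, without a JDK, and the two failures are told apart (the trailing SHA-1 over the file for the store password, the KeyProtector digest for each PrivateKeyEntry). Everything is standard library; `build_jks` and `SAMPLE_JKS` are constructed fixtures whose key and certificate bytes are placeholders, and the passwords `exprivia` and `wso2carbon` are the ones used in the script on this page.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
MIGHTY = b"Mighty Aphrodite"   # constant JavaKeyStore mixes into the store-integrity hash
# DER AlgorithmIdentifier for the KeyProtector OID 1.3.6.1.4.1.42.2.17.1.1 (NULL params)
KEY_PROTECTOR_ALG = bytes.fromhex("300e060a2b060104012a021101010500")
_pw = lambda p: p.encode("utf-16-be")                     # Java hashes passwords as UTF-16BE
_utf = lambda s: struct.pack(">H", len(s)) + s.encode()   # DataOutputStream.writeUTF (ASCII)

def _der(tag, body):           # DER TLV with short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _der_read(buf, pos=0):     # -> (body of the TLV at pos, position after it)
    ln, pos = buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return buf[pos:pos + ln], pos + ln

def _keystream(pw, salt, length):   # KeyProtector: SHA1(pw||salt), SHA1(pw||previous), ...
    out, digest = b"", salt
    while len(out) < length:
        digest = hashlib.sha1(pw + digest).digest()
        out += digest
    return out[:length]

def protect_key(plain_key, password, salt=bytes(20)):
    """Wrap a key as keytool does: salt || key XOR keystream || SHA1(pw || key)."""
    pw = _pw(password)
    enc = bytes(a ^ b for a, b in zip(plain_key, _keystream(pw, salt, len(plain_key))))
    return _der(0x30, KEY_PROTECTOR_ALG + _der(0x04, salt + enc + hashlib.sha1(pw + plain_key).digest()))

def recover_key(protected, password):
    """Mirror of sun.security.provider.KeyProtector.recover."""
    epki, _ = _der_read(protected)
    _, p = _der_read(epki)     # AlgorithmIdentifier (KeyProtector OID); not re-checked here
    blob, _ = _der_read(epki, p)
    salt, enc, check = blob[:20], blob[20:-20], blob[-20:]
    pw = _pw(password)
    plain = bytes(a ^ b for a, b in zip(enc, _keystream(pw, salt, len(enc))))
    if hashlib.sha1(pw + plain).digest() != check:
        raise ValueError("Cannot recover key")      # the exception in the trace
    return plain

def _skip_cert(data, pos):     # cert record: writeUTF(type) + int length + DER bytes
    tlen = struct.unpack_from(">H", data, pos)[0]
    clen = struct.unpack_from(">I", data, pos + 2 + tlen)[0]
    return pos + 2 + tlen + 4 + clen

def store_password_ok(data, store_password):   # trailing SHA-1 over pw || MIGHTY || file body
    return hashlib.sha1(_pw(store_password) + MIGHTY + data[:-20]).digest() == data[-20:]

def build_jks(store_password, entries):
    """Fixture writer mirroring JavaKeyStore.engineStore; entries: (alias, key bytes or None, cert DER, key pw)."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, key, cert, keypass in entries:
        cert_rec = _utf("X.509") + struct.pack(">I", len(cert)) + cert
        head = _utf(alias) + struct.pack(">Q", 0)   # alias + creation timestamp
        if key is None:
            body += struct.pack(">I", 2) + head + cert_rec
        else:
            prot = protect_key(key, keypass)
            body += struct.pack(">I", 1) + head + struct.pack(">I", len(prot)) + prot
            body += struct.pack(">I", 1) + cert_rec     # chain of one certificate
    return body + hashlib.sha1(_pw(store_password) + MIGHTY + body).digest()

def check_jks(data, store_password, key_password):
    """Return {alias: "ok" | "cannot recover key" | "trusted cert"}; raise on a bad store password."""
    if not store_password_ok(data, store_password):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS file")
    pos, result = 12, {}
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", data, pos)
        alias = data[pos + 6:pos + 6 + alen].decode()
        pos += 6 + alen + 8                      # +8 skips the creation timestamp
        if tag == 1:
            plen = struct.unpack_from(">I", data, pos)[0]
            prot, pos = data[pos + 4:pos + 4 + plen], pos + 4 + plen
            nchain, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
            for _ in range(nchain):
                pos = _skip_cert(data, pos)
            try:
                recover_key(prot, key_password)
                result[alias] = "ok"
            except ValueError as e:
                result[alias] = str(e).lower()
        else:
            pos, result[alias] = _skip_cert(data, pos), "trusted cert"
    return result

# Constructed sample store: password "exprivia", key entry "server" (key pw "exprivia"); placeholder key/cert bytes
SAMPLE_JKS = build_jks("exprivia", [("server", bytes(range(64)), b"\x30\x03\x02\x01\x01", "exprivia"),
                                    ("cacert", None, b"\x30\x03\x02\x01\x01", None)])
```

To probe a real file, pass `open("server.jks", "rb").read()` to `check_jks` with the candidate store and key passwords. For the script above both were set to `exprivia` (`-deststorepass exprivia -destkeypass exprivia`), so on the WSO2 side the `<Security><KeyStore>` block of carbon.xml has to carry `<Password>exprivia</Password>`, `<KeyAlias>server</KeyAlias>` and `<KeyPassword>exprivia</KeyPassword>` for that store. A `<KeyPassword>` left at the default `wso2carbon` yields exactly the `cannot recover key` result that `check_jks(SAMPLE_JKS, "exprivia", "wso2carbon")` returns for the `server` entry, whereas a wrong `<Password>` fails earlier, at load time, with the "tampered with, or password was incorrect" message rather than in getPrivateKey.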
