0 Replies Latest reply on Dec 12, 2013 7:34 AM by oliver42

    Where is the requested algorithm for XML Signature configured?

    oliver42

      Hi there!

      As a newbie trying to dig into SAML2 using picketlink-quickstarts-2.1.9.Final-webapps-jboss-as7.zip on top of EAP 6.2, I adapted the settings to our internal environment. Now when I log on to *-sig.war it always ends up with this in server.log:

      08:41:23,300 ERROR [org.picketlink.identity.federation] (http-MYSERVER/10.10.10.10:8080-2) PLFED000241: Error validating signature: org.picketlink.identity.federation.core.exceptions.ProcessingException: javax.xml.crypto.dsig.XMLSignatureException: PLFED000100: Signing Process Failure
          at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:303) [picketlink-core-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:121) [picketlink-core-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:92) [picketlink-core-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
          at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56) [picketlink-core-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:730) [picketlink-jbas7-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java:329) [picketlink-jbas7-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
          at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:284) [picketlink-jbas7-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
          at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
      Caused by: javax.xml.crypto.dsig.XMLSignatureException: PLFED000100: Signing Process Failure
          at org.picketlink.identity.federation.PicketLinkLoggerImpl.signatureError(PicketLinkLoggerImpl.java:99) [picketlink-jbas7-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
          ... 16 more
      Caused by: javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256


      On the client side the request was tracked as:


      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
        AssertionConsumerServiceURL="http://MYSERVER-FQDN:8080/sales-post-sig/"
        Destination="http://MYSERVER-FQDN:8080/idp-sig/"
        ID="ID_c8ec9fdd-ba6d-4498-b194-d5123d572618"
        IssueInstant="2013-12-12T08:39:13.114Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Version="2.0"
        >
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://MYSERVER-FQDN:8080/sales-post-sig/</saml:Issuer>
        <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <dsig:Reference URI="#ID_c8ec9fdd-ba6d-4498-b194-d5123d572618">
        <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      ...


      Am I right in believing that the algorithm chosen for the signature conflicts between SHA-256 and rsa-sha1? Where is this enforced on the server/deployment side?

      TIA


      Regards,

      Oliver
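The last "Caused by" line in the trace above is the diagnostic one. As an added illustration, not code from the original post or from PicketLink, the following Java program shows that the byte length of a PKCS#1 v1.5 RSA signature is fixed by the signing key's modulus size (128 bytes for a 1024-bit key, 256 bytes for a 2048-bit key) and does not change between SHA-1 and SHA-256, and which of the two possible mismatches reproduces the JDK's "Signature length not correct" message. The key sizes and the sample payload are assumptions chosen for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class RsaSignatureLengthDemo {
    // Constructed sample payload standing in for the canonicalized SignedInfo.
    static final byte[] DATA = "<samlp:AuthnRequest ID=\"ID_example\"/>".getBytes(StandardCharsets.UTF_8);

    static KeyPair generateRsaKey(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    // PKCS#1 v1.5 signature: its length is the key modulus length in bytes, whatever the digest.
    static byte[] sign(KeyPair kp, String jcaAlgorithm) throws Exception {
        Signature s = Signature.getInstance(jcaAlgorithm);
        s.initSign(kp.getPrivate());
        s.update(DATA);
        return s.sign();
    }

    // The same java.security.Signature path a verifier such as PicketLink ends up in.
    static String verify(PublicKey pub, String jcaAlgorithm, byte[] sig) throws Exception {
        Signature v = Signature.getInstance(jcaAlgorithm);
        v.initVerify(pub);
        v.update(DATA);
        try {
            return v.verify(sig) ? "valid" : "rejected (verify returned false)";
        } catch (SignatureException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair k1024 = generateRsaKey(1024);
        KeyPair k2048 = generateRsaKey(2048);
        // Same key, different digests: same length (128 bytes for a 1024-bit key).
        System.out.println("1024-bit SHA1withRSA   : " + sign(k1024, "SHA1withRSA").length + " bytes");
        System.out.println("1024-bit SHA256withRSA : " + sign(k1024, "SHA256withRSA").length + " bytes");
        // Larger key: 256 bytes regardless of digest.
        System.out.println("2048-bit SHA1withRSA   : " + sign(k2048, "SHA1withRSA").length + " bytes");
        // Digest mismatch (SHA-1 signature verified as SHA-256): rejected, but with no length complaint.
        System.out.println("digest mismatch  : " + verify(k2048.getPublic(), "SHA256withRSA", sign(k2048, "SHA1withRSA")));
        // Key mismatch (1024-bit signature verified with a 2048-bit public key): the "Signature length not correct" case.
        System.out.println("key-size mismatch: " + verify(k2048.getPublic(), "SHA1withRSA", sign(k1024, "SHA1withRSA")));
    }
}
```

The length check in the JDK compares the signature's byte count with the modulus size of the public key handed to the verifier, so a "got 128 but was expecting 256" message points at the key or certificate used on each side rather than at the SignatureMethod URI.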