Where for XML Signature the requested algorithm is configured?
oliver42 Dec 12, 2013 7:34 AM
Hi there!
As a newbie trying to dig into SAML2 using picketlink-quickstarts-2.1.9.Final-webapps-jboss-as7.zip on top of EAP 6.2, I adapted the settings to our internal environment. Now when I log on to *-sig.war it always ends up with this in server.log:
08:41:23,300 ERROR [org.picketlink.identity.federation] (http-MYSERVER/10.10.10.10:8080-2) PLFED000241: Error validating signature: org.picketlink.identity.federation.core.exceptions.ProcessingException: javax.xml.crypto.dsig.XMLSignatureException: PLFED000100: Signing Process Failure
at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:303) [picketlink-core-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:121) [picketlink-core-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:92) [picketlink-core-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleRequestType(SAML2SignatureValidationHandler.java:56) [picketlink-core-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:730) [picketlink-jbas7-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java:329) [picketlink-jbas7-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:284) [picketlink-jbas7-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
Caused by: javax.xml.crypto.dsig.XMLSignatureException: PLFED000100: Signing Process Failure
at org.picketlink.identity.federation.PicketLinkLoggerImpl.signatureError(PicketLinkLoggerImpl.java:99) [picketlink-jbas7-2.1.9.SP2-redhat-1.jar:2.1.9.SP2-redhat-1]
... 16 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256
On client side the request was tracked as:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="http://MYSERVER-FQDN:8080/sales-post-sig/"
    Destination="http://MYSERVER-FQDN:8080/idp-sig/"
    ID="ID_c8ec9fdd-ba6d-4498-b194-d5123d572618"
    IssueInstant="2013-12-12T08:39:13.114Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    >
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://MYSERVER-FQDN:8080/sales-post-sig/</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <dsig:Reference URI="#ID_c8ec9fdd-ba6d-4498-b194-d5123d572618">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
...
Am I right in believing that the algorithm chosen for the signature is in conflict between SHA-256 and rsa-sha1? Where is this enforced on the server/deployment side?
TIA
Regards,
Oliver
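Added example, not code from the original post or from PicketLink: the JDK's RSA verifier compares the signature's byte length with the verifying key's modulus length before it hashes anything, so "got 128 but was expecting 256" describes a 128-byte signature (a 1024-bit RSA key) being checked against a 2048-bit trusted key, independent of whether the digest is SHA-1 or SHA-256. The snippet reproduces that condition with freshly generated keys and shows the length check to run against the SP's signing certificate and the certificate the IdP trusts; the keys and the signed bytes are constructed here.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.RSAPublicKey;

public class SignatureLengthCheck {

    // Byte length of a raw RSA signature made with this key: the modulus size.
    // Compare this for the SP's signing cert and the IdP's trusted cert.
    static int expectedSignatureBytes(PublicKey key) {
        return (((RSAPublicKey) key).getModulus().bitLength() + 7) / 8;
    }

    // Verify sig over data with the given key, reporting the outcome instead
    // of letting the SignatureException propagate as PLFED000100 does.
    static String verifyWith(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA1withRSA"); // JCA name for rsa-sha1
        v.initVerify(key);
        v.update(data);
        try {
            return v.verify(sig) ? "valid" : "invalid";
        } catch (SignatureException e) {
            return "SignatureException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the canonicalized SignedInfo bytes.
        byte[] data = "<dsig:SignedInfo>...</dsig:SignedInfo>".getBytes(StandardCharsets.UTF_8);

        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(1024);
        KeyPair spSigning = gen.generateKeyPair();   // key the SP actually signs with
        gen.initialize(2048);
        KeyPair idpTrusted = gen.generateKeyPair();  // key the IdP's trust store holds

        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(spSigning.getPrivate());
        s.update(data);
        byte[] sig = s.sign();

        System.out.println("signature bytes: " + sig.length
            + ", SP key expects " + expectedSignatureBytes(spSigning.getPublic())
            + ", IdP trusted key expects " + expectedSignatureBytes(idpTrusted.getPublic()));
        System.out.println("verify with SP key:          " + verifyWith(spSigning.getPublic(), data, sig));
        System.out.println("verify with IdP trusted key: " + verifyWith(idpTrusted.getPublic(), data, sig));
    }
}
```

The same comparison against a real deployment means reading the SP's signing certificate and the certificate in the IdP's trust store and checking that expectedSignatureBytes agrees for both; a mismatch there fails before any digest algorithm is consulted.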