user1387219
Reputation: 465
saml signature verification, cannot recover key exception
I'm trying to implement saml authentication over ssl transport, but when the token is verified from the service provider an exception is thrown.
The problem only occurs when I use the certificates I have generated, on the countrary when I use default keystores that comes with the applicatives I'm using (WSO2) everythink works fine.
The exception is:
ID: [0] [ESB] [2014-10-31 17:57:03,320] ERROR {org.apache.synapse.transport.passthru.ServerWorker} - Error processing POST request for : /services/StockQuoteProxy.StockQuoteProxyHttpsSoap12Endpoint {org.apache.synapse.transport.passthru.ServerWorker}
org.apache.axis2.AxisFault: The signature or decryption was invalid; nested exception is:
java.security.UnrecoverableKeyException: Cannot recover key
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:411)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:183)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
java.security.UnrecoverableKeyException: Cannot recover key
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:370)
at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:244)
at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:148)
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:334)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:214)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at org.wso2.carbon.security.util.ServerCrypto.getPrivateKey(ServerCrypto.java:247)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:368)
... 18 more
the certificates and keystores are generated as follows:
server_ip=10.0.3.124
openssl req -keyout cakey.pem -out cacert.pem -newkey rsa:2048 -x509 -days 100000 -batch -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=Exprivia Certification Authority" -passout pass:exprivia
openssl x509 -outform DER -in cacert.pem -out cacert.cert
openssl genrsa -out server.key 1024
#http://apetec.com/support/GenerateSAN-CSR.htm
cp /etc/pki/tls/openssl.cnf myssl.cnf
echo -e "\
[req]\n\
req_extensions = v3_req\n\
\n\
[ v3_req ]\n\
\n\
# Extensions to add to a certificate request\n\
\n\
basicConstraints = CA:FALSE\n\
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\n\
subjectAltName = @alt_names\n\
\n\
[alt_names]\n\
IP.1 = $server_ip\n\
" >> myssl.cnf
# usare IP.1 IP.2 etc per gli ip e DNS.1 etc per i nomi di dominio
openssl req -key server.key -new -out server.req -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=$server_ip" -config myssl.cnf -days 100000
openssl req -text -noout -in server.req > server.req.txt
echo "00" >> file.srl
openssl x509 -req -in server.req -CA cacert.pem -CAkey cakey.pem -CAserial file.srl -out server.pem -days 100000 -extensions v3_req -extfile myssl.cnf -passin pass:exprivia
openssl x509 -text -noout -in server.pem > server.pem.txt
openssl x509 -outform DER -in server.pem -out server.cert
openssl genrsa -out client.key 1024
openssl req -key client.key -new -out client.req -subj "/C=IT/ST=Bari/L=Molfetta/O=Exprivia/OU=Innovation Lab/CN=Client" -days 100000
openssl x509 -req -in client.req -CA cacert.pem -CAkey cakey.pem -CAserial file.srl -out client.pem -days 100000 -passin pass:exprivia
openssl x509 -outform DER -in client.pem -out client.cert
openssl pkcs12 -export -in server.pem -inkey server.key -out server.pkcs12 -passout pass:exprivia
keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks -deststorepass exprivia -srcstorepass exprivia -destalias server -srcalias 1 -destkeypass exprivia
keytool -import -file cacert.cert -keystore server.jks -storepass exprivia -alias cacert -noprompt
keytool -import -file client.cert -keystore server.jks -storepass exprivia -alias client -noprompt
keytool -list -v -keystore server.jks -storepass exprivia > server.txt
openssl pkcs12 -export -in client.pem -inkey client.key -out client.pkcs12 -passout pass:exprivia
keytool -importkeystore -srckeystore client.pkcs12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks -deststorepass exprivia -srcstorepass exprivia -destalias client -srcalias 1 -destkeypass exprivia
keytool -import -file cacert.cert -keystore client.jks -storepass exprivia -alias cacert -noprompt
keytool -list -v -keystore client.jks -storepass exprivia > client.txt
#ora importiamo il certificato wso2
keytool -export -keystore /usr/local/wso2is-5.0.0/repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cert -storepass wso2carbon
#necessario per chiamare l'sts in https
keytool -import -file wso2carbon.cert -keystore client.jks -storepass exprivia -alias wso2carbon -noprompt
#necessario per decifrare il token generato da is
keytool -import -file wso2carbon.cert -keystore server.jks -storepass exprivia -alias wso2carbon -noprompt
and the corresponding server.jks content is
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
Alias name: client
Creation date: 31-Oct-2014
Entry type: trustedCertEntry
Owner: CN=Client, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: 2
Valid from: Fri Oct 31 17:41:32 CET 2014 until: Wed Aug 15 18:41:32 CEST 2288
Certificate fingerprints:
MD5: 02:9B:A0:C9:F9:21:91:F5:C6:53:28:0B:C3:7E:EE:55
SHA1: 64:D9:95:AD:BB:E8:2A:D7:81:11:B7:30:DB:EE:BE:4E:89:FE:26:4A
Signature algorithm name: SHA1withRSA
Version: 1
*******************************************
*******************************************
Alias name: wso2carbon
Creation date: 31-Oct-2014
Entry type: trustedCertEntry
Owner: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
Issuer: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
Serial number: 4b7e3782
Valid from: Fri Feb 19 08:02:26 CET 2010 until: Tue Feb 13 08:02:26 CET 2035
Certificate fingerprints:
MD5: 02:FB:AA:5F:20:64:49:4A:27:29:55:71:83:F7:46:CD
SHA1: 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]
*******************************************
*******************************************
Alias name: cacert
Creation date: 31-Oct-2014
Entry type: trustedCertEntry
Owner: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: f8d3b3c3f00eef91
Valid from: Fri Oct 31 17:41:31 CET 2014 until: Wed Aug 15 18:41:31 CEST 2288
Certificate fingerprints:
MD5: DD:D1:4B:85:BC:C0:62:AA:AA:93:9C:9C:7C:AE:69:FB
SHA1: 20:A6:F2:1B:37:51:C2:5C:F5:98:98:B9:E5:B3:48:BC:03:0E:50:D2
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 44 86 D0 72 C6 ED 99 C7 EE A3 71 5A 77 C3 B4 .D..r......qZw..
0010: 7C 18 46 2D ..F-
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 06 44 86 D0 72 C6 ED 99 C7 EE A3 71 5A 77 C3 B4 .D..r......qZw..
0010: 7C 18 46 2D ..F-
]
]
*******************************************
*******************************************
Alias name: server
Creation date: 31-Oct-2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=10.0.3.124, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: 1
Valid from: Fri Oct 31 17:41:32 CET 2014 until: Wed Aug 15 18:41:32 CEST 2288
Certificate fingerprints:
MD5: 7C:40:21:05:42:06:12:BC:23:7E:76:69:37:1A:8C:99
SHA1: A8:BD:C7:41:7B:0F:98:CF:40:6B:EF:15:BF:4E:DA:F4:54:D7:38:03
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
IPAddress: 10.0.3.124
]
*******************************************
*******************************************
where
- the client that asks for the token to a secure token service, uses the client.jks
- the STS uses the wso2carbon.jks and signs the token with server.cert
- the saml protected service provider, uses the server.jks
Where is the problem?
Thanks, Paolo
Upvotes: 0
Views: 1438
Answers (1)
Asela
Reputation: 5821
According to the exception org.wso2.carbon.security.util.ServerCrypto.getPrivateKey ; The Private key password that you have configured is not valid. As you are using WSO2 products, there is a carbon.xml file that you need to configure the keystore details such as keystore, private key password. Could you please verify them that you have configured it properly according to the your new keystore.
Upvotes: 2
Related Questions
- org.opensaml.common.SAMLRuntimeException: Can't obtain SP signing key
- The signature verified correctly with the key contained in the signature, but that key is not trusted
- SAML2.0 signature validation failed for SAML Response
- Signature did not validate against the credential's key
- Signature cryptographic validation not successful opensaml
- SAML2BearerGrantHandler unable to verify signature
- SSO with signing and signature validation doesn't work
- Signature Validation Failed for the SAML Assertion in Wso2IS
- SAML Request Signature verification failure
- Cannot validate SAML assertion signature