Reputation: 3450
I am attempting to transition a Shibboleth SP application to Java 11. Authentication with the IdP works under Java 8, but in 11 it fails after the user has authenticated and returned to the app.
2019-03-14 09:21:37.329 DEBUG 21741 --- [nio-8080-exec-5] o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: https://...
2019-03-14 09:21:37.330 DEBUG 21741 --- [nio-8080-exec-5] o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of ...
2019-03-14 09:21:37.331 DEBUG 21741 --- [nio-8080-exec-5] k.BasicProviderKeyInfoCredentialResolver : Found 0 key names: []
2019-03-14 09:21:37.331 DEBUG 21741 --- [nio-8080-exec-5] k.BasicProviderKeyInfoCredentialResolver : Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
2019-03-14 09:21:37.331 DEBUG 21741 --- [nio-8080-exec-5] k.BasicProviderKeyInfoCredentialResolver : Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2019-03-14 09:21:37.331 DEBUG 21741 --- [nio-8080-exec-5] k.BasicProviderKeyInfoCredentialResolver : Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2019-03-14 09:21:37.331 DEBUG 21741 --- [nio-8080-exec-5] k.BasicProviderKeyInfoCredentialResolver : Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2019-03-14 09:21:37.331 DEBUG 21741 --- [nio-8080-exec-5] o.o.x.s.k.p.InlineX509DataProvider : Attempting to extract credential from an X509Data
what kind of weird pkcs12 file has more than one alias?
what kind of weird pkcs12 file has more than one alias?
what kind of weird pkcs12 file has more than one alias?
what kind of weird pkcs12 file has more than one alias?
what kind of weird pkcs12 file has more than one alias?
what kind of weird pkcs12 file has more than one alias?
[ above message repeated about 50 times ...]
java.security.KeyStoreException: Uninitialized keystore
at java.base/java.security.KeyStore.aliases(KeyStore.java:1267)
at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:233)
at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:175)
at org.apache.commons.ssl.TrustMaterial.<clinit>(TrustMaterial.java:88)
at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:192)
at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.process(InlineX509DataProvider.java:126)
at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChild(BasicProviderKeyInfoCredentialResolver.java:300)
at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChildren(BasicProviderKeyInfoCredentialResolver.java:256)
at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfo(BasicProviderKeyInfoCredentialResolver.java:190)
at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.resolveFromSource(BasicProviderKeyInfoCredentialResolver.java:149)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
at org.opensaml.security.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:275)
at org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:123)
at org.opensaml.security.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:178)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:98)
at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:104)
at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:91)
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:128)
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:85)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
This is a Spring Boot application using spring-security-saml2-core 1.0.5.RELEASE. Under Oracle Java 8 it works, but under OpenJDK 11 authentication fails with the above error.
Upvotes: 1
Views: 3476
Reputation: 11
This error is due to being unable to decode the SAML response.
Simply downgrade the not-yet-commons-ssl.jar version to 0.3.9.
Upvotes: -2
Reputation: 3450
This is a consequence of Java 9 changing to PKCS12 as the default keystore type. There are a couple of fixes:
Set the default keystore type to JKS:
import java.security.Security;
// set this before the SAML / commons-ssl classes are first loaded
Security.setProperty("keystore.type", "jks");
More information: Spring Security Saml issue #263
Upvotes: 3
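As an added example (not part of the answer above, nor code from spring-security-saml or commons-ssl), a small Java startup guard that applies this fix and checks it: it sets the Security property, then loads the JDK trust store under the resulting default keystore type, which is what the commons-ssl TrustMaterial static initialiser in the stack trace appears to be doing when it fails. The cacerts path under java.home and its stock password "changeit" are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;

/** Startup guard: force the JDK default keystore type to JKS and prove the
 *  JDK trust store still loads under that type before any SAML code runs. */
public final class KeystoreTypeGuard {

    /** keystore.type is a Security property (from java.security), not a JVM
     *  system property, so -Dkeystore.type=jks is ignored; it must be set in
     *  code like this or in a file passed via -Djava.security.properties=<file>. */
    public static String forceJksDefault() {
        Security.setProperty("keystore.type", "jks");
        return KeyStore.getDefaultType();   // now "jks"
    }

    /** Assumed location of the JDK trust store (Java 9+ layout). */
    static Path jdkCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Load the store with the *default* keystore type and count its aliases;
     *  throws if the default type cannot read the file. */
    public static int countAliases(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);          // initialises the keystore
        }
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); e.nextElement()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        String type = forceJksDefault();
        // "changeit" is the stock cacerts password; an assumption for this demo
        int n = countAliases(jdkCacerts(), "changeit".toCharArray());
        System.out.println("default keystore type=" + type + ", cacerts aliases=" + n);
        // In a Spring Boot app, call forceJksDefault() as the first statement of
        // main(), before SpringApplication.run(...), so it runs before the static
        // initialiser of org.apache.commons.ssl.TrustMaterial is triggered.
    }
}
```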