1

我正在尝试验证从 IDP 收到的断言签名。它导致失败并出现以下错误:

Verification failed for URI "#_7e59add4-11a0-415f-85a3-6f493110d198"

Expected Digest: PgSvwq0Jn6GLMHID20j1fT40VlhvdavKxEM3PtNUfLM=

Actual Digest: mDcfPO26UwGV/tt/JM20ADDDkGGODjd2CZn7dqqR5LM=

org.opensaml.xml.signature.SignatureValidator(SignatureValidator.java:77) -
                Signature did not validate against the credential's key

以下是我用来验证的代码:

public class SamlTest {

public static void main(String[] args) throws Exception {

    // read the file
    File file = new File("d://a.xml");
    BufferedReader bf = new BufferedReader(new FileReader(file));
    String str = null;
    String samlStr = "";
    while ((str = bf.readLine()) != null) {
        samlStr += str;
    }

    Assertion assertion = SamlTest.unmarshall(samlStr);

    //Always do Profile Validation before cryptographically verify the Signature
    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    try {
        profileValidator.validate(assertion.getSignature());
    } catch (ValidationException e) {
        System.out.println("ErrorString [Error in SAMLSignatureProfilValidation]");
    }

    Certificate certificate = SamlTest.getCertificate(assertion.getSignature());

    BasicCredential verificationCredential = new BasicCredential();
    verificationCredential.setPublicKey(certificate.getPublicKey());

    SignatureValidator sigValidator = new SignatureValidator(verificationCredential);
    try {
        sigValidator.validate(assertion.getSignature());
    } catch (ValidationException e) {
        System.out.println("unable to validate");
    }
}

private static Assertion unmarshall(String samlStr) throws Exception {
    DefaultBootstrap.bootstrap();

    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    DocumentBuilder docBuilder = null;

    docBuilder = documentBuilderFactory.newDocumentBuilder();

    ByteArrayInputStream is = new ByteArrayInputStream(samlStr.getBytes());

    Document document = null;
    document = docBuilder.parse(is);

    Element element = document.getDocumentElement();
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
    return (Assertion) unmarshaller.unmarshall(element);
}

private static Certificate getCertificate(Signature signature) {
    try {
        X509Certificate certificate = signature.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0);
        if (certificate != null) {
            //Converts org.opensaml.xml.signature.X509Certificate to java.security.cert.Certificate
            String lexicalXSDBase64Binary = certificate.getValue();
            byte[] decoded = DatatypeConverter.parseBase64Binary(lexicalXSDBase64Binary);

            try {
                CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
                Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(decoded));
                return cert;
            } catch (CertificateException e) {
                //this should never happen
                System.out.println("SAML Signature issue");
                return null;
            }
        }
        return null; // TODO Auto-generated method stub 

    } catch (NullPointerException e) {
        //Null certificates

        return null;
    }
}}

以下是收到的断言 xml:`

<?xml version="1.0" encoding="UTF-8" standalone="no"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns10="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns3="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns5="http://www.w3.org/2000/09/xmldsig#" xmlns:ns6="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" xmlns:ns7="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns8="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:ns9="http://www.w3.org/2005/08/addressing" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_7e59add4-11a0-415f-85a3-6f493110d198" IssueInstant="2015-06-16T19:38:03.664Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://localhost/websso/SAML2/Metadata/vsphere.local</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_7e59add4-11a0-415f-85a3-6f493110d198"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>PgSvwq0Jn6GLMHID20j1fT40VlhvdavKxEM3PtNUfLM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ovoMj6mUzEnhayptgu3MwQOiBEs47GO8Xs/H02SgO8/881X5m7anAmS8yIjHiOTu3Q0kNJH1K2cQ
uBNxKQG75jPHbM3wF6XVKLbcyjAWHjtg3Ndz6F2spIP13LZ7LM2KUBcwGh9YWBnybJWxwr70+qj0
7xHO5wEnV3RpkQPCjMgAfnesEAEHoCGpnQNQu0twSffWzKLKZcg6PHS2g49WY1r65Sw5Jcy9/VdN
4/mtEuNa4fb0wNbaKcpPxsjUo7dbeMdbZxl5T0E2pOTzGJkRKVfw1P6Vd2qIFrORVpfni5LAYkET
GJA40iY7wfVLJflIX7+9QcIEtMKsL5rbtxvQpQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDcDCCAligAwIBAgIJAMGuXxNnFfBZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAMMAkNBMRcw
FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
UzEQMA4GA1UECgwHcnVjaGF2YzAeFw0xNTAyMTcxNjMzNTFaFw0yNTAyMTExNjQzNDJaMBgxFjAU
BgNVBAMMDXNzb3NlcnZlclNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqV+/l
kSS9U2y6RBsLiqxwdiLjJJFCw/3iFu/Fmpu8vltMNPE5ryZsT87HJGzK8jDgGoTcD0DbbUk7+Sbe
XGVj7n5ZsBXiTt8nbpWQkUfBcNxKimqkGm3WgRgF3UjtNt4enC+mOLw4/aicBvvuscd8ur1QyJxK
zTUVOtkKFYg1FuKaelkSA2GrScLBzjaU99L0K2YrWncKG2T+1yIK5Md4TPr4X3GwhEqlBn7YK2sJ
43ILrEu43BCGyhkawp3bOHhnMVzMUHi2eY4NLXj0ZNTUFRrl8LKpDlSqFwL7ChNuhfLJOlncDwvD
20gOa6TWEC8qr3hXo4u5vUx9j2e5PS/pAgMBAAGjeTB3MAsGA1UdDwQEAwIF4DAoBgNVHREEITAf
gh1ydWNoYXZjLnRlc3RsYWIuY29tbXZhdWx0LmNvbTAdBgNVHQ4EFgQUjBP2wdHo83NDTsksTBtf
/1+EwA4wHwYDVR0jBBgwFoAU++fsPhJCQ4XETaWO1bQCjDDAgM8wDQYJKoZIhvcNAQELBQADggEB
AD4WqxL4+y4Uz/IzrKljq8mpU+dZNqpni8u5RaPUa4z/abfpB/vgSD08WGo7FHOYKDVJK6ScE8wB
+cuUV0/rL+4/L1sUVj4hixH/fUVS6jO6/SZerHEZ0ubO/X5zZAyfWXOKvxa6llgNFYjKGqd74+Lh
LCB2w84/VOOOJlaBJFFbh/9AY8cwtd8jFnMAYmQE7YQSLEagIKoeQSiVO1H8Kbhs4EQtLVmEQjR9
Pt1/H8VsRtPs+/0vAbzq8DJ6FTMz+OuhpyJHmIdP2Xw8T/2LGpGFSTVzbeGKGW3h7cCHA0MEHQ2J
ags26hB/IvRy2PxLgA9yRUroro9dbW8jIGch4UM=</ds:X509Certificate><ds:X509Certificate>MIIDgDCCAmigAwIBAgIJAP828FCXHTizMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAMMAkNBMRcw
FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
UzEQMA4GA1UECgwHcnVjaGF2YzAeFw0xNTAyMTQxNjQzNDJaFw0yNTAyMTExNjQzNDJaMFwxCzAJ
BgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2Fs
MQswCQYDVQQGEwJVUzEQMA4GA1UECgwHcnVjaGF2YzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALgcEKO2qkQobx4vGXNG2D6HqnHNwiqEBs+cbrAGRwVtT2AxavMu4aUL9kDO8yyrqXT2
UF5W5B2jFEWr413h8MmV4v+F/+MqVW7UXQ6C0f6bsaBLdmQNa69b4EAj0UGvvohogObglvP9Du0n
qXwDTt3NMg2aJefHtLsyAXA6A1IR85g/AdImBezM0ZgUALpf1Jaq3XjZvR9XqRiu/VZHDEJacxep
/Csw9AuLA5D2U8bWBV8URoBIfFzyho+3dYG8zS1l9Ym5CvSP98nryWSH1LwsEBVunoZpVE+TLGsz
A4uui1/y31gO04y44DxZp1Bh/HfIT4woOIOIlBqOGd5Rz+kCAwEAAaNFMEMwHQYDVR0OBBYEFPvn
7D4SQkOFxE2ljtW0AowwwIDPMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMA0G
CSqGSIb3DQEBCwUAA4IBAQBcRs/wwAfkWVbwgVKkucSMnRNb7kPS7qERcUykMGA/46QXhDcDShd1
j2aXbZKx0DNLKpGYuIN4N6uGdHZu0jABaSMOtVYdXCAHdXGPYJB6vV/l3jOOVvOPULwaf8lbBrmM
AuR6F6J1DBiXH+XMuOPB6/Tp9YYSoFJkPqhxqxyns3tjjTXmCIcoEUuPqACniLk6aUzlKFzDUt2N
hp34Qzj4BdH7QepHjR/mcDkVVaMjY597d2f/kAJm0D/l01W3nyKCbDb3yq3w8f6gj1WIIB6o8w9R
HsZwm4eVFYhJWWvi9N2wci8X5PMdDi/abUxhOT7EYEQGk39dfc/VTEQoMKrE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">Administrator</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">vsphere-webclient-21665f80-b6c4-11e4-b9fe-005056a638d3@vsphere.local</saml2:NameID><saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIID5TCCAs2gAwIBAgIJAMk0TrGWNX/vMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAMMAkNBMRcw
FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
UzEQMA4GA1UECgwHcnVjaGF2YzAeFw0xNTAyMTcxNjM1MDhaFw0yNTAyMTExNjQzNDJaMIGMMRow
GAYDVQQDDBF2c3BoZXJlLXdlYmNsaWVudDEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJ
kiaJk/IsZAEZFgVsb2NhbDELMAkGA1UEBhMCVVMxMTAvBgNVBAsMKG1JRC0yMTY2NWY4MC1iNmM0
LTExZTQtYjlmZS0wMDUwNTZhNjM4ZDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA
zkp7RK+aOZqq4+yyp/gfsLr4jQnOiLCNGdvEeLXVhUPWogYl0MkHEt3DY6i2HqL0xmmPeRjmOJ1T
62eR3Nc8ugrapKUy7bYgCTT6rzvjU7KtzHg/SncuwncrB53//lSndJ41UtTWNxZSqqja3tmfg3pT
4EQkv0YiyEeayKJhfNz6XiuL12wdBvai0SIEFIsZTq92hNlTs4W58tT8ov6408BEMtRcTVHrOSAS
BS2waelqHAt141PWos3ynz4MUsxRs2p0T77K+wh2Mj/eWQgJJnVVuc4oVA1uLOQHjP777QV/gEkd
p6v42q8b+24LtTWJssMIVvmsmvoEtItDbpApAgMBAAGjeTB3MAsGA1UdDwQEAwIF4DAoBgNVHREE
ITAfgh1ydWNoYXZjLnRlc3RsYWIuY29tbXZhdWx0LmNvbTAdBgNVHQ4EFgQUHR0Ta1eFnWxSD37T
ZFPQncCZYlswHwYDVR0jBBgwFoAU++fsPhJCQ4XETaWO1bQCjDDAgM8wDQYJKoZIhvcNAQELBQAD
ggEBAETECKs16qfadNvLwNysQq5F9Y9pAhnss6PniRLdQ2D7dbKgLNjgi4CIEV3SuaDXaqONV9IV
+IjAg6N+yMqGghc64MyAzDS0Rkp2R7hfNjyYUcG9lNTSpsKSZE0iNb9RWaqrPKu4RsnPvjIStx43
EytkF63Q7ktYxFCXlnB9AVeMa6nfOzFZS+SXHrd+zWs62Hp/9mBHLoHKEYYQawpJlbBnAkg8WZxq
uVE/Ky5Gv8ni3eAovM2g0Ot7gqqbfPH09Yk4L9pBUPw/lT2icBvZ6yHgWxmEnZuHBKUF5B8F0smI
TSCwNY2lUghkxxCdTEaqsthPGb9uYEB6JFJDgblgEBg=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-06-16T19:38:51.295Z" NotOnOrAfter="2015-07-16T19:38:51.295Z"><saml2:ProxyRestriction Count="9"/><saml2:Condition xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xsi:type="del:DelegationRestrictionType"><del:Delegate DelegationInstant="2015-06-16T19:36:37.101Z"><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">vsphere-webclient-21665f80-b6c4-11e4-b9fe-005056a638d3@vsphere.local</saml2:NameID></del:Delegate></saml2:Condition><saml2:Condition xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="9" xsi:type="rsa:RenewRestrictionType"/></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2015-06-16T19:38:03.662Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">Administrator</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">SophosAdministrator</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.localAdministrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.localEveryone</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string"/></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>

`有人可以帮我在这里找到问题。

4

0 回答 0