Is it possible to create a digital signature for a given xml document using command line in openssl?
Expectation
I'm interested in getting a value from command line that looks like below extracted from ds:SignatureValue
Signature Method: SHA1 with two transformations applied
ULNmpuKwXwHwqUMybbwnupC/y9WZo8hi0qy9S2GuWxSB8WVEyA7RB6Qy.........hSq5BVw==
Digital Signature for Reference only.
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx238f2615-2267-6ee6-efa9-24dd82d85764">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>6okYcbSa3y18LSbOBJTMMWN7/Rs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue> <!-- how to compute this value -->
ULNmpuKwXwHwqUMybbwnupC/y9WZo8hi0qy9S2GuWxSB8WVEyA7RB6Qy.........hSq5BVw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDuDCCAqACCQDpZiKUmwKtZTANBgkqhkiG9w0BAQsFADCBnTEL.......cBnjt9gNFVPaL7+/P+enkq9Vx0thQHUaI+ndr1gpZE=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
I've the keys (public/private) already generated.
My Attempts
openssl dgst -sha1 -sign ../keys/client.pem -out sign.sha1 response.xml
# readable base64
openssl enc -base64 -in sign.sha1 -out sign.sha1.base64
I'm referencing this tutorial https://opensource.com/article/19/6/cryptography-basics-openssl-part-2
Related
I tried to add https url at the endpoint configuration of wso2 and when i try hit the test button it showing error connecting back end but the back end is working fine. I am facing issue only with the https. http is working properly. I even tried setting this <parameter name="HostnameVerifier">AllowAll</parameter> in axis2.xml still got the same and when i checked in the logs i am getting the following errors
In my local System
[2021-06-24 11:12:05,331] INFO - EmbeddedRegistryService Configured Registry in 0ms
[2021-06-24 11:12:13,914] ERROR - APIProviderHostObject Error occurred while connecting to backend : https://www.google.com/, reason : peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.wso2.carbon.apimgt.hostobjects.HostObjectUtils.sendHttpHEADRequest(HostObjectUtils.java:267)
at org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject.jsFunction_isURLValid(APIProviderHostObject.java:4393)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
at org.jaggeryjs.rhino.publisher.modules.api.c3._c_anonymous_11(/publisher/modules/api/add.jag:255)
at org.jaggeryjs.rhino.publisher.modules.api.c3.call(/publisher/modules/api/add.jag)
at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
at org.jaggeryjs.rhino.publisher.modules.api.c0._c_anonymous_6(/publisher/modules/api/module.jag:21)
at org.jaggeryjs.rhino.publisher.modules.api.c0.call(/publisher/modules/api/module.jag)
at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
at org.jaggeryjs.rhino.publisher.site.blocks.item_add.ajax.c0._c_anonymous_2(/publisher/site/blocks/item-add/ajax/add.jag:237)
at org.jaggeryjs.rhino.publisher.site.blocks.item_add.ajax.c0.call(/publisher/site/blocks/item-add/ajax/add.jag)
at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
at org.jaggeryjs.rhino.publisher.site.blocks.item_add.ajax.c0._c_script_0(/publisher/site/blocks/item-add/ajax/add.jag:9)
at org.jaggeryjs.rhino.publisher.site.blocks.item_add.ajax.c0.call(/publisher/site/blocks/item-add/ajax/add.jag)
at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
at org.jaggeryjs.rhino.publisher.site.blocks.item_add.ajax.c0.call(/publisher/site/blocks/item-add/ajax/add.jag)
at org.jaggeryjs.rhino.publisher.site.blocks.item_add.ajax.c0.exec(/publisher/site/blocks/item-add/ajax/add.jag)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:588)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:508)
at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:377)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:65)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
In cloud environment
java.net.UnknownHostException: sample.domain.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:472)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:153)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:125)
at org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory$1.doit(ControllerThreadSocketFactory.java:91)
at org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory$SocketTask.run(ControllerThreadSocketFactory.java:158)
at java.lang.Thread.run(Thread.java:745)
ssl config of Axis2.xml
<parameter name="port" locked="false">8243</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<!--parameter name="bind-address" locked="false">hostname or IP address</parameter-->
<!--parameter name="WSDLEPRPrefix" locked="false">https://apachehost:port/somepath</parameter-->
<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.mediation.transport.handlers.PassThroughNHttpGetProcessor</parameter>
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/wso2carbon.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
<KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
</TrustStore>
</parameter>
<parameter name="HostnameVerifier">AllowAll</parameter>
<!--<parameter name="SSLVerifyClient">require</parameter>
supports optional|require or defaults to none -->
</transportReceiver>
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/wso2carbon.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
<KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
</TrustStore>
</parameter>
<!-- ============================================== -->
<!-- Configuration for Dynamic SSL Profile loading. -->
<!-- Configured for 10 mins. -->
<!-- ============================================== -->
<parameter name="dynamicSSLProfilesConfig">
<filePath>repository/resources/security/sslprofiles.xml</filePath>
<fileReadInterval>600000</fileReadInterval>
</parameter>
<parameter name="HostnameVerifier">AllowAll</parameter>
<!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
</transportSender>
The error produced in your Local Environment is related to Peer Authentication. Generally, the peer not authenticated errors are populated when the trusted cert is not presented in the client-truststore.jks of the API Manager node. Therefore, please export the public TLS cert from your backend and add it to the client-truststore.jks in the API Manager server.
Regarding the second error: Unknown Host Exception, this is populated, when the API Manager (Java) server was not able to resolve the mentioned Hostname. Please check whether the mentioned hostname (sample.domain.com) is a valid one and have any DNS entries to resolve. If it is dummy, you can add a host entry in the /etc/hosts in your cloud environment to pick the correct IP.
Furthermore, to disable the Hostname verification in the API Manager, along with the above-mentioned configurations in the axis2.xml, please perform the following configurations
Edit the <apim>/bin/wso2server.sh
Add the following flag to the bottom of the script where all the JVM properties are defined
-Dhttpclient.hostnameVerifier=AllowAll
Restart the server
I am using WSO2 APIM 2.5.0
I have recently started created/Onboarding APIs into APIM but seeing some issues in accessing them from store or from post.
For few of the API, it does not create any issue and it works absolutely fine. But for few of them I have getting below error:
INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS =
Message dispatched to the main sequence. Invalid URL., RESOURCE =
/rest/abc/fun
{org.apache.synapse.mediators.builtin.LogMediator}
When I am checking the APIs, they donot have the anything dissimilar which points me that something missing in the not working API configuration.
I have checked the
/usr/lib/wso2/wso2am/2.5.0/repository/deployment/server/synapse-
configs/default/endpoints and
/usr/lib/wso2/wso2am/2.5.0/repository/deployment/server/synapse-
configs/default/api
Here is the response when I am trying to consume the API from postman:
<am:fault xmlns:am="http://wso2.org/apimanager">
<am:code>404</am:code>
<am:type>Status report</am:type>
<am:message>Not Found</am:message>
<am:description>The requested resource is not available.
APIs are present as it should be. I am stuck here from long time now and not able to get any resolution.
Adding synapse file as well from usr/lib/wso2/wso2am/2.5.0/repository/deployment/server/synapse-configs/default/api
<?xml version="1.0" encoding="UTF-8"?>
<api xmlns="http://ws.apache.org/ns/synapse"
name="john.doe-AT-abc.com--FUNAPI"
context="/FUNAPI/3.0.0"
version="3.0.0"
version-type="context">
<resource methods="POST" url-mapping="/fun" faultSequence="fault">
<inSequence>
<property name="api.ut.backendRequestTime"
expression="get-property('SYSTEM_TIME')"/>
<filter source="$ctx:AM_KEY_TYPE" regex="PRODUCTION">
<then>
<send>
<endpoint key="FUNAPI--v3.0.0_APIproductionEndpoint"/>
</send>
</then>
<else>
<sequence key="_sandbox_key_error_"/>
</else>
</filter>
</inSequence>
<outSequence>
<class name="org.wso2.carbon.apimgt.gateway.handlers.analytics.APIMgtResponseHandler"/>
<send/>
</outSequence>
</resource>
<handlers>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.common.APIMgtLatencyStatsHandler"/>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
<property name="apiImplementationType" value="ENDPOINT"/>
</handler>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler">
<property name="RemoveOAuthHeadersFromOutMessage" value="true"/>
</handler>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler"/>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.analytics.APIMgtUsageHandler"/>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.analytics.APIMgtGoogleAnalyticsTrackingHandler">
<property name="configKey" value="gov:/apimgt/statistics/ga-config.xml"/>
</handler>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler"/>
</handlers>
</api>
Request I am making from postman and below is the request form:
curl -X POST \
https://xxx.xx.xx/api/funapifun/1.0.0/fun \
-H 'Accept: */*' \
-H 'Authorization: Bearer <tokenvalue>' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/json' \
-H 'Host: xxx.xx.xx' \
-H 'Postman-Token: e729-4c33-b3fc-3337cd63d691,c5cbadcd-dace-487d-9cc0-
8e833262905b' \
-H 'User-Agent: PostmanRuntime/7.11.0' \
-H 'accept-encoding: gzip, deflate' \
-H 'cache-control: no-cache'
-H 'content-length: 51' \
-d '{
"abc": "xxx",
"cde": "iouiio"
}'
Can someone please help me.
Thanks
I want call TravelItineraryAddInfo to add passenger to PNR, but api return error ENTRY VALID ONLY FOR SUBSCRIBER PNR , ERR.SWS.HOST.ERROR_IN_RESPONSE.
How can I fix this issue ?
My request
<TravelItineraryAddInfoRQ xmlns="http://webservices.sabre.com/sabreXML/2011/10" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" TimeStamp="2016-05-17T15:30:00-06:00" Version="2.2.0" ReturnHostCommand="false">
<AgencyInfo>
<Address>
<AddressLine>xxxx</AddressLine>
<CityName>xxx</CityName>
<CountryCode>XX</CountryCode>
<PostalCode>xxxx</PostalCode>
<StateCountyProv StateCode="xx"/>
<StreetNmbr>xx</StreetNmbr>
</Address>
</AgencyInfo>
<CustomerInfo>
<ContactNumbers>
<ContactNumber InsertAfter="0" LocationCode="VN" NameNumber="1.1" Phone="984163620" PhoneUseType="H"/>
</ContactNumbers>
<Email Address="xxx#gmail.com" LanguageOverride="O" NameNumber="1.1" Type="CC"/>
<PersonName Infant="false" NameNumber="1.1" PassengerType="ADT">
<GivenName>Smith</GivenName>
<Surname>TEST</Surname>
</PersonName>
</CustomerInfo>
This is response api:
<stl:SystemSpecificResults>
<stl:Message>.ENTRY VALID ONLY FOR SUBSCRIBER PNR</stl:Message>
<stl:ShortText>ERR.SWS.HOST.ERROR_IN_RESPONSE</stl:ShortText>
</stl:SystemSpecificResults>
</stl:Error>
I'm trying to get the SAML2BearerGrantHandler in APIM 2.0.0 up and running. I'm using Auth0 as the IdP with their SAML2 add on.
I've created the IdP in carbon console, uploaded the signing cert etc.
I sort of followed this document to test the grant: https://docs.wso2.com/display/AM200/SAML+Extension+Grant
I get back an assertion, but when I try to get a token, I get this error:
[2016-12-22 14:14:07,493] DEBUG - Starting to unmarshall Apache XML-Security-based SignatureImpl element {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
[2016-12-22 14:14:07,493] DEBUG - Constructing Apache XMLSignature object {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
[2016-12-22 14:14:07,493] DEBUG - Adding canonicalization and signing algorithms, and HMAC output length to Signature {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
[2016-12-22 14:14:07,493] DEBUG - Adding KeyInfo to Signature {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
[2016-12-22 14:14:07,496] DEBUG - Attempting to validate signature using key from supplied credential {org.opensaml.xml.signature.SignatureValidator}
[2016-12-22 14:14:07,496] DEBUG - Creating XMLSignature object {org.opensaml.xml.signature.SignatureValidator}
[2016-12-22 14:14:07,496] DEBUG - Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1 {org.opensaml.xml.signature.SignatureValidator}
[2016-12-22 14:14:07,496] DEBUG - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' {org.opensaml.xml.signature.SignatureValidator}
[2016-12-22 14:14:07,496] DEBUG - signatureMethodURI = http://www.w3.org/2000/09/xmldsig#rsa-sha1 {org.apache.xml.security.signature.XMLSignature}
[2016-12-22 14:14:07,497] DEBUG - jceSigAlgorithm = SHA1withRSA {org.apache.xml.security.signature.XMLSignature}
[2016-12-22 14:14:07,497] DEBUG - jceSigProvider = SunRsaSign {org.apache.xml.security.signature.XMLSignature}
[2016-12-22 14:14:07,498] DEBUG - PublicKey = Sun RSA public key, 2048 bits
modulus: 26353633891041219443555298896940833763013288672547189529990760782389210433157310523660493244822551263271160825380041450279478692306592200788388889392222651352619319200257986531144181422406322904036906144840963109856120111801402390951198592877952280076297215745933238289610251813795329247172444398191149065258417196041849903979764273498745394547327839617271694646395229047487503702861075929157239530326410733377150539916753245430560066336565896803919667301164361866985565847943467875326115118253431566885711860811510147756117932985644696034426336566866370975790479374077388749068216645015606582681408478883949754138717
public exponent: 65537 {org.apache.xml.security.signature.XMLSignature}
[2016-12-22 14:14:07,498] ERROR - Error while validating the signature. {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler}
org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:74)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:472)
at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:194)
at org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:219)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:246)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:110)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.xml.security.signature.XMLSignatureException: Signature length not correct: got 0 but was expecting 256
Original Exception was java.security.SignatureException: Signature length not correct: got 0 but was expecting 256
at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:93)
at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(SignatureAlgorithm.java:301)
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:723)
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:69)
... 58 more
Caused by: java.security.SignatureException: Signature length not correct: got 0 but was expecting 256
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
at java.security.Signature$Delegate.engineVerify(Signature.java:1219)
at java.security.Signature.verify(Signature.java:652)
at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:91)
... 61 more
So, it seems that the assertion is read ok, but I'm stuck verifying the signature. Did anyone have this issue before and solved it?
-- UPDATE:
this is the assertion that's generated by Auth0:
<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="nieapeeiianlpgnhhkmildecgaajocfbpdonepgi" IssueInstant="2016-12-27T08:37:07.712Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:spronq.eu.auth0.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#nieapeeiianlpgnhhkmildecgaajocfbpdonepgi">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>z7dAuipcj9k945anY2H4BpJJ00w=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC7jCCAdagAwIBAgIJa9PaSP2xH3taMA0GCSqGSIb3DQEBBQUAMB4xHDAaBgNVBAMTE3Nwcm9u
cS5ldS5hdXRoMC5jb20wHhcNMTYxMDEyMDYyMDQyWhcNMzAwNjIxMDYyMDQyWjAeMRwwGgYDVQQD
ExNzcHJvbnEuZXUuYXV0aDAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0MLQ
btTBiUvTRlDMZ8ynAaNQWxuKvoL7FBI47rw1apxLfTtYnBBIeD4NC0XHkEP0hJ8cWKz/z37PmCS9
HNZpIk8yuIQS8pZiafEdMIiBBuFqrDJ1okrTt9koweAs+Gmu1oJIENpFRg5Ud81t1nWqj89m9pOp
F7MBx/z6ZZcUDKBaB+XnrOtZzH4Oo//+AlkFmPHVuU8S0Zva68RC9SLnoxLGpm+ZM4aoHFlP/tOO
kHKh+4w4HLBzXy+fzG6wktEisvGhkAgvcV4PmuVdFXZmj1JCQLGA4O4Itzl4P2337TOK4tMCwSFd
CclqhNBjtITe5tJ+CeBDZD7+8lDvNrtAXQIDAQABoy8wLTAMBgNVHRMEBTADAQH/MB0GA1UdDgQW
BBRMyIkyGViVCCV8fPj7XZY/gjzLGjANBgkqhkiG9w0BAQUFAAOCAQEAx4D72OFZ1KaTrCOYfz7E
Z6OuWHZ21R3zdvJes+JBUcp9imnzvJTBi0IkjK1lOjuBddcPsSI7aGK5Da+zqbiR2TvbWnEphlYY
rPgVsQEp1OhelQwmQALd6C/28HFVUF/rC74LmSP5akXTl5itTt2H04P0dHbTF8/sBTSqfm1PLdp/
gseJTUszQTVNE6oM1U70VAZ4cRR5B8Qkb0Y54nRGllv8FdShxVf2GBaZIOriolh8wojNE47igXOm
nfvfWeZydyV9LVFi9uaT3LOiuct9s+MeFj8WDcUy3QwumVdXwh3a8R82PlPdlTXkZC/UDqSP26t5
0bgZF3esedF3TCqA9w==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">d.kruitbosch#vanlanschot.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2016-12-27T08:42:07.712Z" Recipient="https://localhost:8243/token"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2016-12-27T08:37:07.712Z" NotOnOrAfter="2016-12-27T08:42:07.712Z"><saml:AudienceRestriction><saml:Audience>https://localhost:8243/token</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2016-12-27T08:37:07.774Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="w"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">s</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
Thanks,
Danny
So I solved this, with a lot of manual steps. But at least I know the saml bearer token is working.
I couldn't get it to work with the SAMLAssertionCreator.jar that's linked in the WSO2 documentation. So what I did is the following:
Changed the SAML settings in Auth0 to set the proper Audience and Recipient values.
In Auth0 used the debug tool of the SAML Addon to create an SAML assertion.
Copied the SAML response, copied <Assertion>...</Assertion> part, minified the XML and encoded it (using http://kjur.github.io/jsjws/tool_b64uenc.html).
Created a test in Postman and used the encoded assertion to get an
access token.
This works, so know I can start creating my client to use these steps and have a way to verify everything.
Regards,
Danny
I have problem with decryption of the received authentication response SAML message.
My app is connected with two IdP's of different types. Frist is ForgeRocks, OpenAM
and second Microsoft's ADFS server.
Both IdPs were provided with same service provider metadata document that contains same
certificate public keys for encyrption and signing.
Case 01
IdP : OpenAM, ForgeRock
Result : Process properly decryption and response.
Case 02
IdP : ADFS 2.0, Microsoft
Result : Failed decryption with error : CryptographicException, Bad Data.
Is it possible that encryption on IdP side is different for the same asymetric key pair ?
Or I am getting something wrong ?
As I see there are differences in EncryptedAssertion xml node. EncryptionMethod Algorithms are different.
Here are key nodes.
OpenAM, ForgeRock
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element"
>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
/>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
ADFS 2.0, Microsoft
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=certName</ds:X509IssuerName>
<ds:X509SerialNumber>-18xxxxxx</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue></e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
As I see there are differences on used encryption methods. Also in second case there is certificate's alias name and serial number. Also serial number has negative value (maybe because I am using self signed certificate).
Thanks,
You have this exception as in corresponding xml nodes there are no data to decrypt that's the reason:
<e:CipherData>
<e:CipherValue>No data!!!</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>No data!!!</xenc:CipherValue>
</xenc:CipherData>
Example how it should be:
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=name, O=Name, S=CA, C=us</ds:X509IssuerName>
<ds:X509SerialNumber>0</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>qSMgmgpO0+1vhdt5wvyhNT+uh3BhmOlFD4IiWTPoj2N90nOUzwEoEkWCuGzHDizxq6rvc5eoikjgcbz5TYFlIX+eizyxcJQFl02t... SOME VALUES HERE=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>RSCxYAMJ7RaD+MtEcnmE9EwLmvDJgTsXx5MOKJYUJiAmQWziSLNolZQYt5xgUPHJaD+co/PoWwifWuobHdClFwBBMR/lAqWAHIQldP+ro ... SOME VALUES HERE=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>