I have a problem with a security scenario I am trying to implement.
Actually I think this is a very common case, because it is in the OASIS examples: a SAML2 token over an SSL connection with client authentication.
WS-Security policy and SAML2 token, signature error with a custom token
The policy I am using is this:
<wsp:Policy wsu:Id="MyX509" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="true"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedEndorsingSupportingTokens>
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<sp:Issuer>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://localhost:9443/services/wso2carbon-sts</Address>
</sp:Issuer>
<sp:RequestSecurityTokenTemplate xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
<t:KeySize>256</t:KeySize>
<t:Claims Dialect="http://wso2.org/claims" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
<ic:ClaimType Uri="http://wso2.org/claims/givenname" />
</t:Claims>
</sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>
</wsp:Policy>
</sp:SignedEndorsingSupportingTokens>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
</rampart:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
I am using WSO2 Identity Server as the STS and WSO2 ESB as the PEP. My problem is on the client side: after obtaining the SAML token from IS, Axis2 throws an exception while building the request; the exception happens before the request is sent. So I think there is something wrong with my policy.
This is the exception:
org.apache.axis2.AxisFault: Error in signature with a custom token
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
at samples.services.StockQuoteProxyStub.getQuote(StockQuoteProxyStub.java:259)
at org.wso2.carbon.identity.samples.sts.Client.run(Client.java:203)
at org.wso2.carbon.identity.samples.sts.Client.main(Client.java:91)
Caused by: org.apache.rampart.RampartException: Error in signature with a custom token
at org.apache.rampart.builder.TransportBindingBuilder.doIssuedTokenSignature(TransportBindingBuilder.java:462)
at org.apache.rampart.builder.TransportBindingBuilder.build(TransportBindingBuilder.java:119)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:140)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
... 10 more
Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:558)
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:478)
at org.apache.rampart.builder.TransportBindingBuilder.doIssuedTokenSignature(TransportBindingBuilder.java:451)
... 13 more
Caused by: java.lang.IllegalArgumentException: list of references must contain at least one entry
at org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(DOMSignedInfo.java:70)
at org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(DOMSignedInfo.java:99)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.newSignedInfo(DOMXMLSignatureFactory.java:100)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.newSignedInfo(DOMXMLSignatureFactory.java:95)
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:507)
... 15 more
UPDATE
I noticed a difference between my transport binding policy and the one in the OASIS example. The policy is now:
<wsp:Policy wsu:Id="MyX509" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy>
<sp:RequireClientCertificate/>
</wsp:Policy>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedEndorsingSupportingTokens>
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<sp:Issuer>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://localhost:9443/services/wso2carbon-sts</Address>
</sp:Issuer>
<sp:RequestSecurityTokenTemplate xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
<t:KeySize>256</t:KeySize>
<t:Claims Dialect="http://wso2.org/claims" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
<ic:ClaimType Uri="http://wso2.org/claims/givenname" />
</t:Claims>
</sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>
</wsp:Policy>
</sp:SignedEndorsingSupportingTokens>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
</rampart:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Now I can send the request, but I get an exception on the ESB:
TID: [0] [ESB] [2014-10-31 11:10:20,673] ERROR {org.apache.axis2.transport.base.threads.NativeWorkerPool} - Uncaught exception {org.apache.axis2.transport.base.threads.NativeWorkerPool}
java.lang.NullPointerException
at org.apache.ws.security.message.token.SecurityTokenReference.getKeyIdentifier(SecurityTokenReference.java:446)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:250)
at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:244)
at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:148)
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:334)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:214)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:411)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:183)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Could it be a keystore problem?
UPDATE2
I modified the policy again, trying to give Rampart some configuration about the keystore (actually I don't really know what I'm doing :))
<wsp:Policy wsu:Id="MyX509"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy>
<sp:RequireClientCertificate />
</wsp:Policy>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedEndorsingSupportingTokens>
<wsp:Policy>
<sp:IssuedToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<sp:Issuer>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://localhost:9443/services/wso2carbon-sts
</Address>
</sp:Issuer>
<sp:RequestSecurityTokenTemplate
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
</t:KeyType>
<t:KeySize>256</t:KeySize>
<t:Claims Dialect="http://wso2.org/claims"
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
<ic:ClaimType Uri="http://wso2.org/claims/givenname" />
</t:Claims>
</sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>
</wsp:Policy>
</sp:SignedEndorsingSupportingTokens>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true
</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore
</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
<rampart:encryptionCrypto>
<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto"
cryptoKey="org.wso2.carbon.security.crypto.privatestore">
<rampart:property name="org.wso2.carbon.security.crypto.alias">server</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">server.jks
</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">server.jks,
</rampart:property>
<rampart:property name="rampart.config.user">server</rampart:property>
</rampart:crypto>
</rampart:encryptionCrypto>
<rampart:signatureCrypto>
<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto"
cryptoKey="org.wso2.carbon.security.crypto.privatestore">
<rampart:property name="org.wso2.carbon.security.crypto.alias">server</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">server.jks
</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">server.jks,
</rampart:property>
<rampart:property name="rampart.config.user">server</rampart:property>
</rampart:crypto>
</rampart:signatureCrypto>
</rampart:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Now I get a brand new exception:
TID: [0] [ESB] [2014-10-31 11:44:51,583] ERROR {org.apache.synapse.transport.passthru.ServerWorker} - Error processing POST request for : /services/StockQuoteProxy.StockQuoteProxyHttpsSoap12Endpoint {org.apache.synapse.transport.passthru.ServerWorker}
org.apache.axis2.AxisFault: The signature or decryption was invalid; nested exception is:
java.security.UnrecoverableKeyException: Cannot recover key
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:411)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:183)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
java.security.UnrecoverableKeyException: Cannot recover key
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:370)
at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:244)
at org.apache.ws.security.saml.SAML2Util.getSAML2KeyInfo(SAML2Util.java:148)
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:334)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:214)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at org.wso2.carbon.security.util.ServerCrypto.getPrivateKey(ServerCrypto.java:247)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:368)
... 18 more
The content of server.jks, which is also used in the axis2.xml configuration, is:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
Alias name: client
Creation date: 27-Oct-2014
Entry type: trustedCertEntry
Owner: CN=Client, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: 2
Valid from: Mon Oct 27 15:50:03 CET 2014 until: Sat Aug 11 16:50:03 CEST 2288
Certificate fingerprints:
MD5: F5:5E:E1:2D:AF:0A:BE:D2:62:8C:90:61:BD:6B:60:5C
SHA1: B4:47:78:08:14:FC:79:86:3F:01:32:85:4C:1F:97:67:9E:0F:E3:4F
Signature algorithm name: SHA1withRSA
Version: 1
*******************************************
*******************************************
Alias name: wso2carbon
Creation date: 31-Oct-2014
Entry type: trustedCertEntry
Owner: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
Issuer: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
Serial number: 4b7e3782
Valid from: Fri Feb 19 08:02:26 CET 2010 until: Tue Feb 13 08:02:26 CET 2035
Certificate fingerprints:
MD5: 02:FB:AA:5F:20:64:49:4A:27:29:55:71:83:F7:46:CD
SHA1: 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]
*******************************************
*******************************************
Alias name: cacert
Creation date: 27-Oct-2014
Entry type: trustedCertEntry
Owner: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: d072ec58b3585976
Valid from: Mon Oct 27 15:50:03 CET 2014 until: Sat Aug 11 16:50:03 CEST 2288
Certificate fingerprints:
MD5: FA:4F:7C:C5:6A:43:5B:25:7C:3E:5B:E5:76:39:82:44
SHA1: 20:F3:C0:3F:28:A1:2E:9B:82:81:1A:08:D7:99:02:A3:87:BD:23:2F
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 3F E9 0F 6E F0 2D CD 7C 11 9D DC 54 F8 70 B6 .?..n.-.....T.p.
0010: CA 80 FE DD ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 3F E9 0F 6E F0 2D CD 7C 11 9D DC 54 F8 70 B6 .?..n.-.....T.p.
0010: CA 80 FE DD ....
]
]
*******************************************
*******************************************
Alias name: server
Creation date: 27-Oct-2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=10.0.3.124, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Issuer: CN=Exprivia Certification Authority, OU=Innovation Lab, O=Exprivia, L=Molfetta, ST=Bari, C=IT
Serial number: 1
Valid from: Mon Oct 27 15:50:03 CET 2014 until: Sat Aug 11 16:50:03 CEST 2288
Certificate fingerprints:
MD5: 2B:67:3A:03:1D:33:3B:C4:49:EE:4C:EA:17:74:E0:10
SHA1: 41:92:2A:E3:8E:DE:FE:0A:3D:3D:CF:F1:10:02:02:74:45:3A:6B:8E
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
IPAddress: 10.0.3.124
]
*******************************************
*******************************************
Any clue?
Thanks, Paolo
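The last trace in the question ends in `ServerCrypto.getPrivateKey` calling `KeyStore.getKey`, and a JKS keystore throws `UnrecoverableKeyException: Cannot recover key` from exactly that call when the password supplied for the private-key entry is not the password that entry was protected with (a key password that differs from the store password is the usual way this happens; a wrong store password would already fail in `KeyStore.load`). The following is an added example, not code from the question or from WSO2/Rampart: a small Java check that loads a JKS file, lists each alias the way the `keytool` output above does, and for every `PrivateKeyEntry` attempts the same `getKey` call first with the store password and then with an optional separate key password, so you can see which one the `server` entry actually needs before pointing Rampart at it. The keystore path and passwords are command-line arguments (assumed; the question's `server.jks` is the intended input).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Keystore sanity check for a Rampart/WSS4J "Cannot recover key" failure.
 * Usage: java KeyStoreCheck <keystore.jks> <storepass> [keypass]
 * (example code; paths and passwords are whatever you pass on the command line)
 */
public class KeyStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyStoreCheck <keystore.jks> <storepass> [keypass]");
            System.exit(2);
        }
        String path = args[0];
        char[] storePass = args[1].toCharArray();
        // If no separate key password is given, assume it equals the store password,
        // which is what most tooling does implicitly
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            // load() checks the store integrity with storePass; a wrong store
            // password fails here, not later in getKey()
            ks.load(in, storePass);
        }

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // trustedCertEntry: certificate only, cannot sign or decrypt
                System.out.println(alias + ": trustedCertEntry (no private key)");
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "?";
            System.out.println(alias + ": PrivateKeyEntry, subject=" + subject);

            // This is the call ServerCrypto.getPrivateKey() makes underneath:
            // KeyStore.getKey(alias, password). Try the store password first.
            if (tryRecover(ks, alias, storePass)) {
                System.out.println("  key password == store password: OK");
            } else if (tryRecover(ks, alias, keyPass)) {
                System.out.println("  key password differs from store password;"
                        + " the crypto config must supply the key password separately");
            } else {
                System.out.println("  key cannot be recovered with either password");
            }
        }
    }

    /** Returns true if the private key at alias can be recovered with the given password. */
    static boolean tryRecover(KeyStore ks, String alias, char[] password) throws Exception {
        try {
            Key k = ks.getKey(alias, password);
            return k != null;
        } catch (UnrecoverableKeyException e) {
            // Exactly the exception in the ESB trace: "Cannot recover key"
            return false;
        }
    }
}
```

Run it against the same `server.jks` the ESB uses: if the `server` alias is only recoverable with a password other than the store password, the runtime needs that key password configured; if it is recoverable with the store password, the keystore is not the cause and the problem is in which keystore or alias Rampart is actually resolving.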