Breedlove: openssl - saml signature verification, cannot recover key exception -

openssl - saml signature verification, cannot recover key exception -

i'm trying implement saml authentication on ssl transport, when token verified service provider exception thrown.

the problem occurs when utilize certificates have generated, on countrary when utilize default keystores comes applicatives i'm using (wso2) everythink works fine.

the exception is:

id: [0] [esb] [2014-10-31 17:57:03,320] error {org.apache.synapse.transport.passthru.serverworker} -  error processing post request : /services/stockquoteproxy.stockquoteproxyhttpssoap12endpoint {org.apache.synapse.transport.passthru.serverworker} org.apache.axis2.axisfault: signature or decryption invalid; nested exception is:      java.security.unrecoverablekeyexception: cannot recover key     @ org.apache.rampart.handler.rampartreceiver.setfaultcodeandthrowaxisfault(rampartreceiver.java:186)     @ org.apache.rampart.handler.rampartreceiver.invoke(rampartreceiver.java:95)     @ org.apache.axis2.engine.phase.invokehandler(phase.java:340)     @ org.apache.axis2.engine.phase.invoke(phase.java:313)     @ org.apache.axis2.engine.axisengine.invoke(axisengine.java:261)     @ org.apache.axis2.engine.axisengine.receive(axisengine.java:167)     @ org.apache.synapse.transport.passthru.serverworker.processentityenclosingrequest(serverworker.java:411)     @ org.apache.synapse.transport.passthru.serverworker.run(serverworker.java:183)     @ org.apache.axis2.transport.base.threads.nativeworkerpool$1.run(nativeworkerpool.java:172)     @ java.util.concurrent.threadpoolexecutor$worker.runtask(threadpoolexecutor.java:886)     @ java.util.concurrent.threadpoolexecutor$worker.run(threadpoolexecutor.java:908)     @ java.lang.thread.run(thread.java:662) caused by: org.apache.ws.security.wssecurityexception: signature or decryption invalid; nested exception is:      java.security.unrecoverablekeyexception: cannot recover key     @ org.apache.ws.security.processor.encryptedkeyprocessor.handleencryptedkey(encryptedkeyprocessor.java:370)     @ org.apache.ws.security.saml.saml2util.getsaml2keyinfo(saml2util.java:244)     @ org.apache.ws.security.saml.saml2util.getsaml2keyinfo(saml2util.java:148)     @ org.apache.ws.security.processor.signatureprocessor.verifyxmlsignature(signatureprocessor.java:334)     @ org.apache.ws.security.processor.signatureprocessor.handletoken(signatureprocessor.java:124)     @ org.apache.ws.security.wssecurityengine.processsecurityheader(wssecurityengine.java:332)     @ org.apache.ws.security.wssecurityengine.processsecurityheader(wssecurityengine.java:249)     @ org.apache.rampart.rampartengine.process(rampartengine.java:214)     @ org.apache.rampart.handler.rampartreceiver.invoke(rampartreceiver.java:92)     ... 10 more caused by: java.security.unrecoverablekeyexception: cannot recover key     @ sun.security.provider.keyprotector.recover(keyprotector.java:311)     @ sun.security.provider.javakeystore.enginegetkey(javakeystore.java:121)     @ sun.security.provider.javakeystore$jks.enginegetkey(javakeystore.java:38)     @ java.security.keystore.getkey(keystore.java:763)     @ org.wso2.carbon.security.util.servercrypto.getprivatekey(servercrypto.java:247)     @ org.apache.ws.security.processor.encryptedkeyprocessor.handleencryptedkey(encryptedkeyprocessor.java:368)     ... 18 more

the certificates , keystores generated follows:

server_ip=10.0.3.124  openssl req -keyout cakey.pem -out cacert.pem -newkey rsa:2048 -x509 -days 100000 -batch -subj "/c=it/st=bari/l=molfetta/o=exprivia/ou=innovation lab/cn=exprivia certification authority" -passout pass:exprivia  openssl x509 -outform der -in cacert.pem -out cacert.cert  openssl genrsa -out server.key 1024  #http://apetec.com/support/generatesan-csr.htm  cp /etc/pki/tls/openssl.cnf myssl.cnf  echo -e "\ [req]\n\ req_extensions = v3_req\n\ \n\ [ v3_req ]\n\ \n\ # extensions  add together certificate request\n\ \n\ basicconstraints = ca:false\n\ keyusage = nonrepudiation, digitalsignature, keyencipherment, dataencipherment\n\ subjectaltname = @alt_names\n\ \n\ [alt_names]\n\ ip.1 = $server_ip\n\ " >> myssl.cnf  # usare ip.1 ip.2 etc per gli ip e dns.1 etc per nomi di dominio  openssl req -key server.key -new -out server.req -subj "/c=it/st=bari/l=molfetta/o=exprivia/ou=innovation lab/cn=$server_ip" -config myssl.cnf  -days 100000   openssl req -text -noout -in server.req > server.req.txt  echo "00" >> file.srl  openssl x509 -req -in server.req -ca cacert.pem -cakey cakey.pem -caserial file.srl -out server.pem  -days 100000 -extensions v3_req -extfile myssl.cnf -passin pass:exprivia  openssl x509 -text -noout -in server.pem > server.pem.txt  openssl x509 -outform der -in server.pem -out server.cert  openssl genrsa -out client.key 1024  openssl req -key client.key -new -out client.req -subj "/c=it/st=bari/l=molfetta/o=exprivia/ou=innovation lab/cn=client" -days 100000   openssl x509 -req -in client.req -ca cacert.pem -cakey cakey.pem -caserial file.srl -out client.pem  -days 100000 -passin pass:exprivia  openssl x509 -outform der -in client.pem -out client.cert  openssl pkcs12 -export -in server.pem -inkey server.key -out server.pkcs12 -passout pass:exprivia  keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks -deststorepass exprivia -srcstorepass exprivia -destalias server -srcalias 1 -destkeypass exprivia  keytool -import -file cacert.cert -keystore server.jks -storepass exprivia -alias cacert -noprompt  keytool -import -file client.cert -keystore server.jks -storepass exprivia -alias client -noprompt  keytool -list -v -keystore server.jks -storepass exprivia > server.txt  openssl pkcs12 -export -in client.pem -inkey client.key -out client.pkcs12 -passout pass:exprivia  keytool -importkeystore -srckeystore client.pkcs12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks -deststorepass exprivia -srcstorepass exprivia -destalias client -srcalias 1 -destkeypass exprivia  keytool -import -file cacert.cert -keystore client.jks -storepass exprivia -alias cacert -noprompt  keytool -list -v -keystore client.jks -storepass exprivia > client.txt  #ora importiamo il certificato wso2  keytool -export -keystore /usr/local/wso2is-5.0.0/repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cert -storepass wso2carbon  #necessario per chiamare l'sts in https keytool -import -file wso2carbon.cert -keystore client.jks -storepass exprivia -alias wso2carbon -noprompt  #necessario per decifrare il token generato da keytool -import -file wso2carbon.cert -keystore server.jks -storepass exprivia -alias wso2carbon -noprompt

and corresponding server.jks content is

keystore type: jks keystore provider:  sun  keystore contains 4 entries  alias name: client creation date: 31-oct-2014 entry type: trustedcertentry  owner: cn=client, ou=innovation lab, o=exprivia, l=molfetta, st=bari, c=it issuer: cn=exprivia certification authority, ou=innovation lab, o=exprivia, l=molfetta, st=bari, c=it serial number: 2 valid from: fri oct 31 17:41:32 cet 2014 until: wed aug 15 18:41:32 cest 2288 certificate fingerprints:      md5:  02:9b:a0:c9:f9:21:91:f5:c6:53:28:0b:c3:7e:ee:55      sha1: 64:d9:95:ad:bb:e8:2a:d7:81:11:b7:30:db:ee:be:4e:89:fe:26:4a      signature algorithm name: sha1withrsa      version: 1   ******************************************* *******************************************   alias name: wso2carbon creation date: 31-oct-2014 entry type: trustedcertentry  owner: cn=localhost, o=wso2, l=mountain view, st=ca, c=us issuer: cn=localhost, o=wso2, l=mountain view, st=ca, c=us serial number: 4b7e3782 valid from: fri feb 19 08:02:26 cet 2010 until: tue feb 13 08:02:26 cet 2035 certificate fingerprints:      md5:  02:fb:aa:5f:20:64:49:4a:27:29:55:71:83:f7:46:cd      sha1: 6b:f8:e1:36:eb:36:d4:a5:6e:a0:5c:7a:e4:b9:a4:5b:63:bf:97:5d      signature algorithm name: sha1withrsa      version: 3  extensions:   #1: objectid: 2.5.29.15 criticality=true keyusage [   digitalsignature   non_repudiation   key_encipherment   data_encipherment ]    ******************************************* *******************************************   alias name: cacert creation date: 31-oct-2014 entry type: trustedcertentry  owner: cn=exprivia certification authority, ou=innovation lab, o=exprivia, l=molfetta, st=bari, c=it issuer: cn=exprivia certification authority, ou=innovation lab, o=exprivia, l=molfetta, st=bari, c=it serial number: f8d3b3c3f00eef91 valid from: fri oct 31 17:41:31 cet 2014 until: wed aug 15 18:41:31 cest 2288 certificate fingerprints:      md5:  dd:d1:4b:85:bc:c0:62:aa:aa:93:9c:9c:7c:ae:69:fb      sha1: 20:a6:f2:1b:37:51:c2:5c:f5:98:98:b9:e5:b3:48:bc:03:0e:50:d2      signature algorithm name: sha1withrsa      version: 3  extensions:   #1: objectid: 2.5.29.14 criticality=false subjectkeyidentifier [ keyidentifier [ 0000: 06 44 86 d0 72 c6 ed 99   c7 ee a3 71 5a 77 c3 b4  .d..r......qzw.. 0010: 7c 18 46 2d                                        ..f- ] ]  #2: objectid: 2.5.29.19 criticality=false basicconstraints:[   ca:true   pathlen:2147483647 ]  #3: objectid: 2.5.29.35 criticality=false authoritykeyidentifier [ keyidentifier [ 0000: 06 44 86 d0 72 c6 ed 99   c7 ee a3 71 5a 77 c3 b4  .d..r......qzw.. 0010: 7c 18 46 2d                                        ..f- ]  ]    ******************************************* *******************************************   alias name: server creation date: 31-oct-2014 entry type: privatekeyentry certificate chain length: 1 certificate[1]: owner: cn=10.0.3.124, ou=innovation lab, o=exprivia, l=molfetta, st=bari, c=it issuer: cn=exprivia certification authority, ou=innovation lab, o=exprivia, l=molfetta, st=bari, c=it serial number: 1 valid from: fri oct 31 17:41:32 cet 2014 until: wed aug 15 18:41:32 cest 2288 certificate fingerprints:      md5:  7c:40:21:05:42:06:12:bc:23:7e:76:69:37:1a:8c:99      sha1: a8:bd:c7:41:7b:0f:98:cf:40:6b:ef:15:bf:4e:da:f4:54:d7:38:03      signature algorithm name: sha1withrsa      version: 3  extensions:   #1: objectid: 2.5.29.15 criticality=false keyusage [   digitalsignature   non_repudiation   key_encipherment   data_encipherment ]  #2: objectid: 2.5.29.19 criticality=false basicconstraints:[   ca:false   pathlen: undefined ]  #3: objectid: 2.5.29.17 criticality=false subjectalternativename [   ipaddress: 10.0.3.124 ]    ******************************************* *******************************************

where

the client asks token secure token service, uses client.jks the sts uses wso2carbon.jks , signs token server.cert the saml protected service provider, uses server.jks

where problem?

thanks, paolo

according exception org.wso2.carbon.security.util.servercrypto.getprivatekey ; private key password have configured not valid. using wso2 products, there carbon.xml file need configure keystore details such keystore, private key password. please verify them have configured according new keystore.

openssl certificate wso2 keystore saml

Breedlove

Monday 15 August 2011

openssl - saml signature verification, cannot recover key exception -

No comments:

Post a Comment