unable to verify message signature with supplied trust engine

Ian MacDonald
So I appear to be having some credential issues.

I have signed all my metadata, and now I cannot seem to get my Shib SP
working. Oracle SP is working fine.

Two profile scenarios I have tried are below.

With this defaultRelying profile:
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                              includeAttributeStatement="true"
                              assertionLifetime="300000"
                              assertionProxyCount="0"
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="never" />

I get this on screen:

opensaml::FatalProfileException at
(https://sp.example.org/Shibboleth.sso/SAML2/POST)
Unable to establish security of incoming assertion.


And this in my SP logs with the default profile:

2010-04-06 23:58:06 DEBUG XMLTooling.StorageService [1]: inserted record (_75e8a1c86cf286e11ac7fedd4e4dc961) in context (MessageFlow)
2010-04-06 23:58:06 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2010-04-06 23:58:06 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't match
2010-04-06 23:58:06 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: unable to validate signature, no credentials available from peer
2010-04-06 23:58:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: validating signature using certificate from within the signature
2010-04-06 23:58:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: signature verified with key inside signature, attempting certificate validation...
2010-04-06 23:58:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: checking that the certificate name is acceptable
2010-04-06 23:58:06 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't match
2010-04-06 23:58:06 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate name was not acceptable
2010-04-06 23:58:06 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine


I believe my certs are okay, so I try to disable signatures to test
further with this profile:

        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                              includeAttributeStatement="true"
                              assertionLifetime="300000"
                              assertionProxyCount="0"
                              signResponses="never"
                              signAssertions="never"
                              encryptAssertions="never"
                              encryptNameIds="never" />

On my SP I have   <ApplicationDefaults ...
        signing="false" encryption="false">

And I see this on screen:

opensaml::FatalProfileException at
(https://sp.example.org/Shibboleth.sso/SAML2/POST)
Unable to establish security of incoming assertion.

And I see this in my logs:

2010-04-07 01:10:04 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [3]: evaluating message flow policy (replay checking on, expiration 60)
2010-04-07 01:10:04 DEBUG XMLTooling.StorageService [3]: inserted record (_bc35419566268c2dc8b783fa001591c4) in context (MessageFlow)
2010-04-07 01:10:04 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [3]: assertion satisfied bearer confirmation requirements
2010-04-07 01:10:04 WARN Shibboleth.SSO.SAML2 [3]: detected a problem with assertion: Unable to establish security of incoming assertion.

I have not changed <SecurityPolicies> from the flexible defaults.
My IdP metadata cert is configured as <MetadataFilter type="Signature"
certificate="/etc/ssl/certs/idp.crt"/>.
My SP credentials are the ones used to sign my SP metadata.
My signed SP metadata comes from the handler.

I may be tired, but I seem to be travelling in circles with this latest
credential issue.



Re: unable to verify message signature with supplied trust engine

Ian MacDonald
There is an error below.
On Wed, 2010-04-07 at 01:27 -0400, Ian MacDonald wrote:

> So I appear to be having some credentials issues
>
> I have signed all my metadata, and now I can not seem to get my Shib SP
> working.  Oracle SP is working fine.
>
> Two profile scenarios I have tried are below.
>
> With this defaultRelying profile :
>         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
>                               includeAttributeStatement="true"
>                               assertionLifetime="300000"
>                               assertionProxyCount="0"
>                               signResponses="conditional"
>                               signAssertions="never"
>                               encryptAssertions="conditional"
>                               encryptNameIds="never" />
>
> I get this on screen
>
> opensaml::FatalProfileException at
> (https://sp.example.org/Shibboleth.sso/SAML2/POST)
> Unable to establish security of incoming assertion.

For the default profile, my previously working SPs (two of them) now
show:


Message was signed, but signature could not be verified.

This is the message associated with the log below.

My IDP metadata and its IdPCredentials are in sync, so I am lost as to
what is causing this message.

Spent hours just on this one issue... on to another round of total cert
purge, regen-cert, resign...

>
> And this in my SP logs with the default profile
>
> 2010-04-06 23:58:06 DEBUG XMLTooling.StorageService [1]: inserted record (_75e8a1c86cf286e11ac7fedd4e4dc961) in context (MessageFlow)
> 2010-04-06 23:58:06 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
> 2010-04-06 23:58:06 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't match
> 2010-04-06 23:58:06 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: unable to validate signature, no credentials available from peer
> 2010-04-06 23:58:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: validating signature using certificate from within the signature
> 2010-04-06 23:58:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: signature verified with key inside signature, attempting certificate validation...
> 2010-04-06 23:58:06 DEBUG XMLTooling.TrustEngine.PKIX [1]: checking that the certificate name is acceptable
> 2010-04-06 23:58:06 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't match
> 2010-04-06 23:58:06 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate name was not acceptable
> 2010-04-06 23:58:06 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine


Re: unable to verify message signature with supplied trust engine

Ian MacDonald
On Wed, 2010-04-07 at 02:55 -0400, Ian MacDonald wrote:
>
> My IDP metadata and its IdPCredentials are in sync, so I am lost as to
> what is causing this message.
>
> Spent hours just on this one issue.. on to another round of total cert
> purge regen-cert-resign..

And after one more round, it all works. My problem was way too many
metadata files and certs lying around with similar names, paths, etc.
after a week of tinkering.

One total purge on the IdP did not solve the issue, so I patiently read
a few more threads... all with the same answer... but the one below led me
to the fact that my SPs had the wrong version of the IdP metadata, not just
that the metadata and IdP credentials were outta whack.

For the record, I think Chad's response here:

https://mail.internet2.edu/wws/arc/shibboleth-users/2008-05/msg00609.html

is a better stepwise answer than #1's description here:

https://spaces.internet2.edu/display/SHIB2/NativeSPTroubleshootingCommonErrors#NativeSPTroubleshootingCommonErrors-Messagewassigned%2Cbutsignaturecouldnotbeverified.

The certificate in the metadata is different from the one configured in
relying-party.xml, and hence, the one in the message. You should change
them so they match.
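The closing advice above (the certificate in the metadata must be the one the IdP actually signs with) can be checked mechanically before another round of purge-and-regen. The following is an added example, not code from this thread or from the Shibboleth project: it compares SHA-256 fingerprints of the IdP signing certificate(s) in an SP's copy of the IdP metadata against a PEM file such as the /etc/ssl/certs/idp.crt mentioned earlier; the entityID and the certificate bytes are constructed placeholders.

```python
# Added example, not from this thread: check that the IdP signing cert an SP
# holds in its copy of the IdP metadata is the one the IdP signs with (e.g.
# /etc/ssl/certs/idp.crt). Stdlib only; the "certificates" are constructed bytes.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace; return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER, what 'openssl x509 -sha256 -fingerprint' prints."""
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml: str, entity_id: str) -> set:
    """Certs in KeyDescriptors usable for signing (use="signing" or no use)."""
    found = set()
    for ed in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iterfind(".//md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue  # an encryption-only key never verifies a signature
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                found.add(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return found

def idp_cert_matches_metadata(metadata_xml: str, entity_id: str, idp_pem: str) -> bool:
    """True when the IdP's live signing cert is one the SP's metadata trusts."""
    return fingerprint(pem_to_der(idp_pem)) in signing_fingerprints(metadata_xml, entity_id)

# Constructed sample: the SP still holds stale IdP metadata carrying cert A
# (and cert B only for encryption) while the IdP now signs with cert B.
ENTITY = "https://idp.example.org/idp/shibboleth"
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()
STALE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{ENTITY}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
LIVE_IDP_CRT = f"-----BEGIN CERTIFICATE-----\n{CERT_B}\n-----END CERTIFICATE-----\n"
```

Run `idp_cert_matches_metadata(STALE_METADATA, ENTITY, LIVE_IDP_CRT)` against the real metadata file and idp.crt; a False result is the stale-metadata situation this thread ended on, and the ExplicitKey trust engine will keep logging "keys didn't match" until the SP's copy is refreshed.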

