SAML Java Spring Boot - PKIX 路径构造因不受信任的凭证而失败

Posted 2023-02-27

【中文标题】SAML Java Spring Boot - PKIX 路径构造因不受信任的凭证而失败

【英文标题】：SAML Java Sping Boot - PKIX path construction failed for untrusted credential

【发布时间】：2020-09-15 04:45:22

【问题描述】：

使用最新库在 Java Spring Boot 中设置 SAML 2.0 时遇到此问题。

我遵循了本指南： https://www.programcreek.com/java-api-examples/?code=choonchernlim%2Fspring-security-adfs-saml2%2Fspring-security-adfs-saml2-master

这里有一些相关的代码，但如果有其他帮助，请告诉我：

    @Bean
    public KeyManager keyManager()
    
        return new JKSKeyManager(keyStoreResource, keystorePassword, ImmutableMap.of(keystoreKeyAlias, keystorePrivateKeyPassword), keystoreKeyAlias);
    

    @Bean
    public SAMLDiscovery samlIDPDiscovery()
    
        return new SAMLDiscovery();
    

    @Bean
    public MetadataDisplayFilter metadataDisplayFilter()
    
        return new MetadataDisplayFilter();
    

    @Bean
    public TLSProtocolConfigurer tlsProtocolConfigurer()
    
        TLSProtocolConfigurer t = new TLSProtocolConfigurer();
        //t.setSslHostnameVerification("allowAll");
        return t;
    

    // Configure TLSProtocolConfigurer
    @Bean
    public ProtocolSocketFactory protocolSocketFactory()
    
        //return new TLSProtocolSocketFactory(keyManager(), null, "defaultAndLocalhost");
        return new TLSProtocolSocketFactory(keyManager(), null, "default");
    

    @Bean
    public Protocol protocol()
    
        return new Protocol("https", protocolSocketFactory(), 443);
    

    @Bean
    public MethodInvokingFactoryBean socketFactoryInitialization()
    
        MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
        methodInvokingFactoryBean.setTargetClass(Protocol.class);
        methodInvokingFactoryBean.setTargetMethod("registerProtocol");
        methodInvokingFactoryBean.setArguments(new Object[]  "https", protocol() );
        return methodInvokingFactoryBean;
    

    @Bean
    public CachingMetadataManager metadata() throws MetadataProviderException
    
        HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(new Timer(true), httpClient(), idpUrl);
        httpMetadataProvider.setParserPool(parserPool());

        //ExtendedMetadata em = new ExtendedMetadata(); //Attempt to explicitly add cert alias to extended metadata
        //em.setAlias(keystoreCertAlias);
        //em.setSigningKey("*.product.company.com");

        ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider);//, em);

        extendedMetadataDelegate.setMetadataTrustCheck(false);

        return new CachingMetadataManager(ImmutableList.<MetadataProvider>of(extendedMetadataDelegate));
    

这是错误：

2020-05-27 17:02:27.552 ERROR 41402 --- [           main] o.s.s.s.t.MetadataCredentialResolver     : PKIX path construction failed for untrusted credential: [subjectName='CN=*.product.company.com,O=Company,L=Location,ST=state,C=US']: unable to find valid certification path to requested target
2020-05-27 17:02:27.556  INFO 41402 --- [           main] o.a.c.httpclient.HttpMethodDirector      : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null
2020-05-27 17:02:27.557  INFO 41402 --- [           main] o.a.c.httpclient.HttpMethodDirector      : Retrying request
...

javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) ~[openws-1.5.4.jar:na]
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.4.jar:na]
    at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:na]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.4.jar:na]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.4.jar:na]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) [opensaml-2.6.4.jar:na]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.4.jar:na]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
    at com.company.product.ProductApplication.main(ProductApplication.java:10) ~[classes/:na]

像这样创建 JKS 密钥库（使用附加密钥）：

keytool -genkeypair \
 -v \
 -keystore product.jks \
 -storepass hidden \
 -alias product \
 -dname 'CN=localhost, OU=Company, O=Org, L=Loc, ST=State, C=US' \
 -keypass hidden \
 -keyalg RSA \
 -keysize 2048 \
 -sigalg SHA256withRSA

我也包含了证书： Signature trust establishment failed for SAML metadata entry 我的 IDP 提供的证书包含在我的密钥库中：

keytool -importcert \
  -file cert.pem \
  -keystore product.jks \
  -alias idp-server \
  -storepass hidden

我已经尝试了以下所有门票：

SSL peer failed hostname validation in Spring SAML 尝试在 KeyManager 中添加密码中包含的证书（我将证书密码设置为密钥库密码，因为证书没有）

Spring Security SAML + HTTPS to another page 尝试了 TLSProtocolConfigurer.setSslHostnameVerification 中的 allowAll 和 TLSProtocolSocketFactory 构造函数中的 defaultAndLocalhost。

Spring Security SAML IdP Metadata Certificate and Signature 信任检查已被禁用： extendedMetadataDelegate.setMetadataTrustCheck(false);

Signature trust establishment failed for SAML metadata entry 尝试在附加到委托的 ExtendedMetadata 中设置证书的别名：

ExtendedMetadata em = new ExtendedMetadata();
em.setAlias(keystoreCertAlias);
em.setSigningKey("*.product.company.com"); //This is obfuscated
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider, em);

我的倾向是我使用证书错误地设置了密钥库。我尝试将 PEM 转换为 crt 和 cer 以查看是否会有所不同，但没有。我可以向您保证这是 IDP 证书而不是域证书（仅供参考，这是故意不使用 cacerts，而是在密钥库中包含证书以使用 HTTPS）。

非常感谢任何想法/帮助！ 谢谢。

【参考方案1】：

为了解决这个问题，我删除了 tlsProtocolConfigurer bean 和与之关联的所有 bean。我不完全确定为什么该示例包含此内容，因为没有它，它与 HTTPS（和 localhost）完美结合。

注意： 我假设实际问题是 tlsProtocolConfigurer 没有在密钥库中找到证书，但对于我的应用程序来说，整个 bean 不是必需的，因此它成为一个有争议的问题。