Signature cryptographic validation not successful - opensaml
I am a newbie to SAML and inherited an application with Spring Boot and the SAML extension. I have a problem updating the certificate in the test environment. The certificate in production was updated without issue earlier. The certificate is packaged in the war file. Here is the last part of the log output.
o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to verify signature and establish trust using KeyInfo-derived credentials
k.BasicProviderKeyInfoCredentialResolver : Found 0 key names: []
k.BasicProviderKeyInfoCredentialResolver : Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
k.BasicProviderKeyInfoCredentialResolver : Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
k.BasicProviderKeyInfoCredentialResolver : Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
k.BasicProviderKeyInfoCredentialResolver : Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
o.o.x.s.k.p.InlineX509DataProvider : Attempting to extract credential from an X509Data
o.o.x.s.k.p.InlineX509DataProvider : Found 1 X509Certificates
o.o.x.s.k.p.InlineX509DataProvider : Found 0 X509CRLs
o.o.x.s.k.p.InlineX509DataProvider : Single certificate was present, treating as end-entity certificate
k.BasicProviderKeyInfoCredentialResolver : Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
k.BasicProviderKeyInfoCredentialResolver : A total of 1 credentials were resolved
.c.c.EvaluableCredentialCriteriaRegistry : Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
o.o.xml.signature.SignatureValidator : Attempting to validate signature using key from supplied credential
o.o.xml.signature.SignatureValidator : Creating XMLSignature object
o.o.xml.signature.SignatureValidator : Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
o.o.xml.signature.SignatureValidator : Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
o.o.xml.signature.SignatureValidator : Signature validated with key from supplied credential
o.o.x.s.impl.BaseSignatureTrustEngine : Signature validation using candidate credential was successful
o.o.x.s.impl.BaseSignatureTrustEngine : Successfully verified signature using KeyInfo-derived credential
o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to establish trust of KeyInfo-derived credential
o.o.x.s.trust.ExplicitKeyTrustEvaluator : Failed to validate untrusted credential against trusted key
o.o.x.s.impl.BaseSignatureTrustEngine : Failed to establish trust of KeyInfo-derived credential
o.o.x.s.impl.BaseSignatureTrustEngine : Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
.o.x.s.i.ExplicitKeySignatureTrustEngine : Attempting to verify signature using trusted credentials
o.o.xml.signature.SignatureValidator : Attempting to validate signature using key from supplied credential
o.o.xml.signature.SignatureValidator : Creating XMLSignature object
o.o.xml.signature.SignatureValidator : Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
o.o.xml.signature.SignatureValidator : Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
o.o.xml.signature.SignatureValidator : Signature cryptographic validation not successful
o.o.x.s.impl.BaseSignatureTrustEngine : Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature cryptographic validation not successful
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142)
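In the log above, the signature verifies with the certificate embedded in the message's KeyInfo, that credential fails the explicit-key trust check, and the trusted credential then fails cryptographic validation. The following diagnostic is an added example, not part of the original post or of OpenSAML: it compares fingerprints of the certificate in a captured response with the signing certificates in the IdP metadata. It assumes the trusted key comes from a metadata XML file; the function names and sample documents are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def fingerprints(nodes):
    """SHA-256 fingerprints of every ds:X509Certificate under the given nodes."""
    found = set()
    for node in nodes:
        for cert in node.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(hashlib.sha256(der).hexdigest())
    return found

def message_certs(response_xml):
    """Certificates the sender embedded in the message (not trusted by themselves)."""
    return fingerprints([ET.fromstring(response_xml)])

def trusted_signing_certs(metadata_xml):
    """Certificates from KeyDescriptors usable for signing (use="signing" or unset)."""
    root = ET.fromstring(metadata_xml)
    return fingerprints(kd for kd in root.iter(MD + "KeyDescriptor")
                        if kd.get("use") in (None, "signing"))

def untrusted_certs(response_xml, metadata_xml):
    """Fingerprints present in the message but absent from the trusted metadata."""
    return message_certs(response_xml) - trusted_signing_certs(metadata_xml)

# Constructed sample input: the byte strings stand in for DER certificates.
def b64(raw):
    return base64.b64encode(raw).decode()

OLD, NEW = b64(b"constructed-old-cert-der"), b64(b"constructed-new-cert-der")
NS = ('xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
      'xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"')

def sample_response(cert):
    return (f"<Response {NS}><ds:Signature><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert}</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo></ds:Signature></Response>")

def sample_metadata(cert):
    return (f'<md:EntityDescriptor {NS}><md:IDPSSODescriptor><md:KeyDescriptor use="signing">'
            f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>"
            f"</md:EntityDescriptor>")

if __name__ == "__main__":
    # Mismatch case: the message carries NEW, the metadata still lists OLD.
    print(untrusted_certs(sample_response(NEW), sample_metadata(OLD)))
```

A non-empty result means the message is signed with a certificate the configured metadata does not list. The script only compares certificates on files you captured yourself; it does not validate the signature.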
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
