Symfony IDP - openssl 签名错误 EVP_DecryptFinal_ex:bad 解密 - SHA256
Symfony IDP - openssl signing error EVP_DecryptFinal_ex:bad decrypt - SHA256
我认为证书有问题。
我已经设置了我的 idp 并使用 https://samltest.id/start-idp-test/ 对其进行了测试。
我正在使用带有 this bundle 的 Symfony 3.4 来创建 idp。
现在我想添加 talentlms 。我使用以下命令在服务器上创建了一个自签名证书:
openssl req -new -x509 -sha256 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
我已将文件放在 app/Resources/saml_keys/ 下,并在配置中添加此路径:
public_key: '%kernel.root_dir%/Resources/saml_keys/cert.pem'
private_key: '%kernel.root_dir%/Resources/saml_keys/key.pem'
我已将 public 证书添加到我的 talentlms 个人资料中。如果我从 talentlms 检查,我将被重定向到我的登录页面并可以登录。登录后我在重定向前收到此错误:
app.NOTICE: Authentication succeed [] []
security.INFO: User has been authenticated successfully. {"username":"xxxxxx@xxxxx.de"} []
app.NOTICE: Continue SSO process [] []
request.CRITICAL: Uncaught PHP Exception Exception: "Failure Signing Data: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt - SHA256" at /var/www/vhosts/xxxxxx.de/idp.xxxxx.de/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php line 464 {"exception":"[object] (Exception(code: 0): Failure Signing Data: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt - SHA256 at /var/www/vhosts/xxxx.de/idp.xxxxx.de/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:464)"}
那么问题出在哪里呢?是不是证书创建有误?
这是我的 SP 配置,如捆绑包中所述:
$this->spMap["xxxxxx.talentlms.com"] = new ServiceProvider(
[
/**
* Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and
* '-----END CERTIFICATE-----'.
*
* @return null|string
*/
'certificateData' => '',
/**
* Returns the full path to the (local) file that contains the X509 pem certificate.
*
* @return null|string
*/
"certificateFile" => $this->rootDir . '/Resources/saml_keys/cert.pem',
/**
* @return null|string
*/
// "entityId" => "https://xxxxx.talentlms.com/simplesaml/module.php/saml/sp/metadata.php/xxxxx.talentlms.com",
"entityId" => "xxxxx.talentlms.com",
/**
* @return null|bool
*/
"assertionEncryptionEnabled" => true,
"assertionConsumerUrl" => "https://xxxxx.talentlms.com/simplesaml/module.php/saml/sp/saml2-acs.php/xxxxxx.talentlms.com",
"assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
"singleLogoutUrl" => "https://xxxxx.talentlms.com/simplesaml/module.php/saml/sp/saml2-logout.php/xxxxxx.talentlms.com",
"singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
"nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,
"nameIdValue" => function (UserInterface $user) {
/** @var Member $user */
return $user->getEmail();
},
"NameQualifier" => 'xxxxx.talentlms.com',
"wantSignedAuthnRequest" => false,
"wantSignedAuthnResponse" => true,
"wantSignedAssertions" => true,
"wantSignedLogoutRequest" => false,
"wantSignedLogoutResponse" => false,
"attributes" => [
'targetedID' => function (UserInterface $user) {
/** @var Member $user */
return $user->getEmail();
},
'email' => function (UserInterface $user) {
/** @var Member $user */
return $user->getEmail();
},
'firstname' => function (UserInterface $user) {
/** @var Member $user */
return $user->getFirstName();
},
'lastname' => function (UserInterface $user) {
/** @var Member $user */
return $user->getLastName();
},
],
"assertionNotBeforeInterval" => new \DateInterval('PT0S'),
"assertionNotOnOrAfterInterval" => new \DateInterval('PT5M'),
"assertionSessionNotOnOrAfterInterval" => new \DateInterval('P1D'),
]
);
我预计会被重定向回 talentlms。
我找到问题了。在我的服务器上,我不能使用 -sha256 标志。我的新 openssl 命令是
openssl req -x509 -nodes -newkey rsa:4096 -keyout key_4096.pem -out cert_4096.pem -days 3655
在 talentlms 上,我需要将证书文件放入配置中。生成的散列也是错误的,因为 talentlms 没有正确保存证书。我自己添加了一个生成的 sha1 哈希并且它有效。
我认为证书有问题。 我已经设置了我的 idp 并使用 https://samltest.id/start-idp-test/ 对其进行了测试。 我正在使用带有 this bundle 的 Symfony 3.4 来创建 idp。
现在我想添加 talentlms 。我使用以下命令在服务器上创建了一个自签名证书:
openssl req -new -x509 -sha256 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
我已将文件放在 app/Resources/saml_keys/ 下,并在配置中添加此路径:
public_key: '%kernel.root_dir%/Resources/saml_keys/cert.pem'
private_key: '%kernel.root_dir%/Resources/saml_keys/key.pem'
我已将 public 证书添加到我的 talentlms 个人资料中。如果我从 talentlms 检查,我将被重定向到我的登录页面并可以登录。登录后我在重定向前收到此错误:
app.NOTICE: Authentication succeed [] []
security.INFO: User has been authenticated successfully. {"username":"xxxxxx@xxxxx.de"} []
app.NOTICE: Continue SSO process [] []
request.CRITICAL: Uncaught PHP Exception Exception: "Failure Signing Data: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt - SHA256" at /var/www/vhosts/xxxxxx.de/idp.xxxxx.de/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php line 464 {"exception":"[object] (Exception(code: 0): Failure Signing Data: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt - SHA256 at /var/www/vhosts/xxxx.de/idp.xxxxx.de/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:464)"}
那么问题出在哪里呢?是不是证书创建有误?
这是我的 SP 配置,如捆绑包中所述:
$this->spMap["xxxxxx.talentlms.com"] = new ServiceProvider(
[
/**
* Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and
* '-----END CERTIFICATE-----'.
*
* @return null|string
*/
'certificateData' => '',
/**
* Returns the full path to the (local) file that contains the X509 pem certificate.
*
* @return null|string
*/
"certificateFile" => $this->rootDir . '/Resources/saml_keys/cert.pem',
/**
* @return null|string
*/
// "entityId" => "https://xxxxx.talentlms.com/simplesaml/module.php/saml/sp/metadata.php/xxxxx.talentlms.com",
"entityId" => "xxxxx.talentlms.com",
/**
* @return null|bool
*/
"assertionEncryptionEnabled" => true,
"assertionConsumerUrl" => "https://xxxxx.talentlms.com/simplesaml/module.php/saml/sp/saml2-acs.php/xxxxxx.talentlms.com",
"assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
"singleLogoutUrl" => "https://xxxxx.talentlms.com/simplesaml/module.php/saml/sp/saml2-logout.php/xxxxxx.talentlms.com",
"singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
"nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,
"nameIdValue" => function (UserInterface $user) {
/** @var Member $user */
return $user->getEmail();
},
"NameQualifier" => 'xxxxx.talentlms.com',
"wantSignedAuthnRequest" => false,
"wantSignedAuthnResponse" => true,
"wantSignedAssertions" => true,
"wantSignedLogoutRequest" => false,
"wantSignedLogoutResponse" => false,
"attributes" => [
'targetedID' => function (UserInterface $user) {
/** @var Member $user */
return $user->getEmail();
},
'email' => function (UserInterface $user) {
/** @var Member $user */
return $user->getEmail();
},
'firstname' => function (UserInterface $user) {
/** @var Member $user */
return $user->getFirstName();
},
'lastname' => function (UserInterface $user) {
/** @var Member $user */
return $user->getLastName();
},
],
"assertionNotBeforeInterval" => new \DateInterval('PT0S'),
"assertionNotOnOrAfterInterval" => new \DateInterval('PT5M'),
"assertionSessionNotOnOrAfterInterval" => new \DateInterval('P1D'),
]
);
我预计会被重定向回 talentlms。
我找到问题了。在我的服务器上,我不能使用 -sha256 标志。我的新 openssl 命令是
openssl req -x509 -nodes -newkey rsa:4096 -keyout key_4096.pem -out cert_4096.pem -days 3655
在 talentlms 上,我需要将证书文件放入配置中。生成的散列也是错误的,因为 talentlms 没有正确保存证书。我自己添加了一个生成的 sha1 哈希并且它有效。