ulisesbocchio / spring-boot-security-saml

spring-security-saml integration with Spring Boot
MIT License
157 stars 72 forks

Ipsilon/FreeIPA issue: what kind of weird pkcs12 file has more than one alias? // java.security.KeyStoreException: Uninitialized keystore #79

Closed alexpdp7 closed 5 years ago

alexpdp7 commented 5 years ago

I'm trying to get this working with Ipsilon/FreeIPA and I'm having issues.

First of all, I had to set up:

saml.sso.profile-options.name-id=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Otherwise I'd get a 500 on Ipsilon, showing in the logs as:

[Sat Mar 09 17:29:02.353516 2019] [:error] [pid 28250] [09/Mar/2019:17:29:02] HTTP Traceback (most recent call last):
[Sat Mar 09 17:29:02.353537 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 656, in respond
[Sat Mar 09 17:29:02.353559 2019] [:error] [pid 28250]     response.body = self.handler()
[Sat Mar 09 17:29:02.353571 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 188, in __call__
[Sat Mar 09 17:29:02.353582 2019] [:error] [pid 28250]     self.body = self.oldhandler(*args, **kwargs)
[Sat Mar 09 17:29:02.353593 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 34, in __call__
[Sat Mar 09 17:29:02.353612 2019] [:error] [pid 28250]     return self.callable(*self.args, **self.kwargs)
[Sat Mar 09 17:29:02.353624 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/ipsilon/util/page.py", line 91, in __call__
[Sat Mar 09 17:29:02.353635 2019] [:error] [pid 28250]     return op(*args, **kwargs)
[Sat Mar 09 17:29:02.353645 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/ipsilon/providers/common.py", line 87, in root
[Sat Mar 09 17:29:02.353664 2019] [:error] [pid 28250]     return op(*args, **kwargs)
[Sat Mar 09 17:29:02.353676 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/ipsilon/providers/saml2idp.py", line 96, in POST
[Sat Mar 09 17:29:02.353686 2019] [:error] [pid 28250]     return self.auth(login)
[Sat Mar 09 17:29:02.353697 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/ipsilon/providers/saml2/auth.py", line 67, in auth
[Sat Mar 09 17:29:02.353833 2019] [:error] [pid 28250]     self.saml2checks(login)
[Sat Mar 09 17:29:02.353855 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/ipsilon/providers/saml2/auth.py", line 156, in saml2checks
[Sat Mar 09 17:29:02.353866 2019] [:error] [pid 28250]     nameidfmt = provider.get_valid_nameid(login.request.nameIdPolicy)
[Sat Mar 09 17:29:02.353877 2019] [:error] [pid 28250]   File "/usr/lib/python2.7/site-packages/ipsilon/providers/saml2/provider.py", line 195, in get_valid_nameid
[Sat Mar 09 17:29:02.353897 2019] [:error] [pid 28250]     self.debug('Requested NameId [%s]' % (nip.format,))
[Sat Mar 09 17:29:02.353912 2019] [:error] [pid 28250] AttributeError: 'NoneType' object has no attribute 'format'

Once that is fixed, if I go to /saml/login, I'm redirected to my Ipsilon server, then redirected back, but then I get a lot of:

what kind of weird pkcs12 file has more than one alias?

on my terminal, followed by:

java.security.KeyStoreException: Uninitialized keystore
    at java.base/java.security.KeyStore.aliases(KeyStore.java:1267)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:233)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:175)
    at org.apache.commons.ssl.TrustMaterial.<clinit>(TrustMaterial.java:88)
    at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
    at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:192)
    at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.process(InlineX509DataProvider.java:126)
    at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChild(BasicProviderKeyInfoCredentialResolver.java:300)
    at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChildren(BasicProviderKeyInfoCredentialResolver.java:256)
    at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfo(BasicProviderKeyInfoCredentialResolver.java:190)
    at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.resolveFromSource(BasicProviderKeyInfoCredentialResolver.java:149)
    at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
    at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
    at org.opensaml.security.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:275)
    at org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:123)
    at org.opensaml.security.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:178)
    at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
    at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
    at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:98)
    at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
    at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:104)
    at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:91)
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:128)
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
    at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:85)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:102)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.saml.metadata.MetadataDisplayFilter.doFilter(MetadataDisplayFilter.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
...

I've generated a keypair and configured it using:

saml.sso.key-manager.private-key-der-location=classpath:localhost.key.der
saml.sso.key-manager.public-key-pem-location=classpath:localhost.pem

But I'm kinda lost at this point. Help?
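An added diagnostic, not code from the issue reporter or from the spring-boot-security-saml project: it loads the same two files the saml.sso.key-manager.* properties point at using only JDK APIs, confirms the private key really belongs to the certificate, and then builds an in-memory PKCS12 store and calls KeyStore.aliases(), the call that throws "Uninitialized keystore" in the trace above. If this program runs cleanly, the key material and the JDK's own PKCS12 handling are fine and the failure is inside the library's trust bootstrap rather than in the configured keys. Assumptions: the DER file is an unencrypted PKCS#8 key (as produced by openssl pkcs8 -topk8 -nocrypt), the PEM file holds an X.509 certificate, and the default paths under src/main/resources mirror the classpath resource names from the issue.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collections;

/**
 * Added diagnostic (not part of spring-boot-security-saml): checks the SP key pair
 * with plain JDK APIs only, so a failure here points at the key files, not the library.
 */
public class SamlKeyMaterialCheck {

    public static void main(String[] args) throws Exception {
        // Assumed defaults mirror the resource names from the issue; override on the command line.
        Path derKey = Paths.get(args.length > 0 ? args[0] : "src/main/resources/localhost.key.der");
        Path pemCert = Paths.get(args.length > 1 ? args[1] : "src/main/resources/localhost.pem");

        System.out.println("Java runtime: " + System.getProperty("java.version"));

        X509Certificate cert = loadPemCertificate(pemCert);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        System.out.println("Certificate subject: " + cert.getSubjectX500Principal());
        System.out.println("Certificate valid until: " + cert.getNotAfter());

        // Assumption: the DER file is an unencrypted PKCS#8 key (openssl pkcs8 -topk8 -nocrypt).
        PrivateKey key = loadPkcs8Der(derKey, cert.getPublicKey().getAlgorithm());

        if (!keyPairMatches(key, cert)) {
            throw new IllegalStateException("private key does not match the certificate's public key");
        }
        System.out.println("Private key matches certificate public key");

        // Build an in-memory PKCS12 store and enumerate its aliases: the same
        // KeyStore.aliases() call that failed in the reported stack trace.
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null); // initialise an empty store; aliases() on an unloaded store throws
        store.setKeyEntry("sp", key, "changeit".toCharArray(), new Certificate[] {cert});
        System.out.println("PKCS12 aliases: " + Collections.list(store.aliases()));
    }

    static X509Certificate loadPemCertificate(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            // CertificateFactory accepts both PEM ("-----BEGIN CERTIFICATE-----") and raw DER input.
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static PrivateKey loadPkcs8Der(Path der, String algorithm) throws Exception {
        byte[] encoded = Files.readAllBytes(der);
        KeyFactory kf = KeyFactory.getInstance(algorithm); // "RSA" or "EC", taken from the certificate
        return kf.generatePrivate(new PKCS8EncodedKeySpec(encoded));
    }

    /** Signs a fixed message with the private key and verifies it with the certificate. */
    static boolean keyPairMatches(PrivateKey key, X509Certificate cert) throws Exception {
        String alg = key.getAlgorithm();
        String sigAlg = "EC".equals(alg) ? "SHA256withECDSA" : "SHA256with" + alg;
        byte[] message = "saml-key-check".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert);
        verifier.update(message);
        return verifier.verify(sig);
    }
}
```

Run it with the same JDK the Spring Boot application uses (java SamlKeyMaterialCheck path/to/localhost.key.der path/to/localhost.pem); the printed java.version is worth keeping next to the stack trace, since the trace enters org.apache.commons.ssl.TrustMaterial from OpenSAML's certificate decoding and that path behaves differently on Java 9 and later than on Java 8.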

alexpdp7 commented 5 years ago

OK, so I found out this is due to https://stackoverflow.com/questions/55168337/opensaml-unable-to-decode-x509-certificate-in-java-11, namely using Java 9. Putting:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.security.extensions</groupId>
                <artifactId>spring-security-saml2-core</artifactId>
                <version>1.0.8.RELEASE</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

in my pom.xml solves the issue, although I expect that https://github.com/ulisesbocchio/spring-boot-security-saml/pull/80 will fix this.

ulisesbocchio commented 5 years ago

cool, thanks