Keycloak / KEYCLOAK-6309

Eap6 SAML filter fails while downloading keys from Keycloak server when SSL is enabled

    Details

    • Steps to Reproduce:
      1. Configure Keycloak and the EAP6 application server (tried versions 6.4.15, 6.4.17, 6.4.18) to use SSL
      2. Create realm keys, for example RSA
      3. Prepare a SAML client and include the servlet filter with all dependencies
      4. Try to log in

      There are also tests failing in the testsuite (all tests for key rotation, but this one was used for investigation):
      AbstractSAMLServletAdapterTest#employeeSigPostNoIdpKeyTest

      To run the adapter tests with SSL you need to specify:
      -Dauth.server.ssl.required=true -Dapp.server.ssl.required=true

    • Workaround:
      Workaround Exists
    • Workaround Description:
      Use Bouncy Castle version 1.52 instead of 1.56
      OR
      Start EAP6 with the -Dcom.sun.net.ssl.enableECC=false argument

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      When the EAP6 servlet filter tries to download keys from Keycloak, it fails with the exception below.

      It looks like the problem is present only when the servlet uses Bouncy Castle version 1.56 (probably also with 1.59); it works with BC version 1.52. The issue is present only with EAP6 + filter + SSL. Other combinations work correctly: all EAP7 and EAP6 + adapter.

      12:59:09,266 ERROR [org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator] (http-127.0.0.1:8643-1) Could not refresh certificates from the server: org.keycloak.adapters.cloned.HttpClientAdapterException: IO error
      	at org.keycloak.adapters.cloned.HttpAdapterUtils.downloadKeysFromSamlDescriptor(HttpAdapterUtils.java:63) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator.refreshCertificateCacheAndGet(SamlDescriptorPublicKeyLocator.java:131) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator.getKey(SamlDescriptorPublicKeyLocator.java:98) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.rotation.CompositeKeyLocator.getKey(CompositeKeyLocator.java:41) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.saml.processing.core.util.XMLSignatureUtil$KeySelectorUtilizingKeyNameHint.select(XMLSignatureUtil.java:141) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:558) [xmlsec-2.0.8.jar:2.0.8]
      	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:264) [xmlsec-2.0.8.jar:2.0.8]
      	at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:518) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:482) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:463) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:178) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.verifyPostBindingSignature(AbstractSamlAuthenticationHandler.java:592) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.validateSamlSignature(AbstractSamlAuthenticationHandler.java:277) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:198) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.servlet.SamlFilter.doFilter(SamlFilter.java:167) [keycloak-saml-servlet-filter-adapter-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.18.Final-redhat-1.jar:7.5.18.Final-redhat-1]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:151) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:656) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_73]
      Caused by: javax.net.ssl.SSLException: java.security.ProviderException: Could not derive key
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) [jsse.jar:1.8.0_73]
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.keycloak.adapters.cloned.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:117) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.keycloak.adapters.cloned.HttpAdapterUtils.downloadKeysFromSamlDescriptor(HttpAdapterUtils.java:42) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	... 29 more
      Caused by: java.security.ProviderException: Could not derive key
      	at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:133)
      	at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:163)
      	at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:648) [jce.jar:1.8.0_71]
      	at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:101) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1067) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) [jsse.jar:1.8.0_73]
      	... 43 more
      Caused by: java.security.InvalidAlgorithmParameterException
      	at sun.security.ec.ECDHKeyAgreement.deriveKey(Native Method)
      	at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:130)
      	... 53 more
       
      12:59:09,305 ERROR [org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator] (http-127.0.0.1:8643-1) Could not refresh certificates from the server: org.keycloak.adapters.cloned.HttpClientAdapterException: IO error
      	at org.keycloak.adapters.cloned.HttpAdapterUtils.downloadKeysFromSamlDescriptor(HttpAdapterUtils.java:63) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator.refreshCertificateCacheAndGet(SamlDescriptorPublicKeyLocator.java:131) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator.iterator(SamlDescriptorPublicKeyLocator.java:170) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.rotation.CompositeKeyLocator$JointKeyIterator$1.nextIterator(CompositeKeyLocator.java:144) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.rotation.CompositeKeyLocator$JointKeyIterator$1.<init>(CompositeKeyLocator.java:129) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.rotation.CompositeKeyLocator$JointKeyIterator.iterator(CompositeKeyLocator.java:128) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.rotation.CompositeKeyLocator.iterator(CompositeKeyLocator.java:99) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:500) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:463) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:178) [keycloak-saml-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.verifyPostBindingSignature(AbstractSamlAuthenticationHandler.java:592) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.validateSamlSignature(AbstractSamlAuthenticationHandler.java:277) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:198) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.servlet.SamlFilter.doFilter(SamlFilter.java:167) [keycloak-saml-servlet-filter-adapter-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.18.Final-redhat-1.jar:7.5.18.Final-redhat-1]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:151) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:656) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_73]
      Caused by: javax.net.ssl.SSLException: java.security.ProviderException: Could not derive key
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) [jsse.jar:1.8.0_73]
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.keycloak.adapters.cloned.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:117) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
      	at org.keycloak.adapters.cloned.HttpAdapterUtils.downloadKeysFromSamlDescriptor(HttpAdapterUtils.java:42) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	... 28 more
      Caused by: java.security.ProviderException: Could not derive key
      	at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:133)
      	at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:163)
      	at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:648) [jce.jar:1.8.0_71]
      	at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:101) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1067) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_73]
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) [jsse.jar:1.8.0_73]
      	... 42 more
      Caused by: java.security.InvalidAlgorithmParameterException
      	at sun.security.ec.ECDHKeyAgreement.deriveKey(Native Method)
      	at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:130)
      	... 52 more
       
      12:59:09,310 ERROR [org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler] (http-127.0.0.1:8643-1) Failed to verify saml response signature: org.keycloak.common.VerificationException: Invalid signature on document
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.verifyPostBindingSignature(AbstractSamlAuthenticationHandler.java:593) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.validateSamlSignature(AbstractSamlAuthenticationHandler.java:277) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:198) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48) [keycloak-saml-adapter-core-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.keycloak.adapters.saml.servlet.SamlFilter.doFilter(SamlFilter.java:167) [keycloak-saml-servlet-filter-adapter-3.4.3.Final-redhat-2.jar:3.4.3.Final-redhat-2]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.18.Final-redhat-1.jar:7.5.18.Final-redhat-1]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:151) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:656) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.26.Final-redhat-1.jar:7.5.26.Final-redhat-1]
      	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_73]
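
A JVM-side check for the condition described above, as an added example that is not part of the original issue or of Keycloak: it prints the registered JCA provider order, shows which provider serves EC key generation by default, and tries an ECDH agreement with every provider that offers one. The class name `EcProviderCheck` and the curve `secp256r1` are assumptions; the page does not state the root cause, so the output only shows whether the provider mix in this JVM produces a failure like `Could not derive key`.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import javax.crypto.KeyAgreement;

/** Added diagnostic (hypothetical class name), not Keycloak code. */
public class EcProviderCheck {

    public static void main(String[] args) throws Exception {
        // Provider preference order: getInstance("EC") returns the first match in this list.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            boolean ec = p.getService("KeyPairGenerator", "EC") != null
                    || p.getService("KeyAgreement", "ECDH") != null;
            System.out.printf("%2d %-14s %s%n", i + 1, p.getName(), ec ? "(offers EC/ECDH)" : "");
        }

        // Which provider a caller gets when it does not name one explicitly.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        KeyFactory kf = KeyFactory.getInstance("EC");
        System.out.println("default KeyPairGenerator EC -> " + kpg.getProvider().getName());
        System.out.println("default KeyFactory EC       -> " + kf.getProvider().getName());
        System.out.println("com.sun.net.ssl.enableECC   =  "
                + System.getProperty("com.sun.net.ssl.enableECC", "(unset)"));

        // Keys come from the default provider; secp256r1 is an assumed curve for the check.
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair local = kpg.generateKeyPair();
        KeyPair peer = kpg.generateKeyPair();

        // Feed those keys to each provider's ECDH to expose a cross-provider mismatch.
        for (Provider p : providers) {
            if (p.getService("KeyAgreement", "ECDH") == null) {
                continue;
            }
            System.out.println("ECDH via " + p.getName() + ": " + tryAgreement(p, local, peer));
        }
    }

    /** Runs one ECDH agreement with the given provider and reports the outcome as text. */
    static String tryAgreement(Provider p, KeyPair local, KeyPair peer) {
        try {
            KeyAgreement ka = KeyAgreement.getInstance("ECDH", p);
            ka.init(local.getPrivate());
            ka.doPhase(peer.getPublic(), true);
            return "ok, " + ka.generateSecret().length + "-byte secret";
        } catch (Exception e) {
            // ProviderException is unchecked; the key and algorithm exceptions are checked.
            return "FAILED: " + e;
        }
    }
}
```

The check only sees providers registered in the JVM it runs in, so it has to run inside the same server process as the filter, after any code that registers Bouncy Castle.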
      

              People

              • Assignee:
                mitko Michal Hajas
                Reporter:
                mitko Michal Hajas