Return-Path: 
 <java-dev-return-81459-apmail-axis-java-dev-archive=axis.apache.org@axis.apache.org>
Delivered-To: apmail-axis-java-dev-archive@www.apache.org
Received: (qmail 84578 invoked from network); 22 Dec 2010 03:44:27 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 22 Dec 2010 03:44:27 -0000
Received: (qmail 17668 invoked by uid 500); 22 Dec 2010 03:44:25 -0000
Delivered-To: apmail-axis-java-dev-archive@axis.apache.org
Received: (qmail 17426 invoked by uid 500); 22 Dec 2010 03:44:25 -0000
Mailing-List: contact java-dev-help@axis.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:java-dev-help@axis.apache.org>
List-Unsubscribe: <mailto:java-dev-unsubscribe@axis.apache.org>
List-Post: <mailto:java-dev@axis.apache.org>
List-Id: <java-dev.axis.apache.org>
Reply-To: java-dev@axis.apache.org
Delivered-To: mailing list java-dev@axis.apache.org
Received: (qmail 17381 invoked by uid 99); 22 Dec 2010 03:44:25 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 22 Dec 2010 03:44:25 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.22] (HELO thor.apache.org) (140.211.11.22)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 22 Dec 2010 03:44:22 +0000
Received: from thor (localhost [127.0.0.1])
	by thor.apache.org (8.13.8+Sun/8.13.8) with ESMTP id oBM3i0pp004889
	for <java-dev@axis.apache.org>; Wed, 22 Dec 2010 03:44:01 GMT
Message-ID: <27390307.257891292989440776.JavaMail.jira@thor>
Date: Tue, 21 Dec 2010 22:44:00 -0500 (EST)
From: "S.Uthaiyashankar (JIRA)" <jira@apache.org>
To: java-dev@axis.apache.org
Subject: [jira] Commented: (RAMPART-295) Rampart failing to extract keyinfo
 from SAML assertion
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
X-Virus-Checked: Checked by ClamAV on apache.org


    [ https://issues.apache.org/jira/browse/RAMPART-295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12974034#action_12974034 ] 

S.Uthaiyashankar commented on RAMPART-295:
------------------------------------------

This is WSS4J issue. Moving to WSS4J project. 

> Rampart failing to extract keyinfo from SAML assertion
> ------------------------------------------------------
>
>                 Key: RAMPART-295
>                 URL: https://issues.apache.org/jira/browse/RAMPART-295
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.5
>         Environment: Server: Tomcat 5.5.28, Axis 1.5.1, Rampart 1.5, Windows XP SP2
> Client: .NET WCF 3.5, Windows XP
>            Reporter: Jason Rattos
>            Assignee: Ruchith Udayanga Fernando
>            Priority: Blocker
>
> Validation of a SAML 1.1 and 2.0 token is failing due to an inability to extract KeyInfo from the Subject of a SAML assertion. The issue appears to be independant of using SAML 1.1/2.0 or symmetric/asymmetric bindings.
> The extract of the SAML subject (symmetric binding) is as follows:
> <saml:Subject>
> 			<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</saml:NameIdentifier>
> 			<saml:SubjectConfirmation>
> 				<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> 				<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> 					<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> 						<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> 							<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> 						</e:EncryptionMethod>
> 						<KeyInfo>
> 							<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> 								<X509Data>
> 									<X509IssuerSerial>
> 										<X509IssuerName>CN=Root Agency</X509IssuerName>
> 										<X509SerialNumber>-147027885241304943914470421251724308948</X509SerialNumber>
> 									</X509IssuerSerial>
> 								</X509Data>
> 							</o:SecurityTokenReference>
> 						</KeyInfo>
> 						<e:CipherData>
> 							<e:CipherValue>YPzUKhWVjM56ugTvgLF8nbCULmITwiE2lGFWf5rsRwm7v+g/J2cswNJoK5oBpROUXJRV3P10PRtWloXNU3eR8kZRn7nutFp5iEpRW4FHcoRMTK3KHYILz7EaBwYsNaGJ45PD6IeJvjGb79/5N9boePWZBMl708vsXp63fXNbUPo=</e:CipherValue>
> 						</e:CipherData>
> 					</e:EncryptedKey>
> 				</KeyInfo>
> 			</saml:SubjectConfirmation>
> 		</saml:Subject>
> The extract of the SAML subject (asymmetric binding) is as follows:
> <Subject>
> 			<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</NameID>
> 			<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> 				<SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance" a:type="KeyInfoConfirmationDataType">
> 					<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> 						<KeyValue>
> 							<RSAKeyValue>
> 								<Modulus>qq45WmIc5AJQF8f06R8KMm9G4RsT4Vi9Xx5psYuyDzD1M7480CQ7dEmOLkYnOP/qwLNiKgvG/Xm2rGYf1fgQD+dH+jwoirACflwEGUk7nU88mZOeJwqfXq4oWdsGVAMREyJQnW2q5+KJQt6/Pt3UBWquTvJnwes9/0WrQUAUX9s=</Modulus>
> 								<Exponent>AQAB</Exponent>
> 							</RSAKeyValue>
> 						</KeyValue>
> 					</KeyInfo>
> 				</SubjectConfirmationData>
> 			</SubjectConfirmation>
> 		</Subject>
> In both cases the SAMUtil.java (as part of WSSJ-1.5.8) fails to extract the certificate info. The following lines are an extract from the source code for which this is failing:
>                     Element e = samlSubj.getKeyInfo();
>                     X509Certificate[] certs = null;
>                     try {
>                         KeyInfo ki = new KeyInfo(e, null);
>                         if (ki.containsX509Data()) {
>                             X509Data data = ki.itemX509Data(0);
>                             XMLX509Certificate certElem = null;
> In both use cases the ki instance return false for ki.containsX509Data() and hence the processing fails.
> In an attempt to see whether the KeyInfo constructor limited itself to certain types of certificate references, I manually modified the SAML assertion subject using TCPMon to include the X509 Base64 representation of the certificate as follows and found that this actually works, as a result of the ki.containsX509Data() statement returns true:
> <saml:Subject>
> 			<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</saml:NameIdentifier>
> 			<saml:SubjectConfirmation>
> 				<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> 				<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> 					<X509Data>
> 						<X509Certificate>MIIBsTCCAV+gAwIBAgIQKCrSOt8UsKxIAPFEMK316zAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTA4MDgxMzE1MDkyM1oXDTM5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEhqjNMe8M8CA0yGX1pUlJZ4r5WKvQfJ6k8DPBR/VGcvbWPBeiHRjBhH5I5kszg04on8M+FFg0RkW1cfmQRc8kf1XLudHdBUxJx3nfLXH2OscsxQkgcNfdvo5/GCewDIRHMxI+2TO9tgLP6SEJBdprO/55q8t4k/VW4Yi9u9/2VQIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBAEWsx9wociNjb8uidCy6WRHfS8qhIYjSbgGCYL8/bZ0Xoc8ETPOgZsnD0zSgLuWj7tlY0cHNtY4Nvu8tRo/U2ts=</X509Certificate>
> 					</X509Data>
> 				</KeyInfo>
> 			</saml:SubjectConfirmation>
> 		</saml:Subject>
> Have previously submitted this an email request directly to rampart-dev but thought it best to formally raise the issue here as it's blocking any further use of rampart for this particular project.
> Thanks,
> Jason

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org