cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: SAML2.0 Encrypted assertion is not working.
Date Thu, 31 Jul 2014 08:27:42 GMT
Hi

It appears that a wrong DOM element was used to check the EncryptedKey 
element which is actually a sibling of EncryptedData, not a child.
I know Colm has very extensively tested it against various IDPs but I 
believe none of them were encrypting the SAMLP responses.

I've committed a possible fix. Can you please retry the snapshot?

Cheers, Sergey

On 30/07/14 19:06, rathnapandi wrote:
> Hi,
>
> I am working on IDP-initiated single sign-on. While trying to decrypt the
> encrypted SAML assertion, I am getting the following exception.
>
> org.apache.wss4j.common.ext.WSSecurityException: SAML token security failure
> 	at
> org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator.decryptAssertion(SAMLProtocolResponseValidator.java:417)
> 	at
> org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator.validateSamlResponse(SAMLProtocolResponseValidator.java:121)
> 	at
> org.apache.cxf.rs.security.saml.sso.SAMLResponseValidatorTest.testSignedResponse(SAMLResponseValidatorTest.java:293)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:606)
> 	at
> org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
> 	at
> org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> 	at
> org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
> 	at
> org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> 	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
> 	at
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
> 	at
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
> 	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
> 	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
> 	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
> 	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
> 	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
> 	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
> 	at
> org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
> 	at
> org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> 	at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
> 	at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
> 	at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
> 	at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
>
> SAML Request:
>
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> 	ID="e39bdc9e-6920-4894-9742-f56534aa870c"
> InResponseTo="http://cxf.apache.org/saml"
> 	IssueInstant="2014-07-30T00:12:08.486Z" Version="2.0">
> 	<saml2:Issuer
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://cxf.apache.org/issuer</saml2:Issuer>
> 	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 		<ds:SignedInfo>
> 			<ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> 			<ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> 			<ds:Reference URI="#e39bdc9e-6920-4894-9742-f56534aa870c">
> 				<ds:Transforms>
> 					<ds:Transform
> 						Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> 					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> 				</ds:Transforms>
> 				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> 				<ds:DigestValue>1/IygBB7AS3HnpfezbRDVKV9rKo=</ds:DigestValue>
> 			</ds:Reference>
> 		</ds:SignedInfo>
> 	
> <ds:SignatureValue>fF42I5HivEoC435ItcmlYGOZcOGdS+EJGGwYLdm7osNVx8fpMAr7x4coH6P18xrnBG7VxShNUdRCAHfGbInBOcI3D5gyN3IRJZxgnJkJ0MKSrEDvKTm2d/YtBD34Wt8ov0TwYYmranknhutIjcTmPzqtAY2SRU4iIaS+1oh6Ans=</ds:SignatureValue>
> 		<ds:KeyInfo>
> 			<ds:X509Data>
> 			
> <ds:X509Certificate>MIICGjCCAYOgAwIBAgIESVRgATANBgkqhkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3Jn
> 				
> MQwwCgYDVQQLEwNlbmcxDjAMBgNVBAMTBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAz
> 				
> MTQwN1owMzETMBEGA1UEChMKYXBhY2hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQQDEwVhbGlj
> 				
> ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCs
> 				
> K8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJz
> 				
> vo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYD
> 				
> VR0SBBowGIIWTk9UX0ZPUl9QUk9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJ
> 				
> KoZIhvcNAQEFBQADgYEAhLwkm+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9
> 				
> h3s0nxQ2TewzeR/k7gmgV2sI483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEhJakFtKBP++EC9rNNpZ
> 					nqqHxx3qb2tW25qRtBzDmK921gg9PMomMc7uqRQ=</ds:X509Certificate>
> 			</ds:X509Data>
> 		</ds:KeyInfo>
> 	</ds:Signature>
> 	<saml2p:Status>
> 		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
> 	</saml2p:Status>
> 	<saml2:EncryptedAssertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
> 		<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> 			Id="_5db2d7b21d83fd63ffcec446a2d45e9f"
> Type="http://www.w3.org/2001/04/xmlenc#Element">
> 			<xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
> 			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 				<ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
> 					URI="#_fc396a1ca1321c7137314335ce6b32c3" />
> 			</ds:KeyInfo>
> 			<xenc:CipherData>
> 			
> <xenc:CipherValue>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SIwyoVUqPDpoS+nyMrwCeklklNs0c1dFAc4ZUzwRs5oqLxuW3wh+wqIFCoy+bOONYNdvnBgLfjSqczEPXZ/oNDlfGN9gwEtqn/ZrXG2wjic4lyU6jZbHKTPgQzVVvH+TS2NuVSez0fLbs+8gEU6Oc7zWeSm+D/xPNkRDOwJJJ4db801V7K2cE3lCrUyYaUPnLyKqd5E9vJL7KENehLJTEOGkP1dINt1Zmm2b3HUYB4ckgprND8x23ugNz3MAbuDklUvvGwUPT/T8hJsO5PXLF8X6NssiHYa12sGWEdsAZHx1pHBiIFG0iTacnTmJ5nxZ4mT1YadBkWtf3eo2VoDI1USaM=</xenc:CipherValue>
> 			</xenc:CipherData>
> 		</xenc:EncryptedData>
> 		<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> 			Id="_fc396a1ca1321c7137314335ce6b32c3">
> 			<xenc:EncryptionMethod
> 				Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> 				<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> 					Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> 			</xenc:EncryptionMethod>
> 			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 				<ds:X509Data>
> 				
> <ds:X509Certificate>MIICozCCAYsCBgFHeaCnQzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpBeHdheSBDU09TMB4X
> 					
> DTE0MDcyNzIxMDEwMFoXDTE5MDcyNzIxMDEwMFowFTETMBEGA1UEAxMKQXh3YXkgQ1NPUzCCASIw
> 					
> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANEA0LYHjry0wGwrWGCxtN5fMJMESjKe2fjdnPqN
> 					
> oOFxTqtubtLNFjo+1FIM6+zrerB0QbKMN6YJfJ9rUvWSullbx8cpfiGqU9PYtl5NKuu8sSUN4W3E
> 					
> 5jSK5j1Wab/Z1oliX3Vt4P/6r33RtrPtk7kcJR3T/fafYKY1L7hrEEK3TXp7hIddf8oPjAYVzK9q
> 					
> VYNvU2jjR16CNkGjLqxCnW1JZQ704yuO9BfhYP0Z4QDvHQb5hbWox70T6/MIrZn/IofmotuwDWeV
> 					
> J5wWmPXEAcitA1hIw0VKj4qiVAHUmA8ae88jQcMD/I10hJg9Hs4EXZTDIwr7hyLLaL19BeuYlWMC
> 					
> AwEAATANBgkqhkiG9w0BAQUFAAOCAQEAZHrHcTqRiJ/5k4NmrCD5HIed1mLwbUxO63CkM/PYQVTG
> 					
> tDn4zD8IjfqhjLNud7g53HjqIdu2Qi86+0ZVncQdMfX9X8y3pz42vfpFStqNt8ExxDZXdKW747AX
> 					
> GzgLLT02AulArd5wd3y3qFJGfVkqvrSvuAtC6lE+TezMZQIAh5Lxa9EugFrG0llZvVDNg20iOr7y
> 					
> HpVGyI3P82+krv1LhqhKuTJoH0vLaAQQxGxBWLhpsefIEAEPepDbz/fW0fGoQYTMmnY2nVFd1N4T
> 					
> oKAVYsvYK14fPtUgx+lUyJaMfMFXX6babq2wctv18WkAolymV22ToHnEC/QdI6sszFBh2g==</ds:X509Certificate>
> 				</ds:X509Data>
> 			</ds:KeyInfo>
> 			<xenc:CipherData>
> 			
> <xenc:CipherValue>eJ7Ro0S+tyKFPfhlhzarGWJTLDVt/mE/V9ooLwlX91BM2GOfL6P+6WaHijY/oXjwKXBHQ36jM+1wIwEo5FWSQTCVaU4vsxpkyzz2XkHO1uvUHSXQo/Z6LIcBh2OfNXCET1vu+B7XHRmEQIeDg6hI3kUJTcIJ+VDtYTdtzF/OJMMLeypCIvyt1b2Z5xHVxYbaItdqQbQ/nNgJdUcYvlNj3J6ZmVxIekVHKhUVe6PWK/79v0VdPi2VBQ1b5ukkDalsH64irOjcXfeZe6N4Sxgw84gbF6X9qGHt738Fu5i3lcL0fwEz8BpRrpX1eMMIVZFKukUuocw6X8f0NwPjF7O3Sw==</xenc:CipherValue>
> 			</xenc:CipherData>
> 			<xenc:ReferenceList>
> 				<xenc:DataReference URI="#_5db2d7b21d83fd63ffcec446a2d45e9f" />
> 			</xenc:ReferenceList>
> 		</xenc:EncryptedKey>
> 	</saml2:EncryptedAssertion>
> </saml2p:Response>
>
> Am I missing anything?
>
>
> CXF Version: 3.1.0-SNAPSHOT
>
> Thanks
> Rathnapandi
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/SAML2-0-Encrypted-assertion-is-not-working-tp5747089.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
>
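Added example, not CXF's or WSS4J's code, illustrating the structural point in Sergey's reply: the xenc:EncryptedKey that protects a saml2:EncryptedAssertion can sit either inside EncryptedData/KeyInfo or beside EncryptedData as a sibling, reached through ds:RetrievalMethod, which is the layout in the response quoted above. The two sample responses are constructed (dummy CipherValues, Ids ek1 and ed1) and the helper names are this example's own. A lookup that only descends into EncryptedData/KeyInfo finds the nested form and misses the sibling form; the resolver below handles both, accepts only same-document "#id" references, and checks that the key's ReferenceList points back at the EncryptedData it is supposed to unlock.

```python
"""Find the xenc:EncryptedKey that protects a SAML 2.0 EncryptedAssertion.

Added example, not CXF/WSS4J code. The two sample responses are constructed
(dummy CipherValues, Ids ek1/ed1) and follow the element layouts discussed
in the thread; the helper names are this example's own.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"


def q(ns, local):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


_ENC_KEY = """<xenc:EncryptedKey xmlns:xenc="%s" Id="ek1">
  <xenc:EncryptionMethod Algorithm="%srsa-oaep-mgf1p"/>
  <xenc:CipherData><xenc:CipherValue>QkJCQg==</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ed1"/></xenc:ReferenceList>
</xenc:EncryptedKey>""" % (XENC, XENC)

_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1" Version="2.0">
 <saml2:EncryptedAssertion xmlns:saml2="%s">
  <xenc:EncryptedData xmlns:xenc="%s" Id="ed1" Type="%sElement">
   <xenc:EncryptionMethod Algorithm="%saes128-cbc"/>
   <ds:KeyInfo xmlns:ds="%s">%%s</ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>QUFBQQ==</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>%%s
 </saml2:EncryptedAssertion>
</saml2p:Response>""" % (SAML2, XENC, XENC, XENC, DS)

# Layout 1, as in the response posted in the thread: EncryptedKey is a *sibling*
# of EncryptedData, reached through ds:RetrievalMethod in EncryptedData/KeyInfo.
SIBLING_LAYOUT = _RESPONSE % (
    '<ds:RetrievalMethod Type="%sEncryptedKey" URI="#ek1"/>' % XENC, _ENC_KEY)
# Layout 2, what many IdPs emit: EncryptedKey nested inside EncryptedData/KeyInfo.
NESTED_LAYOUT = _RESPONSE % (_ENC_KEY, "")


def encrypted_key_child_only(response_xml):
    """The lookup that breaks on layout 1: searches only below EncryptedData/KeyInfo."""
    enc_data = ET.fromstring(response_xml).find(".//" + q(XENC, "EncryptedData"))
    key_info = enc_data.find(q(DS, "KeyInfo"))
    return None if key_info is None else key_info.find(q(XENC, "EncryptedKey"))


def find_encrypted_key(enc_assertion):
    """Resolve the EncryptedKey for the assertion's EncryptedData in either layout.

    Only same-document RetrievalMethod URIs are accepted, so a hostile response
    cannot steer the resolver at an external or ambiguous key element.
    """
    enc_data = enc_assertion.find(q(XENC, "EncryptedData"))
    if enc_data is None:
        raise ValueError("EncryptedAssertion without EncryptedData")
    siblings = enc_assertion.findall(q(XENC, "EncryptedKey"))
    key_info = enc_data.find(q(DS, "KeyInfo"))
    if key_info is not None:
        nested = key_info.find(q(XENC, "EncryptedKey"))
        if nested is not None:
            return nested                      # layout 2
        retrieval = key_info.find(q(DS, "RetrievalMethod"))
        if retrieval is not None:              # layout 1
            if retrieval.get("Type") != XENC + "EncryptedKey":
                raise ValueError("RetrievalMethod does not reference an EncryptedKey")
            uri = retrieval.get("URI", "")
            if len(uri) < 2 or not uri.startswith("#"):
                raise ValueError("only same-document RetrievalMethod URIs are accepted")
            matches = [ek for ek in siblings if ek.get("Id") == uri[1:]]
            if len(matches) != 1:
                raise ValueError("RetrievalMethod must select exactly one sibling EncryptedKey")
            return matches[0]
    if len(siblings) == 1:                     # no KeyInfo hint: a lone sibling is unambiguous
        return siblings[0]
    raise ValueError("cannot determine which EncryptedKey protects the assertion")


def reference_list_ok(enc_key, enc_data):
    """An EncryptedKey/ReferenceList, if present, must name this EncryptedData's Id."""
    refs = enc_key.findall(q(XENC, "ReferenceList") + "/" + q(XENC, "DataReference"))
    return not refs or any(r.get("URI") == "#" + enc_data.get("Id", "") for r in refs)


def describe(response_xml):
    """Return (key-transport alg, data alg, EncryptedKey Id, ReferenceList ok)."""
    enc_assertion = ET.fromstring(response_xml).find(q(SAML2, "EncryptedAssertion"))
    enc_data = enc_assertion.find(q(XENC, "EncryptedData"))
    enc_key = find_encrypted_key(enc_assertion)
    return (enc_key.find(q(XENC, "EncryptionMethod")).get("Algorithm"),
            enc_data.find(q(XENC, "EncryptionMethod")).get("Algorithm"),
            enc_key.get("Id"), reference_list_ok(enc_key, enc_data))
```

The parsing is plain stdlib ElementTree; unwrapping the RSA-OAEP key transport and decrypting the AES-CBC payload is left to the XML Encryption library, which is where the resolved element would be handed over. The Response is parsed before anything about it has been decrypted, so a RetrievalMethod URI is untrusted input at that point; refusing anything other than a "#id" reference into the same EncryptedAssertion keeps the resolver from being pointed at an external location or at a key element elsewhere in the document.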


