ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] Commented: (WSS-261) Rampart failing to extract keyinfo from SAML assertion
Date Wed, 22 Dec 2010 10:14:02 GMT

    [ https://issues.apache.org/jira/browse/WSS-261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12974133#action_12974133
] 

Colm O hEigeartaigh commented on WSS-261:
-----------------------------------------


KeyValue is supported in WSS4J 1.5.9, see here:

https://issues.apache.org/jira/browse/WSS-240

IssuerSerial is not - I will fix this.

Colm.

> Rampart failing to extract keyinfo from SAML assertion
> ------------------------------------------------------
>
>                 Key: WSS-261
>                 URL: https://issues.apache.org/jira/browse/WSS-261
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: Server: Tomcat 5.5.28, Axis 1.5.1, Rampart 1.5, Windows XP SP2
> Client: .NET WCF 3.5, Windows XP
>            Reporter: Jason Rattos
>            Assignee: Ruchith Udayanga Fernando
>
> Validation of a SAML 1.1 and 2.0 token is failing due to an inability to extract KeyInfo
from the Subject of a SAML assertion. The issue appears to be independant of using SAML 1.1/2.0
or symmetric/asymmetric bindings.
> The extract of the SAML subject (symmetric binding) is as follows:
> <saml:Subject>
> 			<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</saml:NameIdentifier>
> 			<saml:SubjectConfirmation>
> 				<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> 				<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> 					<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> 						<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> 							<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> 						</e:EncryptionMethod>
> 						<KeyInfo>
> 							<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> 								<X509Data>
> 									<X509IssuerSerial>
> 										<X509IssuerName>CN=Root Agency</X509IssuerName>
> 										<X509SerialNumber>-147027885241304943914470421251724308948</X509SerialNumber>
> 									</X509IssuerSerial>
> 								</X509Data>
> 							</o:SecurityTokenReference>
> 						</KeyInfo>
> 						<e:CipherData>
> 							<e:CipherValue>YPzUKhWVjM56ugTvgLF8nbCULmITwiE2lGFWf5rsRwm7v+g/J2cswNJoK5oBpROUXJRV3P10PRtWloXNU3eR8kZRn7nutFp5iEpRW4FHcoRMTK3KHYILz7EaBwYsNaGJ45PD6IeJvjGb79/5N9boePWZBMl708vsXp63fXNbUPo=</e:CipherValue>
> 						</e:CipherData>
> 					</e:EncryptedKey>
> 				</KeyInfo>
> 			</saml:SubjectConfirmation>
> 		</saml:Subject>
> The extract of the SAML subject (asymmetric binding) is as follows:
> <Subject>
> 			<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</NameID>
> 			<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> 				<SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance" a:type="KeyInfoConfirmationDataType">
> 					<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> 						<KeyValue>
> 							<RSAKeyValue>
> 								<Modulus>qq45WmIc5AJQF8f06R8KMm9G4RsT4Vi9Xx5psYuyDzD1M7480CQ7dEmOLkYnOP/qwLNiKgvG/Xm2rGYf1fgQD+dH+jwoirACflwEGUk7nU88mZOeJwqfXq4oWdsGVAMREyJQnW2q5+KJQt6/Pt3UBWquTvJnwes9/0WrQUAUX9s=</Modulus>
> 								<Exponent>AQAB</Exponent>
> 							</RSAKeyValue>
> 						</KeyValue>
> 					</KeyInfo>
> 				</SubjectConfirmationData>
> 			</SubjectConfirmation>
> 		</Subject>
> In both cases the SAMUtil.java (as part of WSSJ-1.5.8) fails to extract the certificate
info. The following lines are an extract from the source code for which this is failing:
>                     Element e = samlSubj.getKeyInfo();
>                     X509Certificate[] certs = null;
>                     try {
>                         KeyInfo ki = new KeyInfo(e, null);
>                         if (ki.containsX509Data()) {
>                             X509Data data = ki.itemX509Data(0);
>                             XMLX509Certificate certElem = null;
> In both use cases the ki instance return false for ki.containsX509Data() and hence the
processing fails.
> In an attempt to see whether the KeyInfo constructor limited itself to certain types
of certificate references, I manually modified the SAML assertion subject using TCPMon to
include the X509 Base64 representation of the certificate as follows and found that this actually
works, as a result of the ki.containsX509Data() statement returns true:
> <saml:Subject>
> 			<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</saml:NameIdentifier>
> 			<saml:SubjectConfirmation>
> 				<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> 				<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> 					<X509Data>
> 						<X509Certificate>MIIBsTCCAV+gAwIBAgIQKCrSOt8UsKxIAPFEMK316zAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTA4MDgxMzE1MDkyM1oXDTM5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEhqjNMe8M8CA0yGX1pUlJZ4r5WKvQfJ6k8DPBR/VGcvbWPBeiHRjBhH5I5kszg04on8M+FFg0RkW1cfmQRc8kf1XLudHdBUxJx3nfLXH2OscsxQkgcNfdvo5/GCewDIRHMxI+2TO9tgLP6SEJBdprO/55q8t4k/VW4Yi9u9/2VQIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBAEWsx9wociNjb8uidCy6WRHfS8qhIYjSbgGCYL8/bZ0Xoc8ETPOgZsnD0zSgLuWj7tlY0cHNtY4Nvu8tRo/U2ts=</X509Certificate>
> 					</X509Data>
> 				</KeyInfo>
> 			</saml:SubjectConfirmation>
> 		</saml:Subject>
> Have previously submitted this an email request directly to rampart-dev but thought it
best to formally raise the issue here as it's blocking any further use of rampart for this
particular project.
> Thanks,
> Jason

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message