Posted to users@cxf.apache.org by St...@faa.gov on 2014/10/01 15:18:22 UTC

Weird AssertionWrapper.signAssertion() problem

In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1 assertion, when the assertion contains another assertion in the Advice element. All SAML assertions are required to be signed by the issuer, including assertions embedded in the Advice element. But what is happening is that when I sign the "outer" assertion, the AssertionWrapper.signAssertion() method is stripping the digest and signature values from the "inner" assertion in the Advice element.

The signature line looks like this:
    sa.signAssertion(issuerAlias, issuerPassword, issuerCrypto, false,
        "http://www.w3.org/2001/10/xml-exc-c14n#", signatureAlgorithm, digestAlgorithm);

Here is what the assertion looks like immediately before and after this call, stripped down a bit for brevity. You can see in the second assertion that the signature on the inner Advice/Assertion has been changed - the digest method is changed, and the digest and signature values have been removed. What is causing this, and how can I prevent it? Any and all help would be appreciated, thanx!

BEFORE:

<saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332" IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
    ...
  </saml1:Conditions>
  <saml1:Advice>
    <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111" IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
        ...
      </saml1:Conditions>
      <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
        <saml1:Subject>
          ...
        </saml1:Subject>
      </saml1:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_99B35E24E753D60162141216853713111">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </saml1:Assertion>
  </saml1:Advice>
  <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
    <saml1:Subject>
      ...
    </saml1:Subject>
  </saml1:AuthenticationStatement>
</saml1:Assertion>

AFTER:

<saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332" IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
    ...
  </saml1:Conditions>
  <saml1:Advice>
    <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111" IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
        ...
      </saml1:Conditions>
      <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
        <saml1:Subject>
          ...
        </saml1:Subject>
      </saml1:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_99B35E24E753D60162141216853713111">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue/>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </saml1:Assertion>
  </saml1:Advice>
  <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
    <saml1:Subject>
      ...
    </saml1:Subject>
  </saml1:AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_99B35E24E753D60162141216853759332">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml1:Assertion>


Stephen W. Chappell
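The damage shown above is easy to miss in a token that otherwise looks well-formed: the outer signature verifies, while the inner Advice assertion has an empty DigestValue and SignatureValue and a DigestMethod that silently fell back to SHA-1. The following is an added check written for this page, not code from the thread, from WSS4J or from OpenSAML. It walks every ds:Signature in a serialized assertion and reports hollowed-out values, a digest algorithm downgrade, and references that do not resolve to the signature's own parent element. The two sample documents are constructed from the BEFORE/AFTER fragments in the post, trimmed to what the check needs; the SignatureValue placeholder stands in for the value the post elides. It is a structural lint to run on the serialized output before it leaves the STS, not a cryptographic verification.

```python
"""Post-serialization lint for ds:Signature elements inside a SAML assertion.

Added example; not code from the thread, WSS4J or OpenSAML. It flags the
damage the post shows on the inner (Advice) signature but does not verify
signatures cryptographically; run it before the real verifier.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
ACCEPTED_DIGESTS = {SHA256_DIGEST}
ID_ATTRS = ("AssertionID", "ID")  # SAML 1.1 and SAML 2.0 ID attributes


def check_signatures(xml_text):
    """Return [(reference_uri, [problems]), ...], one per ds:Signature in document order.

    An empty problem list means the signature survived serialization intact.
    """
    root = ET.fromstring(xml_text)
    # Index ID-typed attributes so "#fragment" reference URIs can be resolved.
    ids = {el.get(a): el for el in root.iter() for a in ID_ATTRS if el.get(a)}
    parents = {child: parent for parent in root.iter() for child in parent}
    results = []
    for sig in root.iter(DS + "Signature"):
        problems = []
        ref = sig.find(f"./{DS}SignedInfo/{DS}Reference")
        uri = ref.get("URI", "") if ref is not None else ""
        if ref is None:
            problems.append("no ds:Reference")
        else:
            target = ids.get(uri[1:]) if uri.startswith("#") else None
            if target is None:
                problems.append(f"reference {uri!r} does not resolve")
            elif parents.get(sig) is not target:
                # An enveloped SAML signature must cover its own parent assertion.
                problems.append(f"reference {uri!r} is not the signature's parent")
            dm = ref.find(DS + "DigestMethod")
            alg = dm.get("Algorithm") if dm is not None else None
            if alg == SHA1_DIGEST:
                problems.append("DigestMethod downgraded to SHA-1")
            elif alg not in ACCEPTED_DIGESTS:
                problems.append(f"unexpected DigestMethod {alg!r}")
            if not ref.findtext(DS + "DigestValue", default="").strip():
                problems.append("empty DigestValue")
        if not sig.findtext(DS + "SignatureValue", default="").strip():
            problems.append("empty SignatureValue")
        results.append((uri, problems))
    return results


# Constructed samples, abbreviated from the BEFORE/AFTER output in the post.
INNER_ID = "_99B35E24E753D60162141216853713111"
OUTER_ID = "_99B35E24E753D60162141216853759332"
PLACEHOLDER_SIG = "c2lnbmF0dXJl"  # stands in for the SignatureValue the post elides
_SIG = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#{id}">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="{alg}"/>
      <ds:DigestValue>{digest}</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>{sigval}</ds:SignatureValue>
</ds:Signature>"""


def _assertion(assertion_id, body, signature):
    return (f'<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" '
            f'AssertionID="{assertion_id}" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1">'
            f'{body}{signature}</saml1:Assertion>')


def before_sample():
    """Outer assertion not yet signed; inner Advice assertion carries a full signature."""
    inner = _assertion(INNER_ID, "", _SIG.format(
        id=INNER_ID, alg=SHA256_DIGEST,
        digest="1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=", sigval=PLACEHOLDER_SIG))
    return _assertion(OUTER_ID, f"<saml1:Advice>{inner}</saml1:Advice>", "")


def after_sample():
    """What signAssertion() produced: outer signed, inner signature hollowed out."""
    inner = _assertion(INNER_ID, "", _SIG.format(id=INNER_ID, alg=SHA1_DIGEST, digest="", sigval=""))
    outer_sig = _SIG.format(id=OUTER_ID, alg=SHA256_DIGEST,
                            digest="OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=", sigval=PLACEHOLDER_SIG)
    return _assertion(OUTER_ID, f"<saml1:Advice>{inner}</saml1:Advice>", outer_sig)


if __name__ == "__main__":
    for label, doc in (("BEFORE", before_sample()), ("AFTER", after_sample())):
        for uri, problems in check_signatures(doc):
            print(label, uri, "OK" if not problems else "; ".join(problems))
```

On the BEFORE sample the inner signature comes back clean; on the AFTER sample it is reported with the SHA-1 downgrade and both empty values while the outer signature passes, which is exactly the combination a relying party that only checks the outermost signature would wave through. The parent check matters because an enveloped signature whose Reference resolves to some other element in the document is a classic wrapping setup, so the lint refuses it rather than just noting it.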

RE: Weird AssertionWrapper.signAssertion() problem

Posted by St...@faa.gov.
Thanx, Colm. I'll rework it using the OpenSAML API's directly as you suggest and pursue it that way. 

Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Monday, October 06, 2014 5:37 AM
To: users@cxf.apache.org
Subject: Re: Weird AssertionWrapper.signAssertion() problem

I added support in WSS4J for creating SAML Assertions with "Advice" Elements - I can reproduce the issue you are seeing with the internal signature stuff:

http://svn.apache.org/viewvc?view=revision&revision=r1629601

I recommend breaking it down into a testcase that uses just the OpenSAML APIs + send it to the OpenSAML dev list to see what they think. WSS4J is also using a slightly older version of OpenSAML so there is a possibility that it is a bug which has since been fixed.

Colm.

On Wed, Oct 1, 2014 at 2:18 PM, <St...@faa.gov> wrote:




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Weird AssertionWrapper.signAssertion() problem

Posted by St...@faa.gov.
Well, what I got back from the OpenSAML list is not helpful. This is what they had to say:

"it looks questionable to me that you're dropping the DOM at the end, because I don't recall the Java code ever having full round trip fidelity when the DOM isn't cached, particularly when signatures are involved"

But obviously, WSS4J relies on that behavior. And when I don’t release the DOM, then I have other issues downstream in another module ("org.opensaml.xml.XMLRuntimeException: DOM Element node adoption failed" when I use WSSecSignatureSAML to build a message signature). 

So, there must be another answer, so I will keep looking. 

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Thursday, October 09, 2014 8:03 AM
To: users@cxf.apache.org; coheigea@apache.org
Subject: RE: Weird AssertionWrapper.signAssertion() problem

Yeah, I was afraid of something like that. It's caused a few problems here and there elsewhere in my code as well. Back to the drawing board, I suppose...

Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Thursday, October 09, 2014 5:07 AM
To: users@cxf.apache.org
Subject: Re: Weird AssertionWrapper.signAssertion() problem

Hi Stephen,

This change breaks some of the SAML tests in WSS4J, so I can't apply it.

Colm.

On Wed, Oct 8, 2014 at 2:21 PM, <St...@faa.gov> wrote:

> Colm -
>
> It looks like I have a solution for this. I had extracted some code to 
> post to the OpenSAML list, and posted the problem over there. While 
> waiting for something to happen, I tried a few things with the 
> extracted code, mostly with no positive changes. But then I tried this 
> change, and now I think the output looks correct:
>
> // Imports for WSS4J 1.6.x (as shipped with CXF 2.7.x) and OpenSAML 2.x
> import org.apache.ws.security.saml.ext.AssertionWrapper;
> import org.opensaml.common.SignableSAMLObject;
> import org.opensaml.common.impl.SAMLObjectContentReference;
> import org.opensaml.xml.signature.Signature;
>
>     protected final void addSignatureToAssertion(
>         AssertionWrapper sa,
>         Signature signature,
>         String signatureDigestAlgorithm)
>     {
>         LOG.info("SIGTEST Replacement addSignatureToAssertion");
>         if (sa.getXmlObject() instanceof SignableSAMLObject) {
>             SignableSAMLObject signableObject = (SignableSAMLObject) sa.getXmlObject();
>             signableObject.setSignature(signature);
>
>             // Set the digest algorithm explicitly; the content reference otherwise
>             // falls back to its default (SHA-1 in the AFTER output above).
>             SAMLObjectContentReference contentRef =
>                 (SAMLObjectContentReference) signature.getContentReferences().get(0);
>             contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
>
>             // Leave OpenSAML's cached DOM in place. Releasing it here is what causes
>             // the inner Advice signature to be re-marshalled without its values.
>             //signableObject.releaseChildrenDOM(true);
>             //signableObject.releaseDOM();
>         } else {
>             LOG.error("Attempt to sign an unsignable object "
>                 + sa.getXmlObject().getClass().getName());
>         }
>     }
>
> This is just the AssertionWrapper.setSignature() method extracted into 
> my local code base, with the releaseDOM lines commented out. I 
> expected this to fail miserably with various exceptions. But instead, 
> I got this (very
> trimmed) assertion back:
>
>         <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_5FFEE2CBDBBCD91A5A141277359654832" IssueInstant="2014-10-08T13:06:36.547Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1">
>           <saml1:Conditions>...</saml1:Conditions>
>           <saml1:Advice>
>             <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_5FFEE2CBDBBCD91A5A141277359605611" IssueInstant="2014-10-08T13:06:36.055Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1">
>               <saml1:Conditions>...</saml1:Conditions>
>               <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>               <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <ds:SignedInfo>
>                   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                   <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359605611">
>                     <ds:Transforms>
>                       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     </ds:Transforms>
>                     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                     <ds:DigestValue>hHfSTh/rgdxN5iGLNfJYxjI9YPowXPQsJ1sl3IH520U=</ds:DigestValue>
>                   </ds:Reference>
>                 </ds:SignedInfo>
>                 <ds:SignatureValue>...</ds:SignatureValue>
>                 <ds:KeyInfo>...</ds:KeyInfo>
>               </ds:Signature>
>             </saml1:Assertion>
>           </saml1:Advice>
>           <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>               <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359654832">
>                 <ds:Transforms>
>                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 <ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
>               </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue>...</ds:SignatureValue>
>             <ds:KeyInfo>...</ds:KeyInfo>
>           </ds:Signature>
>         </saml1:Assertion>
>
> So I have not done enough analysis yet to figure out why this works or 
> what sort of unintended consequences it may have, but for the moment, 
> the output is more along the lines of what I expected.
>
> Thanx,
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, October 06, 2014 5:37 AM
> To: users@cxf.apache.org
> Subject: Re: Weird AssertionWrapper.signAssertion() problem
>
> I added support in WSS4J for creating SAML Assertions with "Advice"
> Elements - I can reproduce the issue you are seeing with the internal 
> signature stuff:
>
> http://svn.apache.org/viewvc?view=revision&revision=r1629601
>
> I recommend breaking it down into a testcase that uses just the 
> OpenSAML APIs + send it to the OpenSAML dev list to see what they 
> think. WSS4J is also using a slightly older version of OpenSAML so 
> there is a possibility that it is a bug which has since been fixed.
>
> Colm.
>
> On Wed, Oct 1, 2014 at 2:18 PM, <St...@faa.gov> wrote:
>
> > In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1 
> > assertion, when the assertion contains another assertion in the 
> > Advice element. All SAML assertions are required to be signed by the 
> > issuer, including assertions embedded in the Advice element. But 
> > what is happening is that when I sign the "outer" assertion, the
> > AssertionWrapper.signAssertion() method is stripping the digest and 
> > signature values  from the "inner" assertion in the Advice element.
> >
> > The signature line looks like this:
> >             sa.signAssertion(issuerAlias, issuerPassword, 
> > issuerCrypto, false,
> >                 "http://www.w3.org/2001/10/xml-exc-c14n#",
> > signatureAlgorithm, digestAlgorithm);
> >
> > Here is what the assertion looks like immediately before and after 
> > this call, stripped down a bit for brevity. You can see in the 
> > second assertion that the signature on the inner Advice/Assertion 
> > has been changed - the digest method is changed, and the digest and 
> > signature values have been removed. What is causing this, and how 
> > can I prevent it? Any and all help would be appreciated, thanx!
> >
> > BEFORE:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> > IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS"
> MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                     ...
> >                 </saml1:Conditions>
> >                 <saml1:Advice>
> >                                 <saml1:Assertion 
> > AssertionID="_99B35E24E753D60162141216853713111"
> > IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS"
> MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                                                 <saml1:Conditions 
> > NotBefore="2014-10-01T13:02:16.748Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                 ...
> >                                                 </saml1:Conditions>
> >
> > <saml1:AuthenticationStatement
> > AuthenticationInstant="2014-10-01T13:02:16.748Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >
> > <saml1:Subject>
> >                                                                     ...
> >
> > </saml1:Subject>
> >
> > </saml1:AuthenticationStatement>
> >                                                 <ds:Signature xmlns:ds="
> > http://www.w3.org/2000/09/xmldsig#">
> >
> > <ds:SignedInfo>
> >
> >       <ds:CanonicalizationMethod Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >       <ds:SignatureMethod Algorithm="
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >
> >       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >
> >                       <ds:Transforms>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >                       </ds:Transforms>
> >
> >                       <ds:DigestMethod Algorithm="
> > http://www.w3.org/2001/04/xmlenc#sha256"/>
> >
> >
> > <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:Dig
> > es
> > tValue>
> >
> >       </ds:Reference>
> >
> > </ds:SignedInfo>
> >
> > <ds:SignatureValue>...</ds:SignatureValue>
> >
> > <ds:KeyInfo>
> >
> >       <ds:X509Data>
> >
> >                       <ds:X509Certificate>...</ds:X509Certificate>
> >
> >       </ds:X509Data>
> >
> > </ds:KeyInfo>
> >                                                 </ds:Signature>
> >                                 </saml1:Assertion>
> >                 </saml1:Advice>
> >                 <saml1:AuthenticationStatement 
> > AuthenticationInstant="2014-10-01T13:02:17.585Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >                                 <saml1:Subject>
> >                                     ...
> >                                 </saml1:Subject>
> >                 </saml1:AuthenticationStatement> </saml1:Assertion>
> >
> > AFTER:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> > IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >         ...
> >                 </saml1:Conditions>
> >                 <saml1:Advice>
> >                                 <saml1:Assertion 
> > AssertionID="_99B35E24E753D60162141216853713111"
> > IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                                                 <saml1:Conditions 
> > NotBefore="2014-10-01T13:02:16.748Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                 ...
> >                                                 </saml1:Conditions>
> >
> > <saml1:AuthenticationStatement
> > AuthenticationInstant="2014-10-01T13:02:16.748Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >
> > <saml1:Subject>
> >                     ...
> >
> > </saml1:Subject>
> >
> > </saml1:AuthenticationStatement>
> >                                                 <ds:Signature xmlns:ds="
> > http://www.w3.org/2000/09/xmldsig#">
> >
> > <ds:SignedInfo>
> >
> >       <ds:CanonicalizationMethod Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >       <ds:SignatureMethod Algorithm="
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >
> >       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >
> >                       <ds:Transforms>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >                       </ds:Transforms>
> >
> >                       <ds:DigestMethod Algorithm="
> > http://www.w3.org/2000/09/xmldsig#sha1"/>
> >
> >                       <ds:DigestValue/>
> >
> >       </ds:Reference>
> >
> > </ds:SignedInfo>
> >
> > <ds:SignatureValue/>
> >
> > <ds:KeyInfo>
> >
> >       <ds:X509Data>
> >
> >                       <ds:X509Certificate>...</ds:X509Certificate>
> >
> >       </ds:X509Data>
> >
> > </ds:KeyInfo>
> >                                                 </ds:Signature>
> >                                 </saml1:Assertion>
> >                 </saml1:Advice>
> >                 <saml1:AuthenticationStatement 
> > AuthenticationInstant="2014-10-01T13:02:17.585Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >                                 <saml1:Subject>
> >                                    ...
> >                                 </saml1:Subject>
> >                 </saml1:AuthenticationStatement>
> >                 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >                                 <ds:SignedInfo>
> >
> > <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                                                 <ds:SignatureMethod 
> > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >                                                 <ds:Reference 
> > URI="#_99B35E24E753D60162141216853759332">
> >
> > <ds:Transforms>
> >
> >       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >       <ds:Transform
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> > </ds:Transforms>
> >
> > <ds:DigestMethod
> > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >
> >
> > <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
> >                                                 </ds:Reference>
> >                                 </ds:SignedInfo>
> >
> > <ds:SignatureValue>...</ds:SignatureValue>
> >                                 <ds:KeyInfo>
> >                                                 <ds:X509Data>
> >
> > <ds:X509Certificate>...</ds:X509Certificate>
> >                                                 </ds:X509Data>
> >                                 </ds:KeyInfo>
> >                 </ds:Signature>
> > </saml1:Assertion>
> >
> >
> > Stephen W. Chappell
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Weird AssertionWrapper.signAssertion() problem

Posted by St...@faa.gov.
Yeah, I was afraid of something like that. It's caused a few problems here and there elsewhere in my code as well. Back to the drawing board, I suppose...

Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Thursday, October 09, 2014 5:07 AM
To: users@cxf.apache.org
Subject: Re: Weird AssertionWrapper.signAssertion() problem

Hi Stephen,

This change breaks some of the SAML tests in WSS4J, so I can't apply it.

Colm.

On Wed, Oct 8, 2014 at 2:21 PM, <St...@faa.gov> wrote:

> Colm -
>
> It looks like I have a solution for this. I had extracted some code to 
> post to the OpenSAML list, and posted the problem over there. While 
> waiting for something to happen, I tried a few things with the 
> extracted code, mostly with no positive changes. But then I tried this 
> change, and now I think the output looks correct:
>
>     protected final void addSignatureToAssertion(
>         AssertionWrapper sa,
>         Signature signature,
>         String signatureDigestAlgorithm)
>     {
>         LOG.info("SIGTEST Replacement addSignatureToAssertion");
>         if ( sa.getXmlObject() instanceof SignableSAMLObject ) {
>             SignableSAMLObject signableObject = (SignableSAMLObject) sa.getXmlObject();
>             signableObject.setSignature(signature);
>
>             SAMLObjectContentReference contentRef =
>                 (SAMLObjectContentReference) signature.getContentReferences().get(0);
>             contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
>
>             // The releaseDOM lines from the original AssertionWrapper method, commented out.
>             //signableObject.releaseChildrenDOM(true);
>             //signableObject.releaseDOM();
>         } else {
>             LOG.error("Attempt to sign an unsignable object " +
>                 sa.getXmlObject().getClass().getName());
>         }
>     }
>
> This is just the AssertionWrapper.setSignature() method extracted into 
> my local code base, with the releaseDOM lines commented out. I 
> expected this to fail miserably with various exceptions. But instead, 
> I got this (very
> trimmed) assertion back:
>
>         <saml1:Assertion
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
> AssertionID="_5FFEE2CBDBBCD91A5A141277359654832"
> IssueInstant="2014-10-08T13:06:36.547Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1">
>                 <saml1:Conditions>...</saml1:Conditions>
>                 <saml1:Advice>
>                         <saml1:Assertion 
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
> AssertionID="_5FFEE2CBDBBCD91A5A141277359605611"
> IssueInstant="2014-10-08T13:06:36.055Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1">
>                                 
> <saml1:Conditions>...</saml1:Conditions>
>
> <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>                                 <ds:Signature xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#">
>                                         <ds:SignedInfo>
>                                                 
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                                 <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                                                 <ds:Reference 
> URI="#_5FFEE2CBDBBCD91A5A141277359605611">
>                                                         
> <ds:Transforms>
>
> <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                                         </ds:Transforms>
>                                                         
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>hHfSTh/rgdxN5iGLNfJYxjI9YPowXPQsJ1sl3IH520U=</ds:DigestValue>
>                                                 </ds:Reference>
>                                         </ds:SignedInfo>
>
> <ds:SignatureValue>...</ds:SignatureValue>
>                                         <ds:KeyInfo>...</ds:KeyInfo>
>                                 </ds:Signature>
>                         </saml1:Assertion>
>                 </saml1:Advice>
>
> <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>                 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                         <ds:SignedInfo>
>                                 <ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                 <ds:SignatureMethod Algorithm="
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                                 <ds:Reference 
> URI="#_5FFEE2CBDBBCD91A5A141277359654832">
>                                         <ds:Transforms>
>                                                 <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                                                 <ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                         </ds:Transforms>
>                                         <ds:DigestMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
>                                 </ds:Reference>
>                         </ds:SignedInfo>
>                         <ds:SignatureValue>...</ds:SignatureValue>
>                         <ds:KeyInfo>...</ds:KeyInfo>
>                 </ds:Signature>
>         </saml1:Assertion>
>
> So I have not done enough analysis yet to figure out why this works or 
> what sort of unintended consequences it may have, but for the moment, 
> the output is more along the lines of what I expected.
>
> Thanx,
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, October 06, 2014 5:37 AM
> To: users@cxf.apache.org
> Subject: Re: Weird AssertionWrapper.signAssertion() problem
>
> I added support in WSS4J for creating SAML Assertions with "Advice"
> Elements - I can reproduce the issue you are seeing with the internal 
> signature stuff:
>
> http://svn.apache.org/viewvc?view=revision&revision=r1629601
>
> I recommend breaking it down into a testcase that uses just the 
> OpenSAML APIs + send it to the OpenSAML dev list to see what they 
> think. WSS4J is also using a slightly older version of OpenSAML so 
> there is a possibility that it is a bug which has since been fixed.
>
> Colm.
>
> On Wed, Oct 1, 2014 at 2:18 PM, <St...@faa.gov> wrote:
>
> > In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1 
> > assertion, when the assertion contains another assertion in the 
> > Advice element. All SAML assertions are required to be signed by the 
> > issuer, including assertions embedded in the Advice element. But 
> > what is happening is that when I sign the "outer" assertion, the
> > AssertionWrapper.signAssertion() method is stripping the digest and 
> > signature values  from the "inner" assertion in the Advice element.
> >
> > The signature line looks like this:
> >             sa.signAssertion(issuerAlias, issuerPassword, 
> > issuerCrypto, false,
> >                 "http://www.w3.org/2001/10/xml-exc-c14n#",
> > signatureAlgorithm, digestAlgorithm);
> >
> > Here is what the assertion looks like immediately before and after 
> > this call, stripped down a bit for brevity. You can see in the 
> > second assertion that the signature on the inner Advice/Assertion 
> > has been changed - the digest method is changed, and the digest and 
> > signature values have been removed. What is causing this, and how 
> > can I prevent it? Any and all help would be appreciated, thanx!
> >
> > BEFORE:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> > IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                     ...
> >                 </saml1:Conditions>
> >                 <saml1:Advice>
> >                                 <saml1:Assertion 
> > AssertionID="_99B35E24E753D60162141216853713111"
> > IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                                                 <saml1:Conditions 
> > NotBefore="2014-10-01T13:02:16.748Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                 ...
> >                                                 </saml1:Conditions>
> >
> > <saml1:AuthenticationStatement
> > AuthenticationInstant="2014-10-01T13:02:16.748Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >
> > <saml1:Subject>
> >                                                                     ...
> >
> > </saml1:Subject>
> >
> > </saml1:AuthenticationStatement>
> >                                                 <ds:Signature xmlns:ds="
> > http://www.w3.org/2000/09/xmldsig#">
> >
> > <ds:SignedInfo>
> >
> >       <ds:CanonicalizationMethod Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >       <ds:SignatureMethod Algorithm="
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >
> >       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >
> >                       <ds:Transforms>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >                       </ds:Transforms>
> >
> >                       <ds:DigestMethod Algorithm="
> > http://www.w3.org/2001/04/xmlenc#sha256"/>
> >
> >
> > <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
> >
> >       </ds:Reference>
> >
> > </ds:SignedInfo>
> >
> > <ds:SignatureValue>...</ds:SignatureValue>
> >
> > <ds:KeyInfo>
> >
> >       <ds:X509Data>
> >
> >                       <ds:X509Certificate>...</ds:X509Certificate>
> >
> >       </ds:X509Data>
> >
> > </ds:KeyInfo>
> >                                                 </ds:Signature>
> >                                 </saml1:Assertion>
> >                 </saml1:Advice>
> >                 <saml1:AuthenticationStatement 
> > AuthenticationInstant="2014-10-01T13:02:17.585Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >                                 <saml1:Subject>
> >                                     ...
> >                                 </saml1:Subject>
> >                 </saml1:AuthenticationStatement> </saml1:Assertion>
> >
> > AFTER:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> > IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >         ...
> >                 </saml1:Conditions>
> >                 <saml1:Advice>
> >                                 <saml1:Assertion 
> > AssertionID="_99B35E24E753D60162141216853713111"
> > IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                                                 <saml1:Conditions 
> > NotBefore="2014-10-01T13:02:16.748Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                 ...
> >                                                 </saml1:Conditions>
> >
> > <saml1:AuthenticationStatement
> > AuthenticationInstant="2014-10-01T13:02:16.748Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >
> > <saml1:Subject>
> >                     ...
> >
> > </saml1:Subject>
> >
> > </saml1:AuthenticationStatement>
> >                                                 <ds:Signature xmlns:ds="
> > http://www.w3.org/2000/09/xmldsig#">
> >
> > <ds:SignedInfo>
> >
> >       <ds:CanonicalizationMethod Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >       <ds:SignatureMethod Algorithm="
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >
> >       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >
> >                       <ds:Transforms>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >                       </ds:Transforms>
> >
> >                       <ds:DigestMethod Algorithm="
> > http://www.w3.org/2000/09/xmldsig#sha1"/>
> >
> >                       <ds:DigestValue/>
> >
> >       </ds:Reference>
> >
> > </ds:SignedInfo>
> >
> > <ds:SignatureValue/>
> >
> > <ds:KeyInfo>
> >
> >       <ds:X509Data>
> >
> >                       <ds:X509Certificate>...</ds:X509Certificate>
> >
> >       </ds:X509Data>
> >
> > </ds:KeyInfo>
> >                                                 </ds:Signature>
> >                                 </saml1:Assertion>
> >                 </saml1:Advice>
> >                 <saml1:AuthenticationStatement 
> > AuthenticationInstant="2014-10-01T13:02:17.585Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >                                 <saml1:Subject>
> >                                    ...
> >                                 </saml1:Subject>
> >                 </saml1:AuthenticationStatement>
> >                 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >                                 <ds:SignedInfo>
> >
> > <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                                                 <ds:SignatureMethod 
> > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >                                                 <ds:Reference 
> > URI="#_99B35E24E753D60162141216853759332">
> >
> > <ds:Transforms>
> >
> >       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >       <ds:Transform
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> > </ds:Transforms>
> >
> > <ds:DigestMethod 
> > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >
> >
> > <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
> >                                                 </ds:Reference>
> >                                 </ds:SignedInfo>
> >
> > <ds:SignatureValue>...</ds:SignatureValue>
> >                                 <ds:KeyInfo>
> >                                                 <ds:X509Data>
> >
> > <ds:X509Certificate>...</ds:X509Certificate>
> >                                                 </ds:X509Data>
> >                                 </ds:KeyInfo>
> >                 </ds:Signature>
> > </saml1:Assertion>
> >
> >
> > Stephen W. Chappell
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
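Added example (not code from CXF, WSS4J or OpenSAML, and not from either poster): a plain-JDK DOM check that an issuer could run on the marshalled assertion before handing it out, flagging exactly the symptoms visible in the AFTER dump above, that is an enveloped signature whose DigestValue or SignatureValue is empty, whose DigestMethod is not the algorithm that was requested, or whose Reference URI does not point at the assertion that directly contains it. The class name EmbeddedSignatureCheck, its method names and the sample assertion with the IDs _outer-constructed and _inner-constructed are all assumptions of mine; the sample reproduces the shape of the thread's AFTER output, with the Advice assertion's signature emptied and its digest method fallen back to SHA-1, so the check reports three problems for the inner assertion and none for the outer one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example, not CXF/WSS4J/OpenSAML code: structural sanity check over every
 * ds:Signature in a marshalled SAML 1.1 assertion, including signatures on
 * assertions nested under saml1:Advice.
 */
public class EmbeddedSignatureCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion";
    /** Digest algorithm the issuer asked signAssertion() to use. */
    static final String EXPECTED_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256";

    /** Returns the findings; an empty list means every signature is structurally intact. */
    public static List<String> check(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Parser hardening: refusing DOCTYPE rules out external entities and entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<String> findings = new ArrayList<>();
        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Element sig = (Element) sigs.item(i);
            // In SAML 1.1 the enveloped signature is a direct child of the assertion it signs.
            Element signed = (Element) sig.getParentNode();
            boolean isAssertion = SAML1.equals(signed.getNamespaceURI())
                    && "Assertion".equals(signed.getLocalName());
            String id = isAssertion ? signed.getAttribute("AssertionID") : "(not an Assertion)";

            String refUri = firstAttr(sig, "Reference", "URI");
            if (!("#" + id).equals(refUri)) {
                findings.add(id + ": Reference URI '" + refUri + "' does not point at the enclosing assertion");
            }
            String digestAlg = firstAttr(sig, "DigestMethod", "Algorithm");
            if (!EXPECTED_DIGEST.equals(digestAlg)) {
                findings.add(id + ": DigestMethod is '" + digestAlg + "', expected " + EXPECTED_DIGEST);
            }
            if (firstText(sig, "DigestValue").isEmpty()) {
                findings.add(id + ": empty DigestValue");
            }
            if (firstText(sig, "SignatureValue").isEmpty()) {
                findings.add(id + ": empty SignatureValue");
            }
        }
        return findings;
    }

    /** Attribute of the first ds:<local> element under sig, or "" if there is none. */
    private static String firstAttr(Element sig, String local, String attr) {
        NodeList nl = sig.getElementsByTagNameNS(DS, local);
        return nl.getLength() == 0 ? "" : ((Element) nl.item(0)).getAttribute(attr);
    }

    /** Trimmed text of the first ds:<local> element under sig, or "" if there is none. */
    private static String firstText(Element sig, String local) {
        NodeList nl = sig.getElementsByTagNameNS(DS, local);
        return nl.getLength() == 0 ? "" : nl.item(0).getTextContent().trim();
    }

    // Constructed sample with the shape of the thread's AFTER dump: the outer signature is
    // intact, the Advice assertion's signature has empty values and a SHA-1 DigestMethod.
    // The IDs and the base64 payloads are placeholders, not real digests or signatures.
    static final String SAMPLE =
          "<saml1:Assertion xmlns:saml1='" + SAML1 + "' AssertionID='_outer-constructed'"
        + " MajorVersion='1' MinorVersion='1'>"
        + "<saml1:Advice>"
        + "<saml1:Assertion AssertionID='_inner-constructed' MajorVersion='1' MinorVersion='1'>"
        + "<ds:Signature xmlns:ds='" + DS + "'><ds:SignedInfo>"
        + "<ds:Reference URI='#_inner-constructed'>"
        + "<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>"
        + "<ds:DigestValue/></ds:Reference></ds:SignedInfo>"
        + "<ds:SignatureValue/></ds:Signature>"
        + "</saml1:Assertion></saml1:Advice>"
        + "<ds:Signature xmlns:ds='" + DS + "'><ds:SignedInfo>"
        + "<ds:Reference URI='#_outer-constructed'>"
        + "<ds:DigestMethod Algorithm='" + EXPECTED_DIGEST + "'/>"
        + "<ds:DigestValue>cGxhY2Vob2xkZXItZGlnZXN0</ds:DigestValue></ds:Reference></ds:SignedInfo>"
        + "<ds:SignatureValue>cGxhY2Vob2xkZXItc2ln</ds:SignatureValue></ds:Signature>"
        + "</saml1:Assertion>";

    public static void main(String[] args) throws Exception {
        List<String> findings = check(SAMPLE);
        System.out.println(findings.isEmpty() ? "all signatures intact"
                                              : findings.size() + " problem(s) found");
        for (String finding : findings) {
            System.out.println("  " + finding);
        }
    }
}
```

The check is structural only: it confirms that the values are present and that each signature references the assertion wrapping it, not that the signatures verify, so it complements rather than replaces validation of the signature value against the issuer's certificate. It relies on SAML 1.1 placing the enveloped ds:Signature as a direct child of the assertion it signs, which is how the enclosing AssertionID is found; a signature that ends up anywhere else is reported as well.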

Re: Weird AssertionWrapper.signAssertion() problem

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Stephen,

This change breaks some of the SAML tests in WSS4J, so I can't apply it.

Colm.

On Wed, Oct 8, 2014 at 2:21 PM, <St...@faa.gov> wrote:

> Colm -
>
> It looks like I have a solution for this. I had extracted some code to
> post to the OpenSAML list, and posted the problem over there. While waiting
> for something to happen, I tried a few things with the extracted code,
> mostly with no positive changes. But then I tried this change, and now I
> think the output looks correct:
>
>     protected final void addSignatureToAssertion(
>         AssertionWrapper sa,
>         Signature signature,
>         String signatureDigestAlgorithm)
>     {
>         LOG.info("SIGTEST Replacement addSignatureToAssertion");
>         if ( sa.getXmlObject() instanceof SignableSAMLObject ) {
>             SignableSAMLObject signableObject = (SignableSAMLObject) sa.getXmlObject();
>             signableObject.setSignature(signature);
>
>             SAMLObjectContentReference contentRef =
>                 (SAMLObjectContentReference) signature.getContentReferences().get(0);
>             contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
>
>             // The releaseDOM lines from the original AssertionWrapper method, commented out.
>             //signableObject.releaseChildrenDOM(true);
>             //signableObject.releaseDOM();
>         } else {
>             LOG.error("Attempt to sign an unsignable object " +
>                 sa.getXmlObject().getClass().getName());
>         }
>     }
>
> This is just the AssertionWrapper.setSignature() method extracted into my
> local code base, with the releaseDOM lines commented out. I expected this
> to fail miserably with various exceptions. But instead, I got this (very
> trimmed) assertion back:
>
>         <saml1:Assertion
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
> AssertionID="_5FFEE2CBDBBCD91A5A141277359654832"
> IssueInstant="2014-10-08T13:06:36.547Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1">
>                 <saml1:Conditions>...</saml1:Conditions>
>                 <saml1:Advice>
>                         <saml1:Assertion
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
> AssertionID="_5FFEE2CBDBBCD91A5A141277359605611"
> IssueInstant="2014-10-08T13:06:36.055Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1">
>                                 <saml1:Conditions>...</saml1:Conditions>
>
> <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>                                 <ds:Signature xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#">
>                                         <ds:SignedInfo>
>                                                 <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                                 <ds:SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                                                 <ds:Reference
> URI="#_5FFEE2CBDBBCD91A5A141277359605611">
>                                                         <ds:Transforms>
>
> <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                                         </ds:Transforms>
>                                                         <ds:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>hHfSTh/rgdxN5iGLNfJYxjI9YPowXPQsJ1sl3IH520U=</ds:DigestValue>
>                                                 </ds:Reference>
>                                         </ds:SignedInfo>
>
> <ds:SignatureValue>...</ds:SignatureValue>
>                                         <ds:KeyInfo>...</ds:KeyInfo>
>                                 </ds:Signature>
>                         </saml1:Assertion>
>                 </saml1:Advice>
>
> <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>                 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                         <ds:SignedInfo>
>                                 <ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                 <ds:SignatureMethod Algorithm="
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                                 <ds:Reference
> URI="#_5FFEE2CBDBBCD91A5A141277359654832">
>                                         <ds:Transforms>
>                                                 <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                                                 <ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                         </ds:Transforms>
>                                         <ds:DigestMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
>                                 </ds:Reference>
>                         </ds:SignedInfo>
>                         <ds:SignatureValue>...</ds:SignatureValue>
>                         <ds:KeyInfo>...</ds:KeyInfo>
>                 </ds:Signature>
>         </saml1:Assertion>
>
> So I have not done enough analysis yet to figure out why this works or
> what sort of unintended consequences it may have, but for the moment, the
> output is more along the lines of what I expected.
>
> Thanx,
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, October 06, 2014 5:37 AM
> To: users@cxf.apache.org
> Subject: Re: Weird AssertionWrapper.signAssertion() problem
>
> I added support in WSS4J for creating SAML Assertions with "Advice"
> Elements - I can reproduce the issue you are seeing with the internal
> signature stuff:
>
> http://svn.apache.org/viewvc?view=revision&revision=r1629601
>
> I recommend breaking it down into a testcase that uses just the OpenSAML
> APIs + send it to the OpenSAML dev list to see what they think. WSS4J is
> also using a slightly older version of OpenSAML so there is a possibility
> that it is a bug which has since been fixed.
>
> Colm.
>
> On Wed, Oct 1, 2014 at 2:18 PM, <St...@faa.gov> wrote:
>
> > In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1
> > assertion, when the assertion contains another assertion in the Advice
> > element. All SAML assertions are required to be signed by the issuer,
> > including assertions embedded in the Advice element. But what is
> > happening is that when I sign the "outer" assertion, the
> > AssertionWrapper.signAssertion() method is stripping the digest and
> > signature values  from the "inner" assertion in the Advice element.
> >
> > The signature line looks like this:
> >             sa.signAssertion(issuerAlias, issuerPassword,
> > issuerCrypto, false,
> >                 "http://www.w3.org/2001/10/xml-exc-c14n#",
> > signatureAlgorithm, digestAlgorithm);
> >
> > Here is what the assertion looks like immediately before and after
> > this call, stripped down a bit for brevity. You can see in the second
> > assertion that the signature on the inner Advice/Assertion has been
> > changed - the digest method is changed, and the digest and signature
> > values have been removed. What is causing this, and how can I prevent
> > it? Any and all help would be appreciated, thanx!
> >
> > BEFORE:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> > IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                     ...
> >                 </saml1:Conditions>
> >                 <saml1:Advice>
> >                                 <saml1:Assertion
> > AssertionID="_99B35E24E753D60162141216853713111"
> > IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                                                 <saml1:Conditions
> > NotBefore="2014-10-01T13:02:16.748Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                 ...
> >                                                 </saml1:Conditions>
> >
> > <saml1:AuthenticationStatement
> > AuthenticationInstant="2014-10-01T13:02:16.748Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >
> > <saml1:Subject>
> >                                                                     ...
> >
> > </saml1:Subject>
> >
> > </saml1:AuthenticationStatement>
> >                                                 <ds:Signature xmlns:ds="
> > http://www.w3.org/2000/09/xmldsig#">
> >
> > <ds:SignedInfo>
> >
> >       <ds:CanonicalizationMethod Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >       <ds:SignatureMethod Algorithm="
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >
> >       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >
> >                       <ds:Transforms>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >                       </ds:Transforms>
> >
> >                       <ds:DigestMethod Algorithm="
> > http://www.w3.org/2001/04/xmlenc#sha256"/>
> >
> >
> > <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
> >
> >       </ds:Reference>
> >
> > </ds:SignedInfo>
> >
> > <ds:SignatureValue>...</ds:SignatureValue>
> >
> > <ds:KeyInfo>
> >
> >       <ds:X509Data>
> >
> >                       <ds:X509Certificate>...</ds:X509Certificate>
> >
> >       </ds:X509Data>
> >
> > </ds:KeyInfo>
> >                                                 </ds:Signature>
> >                                 </saml1:Assertion>
> >                 </saml1:Advice>
> >                 <saml1:AuthenticationStatement
> > AuthenticationInstant="2014-10-01T13:02:17.585Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >                                 <saml1:Subject>
> >                                     ...
> >                                 </saml1:Subject>
> >                 </saml1:AuthenticationStatement> </saml1:Assertion>
> >
> > AFTER:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> > IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >         ...
> >                 </saml1:Conditions>
> >                 <saml1:Advice>
> >                                 <saml1:Assertion
> > AssertionID="_99B35E24E753D60162141216853713111"
> > IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS"
> > MajorVersion="1"
> > MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >                                                 <saml1:Conditions
> > NotBefore="2014-10-01T13:02:16.748Z"
> > NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >                 ...
> >                                                 </saml1:Conditions>
> >
> > <saml1:AuthenticationStatement
> > AuthenticationInstant="2014-10-01T13:02:16.748Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >
> > <saml1:Subject>
> >                     ...
> >
> > </saml1:Subject>
> >
> > </saml1:AuthenticationStatement>
> >                                                 <ds:Signature xmlns:ds="
> > http://www.w3.org/2000/09/xmldsig#">
> >
> > <ds:SignedInfo>
> >
> >       <ds:CanonicalizationMethod Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >       <ds:SignatureMethod Algorithm="
> > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >
> >       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >
> >                       <ds:Transforms>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >                                       <ds:Transform Algorithm="
> > http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> >                       </ds:Transforms>
> >
> >                       <ds:DigestMethod Algorithm="
> > http://www.w3.org/2000/09/xmldsig#sha1"/>
> >
> >                       <ds:DigestValue/>
> >
> >       </ds:Reference>
> >
> > </ds:SignedInfo>
> >
> > <ds:SignatureValue/>
> >
> > <ds:KeyInfo>
> >
> >       <ds:X509Data>
> >
> >                       <ds:X509Certificate>...</ds:X509Certificate>
> >
> >       </ds:X509Data>
> >
> > </ds:KeyInfo>
> >                                                 </ds:Signature>
> >                                 </saml1:Assertion>
> >                 </saml1:Advice>
> >                 <saml1:AuthenticationStatement
> > AuthenticationInstant="2014-10-01T13:02:17.585Z"
> > AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >                                 <saml1:Subject>
> >                                    ...
> >                                 </saml1:Subject>
> >                 </saml1:AuthenticationStatement>
> >                 <ds:Signature
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#
> > ">
> >                                 <ds:SignedInfo>
> >
> > <ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                                                 <ds:SignatureMethod
> > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >                                                 <ds:Reference
> > URI="#_99B35E24E753D60162141216853759332">
> >
> > <ds:Transforms>
> >
> >       <ds:Transform Algorithm="
> > http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >
> >       <ds:Transform
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >
> > </ds:Transforms>
> >
> > <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >
> >
> <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
> >                                                 </ds:Reference>
> >                                 </ds:SignedInfo>
> >
>  <ds:SignatureValue>...</ds:SignatureValue>
> >                                 <ds:KeyInfo>
> >                                                 <ds:X509Data>
> >
> > <ds:X509Certificate>...</ds:X509Certificate>
> >                                                 </ds:X509Data>
> >                                 </ds:KeyInfo>
> >                 </ds:Signature>
> > </saml1:Assertion>
> >
> >
> > Stephen W. Chappell
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Weird AssertionWrapper.signAssertion() problem

Posted by St...@faa.gov.
Colm -

It looks like I have a solution for this. I had extracted some code to post to the OpenSAML list, and posted the problem over there. While waiting for something to happen, I tried a few things with the extracted code, mostly with no positive changes. But then I tried this change, and now I think the output looks correct:

    // Imports for the classes the method uses (WSS4J 1.6.x as shipped with
    // CXF 2.7.x, and OpenSAML 2.x); the posted snippet showed only the method.
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.apache.ws.security.saml.ext.AssertionWrapper;
    import org.opensaml.common.SAMLObjectContentReference;
    import org.opensaml.common.SignableSAMLObject;
    import org.opensaml.xml.signature.Signature;

    // Logger assumed to be commons-logging (what WSS4J itself uses); the logger name is arbitrary.
    private static final Log LOG = LogFactory.getLog("SIGTEST");

    // Copy of AssertionWrapper.setSignature() with the two releaseDOM calls
    // left commented out, as described in the message.
    protected final void addSignatureToAssertion(
        AssertionWrapper sa, 
        Signature signature, 
        String signatureDigestAlgorithm)
    {
        LOG.info("SIGTEST Replacement addSignatureToAssertion");
        if ( sa.getXmlObject() instanceof SignableSAMLObject ) {
            SignableSAMLObject signableObject = (SignableSAMLObject) sa.getXmlObject();
            signableObject.setSignature(signature);

            // Apply the requested digest algorithm to the Reference that
            // points at the assertion being signed (the only content reference).
            SAMLObjectContentReference contentRef = 
                (SAMLObjectContentReference)signature.getContentReferences().get(0);
            contentRef.setDigestAlgorithm(signatureDigestAlgorithm);

            //signableObject.releaseChildrenDOM(true);
            //signableObject.releaseDOM();
        } else {
            LOG.error("Attempt to sign an unsignable object " + sa.getXmlObject().getClass().getName());
        }
    }

This is just the AssertionWrapper.setSignature() method extracted into my local code base, with the releaseDOM lines commented out. I expected this to fail miserably with various exceptions. But instead, I got this (very trimmed) assertion back:

	<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_5FFEE2CBDBBCD91A5A141277359654832" IssueInstant="2014-10-08T13:06:36.547Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1">
		<saml1:Conditions>...</saml1:Conditions>
		<saml1:Advice>
			<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_5FFEE2CBDBBCD91A5A141277359605611" IssueInstant="2014-10-08T13:06:36.055Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1">
				<saml1:Conditions>...</saml1:Conditions>
				<saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
				<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<ds:SignedInfo>
						<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
						<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
						<ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359605611">
							<ds:Transforms>
								<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
								<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
							</ds:Transforms>
							<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
							<ds:DigestValue>hHfSTh/rgdxN5iGLNfJYxjI9YPowXPQsJ1sl3IH520U=</ds:DigestValue>
						</ds:Reference>
					</ds:SignedInfo>
					<ds:SignatureValue>...</ds:SignatureValue>
					<ds:KeyInfo>...</ds:KeyInfo>
				</ds:Signature>
			</saml1:Assertion>
		</saml1:Advice>
		<saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
				<ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359654832">
					<ds:Transforms>
						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
					<ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>...</ds:SignatureValue>
			<ds:KeyInfo>...</ds:KeyInfo>
		</ds:Signature>
	</saml1:Assertion>

So I have not done enough analysis yet to figure out why this works or what sort of unintended consequences it may have, but for the moment, the output is more along the lines of what I expected.

Thanx,

Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Monday, October 06, 2014 5:37 AM
To: users@cxf.apache.org
Subject: Re: Weird AssertionWrapper.signAssertion() problem

I added support in WSS4J for creating SAML Assertions with "Advice"
Elements - I can reproduce the issue you are seeing with the internal signature stuff:

http://svn.apache.org/viewvc?view=revision&revision=r1629601

I recommend breaking it down into a testcase that uses just the OpenSAML APIs + send it to the OpenSAML dev list to see what they think. WSS4J is also using a slightly older version of OpenSAML so there is a possibility that it is a bug which has since been fixed.

Colm.

On Wed, Oct 1, 2014 at 2:18 PM, <St...@faa.gov> wrote:

> In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1 
> assertion, when the assertion contains another assertion in the Advice 
> element. All SAML assertions are required to be signed by the issuer, 
> including assertions embedded in the Advice element. But what is 
> happening is that when I sign the "outer" assertion, the
> AssertionWrapper.signAssertion() method is stripping the digest and 
> signature values  from the "inner" assertion in the Advice element.
>
> The signature line looks like this:
>             sa.signAssertion(issuerAlias, issuerPassword, 
> issuerCrypto, false,
>                 "http://www.w3.org/2001/10/xml-exc-c14n#",
> signatureAlgorithm, digestAlgorithm);
>
> Here is what the assertion looks like immediately before and after 
> this call, stripped down a bit for brevity. You can see in the second 
> assertion that the signature on the inner Advice/Assertion has been 
> changed - the digest method is changed, and the digest and signature 
> values have been removed. What is causing this, and how can I prevent 
> it? Any and all help would be appreciated, thanx!
>
> BEFORE:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> NotOnOrAfter="2014-10-01T13:03:16.748Z">
>                     ...
>                 </saml1:Conditions>
>                 <saml1:Advice>
>                                 <saml1:Assertion 
> AssertionID="_99B35E24E753D60162141216853713111"
> IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>                                                 <saml1:Conditions 
> NotBefore="2014-10-01T13:02:16.748Z"
> NotOnOrAfter="2014-10-01T13:03:16.748Z">
>                 ...
>                                                 </saml1:Conditions>
>
> <saml1:AuthenticationStatement
> AuthenticationInstant="2014-10-01T13:02:16.748Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>
> <saml1:Subject>
>                                                                     ...
>
> </saml1:Subject>
>
> </saml1:AuthenticationStatement>
>                                                 <ds:Signature xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#">
>
> <ds:SignedInfo>
>
>       <ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
>       <ds:SignatureMethod Algorithm="
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>
>       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>
>                       <ds:Transforms>
>
>                                       <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
>                                       <ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
>                       </ds:Transforms>
>
>                       <ds:DigestMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#sha256"/>
>
>
> <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
>
>       </ds:Reference>
>
> </ds:SignedInfo>
>
> <ds:SignatureValue>...</ds:SignatureValue>
>
> <ds:KeyInfo>
>
>       <ds:X509Data>
>
>                       <ds:X509Certificate>...</ds:X509Certificate>
>
>       </ds:X509Data>
>
> </ds:KeyInfo>
>                                                 </ds:Signature>
>                                 </saml1:Assertion>
>                 </saml1:Advice>
>                 <saml1:AuthenticationStatement 
> AuthenticationInstant="2014-10-01T13:02:17.585Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>                                 <saml1:Subject>
>                                     ...
>                                 </saml1:Subject>
>                 </saml1:AuthenticationStatement> </saml1:Assertion>
>
> AFTER:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> NotOnOrAfter="2014-10-01T13:03:16.748Z">
>         ...
>                 </saml1:Conditions>
>                 <saml1:Advice>
>                                 <saml1:Assertion 
> AssertionID="_99B35E24E753D60162141216853713111"
> IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>                                                 <saml1:Conditions 
> NotBefore="2014-10-01T13:02:16.748Z"
> NotOnOrAfter="2014-10-01T13:03:16.748Z">
>                 ...
>                                                 </saml1:Conditions>
>
> <saml1:AuthenticationStatement
> AuthenticationInstant="2014-10-01T13:02:16.748Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>
> <saml1:Subject>
>                     ...
>
> </saml1:Subject>
>
> </saml1:AuthenticationStatement>
>                                                 <ds:Signature xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#">
>
> <ds:SignedInfo>
>
>       <ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
>       <ds:SignatureMethod Algorithm="
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>
>       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>
>                       <ds:Transforms>
>
>                                       <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
>                                       <ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
>                       </ds:Transforms>
>
>                       <ds:DigestMethod Algorithm="
> http://www.w3.org/2000/09/xmldsig#sha1"/>
>
>                       <ds:DigestValue/>
>
>       </ds:Reference>
>
> </ds:SignedInfo>
>
> <ds:SignatureValue/>
>
> <ds:KeyInfo>
>
>       <ds:X509Data>
>
>                       <ds:X509Certificate>...</ds:X509Certificate>
>
>       </ds:X509Data>
>
> </ds:KeyInfo>
>                                                 </ds:Signature>
>                                 </saml1:Assertion>
>                 </saml1:Advice>
>                 <saml1:AuthenticationStatement 
> AuthenticationInstant="2014-10-01T13:02:17.585Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>                                 <saml1:Subject>
>                                    ...
>                                 </saml1:Subject>
>                 </saml1:AuthenticationStatement>
>                 <ds:Signature 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#
> ">
>                                 <ds:SignedInfo>
>                                                 
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                                 <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                                                 <ds:Reference 
> URI="#_99B35E24E753D60162141216853759332">
>
> <ds:Transforms>
>
>       <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
>       <ds:Transform 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
> </ds:Transforms>
>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
>                                                 </ds:Reference>
>                                 </ds:SignedInfo>
>                                 <ds:SignatureValue>...</ds:SignatureValue>
>                                 <ds:KeyInfo>
>                                                 <ds:X509Data>
>
> <ds:X509Certificate>...</ds:X509Certificate>
>                                                 </ds:X509Data>
>                                 </ds:KeyInfo>
>                 </ds:Signature>
> </saml1:Assertion>
>
>
> Stephen W. Chappell
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
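A check that catches the failure mode shown in this thread, added here as an example; it is not code from the thread or from CXF, WSS4J or OpenSAML. The AFTER dump is consistent with the inner Signature having been re-marshalled from its XMLObject after the cached DOM was released: what comes back is the unsigned template (default SHA-1 DigestMethod, empty DigestValue and SignatureValue), and the releaseDOM workaround above avoids exactly that. Whatever the cause, an issuer should not let such a token leave the STS, so the check below walks every Assertion in a token, including those nested under Advice, and reports the symptoms visible in the dumps: a Reference that does not point at the enclosing AssertionID, a missing enveloped-signature transform, a DigestMethod that is not the one requested, and empty DigestValue or SignatureValue. It is written in Python with only the standard library so it runs offline against a saved token. The AssertionIDs and DigestValues in the sample are the ones from the dumps above; the SignatureValue text and the trimmed element bodies are constructed. It also accepts SAML 2.0 Assertion elements (ID attribute), which goes beyond the SAML 1.1 case discussed here. It is a structural check only and does not verify the signatures cryptographically, so it complements normal signature validation rather than replacing it.

```python
"""Structural check for stripped signatures on nested SAML assertions.

Added example, not code from the CXF thread or from WSS4J/OpenSAML.
Walks every Assertion (outer and Advice-nested) and reports signatures
that look like the re-marshalled template seen in the thread's AFTER dump.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

ASSERTION_TAGS = {f"{{{SAML1}}}Assertion", f"{{{SAML2}}}Assertion"}


def _text(el):
    """Text content of an element, or "" if the element is absent or empty."""
    return (el.text or "").strip() if el is not None else ""


def check_nested_signatures(xml_text, expected_digest=SHA256):
    """Return a list of (assertion_id, problem) tuples; an empty list means every
    Assertion carries one complete enveloped signature over itself."""
    root = ET.fromstring(xml_text)
    problems = []
    for assertion in root.iter():
        if assertion.tag not in ASSERTION_TAGS:
            continue
        aid = assertion.get("AssertionID") or assertion.get("ID")  # SAML 1.1 / SAML 2.0
        # Direct children only: the outer Assertion must carry its own Signature,
        # not borrow the one nested inside Advice.
        sigs = assertion.findall(f"{{{DS}}}Signature")
        if len(sigs) != 1:
            problems.append((aid, f"expected one enveloped ds:Signature, found {len(sigs)}"))
            continue
        sig = sigs[0]
        refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if len(refs) != 1 or refs[0].get("URI") != f"#{aid}":
            problems.append((aid, "Reference URI does not point at the enclosing assertion"))
            continue
        ref = refs[0]
        transforms = {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}
        if ENVELOPED not in transforms:
            problems.append((aid, "missing enveloped-signature transform"))
        dm = ref.find(f"{{{DS}}}DigestMethod")
        digest_alg = dm.get("Algorithm") if dm is not None else None
        if digest_alg != expected_digest:
            # The AFTER dump shows SHA-1 here although SHA-256 was requested.
            problems.append((aid, f"DigestMethod is {digest_alg}, expected {expected_digest}"))
        if not _text(ref.find(f"{{{DS}}}DigestValue")):
            problems.append((aid, "empty DigestValue"))
        if not _text(sig.find(f"{{{DS}}}SignatureValue")):
            problems.append((aid, "empty SignatureValue"))
    return problems


def _signature(ref_id, digest_alg, digest_value, sig_value):
    """Constructed ds:Signature skeleton in the shape WSS4J/OpenSAML emit (KeyInfo omitted)."""
    return (
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
        f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
        f'<ds:Reference URI="#{ref_id}"><ds:Transforms>'
        f'<ds:Transform Algorithm="{ENVELOPED}"/><ds:Transform Algorithm="{EXC_C14N}"/>'
        f'</ds:Transforms><ds:DigestMethod Algorithm="{digest_alg}"/>'
        f'<ds:DigestValue>{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        f'<ds:SignatureValue>{sig_value}</ds:SignatureValue></ds:Signature>'
    )


OUTER_ID = "_99B35E24E753D60162141216853759332"  # AssertionIDs from the thread's dumps
INNER_ID = "_99B35E24E753D60162141216853713111"
FAKE_SIG = "c2lnbmF0dXJlLXZhbHVl"  # constructed placeholder, not a real signature value


def sample_assertion(inner_stripped):
    """Abridged SAML 1.1 token shaped like the thread's BEFORE (inner_stripped=False)
    and AFTER (inner_stripped=True) dumps; element bodies are constructed."""
    if inner_stripped:
        inner_sig = _signature(INNER_ID, SHA1, "", "")
    else:
        inner_sig = _signature(INNER_ID, SHA256, "1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=", FAKE_SIG)
    outer_sig = _signature(OUTER_ID, SHA256, "OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=", FAKE_SIG)
    return (
        f'<saml1:Assertion xmlns:saml1="{SAML1}" AssertionID="{OUTER_ID}" MajorVersion="1" MinorVersion="1">'
        f'<saml1:Conditions/><saml1:Advice>'
        f'<saml1:Assertion AssertionID="{INNER_ID}" MajorVersion="1" MinorVersion="1">'
        f'<saml1:Conditions/><saml1:AuthenticationStatement/>{inner_sig}</saml1:Assertion>'
        f'</saml1:Advice><saml1:AuthenticationStatement/>{outer_sig}</saml1:Assertion>'
    )


if __name__ == "__main__":
    for stripped in (False, True):
        result = check_nested_signatures(sample_assertion(stripped))
        print(f"inner_stripped={stripped} -> {result or 'OK'}")
```

Run it over the serialized token immediately after signAssertion() returns (or in a test that builds a token with an Advice assertion, as the WSS4J test Colm added does); the stripped AFTER shape yields three findings, all against the inner AssertionID, while the BEFORE shape yields none. Because the check never touches the key material, it can also run on the relying-party side as a cheap pre-filter before the full XML-DSig verification.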

Re: Weird AssertionWrapper.signAssertion() problem

Posted by Colm O hEigeartaigh <co...@apache.org>.
I added support in WSS4J for creating SAML Assertions with "Advice"
Elements - I can reproduce the issue you are seeing with the internal
signature stuff:

http://svn.apache.org/viewvc?view=revision&revision=r1629601

I recommend breaking it down into a testcase that uses just the OpenSAML
APIs + send it to the OpenSAML dev list to see what they think. WSS4J is
also using a slightly older version of OpenSAML so there is a possibility
that it is a bug which has since been fixed.

Colm.

On Wed, Oct 1, 2014 at 2:18 PM, <St...@faa.gov> wrote:

> In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1
> assertion, when the assertion contains another assertion in the Advice
> element. All SAML assertions are required to be signed by the issuer,
> including assertions embedded in the Advice element. But what is happening
> is that when I sign the "outer" assertion, the
> AssertionWrapper.signAssertion() method is stripping the digest and
> signature values  from the "inner" assertion in the Advice element.
>
> The signature line looks like this:
>             sa.signAssertion(issuerAlias, issuerPassword, issuerCrypto,
> false,
>                 "http://www.w3.org/2001/10/xml-exc-c14n#",
> signatureAlgorithm, digestAlgorithm);
>
> Here is what the assertion looks like immediately before and after this
> call, stripped down a bit for brevity. You can see in the second assertion
> that the signature on the inner Advice/Assertion has been changed - the
> digest method is changed, and the digest and signature values have been
> removed. What is causing this, and how can I prevent it? Any and all help
> would be appreciated, thanx!
>
> BEFORE:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> NotOnOrAfter="2014-10-01T13:03:16.748Z">
>                     ...
>                 </saml1:Conditions>
>                 <saml1:Advice>
>                                 <saml1:Assertion
> AssertionID="_99B35E24E753D60162141216853713111"
> IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>                                                 <saml1:Conditions
> NotBefore="2014-10-01T13:02:16.748Z"
> NotOnOrAfter="2014-10-01T13:03:16.748Z">
>                 ...
>                                                 </saml1:Conditions>
>
> <saml1:AuthenticationStatement
> AuthenticationInstant="2014-10-01T13:02:16.748Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>
> <saml1:Subject>
>                                                                     ...
>
> </saml1:Subject>
>
> </saml1:AuthenticationStatement>
>                                                 <ds:Signature xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#">
>
> <ds:SignedInfo>
>
>       <ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
>       <ds:SignatureMethod Algorithm="
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>
>       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>
>                       <ds:Transforms>
>
>                                       <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
>                                       <ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
>                       </ds:Transforms>
>
>                       <ds:DigestMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#sha256"/>
>
>
> <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
>
>       </ds:Reference>
>
> </ds:SignedInfo>
>
> <ds:SignatureValue>...</ds:SignatureValue>
>
> <ds:KeyInfo>
>
>       <ds:X509Data>
>
>                       <ds:X509Certificate>...</ds:X509Certificate>
>
>       </ds:X509Data>
>
> </ds:KeyInfo>
>                                                 </ds:Signature>
>                                 </saml1:Assertion>
>                 </saml1:Advice>
>                 <saml1:AuthenticationStatement
> AuthenticationInstant="2014-10-01T13:02:17.585Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>                                 <saml1:Subject>
>                                     ...
>                                 </saml1:Subject>
>                 </saml1:AuthenticationStatement>
> </saml1:Assertion>
>
> AFTER:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>                 <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> NotOnOrAfter="2014-10-01T13:03:16.748Z">
>         ...
>                 </saml1:Conditions>
>                 <saml1:Advice>
>                                 <saml1:Assertion
> AssertionID="_99B35E24E753D60162141216853713111"
> IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
> MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>                                                 <saml1:Conditions
> NotBefore="2014-10-01T13:02:16.748Z"
> NotOnOrAfter="2014-10-01T13:03:16.748Z">
>                 ...
>                                                 </saml1:Conditions>
>
> <saml1:AuthenticationStatement
> AuthenticationInstant="2014-10-01T13:02:16.748Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>
> <saml1:Subject>
>                     ...
>
> </saml1:Subject>
>
> </saml1:AuthenticationStatement>
>                                                 <ds:Signature xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#">
>
> <ds:SignedInfo>
>
>       <ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
>       <ds:SignatureMethod Algorithm="
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>
>       <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>
>                       <ds:Transforms>
>
>                                       <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
>                                       <ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
>                       </ds:Transforms>
>
>                       <ds:DigestMethod Algorithm="
> http://www.w3.org/2000/09/xmldsig#sha1"/>
>
>                       <ds:DigestValue/>
>
>       </ds:Reference>
>
> </ds:SignedInfo>
>
> <ds:SignatureValue/>
>
> <ds:KeyInfo>
>
>       <ds:X509Data>
>
>                       <ds:X509Certificate>...</ds:X509Certificate>
>
>       </ds:X509Data>
>
> </ds:KeyInfo>
>                                                 </ds:Signature>
>                                 </saml1:Assertion>
>                 </saml1:Advice>
>                 <saml1:AuthenticationStatement
> AuthenticationInstant="2014-10-01T13:02:17.585Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>                                 <saml1:Subject>
>                                    ...
>                                 </saml1:Subject>
>                 </saml1:AuthenticationStatement>
>                 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#
> ">
>                                 <ds:SignedInfo>
>                                                 <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                                                 <ds:SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                                                 <ds:Reference
> URI="#_99B35E24E753D60162141216853759332">
>
> <ds:Transforms>
>
>       <ds:Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
>       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
> </ds:Transforms>
>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
>                                                 </ds:Reference>
>                                 </ds:SignedInfo>
>                                 <ds:SignatureValue>...</ds:SignatureValue>
>                                 <ds:KeyInfo>
>                                                 <ds:X509Data>
>
> <ds:X509Certificate>...</ds:X509Certificate>
>                                                 </ds:X509Data>
>                                 </ds:KeyInfo>
>                 </ds:Signature>
> </saml1:Assertion>
>
>
> Stephen W. Chappell
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com