Posted to dev@santuario.apache.org by W Strater <ws...@yahoo.com> on 2005/11/15 13:37:19 UTC
Trouble verifying a SOAP message containing encrypted SAML Assertions
I am having trouble verifying a SOAP message containing encrypted SAML Assertions. My SOAP message is as follows.

The SOAP Envelope, xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/", contains a SOAP Header and a SOAP Body.

The SOAP Header contains an enveloped Digital Signature, xmlns:ds="http://www.w3.org/2000/09/xmldsig#".

The SOAP Body contains a SAML Response, xmlns="urn:oasis:names:tc:SAML:2.0:protocol".

The SAML Response may contain an enveloped Digital Signature, xmlns:ds="http://www.w3.org/2000/09/xmldsig#".

The SAML Response contains multiple SAML Assertions, xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion".

The SAML Assertion may be encrypted, xmlns:xenc="http://www.w3.org/2001/04/xmlenc#".

The SAML Assertion may contain an enveloped Digital Signature, xmlns:ds="http://www.w3.org/2000/09/xmldsig#".

One of the SAML Assertions contains SAML Attributes, xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion".

The SAML Attribute may be encrypted, xmlns:xenc="http://www.w3.org/2001/04/xmlenc#".

All signatures are generated the same way, with transforms of http://www.w3.org/2000/09/xmldsig#enveloped-signature and http://www.w3.org/2001/10/xml-exc-c14n#.

All encryptions are done the same way, with a symmetrical Triple DES key. The key is encrypted with an RSA public key.

I am able to sign and verify the SAML Assertion, SAML Response and SOAP Message. I am able to encrypt the SAML Attribute, sign the SAML Assertion, encrypt the SAML Assertion and then reverse the process successfully.

I am UNABLE to verify a signed SAML Response or signed SOAP Message if they contain an encrypted SAML Assertion.

I have tried building the SOAP Message before signing or encrypting, and I have tried building the SOAP Message as I sign and encrypt.

I am dealing with 5 namespaces. Each namespace is defined as needed and not on one common node.

Any suggestions?

Thanks, Wes.
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform
                Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>rvheMzB8mH4ZHLw0OH2WizY3Ix0=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        ...
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            ...
          </ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus>
              ...
            </ds:Modulus>
            <ds:Exponent>AQAB</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </ds:Signature>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <Response ID="ID_F1C909663FE3BF9"
        IssueInstant="2005-11-14T14:10:12.758+00:00"
        Version="2.0"
        xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
      <ns1:Issuer
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:entity"
          xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxx</ns1:Issuer>
      <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </Status>
      <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData
            Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod
              Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <xenc:CipherData>
            ...
          </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod
              Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData>
            ...
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </EncryptedAssertion>
      <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData
            Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod
              Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <xenc:CipherData>
            ...
          </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod
              Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData>
            ...
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </EncryptedAssertion>
      <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData
            Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod
              Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <xenc:CipherData>
            ...
          </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod
              Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData>
            ...
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </EncryptedAssertion>
    </Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
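Added example, not part of this thread and not Santuario's code: a small Python 3.8+ model of the ordering problem the message describes. The enveloped signature in the Header references the whole document (Reference URI=""), so its digest covers the Body, and the Body is different depending on whether the Assertion is in plaintext or has been replaced by an EncryptedAssertion. The example uses the standard library's xml.etree.ElementTree.canonicalize (C14N 2.0) as a stand-in for exclusive c14n, since both emit a namespace declaration only on the element where the prefix is visibly used, and uses exclude_tags on ds:Signature as the enveloped-signature transform; only the Reference digest is modelled, not the RSA signature over SignedInfo. It writes every namespace with an explicit prefix (samlp, saml) where the message above mixes default namespaces and ns1; the assertion, ID values and CipherValue contents are constructed placeholders. The four checks show that a digest taken over the plaintext assertion cannot match once the assertion is encrypted (so encrypt before signing), that decrypting before verifying breaks the match in the same way (so verify before decrypting on receipt), and that moving the xmlns:xenc declaration from the xenc elements up to the Envelope does not change the digest at all.

```python
import base64
import hashlib
import re
from xml.etree import ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed plaintext assertion (placeholder content, not taken from the thread).
PLAIN_ASSERTION = (f'<saml:Assertion xmlns:saml="{SAML}" ID="ID_constructed_1" Version="2.0">'
                   '<saml:Issuer>xxxxxx</saml:Issuer></saml:Assertion>')

def encrypted_assertion(declare_xenc_here=True):
    """EncryptedAssertion shaped like the thread's (EncryptedData plus EncryptedKey), with a
    placeholder CipherValue. declare_xenc_here=False leaves xmlns:xenc to the Envelope."""
    decl = f' xmlns:xenc="{XENC}"' if declare_xenc_here else ""
    cipher = "<xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>"
    return (f'<saml:EncryptedAssertion xmlns:saml="{SAML}">'
            f'<xenc:EncryptedData{decl} Type="{XENC}Element">'
            f'<xenc:EncryptionMethod Algorithm="{XENC}tripledes-cbc"/>{cipher}</xenc:EncryptedData>'
            f'<xenc:EncryptedKey{decl}>'
            f'<xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>{cipher}</xenc:EncryptedKey>'
            '</saml:EncryptedAssertion>')

def build_envelope(assertion_xml, declare_xenc_on_root=False):
    """SOAP Envelope: enveloped ds:Signature (DigestValue still empty) in the Header, a SAML
    Response with one assertion in the Body. No inter-element whitespace, because real
    c14n keeps whitespace text nodes and they would become part of the digest."""
    root_decl = f' xmlns:xenc="{XENC}"' if declare_xenc_on_root else ""
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}"{root_decl}>'
            f'<SOAP-ENV:Header><ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
            f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
            f'<ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>'
            '<ds:Reference URI=""><ds:Transforms>'
            f'<ds:Transform Algorithm="{DS}enveloped-signature"/>'
            f'<ds:Transform Algorithm="{EXC_C14N}"/></ds:Transforms>'
            f'<ds:DigestMethod Algorithm="{DS}sha1"/>'
            '<ds:DigestValue></ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>not-modelled</ds:SignatureValue></ds:Signature></SOAP-ENV:Header>'
            f'<SOAP-ENV:Body><samlp:Response xmlns:samlp="{SAMLP}" ID="ID_constructed_2" Version="2.0">'
            f'<saml:Issuer xmlns:saml="{SAML}">xxxxxx</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
            f'</samlp:Status>{assertion_xml}</samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>')

def reference_digest(envelope_xml):
    """Digest for Reference URI="": drop the ds:Signature subtree (the enveloped-signature
    transform), canonicalize, SHA-1, base64. This is what ds:DigestValue must carry."""
    canonical = ET.canonicalize(envelope_xml, exclude_tags=[f"{{{DS}}}Signature"])
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")

def sign(envelope_xml):
    """Signer side: record the digest of the envelope exactly as it is at this moment."""
    digest = reference_digest(envelope_xml)
    return re.sub(r"<ds:DigestValue>[^<]*</ds:DigestValue>",
                  f"<ds:DigestValue>{digest}</ds:DigestValue>", envelope_xml, count=1)

def verify(envelope_xml):
    """Verifier side: recompute the digest over the envelope as received and compare."""
    found = re.search(r"<ds:DigestValue>([^<]*)</ds:DigestValue>", envelope_xml)
    return found is not None and found.group(1) == reference_digest(envelope_xml)

def encrypt_assertion(envelope_xml):
    """Stand-in for XML Encryption: swap the plaintext Assertion for its encrypted form."""
    return envelope_xml.replace(PLAIN_ASSERTION, encrypted_assertion())

def decrypt_assertion(envelope_xml):
    """Stand-in for decryption: swap the EncryptedAssertion back for the plaintext."""
    return envelope_xml.replace(encrypted_assertion(), PLAIN_ASSERTION)

def sign_then_encrypt_verifies():
    """The failing order: the Body is rewritten after it was digested."""
    return verify(encrypt_assertion(sign(build_envelope(PLAIN_ASSERTION))))

def encrypt_then_sign_verifies():
    """The working order: the signer digests the EncryptedAssertion the verifier will see."""
    return verify(sign(encrypt_assertion(build_envelope(PLAIN_ASSERTION))))

def decrypt_before_verify_verifies():
    """Receiver mistake: decrypting first rewrites the Body before the digest is checked."""
    return verify(decrypt_assertion(sign(encrypt_assertion(build_envelope(PLAIN_ASSERTION)))))

def xenc_declaration_placement_matters():
    """Exclusive-style canonicalization emits xmlns:xenc on the first element that uses it,
    wherever it was declared, so hoisting it to the Envelope leaves the digest unchanged."""
    on_elements = build_envelope(encrypted_assertion(True))
    on_root = build_envelope(encrypted_assertion(False), declare_xenc_on_root=True)
    return reference_digest(on_elements) != reference_digest(on_root)

if __name__ == "__main__":
    print("sign then encrypt verifies:          ", sign_then_encrypt_verifies())
    print("encrypt then sign verifies:          ", encrypt_then_sign_verifies())
    print("decrypt before verify, verifies:     ", decrypt_before_verify_verifies())
    print("xmlns:xenc placement changes digest: ", xenc_declaration_placement_matters())
```

Run it with python3 and the first and third checks print False while the second prints True; the fourth prints False, meaning where the xmlns:xenc declaration lives is not what breaks the digest. The practical consequence for a pipeline like the one in the message is that the verifier has to canonicalize exactly the bytes the signer saw: encrypt the assertions, then sign the Response or Envelope; on receipt, verify the outer signature first and only then decrypt, and never re-serialize the document with a different toolkit (which can rename prefixes) between the two steps.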
Re: Trouble verifying a SOAP message containing encrypted SAML Assertions
Posted by W Strater <ws...@yahoo.com>.
I will have to get back to you on this. I am in the process of refactoring the code.
Wes.
----- Original Message ----
From: Raul Benito <ra...@apache.org>
To: security-dev@xml.apache.org
Sent: Wednesday, March 15, 2006 5:02:11 AM
Subject: Re: Trouble verifying a SOAP message containing encrypted SAML Assertions
Hi Wes,
Do you still have this problem?
If so please create a bug report with a test case that shows the problem.
Thanks,
Raul
On 11/15/05, W Strater <ws...@yahoo.com> wrote:
> [original message quoted in full above]
--
http://r-bg.com
Re: Trouble verifying a SOAP message containing encrypted SAML Assertions
Posted by Raul Benito <ra...@apache.org>.
Hi Wes,
Do you still have this problem?
If so please create a bug report with a test case that shows the problem.
Thanks,
Raul
On 11/15/05, W Strater <ws...@yahoo.com> wrote:
> [original message quoted in full above]
--
http://r-bg.com