You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "S.Uthaiyashankar (JIRA)" <ji...@apache.org> on 2010/12/22 04:44:02 UTC
[jira] Updated: (RAMPART-295) Rampart failing to extract keyinfo
from SAML assertion
[ https://issues.apache.org/jira/browse/RAMPART-295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
S.Uthaiyashankar updated RAMPART-295:
-------------------------------------
Priority: Major (was: Blocker)
> Rampart failing to extract keyinfo from SAML assertion
> ------------------------------------------------------
>
> Key: RAMPART-295
> URL: https://issues.apache.org/jira/browse/RAMPART-295
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.5
> Environment: Server: Tomcat 5.5.28, Axis 1.5.1, Rampart 1.5, Windows XP SP2
> Client: .NET WCF 3.5, Windows XP
> Reporter: Jason Rattos
> Assignee: Ruchith Udayanga Fernando
>
> Validation of a SAML 1.1 and 2.0 token is failing due to an inability to extract KeyInfo from the Subject of a SAML assertion. The issue appears to be independant of using SAML 1.1/2.0 or symmetric/asymmetric bindings.
> The extract of the SAML subject (symmetric binding) is as follows:
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <X509Data>
> <X509IssuerSerial>
> <X509IssuerName>CN=Root Agency</X509IssuerName>
> <X509SerialNumber>-147027885241304943914470421251724308948</X509SerialNumber>
> </X509IssuerSerial>
> </X509Data>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>YPzUKhWVjM56ugTvgLF8nbCULmITwiE2lGFWf5rsRwm7v+g/J2cswNJoK5oBpROUXJRV3P10PRtWloXNU3eR8kZRn7nutFp5iEpRW4FHcoRMTK3KHYILz7EaBwYsNaGJ45PD6IeJvjGb79/5N9boePWZBMl708vsXp63fXNbUPo=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> The extract of the SAML subject (asymmetric binding) is as follows:
> <Subject>
> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</NameID>
> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> <SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance" a:type="KeyInfoConfirmationDataType">
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <KeyValue>
> <RSAKeyValue>
> <Modulus>qq45WmIc5AJQF8f06R8KMm9G4RsT4Vi9Xx5psYuyDzD1M7480CQ7dEmOLkYnOP/qwLNiKgvG/Xm2rGYf1fgQD+dH+jwoirACflwEGUk7nU88mZOeJwqfXq4oWdsGVAMREyJQnW2q5+KJQt6/Pt3UBWquTvJnwes9/0WrQUAUX9s=</Modulus>
> <Exponent>AQAB</Exponent>
> </RSAKeyValue>
> </KeyValue>
> </KeyInfo>
> </SubjectConfirmationData>
> </SubjectConfirmation>
> </Subject>
> In both cases the SAMUtil.java (as part of WSSJ-1.5.8) fails to extract the certificate info. The following lines are an extract from the source code for which this is failing:
> Element e = samlSubj.getKeyInfo();
> X509Certificate[] certs = null;
> try {
> KeyInfo ki = new KeyInfo(e, null);
> if (ki.containsX509Data()) {
> X509Data data = ki.itemX509Data(0);
> XMLX509Certificate certElem = null;
> In both use cases the ki instance return false for ki.containsX509Data() and hence the processing fails.
> In an attempt to see whether the KeyInfo constructor limited itself to certain types of certificate references, I manually modified the SAML assertion subject using TCPMon to include the X509 Base64 representation of the certificate as follows and found that this actually works, as a result of the ki.containsX509Data() statement returns true:
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <X509Data>
> <X509Certificate>MIIBsTCCAV+gAwIBAgIQKCrSOt8UsKxIAPFEMK316zAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTA4MDgxMzE1MDkyM1oXDTM5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEhqjNMe8M8CA0yGX1pUlJZ4r5WKvQfJ6k8DPBR/VGcvbWPBeiHRjBhH5I5kszg04on8M+FFg0RkW1cfmQRc8kf1XLudHdBUxJx3nfLXH2OscsxQkgcNfdvo5/GCewDIRHMxI+2TO9tgLP6SEJBdprO/55q8t4k/VW4Yi9u9/2VQIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBAEWsx9wociNjb8uidCy6WRHfS8qhIYjSbgGCYL8/bZ0Xoc8ETPOgZsnD0zSgLuWj7tlY0cHNtY4Nvu8tRo/U2ts=</X509Certificate>
> </X509Data>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> Have previously submitted this an email request directly to rampart-dev but thought it best to formally raise the issue here as it's blocking any further use of rampart for this particular project.
> Thanks,
> Jason
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org