Posted to rampart-dev@ws.apache.org by ja...@uk.bnpparibas.com on 2010/04/22 14:17:56 UTC
Rampart fails to extract KeyInfo from SAML assertion
Hello devs,
I sincerely hope you can help me. I'm working on an interop piece between
.NET 3.5, ADFS2 and Rampart 1.4. I am using the holder-of-key confirmation
method.
Rampart appears to process the SOAP request fine, including derived keys
etc but fails right towards the end of the processing chain with:
Caused by: org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
    at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:169)
    at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:73)
    at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:170)
    at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:74)
This occurs after Rampart has the clear-text SAML assertion and is
attempting to extract the X509 reference from the KeyInfo block in the
SAML subject:
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </e:EncryptionMethod>
    <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <X509Data>
          <X509IssuerSerial>
            <X509IssuerName>CN=Root Agency</X509IssuerName>
            <X509SerialNumber>-147027885241304943914470421251724308948</X509SerialNumber>
          </X509IssuerSerial>
        </X509Data>
      </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData>
      <e:CipherValue>
VvKoOwBHAOE0zndb3bpJ7IWU3gDP/IQSSE/ms92eTZPIWrD5r7AnfJ6pwd/bB31Cb7gEtV5zt5YLLozStzCRw901GHZDzAYfinh8hzXML+vT05m6ALce7y/PEvIlPZl7IXH0UI1pU01DbEheFjSixX1xzmkLou/XStY5WONVhok=
      </e:CipherValue>
    </e:CipherData>
  </e:EncryptedKey>
</KeyInfo>
It appears that the KeyInfo constructor is not populating the X509Datas
property correctly? This causes ki.containsX509Data() to return false
and hence fail? This is from within the SAMLUtil class:
Element e = samlSubj.getKeyInfo();
X509Certificate[] certs = null;
try {
    KeyInfo ki = new KeyInfo(e, null);

    if (ki.containsX509Data()) {
        X509Data data = ki.itemX509Data(0);
        XMLX509Certificate certElem = null;
        if (data != null && data.containsCertificate()) {
            certElem = data.itemCertificate(0);
        }
        if (certElem != null) {
            X509Certificate cert = certElem.getX509Certificate();
            certs = new X509Certificate[1];
            certs[0] = cert;
            return new SAMLKeyInfo(assertion, certs);
        }
    }
    // ... (the rest of the try block and its catch are not quoted here)
Any help would be greatly appreciated!
Thanks,
Jason
___________________________________________________________
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is prohibited.
Please refer to http://www.bnpparibas.co.uk/en/information/legal_information.asp?Code=ECAS-845C5H for additional disclosures.
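As an added example (not WSS4J's or Rampart's code, and not from the original post): the check quoted above only succeeds when a ds:X509Data is a direct child of the KeyInfo and carries a ds:X509Certificate, because Santuario's KeyInfo.containsX509Data() counts direct ds:X509Data children only. In the ADFS assertion the only X509Data sits three levels down, inside EncryptedKey/KeyInfo/SecurityTokenReference, so containsX509Data() is false and the method ends in the "SAML token security failure" shown in the trace. The Java below handles both holder-of-key forms: it returns the certificate for the X509Certificate form and, for the EncryptedKey form, checks the key-transport algorithm, checks that the SecurityTokenReference's X509IssuerSerial names the relying party's certificate, and only then decrypts the proof key with the RP private key. It assumes the RP private key and the issuer/serial of its certificate are available (here a freshly generated RSA key pair plus the issuer and serial values from the post); the KeyInfo it parses is constructed inline in the same shape as the one above. Names such as HokProofKeyDemo and extractProofKey are this example's own.

```java
import java.io.StringReader;
import java.math.BigInteger;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
import javax.security.auth.x500.X500Principal;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class HokProofKeyDemo {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p";

    /** First direct child element with this namespace and local name, or null (like Santuario's lookup). */
    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && ns.equals(n.getNamespaceURI())
                    && local.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    static Element require(Element parent, String ns, String local) throws GeneralSecurityException {
        Element e = child(parent, ns, local);
        if (e == null) throw new GeneralSecurityException("KeyInfo lacks " + local + " under " + parent.getLocalName());
        return e;
    }

    /** Holder-of-key proof key: DER certificate bytes for the X509Certificate form, or the symmetric
     *  key decrypted with the RP private key for the EncryptedKey form (after binding it to the RP cert). */
    static byte[] extractProofKey(Element keyInfo, PrivateKey rpKey, X500Principal rpIssuer, BigInteger rpSerial)
            throws GeneralSecurityException {
        Element x509Data = child(keyInfo, DS, "X509Data");
        if (x509Data != null && child(x509Data, DS, "X509Certificate") != null) {
            return Base64.getMimeDecoder().decode(child(x509Data, DS, "X509Certificate").getTextContent());
        }
        // The branch WSS4J 1.5's SAMLUtil does not have: ADFS wraps a symmetric proof key in xenc:EncryptedKey.
        Element encKey = require(keyInfo, XENC, "EncryptedKey");
        String alg = require(encKey, XENC, "EncryptionMethod").getAttribute("Algorithm").trim();
        if (!RSA_OAEP_MGF1P.equals(alg)) {
            // Only the expected padding gets a private-key operation; rsa-1_5 or anything unknown is refused.
            throw new GeneralSecurityException("unsupported key transport algorithm: " + alg);
        }
        Element str = require(require(encKey, DS, "KeyInfo"), WSSE, "SecurityTokenReference");
        Element iss = require(require(str, DS, "X509Data"), DS, "X509IssuerSerial");
        // Compare the issuer as a DN and the serial as an integer (X509SerialNumber is a decimal xs:integer,
        // which is why the post's value is negative), never as raw strings.
        X500Principal issuer = new X500Principal(require(iss, DS, "X509IssuerName").getTextContent().trim());
        BigInteger serial = new BigInteger(require(iss, DS, "X509SerialNumber").getTextContent().trim());
        if (!issuer.equals(rpIssuer) || !serial.equals(rpSerial)) {
            throw new GeneralSecurityException("EncryptedKey is not addressed to this relying party's certificate");
        }
        String cipherValue = require(require(encKey, XENC, "CipherData"), XENC, "CipherValue").getTextContent();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"); // rsa-oaep-mgf1p with ds:sha1
        rsa.init(Cipher.DECRYPT_MODE, rpKey);
        return rsa.doFinal(Base64.getMimeDecoder().decode(cipherValue)); // MIME decoder tolerates line breaks
    }

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/entities in a token
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the RP's key pair; issuer and serial are the values from the post's X509IssuerSerial.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rp = kpg.generateKeyPair();
        X500Principal rpIssuer = new X500Principal("CN=Root Agency");
        BigInteger rpSerial = new BigInteger("-147027885241304943914470421251724308948");

        // Constructed sample: a fresh 256-bit proof key wrapped the way the post's EncryptedKey is.
        byte[] proofKey = new byte[32];
        new SecureRandom().nextBytes(proofKey);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, rp.getPublic());
        String cipherValue = Base64.getMimeEncoder().encodeToString(rsa.doFinal(proofKey));
        String xml = "<KeyInfo xmlns=\"" + DS + "\"><e:EncryptedKey xmlns:e=\"" + XENC + "\">"
                + "<e:EncryptionMethod Algorithm=\"" + RSA_OAEP_MGF1P + "\">"
                + "<DigestMethod Algorithm=\"" + DS + "sha1\"/></e:EncryptionMethod>"
                + "<KeyInfo><o:SecurityTokenReference xmlns:o=\"" + WSSE + "\"><X509Data><X509IssuerSerial>"
                + "<X509IssuerName>CN=Root Agency</X509IssuerName>"
                + "<X509SerialNumber>" + rpSerial + "</X509SerialNumber>"
                + "</X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo>"
                + "<e:CipherData><e:CipherValue>\n" + cipherValue + "\n</e:CipherValue></e:CipherData>"
                + "</e:EncryptedKey></KeyInfo>";
        Element keyInfo = parse(xml);

        byte[] recovered = extractProofKey(keyInfo, rp.getPrivate(), rpIssuer, rpSerial);
        System.out.println("proof key recovered: " + Arrays.equals(proofKey, recovered));
        try { // same token, but our certificate has another serial: rejected before any private-key use
            extractProofKey(keyInfo, rp.getPrivate(), rpIssuer, BigInteger.ONE);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK (javac HokProofKeyDemo.java && java HokProofKeyDemo); it prints whether the proof key round-tripped and the rejection message for a token addressed to a different certificate. In a real processor the decrypted bytes are the secret that DerivedKeyTokenProcessor.extractSecret was asking getSAMLKeyInfo for, and the issuer/serial check is what ties the decrypted key to the service's own certificate rather than to whatever the STR happens to name.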
RE: Rampart fails to extract KeyInfo from SAML assertion
Posted by Martin Gainty <mg...@hotmail.com>.
Hi Jason-
The back-end processing of keyInfo is identical to the getSAML2KeyInfo() method in org.apache.rahas.impl.util.SAML2Utils.java
(I have a snippet here to illustrate acquisition of an X509Certificate from a known keyInfoElement Element).
Note the delta is how Rampart acquires keyInfoElement, which originates from the assertion, as seen here:
// extract the subject
Subject samlSubject = assertion.getSubject();
// Holder-of-key: the first SubjectConfirmation carries the confirmation data
SubjectConfirmation subjectConf = (SubjectConfirmation) samlSubject.getSubjectConfirmations().get(0);
// Use the confirmation to acquire its confirmation data; KeyInfoConfirmationDataType extends SubjectConfirmationData.
KeyInfoConfirmationDataType scData = (KeyInfoConfirmationDataType) subjectConf.getSubjectConfirmationData();
// Now that we have the confirmation data, use it to acquire the SAML-specific XML representation of the keyInfo object
XMLObject KIElem = scData.getKeyInfos() != null ? (XMLObject) scData.getKeyInfos().get(0) : null;
Element keyInfoElement;
// Generate a DOM element from the XMLObject.
if (KIElem != null) {
    // Set the "javax.xml.parsers.DocumentBuilderFactory" system property to make sure the endorsed JAXP
    // implementation is picked over the default JAXP impl shipped with the JDK.
    String jaxpProperty = System.getProperty("javax.xml.parsers.DocumentBuilderFactory");
    System.setProperty("javax.xml.parsers.DocumentBuilderFactory", "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl");
    MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory();
    Marshaller marshaller = marshallerFactory.getMarshaller(KIElem);
    // now finally acquire the keyInfoElement
    keyInfoElement = marshaller.marshall(KIElem);
    // Reset the sys. property to its previous value.
    if (jaxpProperty == null) {
        System.getProperties().remove("javax.xml.parsers.DocumentBuilderFactory");
    } else {
        System.setProperty("javax.xml.parsers.DocumentBuilderFactory", jaxpProperty);
    }
} else {
    throw new WSSecurityException(WSSecurityException.FAILURE,
            "invalidSAML2Token", new Object[]{"for Signature (no key info element)"});
}
AttributeStatement attrStmt = assertion.getAttributeStatements().size() != 0 ?
        (AttributeStatement) assertion.getAttributeStatements().get(0) : null;
AuthnStatement authnStmt = assertion.getAuthnStatements().size() != 0 ?
        (AuthnStatement) assertion.getAuthnStatements().get(0) : null;
// symmetric key processing (bypassed in this testcase)
if (attrStmt != null) {
    // .................
}
// asymmetric key processing
else if (authnStmt != null) {
    X509Certificate[] certs = null;
    try {
        KeyInfo ki = new KeyInfo(keyInfoElement, null);
        // ... (snippet ends here; the X509Data checks that follow are the same as in the SAMLUtil code quoted above)
Download Rampart and take a look at org.apache.rahas.impl.util.SAMLUtils.
hth
Martin Gainty
> To: rampart-dev@ws.apache.org
> Subject: Rampart fails to extract KeyInfo from SAML assertion
> From: jason.rattos@uk.bnpparibas.com
> Date: Thu, 22 Apr 2010 13:17:56 +0100