Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2012/06/21 10:45:44 UTC

[jira] [Resolved] (WSS-394) WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo

     [ https://issues.apache.org/jira/browse/WSS-394?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-394.
-------------------------------------

    Resolution: Fixed
    
> WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo
> -----------------------------------------------------------------------------
>
>                 Key: WSS-394
>                 URL: https://issues.apache.org/jira/browse/WSS-394
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.6
>         Environment: .NET client, .NET STS, Java service, Windows 7.0
>            Reporter: Dan Taylor
>            Assignee: Colm O hEigeartaigh
>              Labels: KeyInfo, SecurityTokenReference, X509Data
>             Fix For: 1.6.7
>
>
> We have a .NET client using a .NET STS for authentication and authorization to our java service.  The .NET STS puts a SecurityTokenReference inside a KeyInfo element, with an X509Data inside the STR.  This causes an exception to be thrown: General security error (SAML token security failure).
> From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo method, keyInfoElement.getFirstChild() returns the SecurityTokenReference element.  Inside this element is the X509Data element, which should be handled correctly.
> From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1) standard:
> Section 7.1: “All compliant implementations MUST be able to process a <wsse:SecurityTokenReference> element. This element can also be used as a direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key information from a security token placed somewhere else. In particular, it is RECOMMENDED, when using XML Signature and XML Encryption, that a <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to reference the security token used for the signature or encryption.”
> From the Web Services Security X.509 Certificate Token Profile 1.1 standard:
> Section 3.2: “In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference> element SHALL be used to specify all references to X.509 token types in signature or encryption elements that comply with this profile.”
> Sample SAMLToken:
> <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-db75ab81-fbe4-455b-ad51-99ff091f3981" Issuer="sts" IssueInstant="2012-06-12T15:25:49.393Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
> <saml:Conditions NotBefore="2012-06-12T15:25:49.393Z" NotOnOrAfter="2012-06-13T01:25:49.393Z"></saml:Conditions>
> <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2012-06-12T15:25:49.397Z">
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> </saml:AuthenticationStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
> <saml:AttributeValue>User</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>test@merge.com</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>55</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
> <Reference URI="#SamlSecurityToken-db75ab81-fbe4-455b-ad51-99ff091f3981">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>P0aIAqKPikgPXLn4TfcF1z5ZmZo=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>fGTlN2CXzqSsdLS8pH4r3gqmwGTo40uqSvnioMd6bl/PdgAgLw0OtirVZFofVEQWQXY1yuGjzOX0w7CeyfjprOHf/bLphoem1oyjJe+QDCtKA41faXhXbJOEtbksdxqui+qU+YwqStbJJmi/F9yijjuwnuwbDhI48SqcdmZcsY8=</SignatureValue>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <X509Data>
> <X509IssuerSerial>
> <X509IssuerName>CN=SUNCA, OU=JWS, O=SUN, S=Some-State, C=AU</X509IssuerName>
> <X509SerialNumber>2</X509SerialNumber>
> </X509IssuerSerial>
> </X509Data>
> </o:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </saml:Assertion>

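The reporter's point is that a ds:KeyInfo may carry its X.509 reference either directly (a ds:X509Data child) or wrapped in a wsse:SecurityTokenReference, and that the STR may in turn hold an X509Data (issuer/serial, as in the assertion's Signature above) or a KeyIdentifier (the SHA-1 thumbprint used in the EncryptedKey elements). The following is an added Python illustration of a resolver that unwraps the STR and accepts both forms while rejecting anything else; it is not WSS4J code (WSS4J is Java and works on a DOM tree), and the sample KeyInfo fragments are constructed here, modelled on the issuer name, serial number and thumbprint shown in the ticket. Namespace URIs are the ones quoted in the ticket.

```python
"""Resolve the X.509 token reference inside a ds:KeyInfo, unwrapping a
wsse:SecurityTokenReference when present. Added illustration for WSS-394;
not WSS4J's implementation."""
import xml.etree.ElementTree as ET

# Namespace URIs as they appear in the ticket's sample assertion.
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
THUMBPRINT_SHA1 = ("http://docs.oasis-open.org/wss/"
                   "oasis-wss-soap-message-security-1.1#ThumbprintSHA1")


def qname(ns, local):
    """ElementTree's Clark notation for a namespaced tag."""
    return "{%s}%s" % (ns, local)


class KeyInfoError(ValueError):
    """Raised when a KeyInfo carries a reference this resolver does not accept."""


def only_child(element, what):
    """Fail closed unless the element has exactly one child element
    (whitespace text is not a child in ElementTree, so it does not count)."""
    children = list(element)
    if len(children) != 1:
        raise KeyInfoError("%s must contain exactly one child element, found %d"
                           % (what, len(children)))
    return children[0]


def parse_x509_data(x509_data):
    """Accept only the X509IssuerSerial form of ds:X509Data."""
    issuer_serial = x509_data.find(qname(DS, "X509IssuerSerial"))
    if issuer_serial is None:
        raise KeyInfoError("X509Data without X509IssuerSerial is not supported here")
    name = issuer_serial.findtext(qname(DS, "X509IssuerName"))
    serial = issuer_serial.findtext(qname(DS, "X509SerialNumber"))
    if not name or not serial:
        raise KeyInfoError("X509IssuerSerial is missing issuer name or serial number")
    return ("issuer-serial", name.strip(), int(serial.strip()))


def resolve_key_reference(key_info):
    """Return a tuple describing the referenced token: either
    ('issuer-serial', issuer_name, serial) or ('thumbprint-sha1', base64)."""
    ref = only_child(key_info, "ds:KeyInfo")
    if ref.tag == qname(WSSE, "SecurityTokenReference"):
        # Unwrap the STR; its single child is then treated like a direct reference.
        ref = only_child(ref, "wsse:SecurityTokenReference")
        if ref.tag == qname(WSSE, "KeyIdentifier"):
            value_type = ref.get("ValueType")
            if value_type != THUMBPRINT_SHA1:
                raise KeyInfoError("unsupported KeyIdentifier ValueType: %r" % value_type)
            return ("thumbprint-sha1", (ref.text or "").strip())
    if ref.tag == qname(DS, "X509Data"):
        return parse_x509_data(ref)
    raise KeyInfoError("unsupported key reference element: %s" % ref.tag)


# Constructed sample fragments modelled on the ticket's assertion.
def key_info(inner):
    return '<KeyInfo xmlns="%s" xmlns:o="%s">%s</KeyInfo>' % (DS, WSSE, inner)


X509_DATA = ('<X509Data><X509IssuerSerial>'
             '<X509IssuerName>CN=SUNCA, OU=JWS, O=SUN, S=Some-State, C=AU</X509IssuerName>'
             '<X509SerialNumber>2</X509SerialNumber>'
             '</X509IssuerSerial></X509Data>')

SAMPLES = {
    # The WSS-394 case: X509Data wrapped in an STR inside the Signature's KeyInfo.
    "str_x509data": key_info('<o:SecurityTokenReference>%s</o:SecurityTokenReference>'
                             % X509_DATA),
    # The same reference without the STR wrapper.
    "bare_x509data": key_info(X509_DATA),
    # The EncryptedKey form from the ticket: STR wrapping a thumbprint KeyIdentifier.
    "str_thumbprint": key_info('<o:SecurityTokenReference>'
                               '<o:KeyIdentifier ValueType="%s">'
                               'TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>'
                               '</o:SecurityTokenReference>' % THUMBPRINT_SHA1),
    # An STR with nothing inside must be rejected rather than treated as a key.
    "str_empty": key_info('<o:SecurityTokenReference/>'),
}


def resolve_sample(name):
    return resolve_key_reference(ET.fromstring(SAMPLES[name]))


def rejects(name):
    """True if the sample is refused with a KeyInfoError (fail-closed check)."""
    try:
        resolve_sample(name)
    except KeyInfoError:
        return True
    return False


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", resolve_sample(name) if not rejects(name) else "rejected")
```

The resolver treats the STR purely as a wrapper and then applies one fixed set of accepted reference forms, so the STR-wrapped and bare X509Data cases yield the same result; every other shape (an empty STR, a KeyIdentifier with an unknown ValueType, an X509Data without issuer/serial) raises rather than silently producing no credential, which is the behaviour a signature verifier wants in front of the "General security error" reported above.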