ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (WSS-497) Support for SAML 2.0 EncryptedAssertion Element
Date Tue, 06 May 2014 09:11:16 GMT

     [ https://issues.apache.org/jira/browse/WSS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-497.
-----------------------------------


> Support for SAML 2.0 EncryptedAssertion Element
> -----------------------------------------------
>
>                 Key: WSS-497
>                 URL: https://issues.apache.org/jira/browse/WSS-497
>             Project: WSS4J
>          Issue Type: New Feature
>          Components: WSS4J Core
>    Affects Versions: 1.6.9, 1.6.13
>         Environment: JBoss AS 7.1.3, JBoss EAP 6.1.0
>            Reporter: M Kidd
>            Assignee: Colm O hEigeartaigh
>              Labels: features
>             Fix For: 2.0.0, 1.6.16
>
>
> WSS4J cannot locate an Assertion via a SecurityTokenReference KeyIdentifier id when the Assertion is encrypted as an EncryptedAssertion element.
> {quote}
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">ActionXXXX</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:f718f460-58a5-4aa5-a0ae-7e2a6d9dea8a</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing">https://xxxx:1234/catalog/xxxService-v1.0</To>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>     </ReplyTo>
>     <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsu:Timestamp wsu:Id="TS-127">
>         <wsu:Created>2014-04-22T13:00:42.301Z</wsu:Created>
>         <wsu:Expires>2014-04-22T13:05:42.301Z</wsu:Expires>
>       </wsu:Timestamp>
>       <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>               <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>               </e:EncryptionMethod>
>               <KeyInfo>
>                 <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                   <X509Data>
>                     <X509IssuerSerial>
>                       <X509IssuerName>.....</X509IssuerName>
>                       <X509SerialNumber>12345678</X509SerialNumber>
>                     </X509IssuerSerial>
>                   </X509Data>
>                 </o:SecurityTokenReference>
>               </KeyInfo>
>               <e:CipherData>***MASKED***</e:CipherData>
>             </e:EncryptedKey>
>           </KeyInfo>
>           <xenc:CipherData>***MASKED***</xenc:CipherData>
>         </xenc:EncryptedData>
>       </EncryptedAssertion>
>       <ds:Signature Id="SIG-128" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>           <ds:Reference URI="#TS-127">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="wsse soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>/wED0P+e1Hl79GX3yuHw/p/J2Vo=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>Wgp/uzeawdu8oh8bDObXIsXrTUw=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-1603634465EB6A36DC1398171642303115">
>           <SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
>             <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_004e1ddf-d719-436b-bfb9-e833f482e4eb</KeyIdentifier>
>           </SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>   </soap:Body>
> </soap:Envelope>
> {quote}
> When the SecurityTokenReference is being parsed, it takes the KeyIdentifier value and looks for the associated Assertion id. If it cannot locate the Assertion, it currently falls back on invoking the CallbackHandler, seeking the SECRET_KEY.
> At some point prior to that parsing, I believe it should decrypt EncryptedAssertion elements, using the loaded certificates from the configured keystore, so the existing Assertion search logic can locate these Assertions.
> Stack Trace:
> org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
>         at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:127) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at org.apache.ws.security.str.SignatureSTRParser.parseSAMLKeyIdentifier(SignatureSTRParser.java:353) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:169) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277) [cxf-rt-ws-security-2.6.6-redhat-3.jar:2.6.6-redhat-3]
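The processing order the report asks for, as an added illustration that is not WSS4J's own code: first swap each EncryptedAssertion in the wsse:Security header for its decrypted Assertion, then resolve the Signature's SAMLID KeyIdentifier against the Assertion IDs now in the header, and fail closed on a miss instead of falling through to a CallbackHandler. The header, the key and the XOR "decrypt" are constructed stand-ins for the real keystore-backed AES-256-CBC / RSA-OAEP processing; only the assertion ID and namespace URIs come from the report.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
ASSERTION_ID = "_004e1ddf-d719-436b-bfb9-e833f482e4eb"  # the KeyIdentifier value in the report
SAMPLE_KEY = b"constructed-demo-key"                    # stands in for the keystore's key
class SamlTokenError(Exception):
    """A SAML KeyIdentifier could not be matched to an Assertion."""
def xor_stand_in(data: bytes, key: bytes) -> bytes:
    # Constructed placeholder for WSS4J's real AES-256-CBC decrypt / RSA-OAEP unwrap; XOR is NOT a cipher.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
def build_security_header() -> ET.Element:
    """Constructed wsse:Security header shaped like the report's: an EncryptedAssertion, then a Signature."""
    plain = '<saml2:Assertion xmlns:saml2="%s" ID="%s" Version="2.0"><saml2:Issuer>idp</saml2:Issuer></saml2:Assertion>'
    cipher_b64 = base64.b64encode(xor_stand_in((plain % (NS["saml2"], ASSERTION_ID)).encode(), SAMPLE_KEY)).decode()
    return ET.fromstring(
        '<wsse:Security xmlns:wsse="%(wsse)s" xmlns:saml2="%(saml2)s" xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">'
        '<saml2:EncryptedAssertion><xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>%(c)s</xenc:CipherValue>'
        '</xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion><ds:Signature><ds:KeyInfo>'
        '<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="%(vt)s">%(id)s</wsse:KeyIdentifier>'
        '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>'
        % dict(NS, c=cipher_b64, vt=SAMLID, id=ASSERTION_ID))

def decrypt_assertions(security: ET.Element, key: bytes) -> list:
    """Swap each EncryptedAssertion for its decrypted Assertion, in place; returns the IDs now visible."""
    ids = []
    for enc in security.findall("saml2:EncryptedAssertion", NS):
        value = enc.find("xenc:EncryptedData/xenc:CipherData/xenc:CipherValue", NS).text
        assertion = ET.fromstring(xor_stand_in(base64.b64decode(value), key))
        if assertion.tag != "{%s}Assertion" % NS["saml2"]:
            raise SamlTokenError("decrypted content is not a saml2:Assertion")
        security.insert(list(security).index(enc), assertion)  # keep the header's document order
        security.remove(enc)
        ids.append(assertion.get("ID"))
    return ids

def resolve_key_identifier(security: ET.Element) -> ET.Element:
    """Match the Signature's SAMLID KeyIdentifier to an Assertion by ID, failing closed on a miss."""
    kid = security.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != SAMLID:
        raise SamlTokenError("Signature does not carry a SAMLID KeyIdentifier")
    ident = (kid.text or "").strip()
    found = next((a for a in security.findall("saml2:Assertion", NS) if a.get("ID") == ident), None)
    if found is None:  # WSS4J 1.6.x fell through to the CallbackHandler (SECRET_KEY) here
        raise SamlTokenError("no Assertion with ID " + ident)
    return found
```

Run decrypt_assertions before resolve_key_identifier and the lookup succeeds; run them in the 1.6.9 order and the same header raises SamlTokenError.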




