On 11-04-2012 19:33, Colm O hEigeartaigh wrote:
You need to set SecurityConstants.SELF_SIGN_SAML_ASSERTION to "true"
in your configuration (and define the appropriate CallbackHandler and
crypto property tags) so that the assertion itself carries an issuer signature.
Bear in mind that a self-signed assertion is issued by the client itself: the
service is then trusting the client's signing certificate as the SAML issuer, so
the service-side trust store should contain only the certificates you intend to
accept in that role:

http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup

Colm.

On Wed, Apr 11, 2012 at 2:40 PM, Shwetank<[email protected]>  wrote:
Hi

Pardon me if I break a rule or two of the mailing-list guidelines.
I am seeking help on how to sign a SAML 1.1 assertion with CXF 2.5.2 for the
holder-of-key confirmation method:

a) an OWSM policy,
wss10_saml_hok_token_with_message_protection_service_policy, is applied to a
test service
b) the policy and WSDL look like the following

<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/";
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
xmlns:tns="http://owsm.test.wsa.bf.hs.com/";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"; name="POManagerService"
targetNamespace="http://owsm.test.wsa.bf.hs.com/";>
<!-- NOTE(review): the stray ";" after each quoted URI throughout this listing
     looks like a mail-archive rendering artifact, not part of the real WSDL. -->
<wsp:Policy
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
wsu:Id="POManagerPort_Fault_Policy"/>
<!-- Request-side parts: Body plus the addressing and fmw-context headers must
     be signed; Body and the fmw-context header must also be encrypted. -->
<wsp:Policy
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
wsu:Id="POManagerPort_Input_Policy">
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<sp:Body/>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="fmw-context"
Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<sp:Body/>
<sp:Header Name="fmw-context"
Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</sp:EncryptedParts>
</wsp:Policy>
<!-- Response-side parts: Body signed and encrypted. -->
<wsp:Policy
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
wsu:Id="POManagerPort_Output_Policy">
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
<!-- Binding policy. Asymmetric binding: the initiator (client) token is a
     SAML 1.1 assertion (WssSamlV11Token10) that is always sent to the
     recipient; the recipient (service) token is an X.509v3 certificate.
     Basic128 selects AES-128-CBC, RSA-OAEP key transport and SHA-1 digests
     (with an RSA key that means rsa-sha1). SHA-1 is a legacy choice, but it is
     fixed here by the server-side policy, not by the client.
     There is no sp:ProtectTokens, so the binding itself does not require the
     SAML token to be covered by the message signature; OWSM's "Assertion must
     be signed" check (see the error further down) appears to refer to an
     issuer signature carried inside the assertion. -->
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy";
xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy";
wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy">
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:SamlToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:WssSamlV11Token10/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always";>
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy/>
</sp:Wss10>
</wsp:Policy>
<types>
<xsd:schema>
<xsd:import namespace="http://owsm.test.wsa.bf.hs.com/";
schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/>
</xsd:schema>
</types>
<message name="createOrder">
<part name="parameters" element="tns:createOrder"/>
</message>
<message name="createOrderResponse">
<part name="parameters" element="tns:createOrderResponse"/>
</message>
<portType name="POManager">
<operation name="createOrder">
<input message="tns:createOrder"/>
<output message="tns:createOrderResponse"/>
</operation>
</portType>
<binding name="POManagerPortBinding" type="tns:POManager">
<soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http"/>
<!-- wsdl:required="false" is only a WS-Policy hint to the consumer; the
     service evidently still enforces the policy (see the OWSM compliance
     failure further down). -->
<wsp:PolicyReference
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
URI="#wss10_saml_hok_token_with_message_protection_service_policy"
wsdl:required="false"/>
<operation name="createOrder">
<soap:operation soapAction=""/>
<input>
<soap:body use="literal"/>
<wsp:PolicyReference
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
URI="#POManagerPort_Input_Policy" wsdl:required="false"/>
</input>
<output>
<soap:body use="literal"/>
<wsp:PolicyReference
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
URI="#POManagerPort_Output_Policy" wsdl:required="false"/>
</output>
</operation>
</binding>
<service name="POManagerService">
<port name="POManagerPort" binding="tns:POManagerPortBinding">
<soap:address location="http://server:7001/testwebservice/POManagerPort"/>
<!-- The service publishes its own X.509 certificate in the EPR identity.
     NOTE(review): this WSDL is served over plain http (see soap:address), so it
     is not an authenticated source for that certificate; a client should take
     the recipient certificate from a trusted keystore rather than from the WSDL. -->
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing";>
<wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing";>
http://server:7001/testwebservice/POManagerPort
</wsa:Address>
<wsid:Identity
xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity";>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";>
<dsig:X509Data>
<dsig:X509Certificate>
................
</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>
.........
</dsig:X509IssuerName>
<dsig:X509SerialNumber>-....</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>
.......
</dsig:X509SubjectName>
</dsig:X509Data>
</dsig:KeyInfo>
</wsid:Identity>
</wsa:EndpointReference>
</port>
</service>
</definitions>



c) the following is the message generated by CXF 2.5.2 for this policy

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
soap:mustUnderstand="1">
<!-- Recipient (service) certificate, sent inline (IncludeToken/Always) and
     referenced by the EncryptedKey below as the key-transport key.
     NOTE(review): the 64-byte CipherValue and SignatureValue in this message
     look like 512-bit RSA outputs on both the service and client side; fine for
     a lab, far too weak for anything real. -->
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
wsu:Id="BC59F58138560D687613341497540725">MIIB+DCCAaICCQCbeQ7C1MJrOTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wHhcNMTIwNDEwMTI1OTA0WhcNMTMwNDEwMTI1OTA0WjCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1ZwvGTS5gxDgGjoHuaqY9dh26un58rF3YFpuNY6F9JROBooMmbEWAWlvN+kjrEBhoQhTMbnwp8Sa+sPxOI+b8QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAIlGPjJUTytuNsfeIy+dPFAT6XXN6sbiTTcFmhGUtP8q3XJRQCFlMKqFrWP/SVck8PPdH6fSO8EzOLLOYF5dkPQ==</wsse:BinarySecurityToken>
<!-- 5-minute freshness window; the Timestamp is covered by the signature (#TS-1). -->
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created>
<wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires>
</wsu:Timestamp>
<!-- Symmetric content key, RSA-OAEP wrapped for the certificate in the
     BinarySecurityToken above; it encrypts only the Body (#ED-3). -->
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="EK-BC59F58138560D687613341497540724">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#BC59F58138560D687613341497540725"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-3"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<!-- Assertion as built by the callback handler further down (issuer, subject
     and attribute are hard-coded there). It contains no ds:Signature of its
     own, i.e. it is not self-signed; this is most likely what OWSM's
     "Assertion must be signed" rejects and what SELF_SIGN_SAML_ASSERTION
     addresses. The SubjectConfirmation KeyInfo carries the holder-of-key
     certificate the message signature must be made with. -->
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
AssertionID="_BC59F58138560D687613341496647771"
IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com"
MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
<saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z"
NotOnOrAfter="2012-04-11T13:12:44.838Z"/>
<saml1:AttributeStatement>
<saml1:Subject>
<saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier>
<saml1:SubjectConfirmation>
<saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:X509Data>
<ds:X509Certificate>........................</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml1:SubjectConfirmation>
</saml1:Subject>
<saml1:Attribute AttributeName="subject-role"
AttributeNamespace="http://custom-ns";>
<saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema";
xsi:type="xs:string">system-user</saml1:AttributeValue>
</saml1:Attribute>
</saml1:AttributeStatement>
</saml1:Assertion>
<!-- Message signature. It covers only the Timestamp (#TS-1) and the Body
     (#Id-26930486): the assertion is not referenced, and no addressing or
     fmw-context headers are present in this message, so the matching
     SignedParts entries of the input policy are vacuous here. The KeyInfo
     points at the assertion by AssertionID, i.e. the signing key is the
     holder-of-key key from the assertion's SubjectConfirmation.
     rsa-sha1 / sha1 follow from the Basic128 suite in the policy. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; Id="SIG-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Id-26930486">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue>
<ds:KeyInfo Id="KI-BC59F58138560D687613341497504882">
<wsse:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
wsu:Id="STR-BC59F58138560D687613341497504923">
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";>_BC59F58138560D687613341496647771</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<!-- Body content encrypted with AES-128-CBC under the key wrapped in the
     EncryptedKey above. CBC provides no integrity of its own; integrity of
     the Body rests on the signature reference to #Id-26930486 (whether the
     digest was taken before or after encryption is not visible here). -->
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="Id-26930486">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; Id="ED-3"
Type="http://www.w3.org/2001/04/xmlenc#Content";>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";>
<wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>.............................</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>


d) and I receive the following error from OWSM (Oracle Web Services Manager)

Policy compliance failure: Header/Element
NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be signed
[WSM_PolicyName:
oracle/wss10_saml_hok_token_with_message_protection_service_policy] The
signed message elements or parts do not comply with the policy.


I would like to understand which part of the message is not being signed, and
why, or how I could sign it. Looking at the message above, the ds:Signature
references only the Timestamp (#TS-1) and the Body (#Id-26930486), and the
saml1:Assertion itself contains no ds:Signature, which appears to be what OWSM
is complaining about.
I am using the SamlCallbackHandler (supplied with the tests) to add attributes.

The following is the CallbackHandler code, in case it helps:

///////////////////////////////////////////////////////////////////////////////
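/**
 * Fills each {@code SAMLCallback} with the data for a self-issued assertion:
 * a fixed issuer and subject, the holder-of-key KeyInfo when a HoK
 * confirmation method is configured, and a single "subject-role" attribute.
 *
 * NOTE(review): issuer, subject and attribute value are hard-coded test
 * fixtures. Whatever is set here is exactly what the recipient sees as the
 * asserted identity, so the service side must only trust the signing
 * certificate that is meant to issue such assertions.
 *
 * Callbacks of any other type are ignored rather than rejected with
 * {@code UnsupportedCallbackException} (unchanged from the original behaviour).
 *
 * @param callbacks callbacks handed over by WSS4J; only SAMLCallback is handled
 * @throws IOException if the holder-of-key KeyInfo cannot be built (the
 *         underlying cause is attached)
 * @throws UnsupportedCallbackException never thrown by this implementation
 */
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
    for (Callback cb : callbacks) {
        if (!(cb instanceof SAMLCallback)) {
            continue;
        }
        SAMLCallback callback = (SAMLCallback) cb;
        if (this.saml2) {
            callback.setSamlVersion(SAMLVersion.VERSION_20);
        }
        callback.setIssuer("www.oracle.com");

        String subjectName = "weblogic";
        String subjectQualifier = "www.oracle.com";
        SubjectBean subjectBean = new SubjectBean(subjectName,
                subjectQualifier, this.confirmationMethod);

        // Holder-of-key: embed the certificate of the key the message
        // signature is produced with, so the recipient can tie the assertion
        // to the signer.
        if ("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod)
                || "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod)) {
            try {
                KeyInfoBean keyInfo = createKeyInfo();
                subjectBean.setKeyInfo(keyInfo);
            } catch (Exception ex) {
                // Keep the original cause attached; the previous wrapper
                // dropped it and hid the real keystore/alias error.
                IOException ioe = new IOException("Problem creating KeyInfo: "
                        + ex.getMessage());
                ioe.initCause(ex);
                throw ioe;
            }
        }

        callback.setSubject(subjectBean);

        AttributeStatementBean attrBean = new AttributeStatementBean();
        attrBean.setSubject(subjectBean);

        AttributeBean attributeBean = new AttributeBean();
        if (this.saml2) {
            attributeBean.setQualifiedName("subject-role");
        } else {
            // SAML 1.1 attributes are an AttributeName / AttributeNamespace pair.
            attributeBean.setSimpleName("subject-role");
            attributeBean.setQualifiedName("http://custom-ns");
        }
        attributeBean.setAttributeValues(Collections.singletonList("system-user"));
        attrBean.setSamlAttributes(Collections.singletonList(attributeBean));

        callback.setAttributeStatementData(Collections.singletonList(attrBean));
    }
}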

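  /**
   * Builds the holder-of-key KeyInfo for the assertion subject: the X.509
   * certificate registered under alias "myprivate" in signature.properties,
   * embedded as a full certificate (CERT_IDENTIFIER.X509_CERT).
   *
   * NOTE(review): the alias is a hard-coded test value. For the recipient's
   * holder-of-key check to succeed this must be the same key the message
   * signature is produced with.
   *
   * @return KeyInfoBean carrying the end-entity certificate
   * @throws Exception if the Crypto instance cannot be loaded, or if no
   *         certificate exists for the alias
   */
  protected KeyInfoBean createKeyInfo() throws Exception
  {
    Crypto crypto = CryptoFactory.getInstance("signature.properties");

    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myprivate");
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    // A missing or misnamed alias used to surface as a bare NPE /
    // ArrayIndexOutOfBounds on certs[0]; fail with a message that names it.
    if (certs == null || certs.length == 0) {
      throw new IllegalStateException(
          "No X.509 certificate found for alias 'myprivate' in signature.properties");
    }

    KeyInfoBean keyInfo = new KeyInfoBean();
    // certs[0] is used as the end-entity certificate; further chain entries
    // are not embedded (presumably leaf-first - confirm against the Crypto impl).
    keyInfo.setCertificate(certs[0]);
    keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);

    return keyInfo;
  }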

//////////////////////////////////////////////////////////////////////////////




I did use that as well, but that only adds a certificate to the Signature and nothing else; the intent is that we are claiming to use a self-signed certificate for sending the message.
However, the problem here is that the response does not contain any certificate.
Please help me understand what keystore/truststore configuration this would require (if that is the problem at all). For now I have configured a custom identity/trust store using a certificate/private key that I generated after adding myself as a CA.
Please suggest what more it would need.

thanks for replying!
