Dan Taylor created WSS-394:
------------------------------

             Summary: WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo
                 Key: WSS-394
                 URL: https://issues.apache.org/jira/browse/WSS-394
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 1.6.6
         Environment: .NET client, .NET STS, Java service, Windows 7.0
            Reporter: Dan Taylor
            Assignee: Colm O hEigeartaigh
             Fix For: 1.6.7


We have a .NET client using a .NET STS for authentication and authorization to 
our java service.  The .NET STS puts a SecurityTokenReference inside a KeyInfo 
element, with an X509Data inside the STR.  This causes an exception to be 
thrown: General security error (SAML token security failure).

From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo 
method, keyInfoElement.getFirstChild() returns the SecurityTokenReference 
element.  Inside this element is the X509Data element, which should be handled 
correctly.

From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1) 
standard:

Section 7.1: “All compliant implementations MUST be able to process a 
<wsse:SecurityTokenReference> element. This element can also be used as a 
direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key 
information from a security token placed somewhere else. In particular, it is 
RECOMMENDED, when using XML Signature and XML Encryption, that a 
<wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to 
reference the security token used for the signature or encryption.”

From the Web Services Security X.509 Certificate Token Profile 1.1 standard:

Section 3.2: “In order to ensure a consistent processing model across all the 
token types supported by WSS: SOAP Message Security, the 
<wsse:SecurityTokenReference> element SHALL be used to specify all references 
to X.509 token types in signature or encryption elements that comply with this 
profile.”


Sample SAMLToken:

<saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="SamlSecurityToken-db75ab81-fbe4-455b-ad51-99ff091f3981"
    Issuer="sts" IssueInstant="2012-06-12T15:25:49.393Z"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2012-06-12T15:25:49.393Z"
      NotOnOrAfter="2012-06-13T01:25:49.393Z"></saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
      AuthenticationInstant="2012-06-12T15:25:49.397Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">[email protected]</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            </e:EncryptionMethod>
            <KeyInfo>
              <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
              </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
              <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
            </e:CipherData>
          </e:EncryptedKey>
        </KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">[email protected]</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            </e:EncryptionMethod>
            <KeyInfo>
              <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
              </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
              <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
            </e:CipherData>
          </e:EncryptedKey>
        </KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
      <saml:AttributeValue>User</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">[email protected]</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            </e:EncryptionMethod>
            <KeyInfo>
              <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
              </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
              <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
            </e:CipherData>
          </e:EncryptedKey>
        </KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">[email protected]</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            </e:EncryptionMethod>
            <KeyInfo>
              <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
              </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
              <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
            </e:CipherData>
          </e:EncryptedKey>
        </KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>55</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
      <Reference URI="#SamlSecurityToken-db75ab81-fbe4-455b-ad51-99ff091f3981">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
        <DigestValue>P0aIAqKPikgPXLn4TfcF1z5ZmZo=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>fGTlN2CXzqSsdLS8pH4r3gqmwGTo40uqSvnioMd6bl/PdgAgLw0OtirVZFofVEQWQXY1yuGjzOX0w7CeyfjprOHf/bLphoem1oyjJe+QDCtKA41faXhXbJOEtbksdxqui+qU+YwqStbJJmi/F9yijjuwnuwbDhI48SqcdmZcsY8=</SignatureValue>
    <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <X509Data>
          <X509IssuerSerial>
            <X509IssuerName>CN=SUNCA, OU=JWS, O=SUN, S=Some-State, C=AU</X509IssuerName>
            <X509SerialNumber>2</X509SerialNumber>
          </X509IssuerSerial>
        </X509Data>
      </o:SecurityTokenReference>
    </KeyInfo>
  </Signature>
</saml:Assertion>
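The two KeyInfo shapes in the token above (an STR wrapping a ThumbprintSHA1 KeyIdentifier, and the Signature's STR wrapping X509Data/X509IssuerSerial) are what a resolver has to dispatch on. The following is an added example, not the reporter's code and not WSS4J's: a small resolver that locates the wsse:SecurityTokenReference by name under ds:KeyInfo and returns a lookup hint for either child form, rejecting anything else. The sample inputs are constructed from the values in the report; the hint tuples and function names are this example's own.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"


def _from_x509data(x509):
    # Only the X509IssuerSerial form is handled; it is the shape in the report.
    pair = x509.find(f"{{{DS}}}X509IssuerSerial")
    if pair is None:
        raise ValueError("unsupported X509Data content")
    issuer = (pair.findtext(f"{{{DS}}}X509IssuerName") or "").strip()
    serial = (pair.findtext(f"{{{DS}}}X509SerialNumber") or "").strip()
    if not issuer or not serial.isdigit():
        raise ValueError("malformed X509IssuerSerial")
    return ("issuer-serial", issuer, int(serial))


def resolve_key_info(xml_text):
    """Return a lookup hint (kind, ...) for the key a ds:KeyInfo points at.
    The STR is found by qualified name rather than getFirstChild(), so a
    whitespace text node is never mistaken for it; its child is then dispatched on."""
    key_info = ET.fromstring(xml_text.strip())
    if key_info.tag != f"{{{DS}}}KeyInfo":
        raise ValueError("root is not ds:KeyInfo")
    str_el = key_info.find(f"{{{WSSE}}}SecurityTokenReference")
    if str_el is None:
        raise ValueError("KeyInfo carries no wsse:SecurityTokenReference")
    ki = str_el.find(f"{{{WSSE}}}KeyIdentifier")
    if ki is not None:
        if ki.get("ValueType") != THUMBPRINT_SHA1:
            raise ValueError("unsupported KeyIdentifier ValueType")
        return ("thumbprint-sha1", (ki.text or "").strip())
    x509 = str_el.find(f"{{{DS}}}X509Data")
    if x509 is not None:
        return _from_x509data(x509)  # the case WSS4J 1.6.6 rejected
    raise ValueError("SecurityTokenReference has no supported child")


# Constructed inputs, modelled on the two KeyInfo shapes in the report's token.
STR_ISSUER_SERIAL = f"""<KeyInfo xmlns="{DS}">
  <o:SecurityTokenReference xmlns:o="{WSSE}">
    <X509Data><X509IssuerSerial>
      <X509IssuerName>CN=SUNCA, OU=JWS, O=SUN, S=Some-State, C=AU</X509IssuerName>
      <X509SerialNumber>2</X509SerialNumber>
    </X509IssuerSerial></X509Data>
  </o:SecurityTokenReference>
</KeyInfo>"""
STR_THUMBPRINT = f"""<KeyInfo xmlns="{DS}">
  <o:SecurityTokenReference xmlns:o="{WSSE}"><o:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier></o:SecurityTokenReference>
</KeyInfo>"""
```

The returned hint is only the lookup key; the caller still has to find the certificate in its trust store and verify the signature with it.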

