[ https://issues.apache.org/jira/browse/WSS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

M Kidd updated WSS-497:
-----------------------

    Description: 
WSS4J cannot locate an Assertion via a SecurityTokenReference KeyIdentifier id 
when the Assertion is encrypted as an EncryptedAssertion element.

{quote}
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing">ActionXXXX</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:f718f460-58a5-4aa5-a0ae-7e2a6d9dea8a</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing">https://xxxx:1234/catalog/xxxService-v1.0</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <wsse:Security soap:mustUnderstand="true"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Timestamp wsu:Id="TS-127">
        <wsu:Created>2014-04-22T13:00:42.301Z</wsu:Created>
        <wsu:Expires>2014-04-22T13:05:42.301Z</wsu:Expires>
      </wsu:Timestamp>
      <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
              <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              </e:EncryptionMethod>
              <KeyInfo>
                <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <X509Data>
                    <X509IssuerSerial>
                      <X509IssuerName>.....</X509IssuerName>
                      <X509SerialNumber>12345678</X509SerialNumber>
                    </X509IssuerSerial>
                  </X509Data>
                </o:SecurityTokenReference>
              </KeyInfo>
              <e:CipherData>***MASKED***</e:CipherData>
            </e:EncryptedKey>
          </KeyInfo>
          <xenc:CipherData>***MASKED***</xenc:CipherData>
        </xenc:EncryptedData>
      </EncryptedAssertion>
      <ds:Signature Id="SIG-128" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#TS-127">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>/wED0P+e1Hl79GX3yuHw/p/J2Vo=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Wgp/uzeawdu8oh8bDObXIsXrTUw=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-1603634465EB6A36DC1398171642303115">
          <SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
              xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
            <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_004e1ddf-d719-436b-bfb9-e833f482e4eb</KeyIdentifier>
          </SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
  </soap:Body>
</soap:Envelope>
{quote}

When the SecurityTokenReference is being parsed, it takes the KeyIdentifier 
value and looks for the associated Assertion id.  If it cannot locate the 
Assertion, it currently falls back on invoking the CallbackHandler, seeking the 
SECRET_KEY.

At some point prior to that parsing, I believe it should decrypt 
EncryptedAssertion elements, using the loaded certificates from the configured 
keystore, so the existing Assertion search logic can locate these Assertions.

Stack Trace:
org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
        at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:127) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
        at org.apache.ws.security.str.SignatureSTRParser.parseSAMLKeyIdentifier(SignatureSTRParser.java:353) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
        at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:169) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277) [cxf-rt-ws-security-2.6.6-redhat-3.jar:2.6.6-redhat-3]

  was:
(The previous description was identical to the one above, without the Stack Trace section that this update adds.)


> Support for SAML 2.0 EncryptedAssertion Element
> -----------------------------------------------
>
>                 Key: WSS-497
>                 URL: https://issues.apache.org/jira/browse/WSS-497
>             Project: WSS4J
>          Issue Type: New Feature
>          Components: WSS4J Core
>    Affects Versions: 1.6.15
>         Environment: JBoss AS 7.1.3, JBoss EAP 6.1.0
>            Reporter: M Kidd
>            Assignee: Colm O hEigeartaigh
>              Labels: features



--
This message was sent by Atlassian JIRA
(v6.2#6252)

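The lookup the report describes, as an added example that is not WSS4J code: given a wsse:Security header, resolve the Signature's SAML KeyIdentifier and report whether the referenced Assertion is present in clear, present only inside an EncryptedAssertion (the case above, where the ID cannot be matched until the element is decrypted), or absent altogether. The sample envelopes are constructed here, reduced to the elements the lookup needs; the namespaces and the assertion ID are taken from the message in the report.

```python
# Added example, not WSS4J code: resolve the Signature's SAML KeyIdentifier the
# way the report describes, but tell "no such Assertion" apart from "the only
# Assertion is inside an EncryptedAssertion and its ID cannot be read yet".
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"


def resolve_saml_key_identifier(envelope_xml):
    """Return (status, assertion_id): status is 'found', 'encrypted' or 'missing'."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    ki = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if ki is None or ki.get("ValueType") != SAMLID:
        raise ValueError("Signature KeyInfo carries no SAML KeyIdentifier")
    assertion_id = (ki.text or "").strip()
    # Plaintext saml2:Assertion with a matching ID: the normal STR lookup succeeds.
    for assertion in sec.findall("saml2:Assertion", NS):
        if assertion.get("ID") == assertion_id:
            return "found", assertion_id
    # The report's case: an EncryptedAssertion is present, so the ID may well be
    # inside it, but nothing can match it before the element is decrypted.
    if sec.find("saml2:EncryptedAssertion", NS) is not None:
        return "encrypted", assertion_id
    return "missing", assertion_id


# Constructed minimal envelopes modelled on the message in the report.
ASSERTION_ID = "_004e1ddf-d719-436b-bfb9-e833f482e4eb"
_HEAD = (f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header>'
         f'<wsse:Security xmlns:wsse="{NS["wsse"]}">')
_SIG = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:KeyInfo><wsse:SecurityTokenReference>'
        f'<wsse:KeyIdentifier ValueType="{SAMLID}">{ASSERTION_ID}</wsse:KeyIdentifier>'
        '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')
_TAIL = '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
ENCRYPTED_MSG = _HEAD + (f'<EncryptedAssertion xmlns="{NS["saml2"]}">'
                         '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
                         '<xenc:CipherData><xenc:CipherValue>MASKED</xenc:CipherValue>'
                         '</xenc:CipherData></xenc:EncryptedData></EncryptedAssertion>') + _SIG + _TAIL
PLAIN_MSG = _HEAD + f'<Assertion xmlns="{NS["saml2"]}" ID="{ASSERTION_ID}"/>' + _SIG + _TAIL
NO_ASSERTION_MSG = _HEAD + _SIG + _TAIL
```

Run against the report's full message the function returns `"encrypted"`, which is the point at which WSS4J instead falls back to the SECRET_KEY callback and fails with the trace above.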