[ 
https://issues.apache.org/jira/browse/WSS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-497.
-----------------------------------


> Support for SAML 2.0 EncryptedAssertion Element
> -----------------------------------------------
>
>                 Key: WSS-497
>                 URL: https://issues.apache.org/jira/browse/WSS-497
>             Project: WSS4J
>          Issue Type: New Feature
>          Components: WSS4J Core
>    Affects Versions: 1.6.9, 1.6.13
>         Environment: JBoss AS 7.1.3, JBoss EAP 6.1.0
>            Reporter: M Kidd
>            Assignee: Colm O hEigeartaigh
>              Labels: features
>             Fix For: 2.0.0, 1.6.16
>
>
> WSS4J cannot locate an Assertion via a SecurityTokenReference KeyIdentifier 
> id when the Assertion is encrypted as an EncryptedAssertion element.
> {quote}
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">ActionXXXX</Action>
>     <MessageID 
> xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:f718f460-58a5-4aa5-a0ae-7e2a6d9dea8a</MessageID>
>     <To 
> xmlns="http://www.w3.org/2005/08/addressing">https://xxxx:1234/catalog/xxxService-v1.0</To>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>     </ReplyTo>
>     <wsse:Security soap:mustUnderstand="true" 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsu:Timestamp wsu:Id="TS-127">
>         <wsu:Created>2014-04-22T13:00:42.301Z</wsu:Created>
>         <wsu:Expires>2014-04-22T13:05:42.301Z</wsu:Expires>
>       </wsu:Timestamp>
>       <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" 
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>           <xenc:EncryptionMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>               <e:EncryptionMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                 <DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>               </e:EncryptionMethod>
>               <KeyInfo>
>                 <o:SecurityTokenReference 
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                   <X509Data>
>                     <X509IssuerSerial>
>                       <X509IssuerName>.....</X509IssuerName>
>                       <X509SerialNumber>12345678</X509SerialNumber>
>                     </X509IssuerSerial>
>                   </X509Data>
>                 </o:SecurityTokenReference>
>               </KeyInfo>
>               <e:CipherData>***MASKED***</e:CipherData>
>             </e:EncryptedKey>
>           </KeyInfo>
>           <xenc:CipherData>***MASKED***</xenc:CipherData>
>         </xenc:EncryptedData>
>       </EncryptedAssertion>
>       <ds:Signature Id="SIG-128" 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces PrefixList="soap" 
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>           <ds:Reference URI="#TS-127">
>             <ds:Transforms>
>               <ds:Transform 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="wsse soap" 
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>/wED0P+e1Hl79GX3yuHw/p/J2Vo=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>Wgp/uzeawdu8oh8bDObXIsXrTUw=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-1603634465EB6A36DC1398171642303115">
>           <SecurityTokenReference 
> b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
>             <KeyIdentifier 
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_004e1ddf-d719-436b-bfb9-e833f482e4eb</KeyIdentifier>
>           </SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>   </soap:Body>
> </soap:Envelope>
> {quote}
> When the SecurityTokenReference is being parsed, it takes the KeyIdentifier 
> value and looks for the associated Assertion id.  If it cannot locate the 
> Assertion, it currently falls back on invoking the CallbackHandler, seeking 
> the SECRET_KEY.
> At some point prior to that parsing, I believe it should decrypt 
> EncryptedAssertion elements, using the loaded certificates from the 
> configured keystore, so the existing Assertion search logic can locate these 
> Assertions.
> Stack Trace:
> org.apache.ws.security.WSSecurityException: General security error (SAML 
> token security failure)
>         at 
> org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:127)
>  [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at 
> org.apache.ws.security.str.SignatureSTRParser.parseSAMLKeyIdentifier(SignatureSTRParser.java:353)
>  [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at 
> org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217)
>  [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at 
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:169)
>  [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>  [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>         at 
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277)
>  [cxf-rt-ws-security-2.6.6-redhat-3.jar:2.6.6-redhat-3]
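The following is an added illustration of the lookup order the report asks for; it is not WSS4J code and not the reporter's. It indexes the plaintext saml2:Assertion elements under wsse:Security by ID, resolves a SAMLID KeyIdentifier against that index, and shows that the reference in the reported message cannot resolve until the EncryptedAssertion has been replaced by its decrypted Assertion. When the lookup fails while an EncryptedAssertion is present it reports that condition instead of silently falling back to a secret-key callback. The envelope is a constructed, trimmed version of the one above; the "decryption" is a constructed stand-in (CipherValue holds base64 of the plaintext Assertion), not XML Encryption, and the CipherValue element, absent from the masked report, is assumed from the xenc schema. A real implementation would unwrap the EncryptedKey from the configured keystore and run the AES-CBC decryption.

```python
"""Decrypt-then-index resolution of a SAML KeyIdentifier (added example, not WSS4J)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
SAMLID_VALUETYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
ASSERTION_TAG = f"{{{NS['saml2']}}}Assertion"
ENCRYPTED_ASSERTION_TAG = f"{{{NS['saml2']}}}EncryptedAssertion"


class TokenNotFound(Exception):
    """Raised when a SecurityTokenReference cannot be resolved to a token."""


def index_assertions(security):
    """Map every plaintext saml2:Assertion under wsse:Security by its ID attribute."""
    return {a.get("ID"): a for a in security.iter(ASSERTION_TAG) if a.get("ID")}


def has_encrypted_assertions(security):
    return any(True for _ in security.iter(ENCRYPTED_ASSERTION_TAG))


def resolve_saml_key_identifier(security, key_identifier):
    """Resolve a wsse:KeyIdentifier with the SAMLID ValueType to an Assertion element."""
    value_type = key_identifier.get("ValueType")
    if value_type != SAMLID_VALUETYPE:
        raise ValueError(f"unsupported KeyIdentifier ValueType: {value_type}")
    wanted = (key_identifier.text or "").strip()
    found = index_assertions(security).get(wanted)
    if found is None:
        if has_encrypted_assertions(security):
            # Distinguish "still encrypted" from "genuinely absent": the caller should
            # decrypt first, not ask a CallbackHandler for a secret key.
            raise TokenNotFound(f"assertion {wanted} not found; an EncryptedAssertion "
                                "is present, decrypt it before resolving references")
        raise TokenNotFound(f"assertion {wanted} not found")
    return found


def decrypt_encrypted_assertions(security, decrypt_element):
    """Replace each EncryptedAssertion with the Assertion returned by decrypt_element(EncryptedData)."""
    # Collect targets first; ElementTree has no parent pointers and must not be mutated mid-iteration.
    targets = [(parent, child) for parent in list(security.iter())
               for child in list(parent) if child.tag == ENCRYPTED_ASSERTION_TAG]
    for parent, child in targets:
        position = list(parent).index(child)
        plain = decrypt_element(child.find("xenc:EncryptedData", NS))
        parent.remove(child)
        parent.insert(position, plain)
    return len(targets)


def standin_decrypt(encrypted_data):
    """Constructed stand-in: CipherValue is base64 of the plaintext Assertion. NOT XML Encryption."""
    cipher_value = encrypted_data.find("xenc:CipherData/xenc:CipherValue", NS)
    return ET.fromstring(base64.b64decode(cipher_value.text.strip()))


# Constructed sample input, using the assertion ID quoted in the report.
ASSERTION_ID = "_004e1ddf-d719-436b-bfb9-e833f482e4eb"
PLAIN_ASSERTION = (f'<saml2:Assertion xmlns:saml2="{NS["saml2"]}" ID="{ASSERTION_ID}" Version="2.0">'
                   '<saml2:Issuer>constructed-idp</saml2:Issuer></saml2:Assertion>')
CIPHER_VALUE = base64.b64encode(PLAIN_ASSERTION.encode()).decode()
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <EncryptedAssertion xmlns="{NS['saml2']}">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="{NS['xenc']}">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
          <xenc:CipherData><xenc:CipherValue>{CIPHER_VALUE}</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </EncryptedAssertion>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="{SAMLID_VALUETYPE}">{ASSERTION_ID}</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def demo():
    """Returns (error before decryption, number decrypted, resolved ID after decryption)."""
    root = ET.fromstring(SAMPLE_ENVELOPE)
    security = root.find("soap:Header/wsse:Security", NS)
    key_identifier = security.find(".//wsse:KeyIdentifier", NS)
    try:
        resolve_saml_key_identifier(security, key_identifier)
        before = "resolved"
    except TokenNotFound as exc:
        before = str(exc)
    decrypted = decrypt_encrypted_assertions(security, standin_decrypt)
    after = resolve_saml_key_identifier(security, key_identifier).get("ID")
    return before, decrypted, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the failure the stack trace above reports (the KeyIdentifier resolves to nothing while the only assertion is still inside EncryptedAssertion) and then the successful lookup once the element has been decrypted in place, which is the ordering the report proposes.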



--
This message was sent by Atlassian JIRA
(v6.2#6252)
