[
https://issues.apache.org/jira/browse/RAMPART-295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12974034#action_12974034
]
S.Uthaiyashankar commented on RAMPART-295:
------------------------------------------
This is WSS4J issue. Moving to WSS4J project.
> Rampart failing to extract keyinfo from SAML assertion
> ------------------------------------------------------
>
> Key: RAMPART-295
> URL: https://issues.apache.org/jira/browse/RAMPART-295
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.5
> Environment: Server: Tomcat 5.5.28, Axis 1.5.1, Rampart 1.5, Windows
> XP SP2
> Client: .NET WCF 3.5, Windows XP
> Reporter: Jason Rattos
> Assignee: Ruchith Udayanga Fernando
> Priority: Blocker
>
> Validation of a SAML 1.1 and 2.0 token is failing due to an inability to
> extract KeyInfo from the Subject of a SAML assertion. The issue appears to be
> independant of using SAML 1.1/2.0 or symmetric/asymmetric bindings.
> The extract of the SAML subject (symmetric binding) is as follows:
> <saml:Subject>
> <saml:NameIdentifier
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</saml:NameIdentifier>
> <saml:SubjectConfirmation>
>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo
> xmlns="http://www.w3.org/2000/09/xmldsig#";>
> <e:EncryptedKey
> xmlns:e="http://www.w3.org/2001/04/xmlenc#";>
> <e:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> </e:EncryptionMethod>
> <KeyInfo>
>
> <o:SecurityTokenReference
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
> <X509Data>
>
> <X509IssuerSerial>
>
> <X509IssuerName>CN=Root Agency</X509IssuerName>
>
> <X509SerialNumber>-147027885241304943914470421251724308948</X509SerialNumber>
>
> </X509IssuerSerial>
> </X509Data>
>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
>
> <e:CipherValue>YPzUKhWVjM56ugTvgLF8nbCULmITwiE2lGFWf5rsRwm7v+g/J2cswNJoK5oBpROUXJRV3P10PRtWloXNU3eR8kZRn7nutFp5iEpRW4FHcoRMTK3KHYILz7EaBwYsNaGJ45PD6IeJvjGb79/5N9boePWZBMl708vsXp63fXNbUPo=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> The extract of the SAML subject (asymmetric binding) is as follows:
> <Subject>
> <NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</NameID>
> <SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> <SubjectConfirmationData
> xmlns:a="http://www.w3.org/2001/XMLSchema-instance";
> a:type="KeyInfoConfirmationDataType">
> <KeyInfo
> xmlns="http://www.w3.org/2000/09/xmldsig#";>
> <KeyValue>
> <RSAKeyValue>
>
> <Modulus>qq45WmIc5AJQF8f06R8KMm9G4RsT4Vi9Xx5psYuyDzD1M7480CQ7dEmOLkYnOP/qwLNiKgvG/Xm2rGYf1fgQD+dH+jwoirACflwEGUk7nU88mZOeJwqfXq4oWdsGVAMREyJQnW2q5+KJQt6/Pt3UBWquTvJnwes9/0WrQUAUX9s=</Modulus>
>
> <Exponent>AQAB</Exponent>
> </RSAKeyValue>
> </KeyValue>
> </KeyInfo>
> </SubjectConfirmationData>
> </SubjectConfirmation>
> </Subject>
> In both cases the SAMUtil.java (as part of WSSJ-1.5.8) fails to extract the
> certificate info. The following lines are an extract from the source code for
> which this is failing:
> Element e = samlSubj.getKeyInfo();
> X509Certificate[] certs = null;
> try {
> KeyInfo ki = new KeyInfo(e, null);
> if (ki.containsX509Data()) {
> X509Data data = ki.itemX509Data(0);
> XMLX509Certificate certElem = null;
> In both use cases the ki instance return false for ki.containsX509Data() and
> hence the processing fails.
> In an attempt to see whether the KeyInfo constructor limited itself to
> certain types of certificate references, I manually modified the SAML
> assertion subject using TCPMon to include the X509 Base64 representation of
> the certificate as follows and found that this actually works, as a result of
> the ki.containsX509Data() statement returns true:
> <saml:Subject>
> <saml:NameIdentifier
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">DOMAIN\JOE</saml:NameIdentifier>
> <saml:SubjectConfirmation>
>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo
> xmlns="http://www.w3.org/2000/09/xmldsig#";>
> <X509Data>
>
> <X509Certificate>MIIBsTCCAV+gAwIBAgIQKCrSOt8UsKxIAPFEMK316zAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTA4MDgxMzE1MDkyM1oXDTM5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEhqjNMe8M8CA0yGX1pUlJZ4r5WKvQfJ6k8DPBR/VGcvbWPBeiHRjBhH5I5kszg04on8M+FFg0RkW1cfmQRc8kf1XLudHdBUxJx3nfLXH2OscsxQkgcNfdvo5/GCewDIRHMxI+2TO9tgLP6SEJBdprO/55q8t4k/VW4Yi9u9/2VQIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBAEWsx9wociNjb8uidCy6WRHfS8qhIYjSbgGCYL8/bZ0Xoc8ETPOgZsnD0zSgLuWj7tlY0cHNtY4Nvu8tRo/U2ts=</X509Certificate>
> </X509Data>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> Have previously submitted this an email request directly to rampart-dev but
> thought it best to formally raise the issue here as it's blocking any further
> use of rampart for this particular project.
> Thanks,
> Jason
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
