[
https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed WSS-393.
-----------------------------------
> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a
> KeyInfo
> ----------------------------------------------------------------------------------
>
> Key: WSS-393
> URL: https://issues.apache.org/jira/browse/WSS-393
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.6.6
> Environment: .NET client, .NET STS, Java service, Windows 7.0
> Reporter: Dan Taylor
> Assignee: Colm O hEigeartaigh
> Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
> Fix For: 1.6.7
>
>
> We have a .NET client using a .NET STS for authentication and authorization
> to our java service. The .NET STS puts a SecurityTokenReference inside a
> KeyInfo element, with a KeyIdentifier inside the STR. This causes an
> exception to be thrown: General security error (SAML token security failure).
> From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo
> method, keyInfoElement.getFirstChild() returns the SecurityTokenReference
> element. Inside this element is the KeyIdentifier element, which isn't
> handled anywhere inside this method.
> From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1)
> standard:
> Section 7.1: “All compliant implementations MUST be able to process a
> <wsse:SecurityTokenReference> element. This element can also be used as a
> direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key
> information from a security token placed somewhere else. In particular, it is
> RECOMMENDED, when using XML Signature and XML Encryption, that a
> <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to
> reference the security token used for the signature or encryption.”
> From the Web Services Security X.509 Certificate Token Profile 1.1) standard:
> Section 3.2: “In order to ensure a consistent processing model across all the
> token types supported by WSS: SOAP Message Security, the
> <wsse:SecurityTokenReference> element SHALL be used to specify all references
> to X.509 token types in signature or encryption elements that comply with
> this profile.”
> Sample SAMLToken:
> <saml:Assertion MajorVersion="1" MinorVersion="1"
> AssertionID="SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c"
> Issuer="sts" IssueInstant="2012-06-13T18:08:07.710Z"
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
> <saml:Conditions NotBefore="2012-06-13T18:08:07.710Z"
> NotOnOrAfter="2012-06-14T04:08:07.710Z"></saml:Conditions>
> <saml:AuthenticationStatement
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
> AuthenticationInstant="2012-06-13T18:08:07.713Z">
> <saml:Subject>
> <saml:NameIdentifier
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">t...@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#";>
> <e:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
> <o:KeyIdentifier
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";>TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> </saml:AuthenticationStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">t...@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#";>
> <e:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
> <o:KeyIdentifier
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";>TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="roles"
> AttributeNamespace="http://schemas.merge.com/icc/claims";>
> <saml:AttributeValue>User</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">t...@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#";>
> <e:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
> <o:KeyIdentifier
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";>TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims";>
> <saml:AttributeValue>t...@merge.com</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">t...@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#";>
> <e:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
> <o:KeyIdentifier
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";>TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="privatepersonalidentitfier"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims";>
> <saml:AttributeValue>55</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";>
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></CanonicalizationMethod>
> <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></SignatureMethod>
> <Reference URI="#SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";></Transform>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></Transform>
> </Transforms>
> <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod>
> <DigestValue>jzWAgfaALhUvXFSppZhviEw6cOs=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>tUgZygu5219bov276dy9YgS3BSdpgT2vd03MD44Ckd1EWV2u5o0Z2weycrVBH/7rbJB9F18mBHRUv4nve/1E0GI3Hqn4Ios0fOcNI2qsP9ETdv2PLoQU8S2gyupMQ4IEKPFjqdyXQP2nJduWLBVQgOAJcP+PCDyH2gWrTb/YJ1I=</SignatureValue>
> <KeyInfo>
> <o:SecurityTokenReference
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
> <o:KeyIdentifier
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";>TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </saml:Assertion>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org
