[ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed WSS-393.
-----------------------------------

> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
> ----------------------------------------------------------------------------------
>
>                 Key: WSS-393
>                 URL: https://issues.apache.org/jira/browse/WSS-393
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.6
>         Environment: .NET client, .NET STS, Java service, Windows 7.0
>            Reporter: Dan Taylor
>            Assignee: Colm O hEigeartaigh
>              Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
>             Fix For: 1.6.7
>
>
> We have a .NET client using a .NET STS for authentication and authorization
> to our java service. The .NET STS puts a SecurityTokenReference inside a
> KeyInfo element, with a KeyIdentifier inside the STR. This causes an
> exception to be thrown: General security error (SAML token security failure).
>
> From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo
> method, keyInfoElement.getFirstChild() returns the SecurityTokenReference
> element. Inside this element is the KeyIdentifier element, which isn't
> handled anywhere inside this method.
>
> From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1)
> standard:
>
> Section 7.1: "All compliant implementations MUST be able to process a
> <wsse:SecurityTokenReference> element. This element can also be used as a
> direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key
> information from a security token placed somewhere else. In particular, it is
> RECOMMENDED, when using XML Signature and XML Encryption, that a
> <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to
> reference the security token used for the signature or encryption."
>
> From the Web Services Security X.509 Certificate Token Profile 1.1 standard:
>
> Section 3.2: "In order to ensure a consistent processing model across all the
> token types supported by WSS: SOAP Message Security, the
> <wsse:SecurityTokenReference> element SHALL be used to specify all references
> to X.509 token types in signature or encryption elements that comply with
> this profile."
>
> Sample SAMLToken:
>
> <saml:Assertion MajorVersion="1" MinorVersion="1"
>     AssertionID="SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c"
>     Issuer="sts" IssueInstant="2012-06-13T18:08:07.710Z"
>     xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
>   <saml:Conditions NotBefore="2012-06-13T18:08:07.710Z"
>       NotOnOrAfter="2012-06-14T04:08:07.710Z"></saml:Conditions>
>   <saml:AuthenticationStatement
>       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
>       AuthenticationInstant="2012-06-13T18:08:07.713Z">
>     <saml:Subject>
>       <saml:NameIdentifier
>           Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">t...@merge.com</saml:NameIdentifier>
>       <saml:SubjectConfirmation>
>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod
>                 Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod
>                   Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference
>                   xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <o:KeyIdentifier
>                     ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>   </saml:AuthenticationStatement>
>   <saml:AttributeStatement>
>     <saml:Subject>
>       <saml:NameIdentifier
>           Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">t...@merge.com</saml:NameIdentifier>
>       <saml:SubjectConfirmation>
>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod
>                 Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod
>                   Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference
>                   xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <o:KeyIdentifier
>                     ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Attribute AttributeName="roles"
>         AttributeNamespace="http://schemas.merge.com/icc/claims">
>       <saml:AttributeValue>User</saml:AttributeValue>
>     </saml:Attribute>
>   </saml:AttributeStatement>
>   <saml:AttributeStatement>
>     <saml:Subject>
>       <saml:NameIdentifier
>           Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">t...@merge.com</saml:NameIdentifier>
>       <saml:SubjectConfirmation>
>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod
>                 Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod
>                   Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference
>                   xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <o:KeyIdentifier
>                     ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Attribute AttributeName="emailaddress"
>         AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>       <saml:AttributeValue>t...@merge.com</saml:AttributeValue>
>     </saml:Attribute>
>   </saml:AttributeStatement>
>   <saml:AttributeStatement>
>     <saml:Subject>
>       <saml:NameIdentifier
>           Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">t...@merge.com</saml:NameIdentifier>
>       <saml:SubjectConfirmation>
>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod
>                 Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod
>                   Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference
>                   xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <o:KeyIdentifier
>                     ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Attribute AttributeName="privatepersonalidentitfier"
>         AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>       <saml:AttributeValue>55</saml:AttributeValue>
>     </saml:Attribute>
>   </saml:AttributeStatement>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>       <CanonicalizationMethod
>           Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
>       <SignatureMethod
>           Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>       <Reference URI="#SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c">
>         <Transforms>
>           <Transform
>               Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>           <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
>         </Transforms>
>         <DigestMethod
>             Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>         <DigestValue>jzWAgfaALhUvXFSppZhviEw6cOs=</DigestValue>
>       </Reference>
>     </SignedInfo>
>     <SignatureValue>tUgZygu5219bov276dy9YgS3BSdpgT2vd03MD44Ckd1EWV2u5o0Z2weycrVBH/7rbJB9F18mBHRUv4nve/1E0GI3Hqn4Ios0fOcNI2qsP9ETdv2PLoQU8S2gyupMQ4IEKPFjqdyXQP2nJduWLBVQgOAJcP+PCDyH2gWrTb/YJ1I=</SignatureValue>
>     <KeyInfo>
>       <o:SecurityTokenReference
>           xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <o:KeyIdentifier
>             ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>       </o:SecurityTokenReference>
>     </KeyInfo>
>   </Signature>
> </saml:Assertion>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org
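The report above describes a holder-of-key KeyInfo whose wsse:KeyIdentifier (ValueType ThumbprintSHA1) sits in a SecurityTokenReference nested under xenc:EncryptedKey, which WSS4J 1.6.6 did not resolve. As an added illustration, not WSS4J's code and not part of the JIRA thread, the following resolver locates such a KeyIdentifier regardless of nesting and maps the thumbprint to a certificate; the certificate "store" and the DER bytes are constructed placeholders standing in for a real keystore lookup.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"

def sha1_thumbprint(cert_der: bytes) -> str:
    """A ThumbprintSHA1 KeyIdentifier carries Base64(SHA-1(DER certificate))."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")

def key_info_from_xml(text: str) -> ET.Element:
    """Parse a ds:KeyInfo fragment (helper so callers need not import ElementTree)."""
    return ET.fromstring(text)

def find_key_identifier(key_info: ET.Element):
    """Return (ValueType, value) of the first wsse:KeyIdentifier under a ds:KeyInfo.
    Descendants are searched, so the STR is found whether it is a direct child or
    nested under xenc:EncryptedKey/ds:KeyInfo as in the WSS-393 token; None if absent."""
    for str_el in key_info.iter(f"{{{WSSE}}}SecurityTokenReference"):
        kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
        if kid is not None and kid.text:
            return kid.get("ValueType"), kid.text.strip()
    return None

def resolve_certificate(key_info: ET.Element, cert_store: dict):
    """Map a ThumbprintSHA1 KeyIdentifier to a DER certificate in cert_store
    (thumbprint -> DER). None for other ValueTypes or unknown thumbprints, so the
    caller can reject the token with a precise reason rather than a generic error."""
    ref = find_key_identifier(key_info)
    if ref is None or ref[0] != THUMBPRINT_SHA1:
        return None
    return cert_store.get(ref[1])

# Constructed stand-in for a DER-encoded certificate; not a real X.509 blob.
FAKE_CERT_DER = b"constructed-certificate-bytes-not-a-real-x509"
CERT_STORE = {sha1_thumbprint(FAKE_CERT_DER): FAKE_CERT_DER}

# Constructed KeyInfo with the same nesting as the .NET STS token in the report.
SAMPLE_KEYINFO = f"""<KeyInfo xmlns="{DS}">
  <e:EncryptedKey xmlns:e="{XENC}">
    <KeyInfo>
      <o:SecurityTokenReference xmlns:o="{WSSE}">
        <o:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">{sha1_thumbprint(FAKE_CERT_DER)}</o:KeyIdentifier>
      </o:SecurityTokenReference>
    </KeyInfo>
  </e:EncryptedKey>
</KeyInfo>"""
```

A production resolver would also verify that the resolved certificate is the one that actually signed the assertion, since a thumbprint match alone only selects a candidate key.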