Hi Christian,

I am not inclined to fix this issue in CXF/WSS4J, as it will involve
changing how we use keystores for signature validation. It is quite unusual
IMO to have an XML Signature without a KeyInfo pointing to the public key to
use to validate the signature.

For different IdPs, I have tested (successfully) against WSo2's Identity
Server, Josso, Shibboleth, Picketlink and OpenAM.

Colm.


On Wed, Nov 27, 2013 at 8:52 AM, Christian Metzler <
[email protected]> wrote:

> Hi Sergey,
>
> thanks for your reply. The problem seems to be in the
> SAMLProtocolResponseValidator class. Overriding the methods you suggested
> would not be sufficient. Instead I would have to write my own
> SAMLProtocolResponseValidator and instantiate it in the
> RequestAssertionConsumerService.
>
> The method which fails is the private
>     validateResponseSignature(...)
>
> which will do the following:
>
>     samlKeyInfo =
>                 SAMLUtil.getCredentialFromKeyInfo(
>                     keyInfo.getDOM(), requestData, docInfo,
>                     requestData.getWssConfig().isWsiBSPCompliant()
>                 );
>
>
> Perhaps I should look for a different IDP implementation. I currently
> tried to work with Mujina IDP for testing purposes.
> Are there any suggestions as to which IDP could work? I know your example works
> with Shibboleth, but I think Shibboleth is hard to set up and configure for
> testing purposes. Actually an IDP mock would be really handy... But I
> could not find anything other than Mujina.
>
>
> Kind regards,
>
> Christian
>
>
>
> On 26.11.2013 22:56, Sergey Beryozkin wrote:
>
>  Hi
>>
>> Thanks for reporting the issue, appears to be a bug in CXF or at the
>> lower level. I guess the KeyInfo is typically available on the WS path
>> hence the issue arises when it is not included.
>>
>> I can suggest a workaround for now, till the problem has been resolved:
>>
>> RequestAssertionConsumerService validateSamlResponseProtocol and
>> validateSamlSSOResponse methods are protected: I wonder if you can override
>> the method where the problem occurs and do the manual validation for now or
>> simply ignore the validation for now to get the POC done.
>>
>>
>>
>> HTH
>> Sergey
>>
>> On 26/11/13 13:25, Christian Metzler wrote:
>>
>>> Hi,
>>>
>>> I am trying to implement a SAML Request Assertion Consumer Service
>>> (RACS) with Apache CXF 2.7.7
>>> Unfortunately the response of my Identity Provider does not include a
>>> keyInfo (which is defined as optional in the SAML specification). This leads
>>> to an exception when processing the response, because CXF tries to load
>>> a DOM for the keyInfo.
>>>
>>> java.lang.NullPointerException
>>>     at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>>>
>>> I have a valid keystore.properties file as well as the certificate on my
>>> RACS site, but this does not change the behaviour. Is this a bug in CXF
>>> or did I miss something to set up for my RACS?
>>>
>>> That's my current configuration
>>>
>>>     <bean id="consumerService"
>>>         class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
>>>         <property name="stateProvider" ref="stateManager" />
>>>         <property name="enforceAssertionsSigned" value="false"/>
>>>         <property name="signaturePropertiesFile" value="serviceKeystore.properties"/>
>>>         <property name="supportBase64Encoding" value="true" />
>>>     </bean>
>>>
>>> And the response from my IDP is:
>>>
>>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>     Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
>>>     ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
>>>     InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>     IssueInstant="2013-11-26T09:46:48.020Z"
>>>     Version="2.0">
>>>     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>     <saml2p:Status>
>>>         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>>     </saml2p:Status>
>>>     <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>         ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
>>>         IssueInstant="2013-11-26T09:46:48.008Z"
>>>         Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>>         <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>             <ds:SignedInfo>
>>>                 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>                 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>                 <ds:Reference URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
>>>                     <ds:Transforms>
>>>                         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>                             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>>>                                 PrefixList="xs" />
>>>                         </ds:Transform>
>>>                     </ds:Transforms>
>>>                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>                     <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
>>>                 </ds:Reference>
>>>             </ds:SignedInfo>
>>> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTr
>>> zVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+
>>> oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>>>         </ds:Signature>
>>>         <saml2:Subject>
>>>             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>>>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>                 <saml2:SubjectConfirmationData
>>>                     Address="127.0.0.1"
>>>                     InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>                     NotOnOrAfter="2013-11-26T09:48:18.007Z"
>>>                     Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
>>>             </saml2:SubjectConfirmation>
>>>         </saml2:Subject>
>>>         <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
>>>             <saml2:AuthnContext>
>>>                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>>                 <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>>>             </saml2:AuthnContext>
>>>         </saml2:AuthnStatement>
>>>         <saml2:AttributeStatement>
>>>             <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">admin</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>             <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">guest</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>             <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">Doe</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>             <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">[email protected]</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>             <saml2:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">[email protected]</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>             <saml2:Attribute Name="urn:mace:dir:attribute-def:displayName">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">admin</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>             <saml2:Attribute Name="urn:mace:dir:attribute-def:givenName">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">John</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>             <saml2:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">example.com</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>             <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                     xsi:type="xs:string">John Doe</saml2:AttributeValue>
>>>             </saml2:Attribute>
>>>         </saml2:AttributeStatement>
>>>     </saml2:Assertion>
>>> </saml2p:Response>
>>>
>>> Thanks for your help.
>>>
>>>
>>
>>
>
> --
> ***********************************************************************
> Christian Metzler * Software Developer
> ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
> Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
> http://www.abas-software.com * http://www.abas.de
> Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
> Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
> Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
> Registered Office / Sitz der Gesellschaft: Karlsruhe
> Commercial Register / Handelsregister:  HRB 107644 Amtsgericht Mannheim
> ***********************************************************************
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
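On the point this thread turns on (a ds:Signature on the Assertion with no KeyInfo), the check a consumer service needs is the same whether KeyInfo is present or not: verify against the IdP key the SP already trusts from its own keystore or metadata, and treat a KeyInfo that does appear as at most a hint to be cross-checked, never as the source of the verification key. The code below is an added example written for this page; it is not code from the thread, from CXF or from WSS4J, and it does not patch SAMLProtocolResponseValidator. It uses the JDK's built-in XML Signature API (javax.xml.crypto.dsig) directly in place of WSS4J's SAMLUtil.getCredentialFromKeyInfo lookup; the class name PinnedKeySamlVerifier is made up for the example, and the assertion it signs and then verifies is constructed inline with a freshly generated key so that it runs offline.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Example (not CXF/WSS4J code): verify the enveloped ds:Signature on a SAML 2.0 Assertion against a pinned IdP key. */
public final class PinnedKeySamlVerifier {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** The IdP's public key, loaded from the SP's own keystore or metadata, never from the message. */
    private final PublicKey trustedIdpKey;

    public PinnedKeySamlVerifier(PublicKey trustedIdpKey) {
        this.trustedIdpKey = trustedIdpKey;
    }

    /** Always answers with the pinned key. No KeyInfo is fine; a KeyInfo naming a different key is an error. */
    private final class PinnedKeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo != null) {
                for (Object item : keyInfo.getContent()) {
                    if (item instanceof KeyValue) {
                        try {
                            if (!trustedIdpKey.equals(((KeyValue) item).getPublicKey())) {
                                throw new KeySelectorException("KeyInfo names a key other than the trusted IdP key");
                            }
                        } catch (KeyException e) {
                            throw new KeySelectorException(e);
                        }
                    }
                }
            }
            return () -> trustedIdpKey;
        }
    }

    /** True only for exactly one direct-child enveloped signature whose Reference covers this very assertion. */
    public boolean verify(Element assertion) throws Exception {
        assertion.setIdAttribute("ID", true);  // lets Reference URI="#<ID>" resolve to this element
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) {
            return false;  // none, several, or a Signature buried somewhere inside: reject
        }
        DOMValidateContext ctx = new DOMValidateContext(new PinnedKeySelector(), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            return false;  // wrong key, altered content, or digest mismatch
        }
        String expectedUri = "#" + assertion.getAttribute("ID");
        for (Object o : sig.getSignedInfo().getReferences()) {
            if (!expectedUri.equals(((Reference) o).getURI())) {
                return false;  // a valid signature over some other element is not a signature over this one
            }
        }
        return true;
    }

    /** Constructed demo: a minimal assertion signed here with a fresh key and, as in the thread, no KeyInfo. */
    public static void main(String[] args) throws Exception {
        String xml = "<saml2:Assertion xmlns:saml2=\"" + SAML_NS + "\" ID=\"_a1\" Version=\"2.0\">"
                + "<saml2:Issuer>http://mock-idp</saml2:Issuer></saml2:Assertion>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DOCTYPE from the IdP
        Element assertion = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        assertion.setIdAttribute("ID", true);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKey = kpg.generateKeyPair();

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#_a1", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(idpKey.getPrivate(), assertion));  // KeyInfo omitted

        System.out.println("pinned IdP key: " + new PinnedKeySamlVerifier(idpKey.getPublic()).verify(assertion));
        System.out.println("unrelated key:  " + new PinnedKeySamlVerifier(kpg.generateKeyPair().getPublic()).verify(assertion));
    }
}
```

Running main prints true for the pinned key and false for an unrelated key. The selector rejects a KeyInfo that names a different key instead of switching to it, which is the property that matters once an IdP does send KeyInfo: a party who can put their own key or certificate into the message must not thereby choose the key the signature is checked against. Two caveats for the sample response in this thread: it uses rsa-sha1 and sha1, which recent JDKs reject by default under secure validation, so a SHA-256 IdP configuration is needed; and the check above only covers the signature, so the usual SAML conditions (InResponseTo, Recipient, NotOnOrAfter, Audience, Issuer) still have to be validated separately, as CXF's validators do.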
