Colm -
It looks like I have a solution for this. I had extracted some code to post to
the OpenSAML list, and posted the problem over there. While waiting for
something to happen, I tried a few things with the extracted code, mostly with
no positive changes. But then I tried this change, and now I think the output
looks correct:
    protected final void addSignatureToAssertion(
            AssertionWrapper sa,
            Signature signature,
            String signatureDigestAlgorithm)
    {
        LOG.info("SIGTEST Replacement addSignatureToAssertion");
        if (sa.getXmlObject() instanceof SignableSAMLObject) {
            SignableSAMLObject signableObject = (SignableSAMLObject) sa.getXmlObject();
            signableObject.setSignature(signature);
            SAMLObjectContentReference contentRef =
                (SAMLObjectContentReference) signature.getContentReferences().get(0);
            contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
            // The only change under test: the cached DOM is no longer released here.
            //signableObject.releaseChildrenDOM(true);
            //signableObject.releaseDOM();
        } else {
            LOG.error("Attempt to sign an unsignable object " +
                sa.getXmlObject().getClass().getName());
        }
    }
This is just the AssertionWrapper.setSignature() method extracted into my local
code base, with the releaseDOM lines commented out. I expected this to fail
miserably with various exceptions. But instead, I got this (very trimmed)
assertion back:
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
                 AssertionID="_5FFEE2CBDBBCD91A5A141277359654832"
                 IssueInstant="2014-10-08T13:06:36.547Z" Issuer="SWIM-STS"
                 MajorVersion="1" MinorVersion="1">
  <saml1:Conditions>...</saml1:Conditions>
  <saml1:Advice>
    <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
                     AssertionID="_5FFEE2CBDBBCD91A5A141277359605611"
                     IssueInstant="2014-10-08T13:06:36.055Z" Issuer="SWIM-STS"
                     MajorVersion="1" MinorVersion="1">
      <saml1:Conditions>...</saml1:Conditions>
      <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359605611">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>hHfSTh/rgdxN5iGLNfJYxjI9YPowXPQsJ1sl3IH520U=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>...</ds:KeyInfo>
      </ds:Signature>
    </saml1:Assertion>
  </saml1:Advice>
  <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359654832">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>...</ds:KeyInfo>
  </ds:Signature>
</saml1:Assertion>
So I have not done enough analysis yet to figure out why this works or what
sort of unintended consequences it may have, but for the moment, the output is
more along the lines of what I expected.
Thanx,
Stephen W. Chappell
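An added check, not part of this thread or of WSS4J, that a test harness can run over the serialized assertion after signAssertion() returns: it walks the outer assertion and every assertion nested under Advice and flags the symptom described above, an inner Reference whose DigestMethod fell back to SHA-1 and whose DigestValue and SignatureValue came back empty. The sample XML is constructed to mirror the AFTER output; the namespaces and algorithm URIs are the ones in the thread.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
WEAK_DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1"}   # what the inner Reference fell back to

def q(ns, local):
    return "{%s}%s" % (ns, local)      # ElementTree's Clark-notation tag

def check_assertion_signatures(xml_text):
    """Return problems found; an empty list means the outer assertion and every
    assertion nested under Advice still carry an intact enveloped signature."""
    problems = []
    for a in ET.fromstring(xml_text).iter(q(SAML1, "Assertion")):
        aid = a.get("AssertionID", "?")
        sig = a.find(q(DS, "Signature"))   # direct child only: the enveloped signature
        if sig is None:
            problems.append("%s: no enveloped signature" % aid)
            continue
        ref = sig.find(q(DS, "SignedInfo") + "/" + q(DS, "Reference"))
        if ref is None:
            problems.append("%s: SignedInfo has no Reference" % aid)
            continue
        if ref.get("URI") != "#" + aid:
            problems.append("%s: Reference URI %r is not this assertion" % (aid, ref.get("URI")))
        dm = ref.find(q(DS, "DigestMethod"))
        if dm is None or dm.get("Algorithm") in WEAK_DIGESTS:
            problems.append("%s: DigestMethod missing or weak" % aid)
        # The symptom in the thread: both values emptied after the outer signing
        for parent, local in ((ref, "DigestValue"), (sig, "SignatureValue")):
            el = parent.find(q(DS, local))
            if el is None or not (el.text or "").strip():
                problems.append("%s: %s is empty" % (aid, local))
    return problems

# Constructed sample shaped like the AFTER output: outer signature intact,
# the Advice assertion's signature stripped (sha1, empty digest and value).
SAMPLE = """<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" AssertionID="_outer">
  <saml1:Advice><saml1:Assertion AssertionID="_inner">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_inner">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue/></ds:Reference></ds:SignedInfo><ds:SignatureValue/></ds:Signature>
  </saml1:Assertion></saml1:Advice>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_outer">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
  </ds:Reference></ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
</saml1:Assertion>"""
```

This only checks that the signature elements are structurally intact; cryptographic verification of each signature against the issuer's certificate is still a separate step.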
-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Monday, October 06, 2014 5:37 AM
To: [email protected]
Subject: Re: Weird AssertionWrapper.signAssertion() problem
I added support in WSS4J for creating SAML Assertions with "Advice"
Elements - I can reproduce the issue you are seeing with the internal signature
stuff:
http://svn.apache.org/viewvc?view=revision&revision=r1629601
I recommend breaking it down into a test case that uses just the OpenSAML APIs +
send it to the OpenSAML dev list to see what they think. WSS4J is also using a
slightly older version of OpenSAML so there is a possibility that it is a bug
which has since been fixed.
Colm.
On Wed, Oct 1, 2014 at 2:18 PM, <[email protected]> wrote:
> In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1
> assertion, when the assertion contains another assertion in the Advice
> element. All SAML assertions are required to be signed by the issuer,
> including assertions embedded in the Advice element. But what is
> happening is that when I sign the "outer" assertion, the
> AssertionWrapper.signAssertion() method is stripping the digest and
> signature values from the "inner" assertion in the Advice element.
>
> The signature line looks like this:
> sa.signAssertion(issuerAlias, issuerPassword,
> issuerCrypto, false,
> "http://www.w3.org/2001/10/xml-exc-c14n#",
> signatureAlgorithm, digestAlgorithm);
>
> Here is what the assertion looks like immediately before and after
> this call, stripped down a bit for brevity. You can see in the second
> assertion that the signature on the inner Advice/Assertion has been
> changed - the digest method is changed, and the digest and signature
> values have been removed. What is causing this, and how can I prevent
> it? Any and all help would be appreciated, thanx!
>
> BEFORE:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
>                  IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS"
>                  MajorVersion="1" MinorVersion="1"
>                  xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
>                     NotOnOrAfter="2014-10-01T13:03:16.748Z">
>     ...
>   </saml1:Conditions>
>   <saml1:Advice>
>     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
>                      IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS"
>                      MajorVersion="1" MinorVersion="1"
>                      xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
>                         NotOnOrAfter="2014-10-01T13:03:16.748Z">
>         ...
>       </saml1:Conditions>
>       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
>                                      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>         <saml1:Subject>
>           ...
>         </saml1:Subject>
>       </saml1:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>...</ds:SignatureValue>
>         <ds:KeyInfo>
>           <ds:X509Data>
>             <ds:X509Certificate>...</ds:X509Certificate>
>           </ds:X509Data>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </saml1:Assertion>
>   </saml1:Advice>
>   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
>                                  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>     <saml1:Subject>
>       ...
>     </saml1:Subject>
>   </saml1:AuthenticationStatement>
> </saml1:Assertion>
>
> AFTER:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
>                  IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS"
>                  MajorVersion="1" MinorVersion="1"
>                  xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
>                     NotOnOrAfter="2014-10-01T13:03:16.748Z">
>     ...
>   </saml1:Conditions>
>   <saml1:Advice>
>     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
>                      IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS"
>                      MajorVersion="1" MinorVersion="1"
>                      xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
>                         NotOnOrAfter="2014-10-01T13:03:16.748Z">
>         ...
>       </saml1:Conditions>
>       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
>                                      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>         <saml1:Subject>
>           ...
>         </saml1:Subject>
>       </saml1:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue/>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue/>
>         <ds:KeyInfo>
>           <ds:X509Data>
>             <ds:X509Certificate>...</ds:X509Certificate>
>           </ds:X509Data>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </saml1:Assertion>
>   </saml1:Advice>
>   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
>                                  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>     <saml1:Subject>
>       ...
>     </saml1:Subject>
>   </saml1:AuthenticationStatement>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <ds:Reference URI="#_99B35E24E753D60162141216853759332">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>...</ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>...</ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
> </saml1:Assertion>
>
>
> Stephen W. Chappell
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com