Well, what I got back from the OpenSAML list is not helpful. This is what they 
had to say:

"it looks questionable to me that you're dropping the DOM at the end, because I 
don't recall the Java code ever having full round trip fidelity when the DOM 
isn't cached, particularly when signatures are involved"

But obviously, WSS4J relies on that behavior. And when I don’t release the DOM, 
then I have other issues downstream in another module 
("org.opensaml.xml.XMLRuntimeException: DOM Element node adoption failed" when 
I use WSSecSignatureSAML to build a message signature). 

So, there must be another answer, so I will keep looking. 

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Thursday, October 09, 2014 8:03 AM
To: [email protected]; [email protected]
Subject: RE: Weird AssertionWrapper.signAssertion() problem

Yeah, I was afraid of something like that. It's caused a few problems here and 
there elsewhere in my code as well. Back to the drawing board, I suppose...

Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Thursday, October 09, 2014 5:07 AM
To: [email protected]
Subject: Re: Weird AssertionWrapper.signAssertion() problem

Hi Stephen,

This change breaks some of the SAML tests in WSS4J, so I can't apply it.

Colm.

On Wed, Oct 8, 2014 at 2:21 PM, <[email protected]> wrote:

> Colm -
>
> It looks like I have a solution for this. I had extracted some code to 
> post to the OpenSAML list, and posted the problem over there. While 
> waiting for something to happen, I tried a few things with the 
> extracted code, mostly with no positive changes. But then I tried this 
> change, and now I think the output looks correct:
>
>     protected final void addSignatureToAssertion(
>         AssertionWrapper sa,
>         Signature signature,
>         String signatureDigestAlgorithm)
>     {
>         LOG.info("SIGTEST Replacement addSignatureToAssertion");
>         if ( sa.getXmlObject() instanceof SignableSAMLObject ) {
>             SignableSAMLObject signableObject = (SignableSAMLObject) sa.getXmlObject();
>             signableObject.setSignature(signature);
>
>             SAMLObjectContentReference contentRef =
>                 (SAMLObjectContentReference) signature.getContentReferences().get(0);
>             contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
>
>             // The two DOM-release calls from the WSS4J original, disabled here:
>             //signableObject.releaseChildrenDOM(true);
>             //signableObject.releaseDOM();
>         } else {
>             LOG.error("Attempt to sign an unsignable object "
>                 + sa.getXmlObject().getClass().getName());
>         }
>     }
>
> This is just the AssertionWrapper.setSignature() method extracted into 
> my local code base, with the releaseDOM lines commented out. I 
> expected this to fail miserably with various exceptions. But instead, 
> I got this (very trimmed) assertion back:
>
>     <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
>         AssertionID="_5FFEE2CBDBBCD91A5A141277359654832"
>         IssueInstant="2014-10-08T13:06:36.547Z" Issuer="SWIM-STS"
>         MajorVersion="1" MinorVersion="1">
>       <saml1:Conditions>...</saml1:Conditions>
>       <saml1:Advice>
>         <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
>             AssertionID="_5FFEE2CBDBBCD91A5A141277359605611"
>             IssueInstant="2014-10-08T13:06:36.055Z" Issuer="SWIM-STS"
>             MajorVersion="1" MinorVersion="1">
>           <saml1:Conditions>...</saml1:Conditions>
>           <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>               <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359605611">
>                 <ds:Transforms>
>                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 <ds:DigestValue>hHfSTh/rgdxN5iGLNfJYxjI9YPowXPQsJ1sl3IH520U=</ds:DigestValue>
>               </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue>...</ds:SignatureValue>
>             <ds:KeyInfo>...</ds:KeyInfo>
>           </ds:Signature>
>         </saml1:Assertion>
>       </saml1:Advice>
>       <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359654832">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>...</ds:SignatureValue>
>         <ds:KeyInfo>...</ds:KeyInfo>
>       </ds:Signature>
>     </saml1:Assertion>
>
> So I have not done enough analysis yet to figure out why this works or 
> what sort of unintended consequences it may have, but for the moment, 
> the output is more along the lines of what I expected.
>
> Thanx,
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Monday, October 06, 2014 5:37 AM
> To: [email protected]
> Subject: Re: Weird AssertionWrapper.signAssertion() problem
>
> I added support in WSS4J for creating SAML Assertions with "Advice"
> Elements - I can reproduce the issue you are seeing with the internal 
> signature stuff:
>
> http://svn.apache.org/viewvc?view=revision&revision=r1629601
>
> I recommend breaking it down into a testcase that uses just the 
> OpenSAML APIs + send it to the OpenSAML dev list to see what they 
> think. WSS4J is also using a slightly older version of OpenSAML so 
> there is a possibility that it is a bug which has since been fixed.
>
> Colm.
>
> On Wed, Oct 1, 2014 at 2:18 PM, <[email protected]> wrote:
>
> > In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1 
> > assertion, when the assertion contains another assertion in the 
> > Advice element. All SAML assertions are required to be signed by the 
> > issuer, including assertions embedded in the Advice element. But 
> > what is happening is that when I sign the "outer" assertion, the
> > AssertionWrapper.signAssertion() method is stripping the digest and 
> > signature values from the "inner" assertion in the Advice element.
> >
> > The signature line looks like this:
> >     sa.signAssertion(issuerAlias, issuerPassword, issuerCrypto, false,
> >         "http://www.w3.org/2001/10/xml-exc-c14n#",
> >         signatureAlgorithm, digestAlgorithm);
> >
> > Here is what the assertion looks like immediately before and after 
> > this call, stripped down a bit for brevity. You can see in the 
> > second assertion that the signature on the inner Advice/Assertion 
> > has been changed - the digest method is changed, and the digest and 
> > signature values have been removed. What is causing this, and how 
> > can I prevent it? Any and all help would be appreciated, thanx!
> >
> > BEFORE:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> >     IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
> >     MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> >       NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >     ...
> >   </saml1:Conditions>
> >   <saml1:Advice>
> >     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
> >         IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
> >         MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
> >           NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >         ...
> >       </saml1:Conditions>
> >       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
> >           AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >         <saml1:Subject>
> >           ...
> >         </saml1:Subject>
> >       </saml1:AuthenticationStatement>
> >       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <ds:SignedInfo>
> >           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >             <ds:Transforms>
> >               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >             </ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >             <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
> >           </ds:Reference>
> >         </ds:SignedInfo>
> >         <ds:SignatureValue>...</ds:SignatureValue>
> >         <ds:KeyInfo>
> >           <ds:X509Data>
> >             <ds:X509Certificate>...</ds:X509Certificate>
> >           </ds:X509Data>
> >         </ds:KeyInfo>
> >       </ds:Signature>
> >     </saml1:Assertion>
> >   </saml1:Advice>
> >   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
> >       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >     <saml1:Subject>
> >       ...
> >     </saml1:Subject>
> >   </saml1:AuthenticationStatement>
> > </saml1:Assertion>
> >
> > AFTER:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
> >     IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
> >     MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
> >       NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >     ...
> >   </saml1:Conditions>
> >   <saml1:Advice>
> >     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
> >         IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
> >         MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
> >           NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >         ...
> >       </saml1:Conditions>
> >       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
> >           AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >         <saml1:Subject>
> >           ...
> >         </saml1:Subject>
> >       </saml1:AuthenticationStatement>
> >       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <ds:SignedInfo>
> >           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >             <ds:Transforms>
> >               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >             </ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue/>
> >           </ds:Reference>
> >         </ds:SignedInfo>
> >         <ds:SignatureValue/>
> >         <ds:KeyInfo>
> >           <ds:X509Data>
> >             <ds:X509Certificate>...</ds:X509Certificate>
> >           </ds:X509Data>
> >         </ds:KeyInfo>
> >       </ds:Signature>
> >     </saml1:Assertion>
> >   </saml1:Advice>
> >   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
> >       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >     <saml1:Subject>
> >       ...
> >     </saml1:Subject>
> >   </saml1:AuthenticationStatement>
> >   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >     <ds:SignedInfo>
> >       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >       <ds:Reference URI="#_99B35E24E753D60162141216853759332">
> >         <ds:Transforms>
> >           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >         </ds:Transforms>
> >         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >         <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
> >       </ds:Reference>
> >     </ds:SignedInfo>
> >     <ds:SignatureValue>...</ds:SignatureValue>
> >     <ds:KeyInfo>
> >       <ds:X509Data>
> >         <ds:X509Certificate>...</ds:X509Certificate>
> >       </ds:X509Data>
> >     </ds:KeyInfo>
> >   </ds:Signature>
> > </saml1:Assertion>
> >
> >
> > Stephen W. Chappell
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
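
An added example for this thread, not code from the thread itself or from WSS4J, CXF or OpenSAML, and calling none of their APIs: a standalone Python check (standard library only) that walks every ds:Signature in a signed assertion, the ones nested under Advice included, and reports the exact symptom visible in the BEFORE/AFTER output above, namely an inner assertion whose DigestMethod has been switched to SHA-1 and whose DigestValue and SignatureValue have been emptied. The sample assertion it builds is constructed for the example, with placeholder AssertionIDs and base64 text; it performs no cryptographic verification. It is the kind of check worth running on the signer's output before the token leaves the STS, because the outer enveloped signature is computed over the whole outer assertion, clobbered inner signature included, so verifying the outer signature alone succeeds and only a consumer that separately validates the Advice assertion would notice.

```python
"""Post-signing sanity check for nested SAML 1.1 assertion signatures.

Added example for this thread; it is not code from WSS4J, CXF or OpenSAML
and calls none of their APIs. It parses the XML that a signing call produced
and flags an Advice/Assertion whose ds:Signature has been re-templated
(DigestMethod switched to SHA-1, DigestValue and SignatureValue emptied)
while the outer assertion was being signed. No cryptographic verification.
"""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def _q(ns, local):
    """Clark-notation tag name as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def check_signatures(xml_text, expected_digest=SHA256):
    """Inspect every ds:Signature in the document, nested ones included.

    Returns a list of (AssertionID, problem) tuples; an empty list means every
    signature still has the shape the signer was asked for.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once up front.
    parents = {child: parent for parent in root.iter() for child in parent}
    problems = []
    for sig in root.iter(_q(DS, "Signature")):
        assertion = parents.get(sig)
        if assertion is None or assertion.tag != _q(SAML1, "Assertion"):
            problems.append((None, "ds:Signature is not a child of saml1:Assertion"))
            continue
        aid = assertion.get("AssertionID")
        ref = sig.find("./%s/%s" % (_q(DS, "SignedInfo"), _q(DS, "Reference")))
        if ref is None:
            problems.append((aid, "no ds:Reference in SignedInfo"))
            continue
        # An enveloped signature must reference the element that encloses it.
        if ref.get("URI") != "#" + aid:
            problems.append((aid, "Reference URI %r does not point at enclosing assertion"
                             % ref.get("URI")))
        method = ref.find(_q(DS, "DigestMethod"))
        algorithm = method.get("Algorithm") if method is not None else None
        if algorithm != expected_digest:
            problems.append((aid, "DigestMethod is %s, expected %s" % (algorithm, expected_digest)))
        # An empty DigestValue or SignatureValue is the tell-tale of a signature
        # template whose values were never computed (or were thrown away).
        for holder, name in ((ref, "DigestValue"), (sig, "SignatureValue")):
            node = holder.find(_q(DS, name))
            if node is None or not (node.text or "").strip():
                problems.append((aid, "empty " + name))
    return problems


def _signature(uri, digest_alg, digest_value, sig_value):
    """Constructed ds:Signature fragment; the values are placeholders, not real."""
    return (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<ds:Reference URI="#%s"><ds:DigestMethod Algorithm="%s"/>'
        '<ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>'
    ) % (DS, uri, digest_alg, digest_value, sig_value)


def sample_assertion(inner_clobbered):
    """Constructed outer assertion carrying a signed assertion in Advice.

    inner_clobbered=False mirrors the BEFORE shape from the thread,
    inner_clobbered=True the AFTER shape. IDs and base64 text are made up.
    """
    inner_id, outer_id = "_inner1", "_outer1"
    if inner_clobbered:
        inner_sig = _signature(inner_id, SHA1, "", "")
    else:
        inner_sig = _signature(inner_id, SHA256, "aW5uZXJkaWdlc3Q=", "aW5uZXJzaWc=")
    outer_sig = _signature(outer_id, SHA256, "b3V0ZXJkaWdlc3Q=", "b3V0ZXJzaWc=")
    return (
        '<saml1:Assertion xmlns:saml1="%s" AssertionID="%s" MajorVersion="1" MinorVersion="1">'
        '<saml1:Advice><saml1:Assertion AssertionID="%s" MajorVersion="1" MinorVersion="1">'
        '%s</saml1:Assertion></saml1:Advice>%s</saml1:Assertion>'
    ) % (SAML1, outer_id, inner_id, inner_sig, outer_sig)


if __name__ == "__main__":
    for label, clobbered in (("BEFORE", False), ("AFTER", True)):
        print(label, check_signatures(sample_assertion(clobbered)) or "ok")
```

The check deliberately takes the digest algorithm you asked the signer for as a parameter rather than accepting whatever the document contains, since the AFTER output shows the algorithm itself being rewritten; feed it the real signed assertion as a string and treat any non-empty result as a reason not to issue the token.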
