Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.2.1
-
None
-
Unknown
Description
Flow is:
Set the STS Client for a SOAP-Context to request a Ws-Trust token for a already aquired SAML Assertion (ActsAs)
STSClient retrieves the WS-Trust token alright, then tries to - a presume - sign the SOAP-request to die actual Service.
This fails:
{{Caused by: java.lang.ClassCastException: javax.crypto.spec.SecretKeySpec cannot be cast to java.security.PrivateKey
at org.apache.xml.security.stax.impl.algorithms.PKISignatureAlgorithm.engineInitSign(PKISignatureAlgorithm.java:77)
at org.apache.xml.security.stax.impl.processor.output.AbstractSignatureEndingOutputProcessor.processHeaderEvent(AbstractSignatureEndingOutputProcessor.java:141)
at org.apache.wss4j.stax.impl.processor.output.WSSSignatureEndingOutputProcessor.processHeaderEvent(WSSSignatureEndingOutputProcessor.java:77)
at org.apache.xml.security.stax.ext.AbstractBufferingOutputProcessor.flushBufferAndCallbackAfterHeader(AbstractBufferingOutputProcessor.java:68)
at org.apache.wss4j.stax.impl.processor.output.WSSSignatureEndingOutputProcessor.flushBufferAndCallbackAfterHeader(WSSSignatureEndingOutputProcessor.java:284)
at org.apache.xml.security.stax.ext.AbstractBufferingOutputProcessor.doFinal(AbstractBufferingOutputProcessor.java:54)
at org.apache.xml.security.stax.impl.OutputProcessorChainImpl.doFinal(OutputProcessorChainImpl.java:225)
at org.apache.xml.security.stax.ext.AbstractOutputProcessor.doFinal(AbstractOutputProcessor.java:140)
at org.apache.xml.security.stax.impl.processor.output.AbstractSignatureOutputProcessor.doFinal(AbstractSignatureOutputProcessor.java:72)
at org.apache.xml.security.stax.impl.OutputProcessorChainImpl.doFinal(OutputProcessorChainImpl.java:225)
at org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.close(XMLSecurityStreamWriter.java:192)
at org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor$WSS4JStaxOutInterceptorInternal.handleMessageInternal(WSS4JStaxOutInterceptor.java:335)
at org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor$WSS4JStaxOutInterceptorInternal.handleMessage(WSS4JStaxOutInterceptor.java:321)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)
}}
The line in question does this:
{{ signature.initSign((PrivateKey) signingKey);}}
while signingKey always is set to a SecretKeySpec by cxf's {{AbstractSignatureEndingOutputProcessor, line 139
Key key = wrappingSecurityToken.getSecretKey(sigAlgorithm);}}
This is the WS-Trust token reply I recieve from the STS (Certificates are selfsigned, names and ruis are changed for this report):
{{
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<S:Header>
<Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:S="http://www.w3.org/2003/05/soap-envelope" S:mustUnderstand="true">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</Action>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:bfb37bd1-70a1-4c51-87d5-ea40f8162a0f</MessageID>
<RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:55c8fc93-73d7-46c7-adcb-1e2ca9f34e16</RelatesTo>
<To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
<wsse:Security S:mustUnderstand="true">
<wsu:Timestamp xmlns:ns15="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns14="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
<wsu:Created>2017-12-04T07:49:48Z</wsu:Created>
<wsu:Expires>2017-12-04T07:54:48Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</S:Header>
<S:Body>
<trust:RequestSecurityTokenResponseCollection xmlns:ns10="http://www.w3.org/2000/09/xmldsig#" xmlns:ns13="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" xmlns:ns9="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity" xmlns:sc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<trust:RequestSecurityTokenResponse>
<trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
<trust:RequestedSecurityToken>
<saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="nstsb73a0e5a-1ec3-451b-89e1-07fb99b755e0" IssueInstant="2017-12-04T07:49:48.802Z" Version="2.0">
<saml2:Issuer>NetIQ_STS</saml2:Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#nstsb73a0e5a-1ec3-451b-89e1-07fb99b755e0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>kJMGItWGRm7klCMcQS4VprJromA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>KMH1flkFYr/O5uUd/2AKzJ5iHeei5i1hBs+nbUFqmgRVPtW2OCxlrEq/qXBVhnS0mOIWdnJxE4q7
N9aKXl7nQUAxkraNVYGSO5gCmaHdVKW/7V9w9bJn6xiNHA8gtzaKGQ8oaw5YqzlT9XN2Kt1+yPOE
DYZTN0v6R0I3Cl1dFNXKX65A4pGdm32JXTS8XanvXfA2Fd0msh7NbAPLUDX4Noce7MOQRcKim67T
obH72x8NIu7pQfj+crjIsPswgpYa9Q3uDvSAJqEI/aATd6LVWwnDmutmWLrSHglh/pT6Eo2xXAaY
rtGxIj7RL5ccoTzUSM+z+mkZRAEX//CCfEViyQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIE/jCCA+agAwIBAgIUb2yiaoR9iovKmsL3z7Z7Yc2J5GQwDQYJKoZIhvcNAQELBQAwODEaMBgG
A1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExGjAYBgNVBAoUEXNfYXBsX3ZtXzAwMV90cmVlMB4XDTE3
MDcyNTEwMTEwMloXDTI3MDcyNTEwMTEwMlowIjEgMB4GA1UEAxMXcy1hcGwtdm0tMDAxLmNvcnBu
ZXQuYXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqsyg1WKCTR+QVoZthSnqjIblW
zd1Y5JMfI2hRoglgKn5odPuXvOtnbiqelKsmkyhgEXd83T0nHxNimONvT1Tp+/DE4egxSeBvuThM
Z+C2+6gUpVk4TTYA42LTDedFyz5Dz+38ksTq/lHsha7E+dUStpC8qsQRNVSY99+KzeaB4TZB1vQa
NX+/zYGEN62petbH31ByygowqrcPRVp2ciKIbUCKtvcNRo7CTd+dTBkApnB0l4Rjbnkt86HNlRkM
jXY0NWEsDhPTuGBOmAn4llCwP7rXyKuscDA9rSuXR4CsFATYtTXMqTYzPq8+FRF0hH4O8gEfhbko
MnfK6wxcNEHpAgMBAAGjggIUMIICEDAdBgNVHQ4EFgQUCsUhkj27mPP95ZSDKltZJ/NABjcwHwYD
VR0jBBgwFoAUyrEJpJ0Xd/FawGIUHtNYF2CrVTgwggHMBgtghkgBhvg3AQkEAQSCAbswggG3BAIB
AAEB/xMdTm92ZWxsIFNlY3VyaXR5IEF0dHJpYnV0ZSh0bSkWQ2h0dHA6Ly9kZXZlbG9wZXIubm92
ZWxsLmNvbS9yZXBvc2l0b3J5L2F0dHJpYnV0ZXMvY2VydGF0dHJzX3YxMC5odG0wggFIoBoBAQAw
CDAGAgEBAgFGMAgwBgIBAQIBCgIBaaEaAQEAMAgwBgIBAQIBADAIMAYCAQECAQACAQCiBgIBFwEB
/6OCAQSgWAIBAgICAP8CAQADDQCAAAAAAAAAAAAAAAADCQCAAAAAAAAAADAYMBACAQACCH//////
////AQEAAgQG8N9IMBgwEAIBAAIIf/////////8BAQACBAbw30ihWAIBAgICAP8CAQADDQBAAAAA
AAAAAAAAAAADCQBAAAAAAAAAADAYMBACAQACCH//////////AQEAAgQR/6pnMBgwEAIBAAIIf///
//////8BAQACBBH/qmeiTjBMAgECAgEAAgIA/wMNAIAAAAAAAAAAAAAAAAMJAIAAAAAAAAAAMBIw
EAIBAAIIf/////////8BAQAwEjAQAgEAAgh//////////wEBADANBgkqhkiG9w0BAQsFAAOCAQEA
Ub6eSzBaltUcb/KmF08me9lRQMefYUR5ILaGMdvulo9KPESP6/PqsRQLWFHjsi6I8HRL5KdFarv/
Niq1AJSSo+KOOKQSiwAMAo9F3jskGXCCmF5A3gBS+zu7FMt22D1l9bhtvjQoIXCpw7UXdeP/mUp9
j2MJPa2Lsp+O1r3q6kv1NAjLwcO8uZjfTs+UF1zWkdffsEsudfYXfZjWtJ+2UUJDZbYjf1x5NbY2
8Ml+Uq51salIXddFYarLRRGiQcUr/8Of1uXkQyS8kyrnO4B+sWYgLrN/6z9ySRukabqtU5VqjV/9
wvSJGKU2n0aSWynlR0ZqvSM6YbI0MXD4I+Gjxg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://CHANGED_FOR_BUGREPORT">CHANGED_FOR_BUGREPORT</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" ns6:type="saml2:KeyInfoConfirmationDataType">
<ds:KeyInfo>
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICVjCCAb8CCAogFwUjESABMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK
ExNTQVAgVHJ1c3QgQ29tbXVuaXR5MRMwEQYDVQQLEwpTQVAgV2ViIEFTMRQwEgYDVQQLEwtJMDAy
MDE2NzAwMzEYMBYGA1UEAwwPSTVTX1NTRkFfUzJTVlBFMB4XDTE3MDUyMzExMjAwMVoXDTM4MDEw
MTAwMDAwMVowcDELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxEzAR
BgNVBAsTClNBUCBXZWIgQVMxFDASBgNVBAsTC0kwMDIwMTY3MDAzMRgwFgYDVQQDDA9JNVNfU1NG
QV9TMlNWUEUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM+Jmzrrty94qySuDx0rP39i9FOo
L14KiKxqXER3dqBW0OhqqdOAutyvpZ9iqvJKn7LTIOUhDLe3LwwW2ZPv26albJXwzyEYrelFk/5S
foHbEbyVquYnTYFrp8SY7KLxFRyLIYWnuINCPrRg2bB8vGanpQOok3hSqacC9ylNECkxAgMBAAEw
DQYJKoZIhvcNAQELBQADgYEAl+YITTSNR0xq2Ca3z5ZRxKDcXC7sL5TikgNyW6gx8kFXQhl7tQHh
fSq7xBRj8Wia3CXR3/iOzfV92apI2AFjmkx8vTQFUsE6cO4qofneHKc2bdZ7sf8dsnAf6Egss24W
gUGkrsL4KNmq0Q4e6cI2EJwMs84VGp1pfD9PYZOpTm4=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>s5hm8saT/x2OS+hWg9AFp8AFKO0/jdnVslBqp27bPpViUHRPOvy7keQPb52W980NhFX3wHGmilmr
DAPgd0JIH9H8+4ryV038Uw6zwgL+iMQjoWcYiVXFIYUB2b30yjZLoUVO1B8AghbTfBSo6QMKbUET
5KC1TLAVOff1dML9KZY=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2017-12-04T07:49:48.802Z" NotOnOrAfter="2017-12-04T07:59:48.802Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://sapwsi5s.sap.wst:9042/sap/bc/srt/rfc/wsv/ca_saf_ping/010/wsv_ca_saf_ping/insurance</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:Advice/>
<saml2:AuthnStatement AuthnInstant="2017-12-04T07:49:48.802Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.0:am:password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute AttributeName="actor" AttributeNamespace="http://schemas.xmlsoap.com/ws/2009/09/identity/claims" Name="actor" NameFormat="http://schemas.xmlsoap.com/ws/2009/09/identity/claims">
<saml2:AttributeValue><Actor><saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.com/ws/2005/05/identity/claims" Name="name" NameFormat="http://schemas.xmlsoap.com/ws/2005/05/identity/claims"><saml2:AttributeValue>CHANGED_FOR_BUGREPORT</saml2:AttributeValue></saml2:Attribute></Actor></saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</trust:RequestedSecurityToken>
<trust:RequestedAttachedReference>
<wsse:SecurityTokenReference ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">nstsb73a0e5a-1ec3-451b-89e1-07fb99b755e0</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<wsse:SecurityTokenReference ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">nstsb73a0e5a-1ec3-451b-89e1-07fb99b755e0</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</trust:RequestedUnattachedReference>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>https://CHANGED FOR BUGREPORT</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:RequestedProofToken>
<trust:ComputedKey>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKey>
</trust:RequestedProofToken>
<trust:Entropy>
<trust:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">1Ba5e6QgRN251mMBwLTSoUqwbHrmGGL+VXremIGnwZM=</trust:BinarySecret>
</trust:Entropy>
<trust:Lifetime>
<wsu:Created>2017-12-04T07:52:04.948Z</wsu:Created>
<wsu:Expires>2017-12-04T08:02:04.948Z</wsu:Expires>
</trust:Lifetime>
<trust:KeySize>256</trust:KeySize>
</trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>
</S:Body>
</S:Envelope>}}