Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-394

WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo

    XMLWordPrintableJSON

Details

    Description

      We have a .NET client using a .NET STS for authentication and authorization to our java service. The .NET STS puts a SecurityTokenReference inside a KeyInfo element, with an X509Data inside the STR. This causes an exception to be thrown: General security error (SAML token security failure).

      From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo method, keyInfoElement.getFirstChild() returns the SecurityTokenReference element. Inside this element is the X509Data element, which should be handled correctly..

      From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1) standard:

      Section 7.1: “All compliant implementations MUST be able to process a <wsse:SecurityTokenReference> element. This element can also be used as a direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key information from a security token placed somewhere else. In particular, it is RECOMMENDED, when using XML Signature and XML Encryption, that a <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to reference the security token used for the signature or encryption.”

      From the Web Services Security X.509 Certificate Token Profile 1.1) standard:

      Section 3.2: “In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference> element SHALL be used to specify all references to X.509 token types in signature or encryption elements that comply with this profile.”

      Sample SAMLToken:

      <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-db75ab81-fbe4-455b-ad51-99ff091f3981" Issuer="sts" IssueInstant="2012-06-12T15:25:49.393Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2012-06-12T15:25:49.393Z" NotOnOrAfter="2012-06-13T01:25:49.393Z"></saml:Conditions>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2012-06-12T15:25:49.397Z">
      <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      </e:EncryptionMethod>
      <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
      </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
      <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
      </e:CipherData>
      </e:EncryptedKey>
      </KeyInfo>
      </saml:SubjectConfirmation>
      </saml:Subject>
      </saml:AuthenticationStatement>
      <saml:AttributeStatement>
      <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      </e:EncryptionMethod>
      <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
      </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
      <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
      </e:CipherData>
      </e:EncryptedKey>
      </KeyInfo>
      </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
      <saml:AttributeValue>User</saml:AttributeValue>
      </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AttributeStatement>
      <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      </e:EncryptionMethod>
      <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
      </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
      <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
      </e:CipherData>
      </e:EncryptedKey>
      </KeyInfo>
      </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>test@merge.com</saml:AttributeValue>
      </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AttributeStatement>
      <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      </e:EncryptionMethod>
      <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
      </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
      <e:CipherValue>LUoFbgeoVCjiW+xZxlOly2YtVbtK3a0ZDw0cpZAKyO9smgEcg5gf2bYzPurU6Khp3PHfKJJv0yIJP010v+qe80KTMOhxJ6EF8NKbg+rUXhKh1aFV1gDSECR6KiVoHmsfkzoJGvi2wG4QA6lyaUJ7FGFE/2udn/MOTocezqX2bpg=</e:CipherValue>
      </e:CipherData>
      </e:EncryptedKey>
      </KeyInfo>
      </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>55</saml:AttributeValue>
      </saml:Attribute>
      </saml:AttributeStatement>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
      <Reference URI="#SamlSecurityToken-db75ab81-fbe4-455b-ad51-99ff091f3981">
      <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>P0aIAqKPikgPXLn4TfcF1z5ZmZo=</DigestValue>
      </Reference>
      </SignedInfo>
      <SignatureValue>fGTlN2CXzqSsdLS8pH4r3gqmwGTo40uqSvnioMd6bl/PdgAgLw0OtirVZFofVEQWQXY1yuGjzOX0w7CeyfjprOHf/bLphoem1oyjJe+QDCtKA41faXhXbJOEtbksdxqui+qU+YwqStbJJmi/F9yijjuwnuwbDhI48SqcdmZcsY8=</SignatureValue>
      <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <X509Data>
      <X509IssuerSerial>
      <X509IssuerName>CN=SUNCA, OU=JWS, O=SUN, S=Some-State, C=AU</X509IssuerName>
      <X509SerialNumber>2</X509SerialNumber>
      </X509IssuerSerial>
      </X509Data>
      </o:SecurityTokenReference>
      </KeyInfo>
      </Signature>
      </saml:Assertion>

      Attachments

        Activity

          People

            coheigea Colm O hEigeartaigh
            dan.taylor Dan Taylor
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: