
List:       xmlrpc-dev
Subject:    [jira] [Closed] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a
From:       "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date:       2012-07-31 16:37:35
Message-ID: 465003772.122060.1343752655464.JavaMail.jiratomcat () issues-vm


     [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-393.
-----------------------------------

    
> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
> ----------------------------------------------------------------------------------
> 
> Key: WSS-393
> URL: https://issues.apache.org/jira/browse/WSS-393
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.6.6
> Environment: .NET client, .NET STS, Java service, Windows 7.0
> Reporter: Dan Taylor
> Assignee: Colm O hEigeartaigh
> Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
> Fix For: 1.6.7
> 
> 
> We have a .NET client using a .NET STS for authentication and authorization to our
> Java service. The .NET STS puts a SecurityTokenReference inside a KeyInfo element,
> with a KeyIdentifier inside the STR. This causes an exception to be thrown:
> General security error (SAML token security failure).
>
> From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo method,
> keyInfoElement.getFirstChild() returns the SecurityTokenReference element. Inside
> this element is the KeyIdentifier element, which isn't handled anywhere inside this
> method.
>
> From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1)
> standard, Section 7.1: "All compliant implementations MUST be able to process a
> <wsse:SecurityTokenReference> element. This element can also be used as a direct
> child element of <ds:KeyInfo> to indicate a hint to retrieve the key information
> from a security token placed somewhere else. In particular, it is RECOMMENDED, when
> using XML Signature and XML Encryption, that a <wsse:SecurityTokenReference>
> element be placed inside a <ds:KeyInfo> to reference the security token used for
> the signature or encryption."
>
> From the Web Services Security X.509 Certificate Token Profile 1.1 standard,
> Section 3.2: "In order to ensure a consistent processing model across all the
> token types supported by WSS: SOAP Message Security, the
> <wsse:SecurityTokenReference> element SHALL be used to specify all references to
> X.509 token types in signature or encryption elements that comply with this
> profile."
>
> Sample SAML token:
> <saml:Assertion MajorVersion="1" MinorVersion="1"
>     AssertionID="SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c" Issuer="sts"
>     IssueInstant="2012-06-13T18:08:07.710Z"
>     xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
>   <saml:Conditions NotBefore="2012-06-13T18:08:07.710Z" NotOnOrAfter="2012-06-14T04:08:07.710Z"></saml:Conditions>
>   <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
>       AuthenticationInstant="2012-06-13T18:08:07.713Z">
>     <saml:Subject>
>       <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
>       <saml:SubjectConfirmation>
>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>   </saml:AuthenticationStatement>
>   <saml:AttributeStatement>
>     <saml:Subject>
>       <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
>       <saml:SubjectConfirmation>
>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
>       <saml:AttributeValue>User</saml:AttributeValue>
>     </saml:Attribute>
>   </saml:AttributeStatement>
>   <saml:AttributeStatement>
>     <saml:Subject>
>       <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
>       <saml:SubjectConfirmation>
>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>       <saml:AttributeValue>test@merge.com</saml:AttributeValue>
>     </saml:Attribute>
>   </saml:AttributeStatement>
>   <saml:AttributeStatement>
>     <saml:Subject>
>       <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
>       <saml:SubjectConfirmation>
>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>       <saml:AttributeValue>55</saml:AttributeValue>
>     </saml:Attribute>
>   </saml:AttributeStatement>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>       <Reference URI="#SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c">
>         <Transforms>
>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>           <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
>         </Transforms>
>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>         <DigestValue>jzWAgfaALhUvXFSppZhviEw6cOs=</DigestValue>
>       </Reference>
>     </SignedInfo>
>     <SignatureValue>tUgZygu5219bov276dy9YgS3BSdpgT2vd03MD44Ckd1EWV2u5o0Z2weycrVBH/7rbJB9F18mBHRUv4nve/1E0GI3Hqn4Ios0fOcNI2qsP9ETdv2PLoQU8S2gyupMQ4IEKPFjqdyXQP2nJduWLBVQgOAJcP+PCDyH2gWrTb/YJ1I=</SignatureValue>
>     <KeyInfo>
>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
>       </o:SecurityTokenReference>
>     </KeyInfo>
>   </Signature>
> </saml:Assertion>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
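The report above describes a ds:KeyInfo whose only child is a wsse:SecurityTokenReference carrying a wsse:KeyIdentifier with the ThumbprintSHA1 ValueType, which WSS4J 1.6.6's SAMLUtil.getCredentialFromKeyInfo did not handle. The following stand-alone resolver is an added illustration of what handling that shape means on the consumer side; it is not WSS4J code and not the fix that shipped in 1.6.7. It uses only JDK classes, and the class and method names (StrKeyIdentifierResolver, resolve, firstChildElement, parse) are hypothetical. It assumes, per the X.509 Token Profile, that a ThumbprintSHA1 value is the base64-encoded SHA-1 digest of the certificate's DER encoding, and that the operator supplies a JKS trust store holding the STS certificate; the assertion file and trust store are inputs, not shipped with the example. Two details worth noting: a KeyIdentifier that matches no trusted certificate is rejected rather than silently yielding "no key", and child lookup walks sibling nodes because getFirstChild() on a pretty-printed document often returns a whitespace text node rather than the STR element.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Hypothetical stand-alone resolver (not WSS4J code): given a ds:KeyInfo that carries
// wsse:SecurityTokenReference/wsse:KeyIdentifier with the ThumbprintSHA1 ValueType,
// find the trusted X.509 certificate whose SHA-1 thumbprint matches.
public class StrKeyIdentifierResolver {
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String THUMBPRINT_SHA1 =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";

    /**
     * Returns the trusted certificate referenced by keyInfo, or null when keyInfo carries no
     * STR/KeyIdentifier at all (e.g. the outer KeyInfo that only wraps an EncryptedKey).
     * Throws when a KeyIdentifier is present but cannot be matched to a trusted certificate:
     * an unresolvable reference must fail closed, never fall through to "no key".
     */
    public static X509Certificate resolve(Element keyInfo, KeyStore trustStore) throws Exception {
        Element str = firstChildElement(keyInfo, WSSE_NS, "SecurityTokenReference");
        if (str == null) return null;
        Element keyId = firstChildElement(str, WSSE_NS, "KeyIdentifier");
        if (keyId == null) return null;

        String valueType = keyId.getAttribute("ValueType");
        if (!THUMBPRINT_SHA1.equals(valueType)) {
            throw new SecurityException("Unsupported KeyIdentifier ValueType: " + valueType);
        }
        // Assumption: ThumbprintSHA1 = base64(SHA-1(DER-encoded certificate)).
        byte[] wanted = Base64.getDecoder().decode(keyId.getTextContent().trim());
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            // Constant-time comparison; digest() resets the MessageDigest for the next cert.
            if (MessageDigest.isEqual(wanted, sha1.digest(c.getEncoded()))) {
                return (X509Certificate) c;
            }
        }
        throw new SecurityException("KeyIdentifier thumbprint matches no trusted certificate");
    }

    // Namespace-qualified child lookup: getFirstChild() may be a whitespace text node rather
    // than the STR element, so walk the siblings and test node type, namespace and local name.
    static Element firstChildElement(Element parent, String ns, String localName) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && ns.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    // Namespace-aware, hardened DOM parse: no DOCTYPE, no entity expansion, no XInclude.
    static Document parse(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(in);
    }

    // Usage: java StrKeyIdentifierResolver assertion.xml truststore.jks <password>
    // (assertion.xml holds a SAML assertion like the one in the report; truststore.jks
    // holds the STS certificate; both are assumed inputs supplied by the operator).
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: StrKeyIdentifierResolver <assertion.xml> <truststore.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        Document doc;
        try (InputStream in = new FileInputStream(args[0])) {
            doc = parse(in);
        }
        // Every ds:KeyInfo in the assertion: the EncryptedKey's inner KeyInfo and the
        // Signature's KeyInfo both carry the STR/KeyIdentifier shape from the report.
        NodeList keyInfos = doc.getElementsByTagNameNS(DS_NS, "KeyInfo");
        for (int i = 0; i < keyInfos.getLength(); i++) {
            X509Certificate cert = resolve((Element) keyInfos.item(i), ks);
            System.out.println("KeyInfo #" + i + ": "
                + (cert == null ? "no STR/KeyIdentifier" : "resolved " + cert.getSubjectX500Principal()));
        }
    }
}
```

Resolving the thumbprint only tells you which trusted certificate the token claims to be bound to; the signature over the assertion still has to be verified with that certificate's public key, and the enveloped-signature Reference URI checked against the AssertionID, before any claim in the token is relied on.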



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
