[prev in list] [next in list] [prev in thread] [next in thread]
List: xmlrpc-user
Subject: [jira] [Created] (WSS-497) Support for SAML 2.0 EncryptedAssertion Element
From: "M Kidd (JIRA)" <jira () apache ! org>
Date: 2014-04-22 14:54:20
Message-ID: JIRA.12709788.1398178383993.155056.1398178460391 () arcas
[Download RAW message or body]
M Kidd created WSS-497:
--------------------------
Summary: Support for SAML 2.0 EncryptedAssertion Element
Key: WSS-497
URL: https://issues.apache.org/jira/browse/WSS-497
Project: WSS4J
Issue Type: New Feature
Components: WSS4J Core
Affects Versions: 1.6.15
Environment: JBoss AS 7.1.3, JBoss EAP 6.1.0
Reporter: M Kidd
Assignee: Colm O hEigeartaigh
Fix For: 1.6.16
WSS4J cannot locate an Assertion via a SecurityTokenReference KeyIdentifier id when \
the Assertion is encrypted as an EncryptedAssertion element.
{quote}
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<Action xmlns="http://www.w3.org/2005/08/addressing">ActionXXXX</Action>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:f718f460-58a5-4aa5-a0ae-7e2a6d9dea8a</MessageID>
<To xmlns="http://www.w3.org/2005/08/addressing">https://xxxx:1234/catalog/xxxService-v1.0</To>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<wsse:Security soap:mustUnderstand="true" \
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" \
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Timestamp wsu:Id="TS-127">
<wsu:Created>2014-04-22T13:00:42.301Z</wsu:Created>
<wsu:Expires>2014-04-22T13:05:42.301Z</wsu:Expires>
</wsu:Timestamp>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" \
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod \
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> <KeyInfo \
xmlns="http://www.w3.org/2000/09/xmldsig#"> <e:EncryptedKey \
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod \
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference \
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<X509Data>
<X509IssuerSerial>
<X509IssuerName>.....</X509IssuerName>
<X509SerialNumber>12345678</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>***MASKED***</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>***MASKED***</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
<ds:Signature Id="SIG-128" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod \
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soap" \
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:CanonicalizationMethod>
<ds:SignatureMethod \
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> <ds:Reference \
URI="#TS-127"> <ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsse soap" \
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/wED0P+e1Hl79GX3yuHw/p/J2Vo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Wgp/uzeawdu8oh8bDObXIsXrTUw=</ds:SignatureValue>
<ds:KeyInfo Id="KI-1603634465EB6A36DC1398171642303115">
<SecurityTokenReference \
b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" \
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" \
xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<KeyIdentifier \
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_004e1ddf-d719-436b-bfb9-e833f482e4eb</KeyIdentifier>
</SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body>
</soap:Body>
</soap:Envelope>
{quote}
When the SecurityTokenReference is being parsed, it takes the KeyIdentifier value and \
looks for the associated Assertion id. If it cannot locate the Assertion, it \
currently falls back on invoking the CallbackHandler, seeking the SECRET_KEY.
At some point prior to that parsing, I believe it should decrypt EncryptedAssertion \
elements, using the loaded certificates from the configured keystore, so the existing \
Assertion search logic can locate these Assertions.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic