
List:       xmlrpc-user
Subject:    [jira] [Created] (WSS-497) Support for SAML 2.0 EncryptedAssertion Element
From:       "M Kidd (JIRA)" <jira () apache ! org>
Date:       2014-04-22 14:54:20
Message-ID: JIRA.12709788.1398178383993.155056.1398178460391 () arcas

M Kidd created WSS-497:
--------------------------

             Summary: Support for SAML 2.0 EncryptedAssertion Element
                 Key: WSS-497
                 URL: https://issues.apache.org/jira/browse/WSS-497
             Project: WSS4J
          Issue Type: New Feature
          Components: WSS4J Core
    Affects Versions: 1.6.15
         Environment: JBoss AS 7.1.3, JBoss EAP 6.1.0
            Reporter: M Kidd
            Assignee: Colm O hEigeartaigh
             Fix For: 1.6.16


WSS4J cannot locate an Assertion via a SecurityTokenReference KeyIdentifier id when the Assertion is encrypted as an EncryptedAssertion element.

{quote}
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing">ActionXXXX</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:f718f460-58a5-4aa5-a0ae-7e2a6d9dea8a</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing">https://xxxx:1234/catalog/xxxService-v1.0</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <wsse:Security soap:mustUnderstand="true"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Timestamp wsu:Id="TS-127">
        <wsu:Created>2014-04-22T13:00:42.301Z</wsu:Created>
        <wsu:Expires>2014-04-22T13:05:42.301Z</wsu:Expires>
      </wsu:Timestamp>
      <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
              <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              </e:EncryptionMethod>
              <KeyInfo>
                <o:SecurityTokenReference
                    xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <X509Data>
                    <X509IssuerSerial>
                      <X509IssuerName>.....</X509IssuerName>
                      <X509SerialNumber>12345678</X509SerialNumber>
                    </X509IssuerSerial>
                  </X509Data>
                </o:SecurityTokenReference>
              </KeyInfo>
              <e:CipherData>***MASKED***</e:CipherData>
            </e:EncryptedKey>
          </KeyInfo>
          <xenc:CipherData>***MASKED***</xenc:CipherData>
        </xenc:EncryptedData>
      </EncryptedAssertion>
      <ds:Signature Id="SIG-128" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#TS-127">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>/wED0P+e1Hl79GX3yuHw/p/J2Vo=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Wgp/uzeawdu8oh8bDObXIsXrTUw=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-1603634465EB6A36DC1398171642303115">
          <SecurityTokenReference
              b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
              xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
            <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_004e1ddf-d719-436b-bfb9-e833f482e4eb</KeyIdentifier>
          </SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
  </soap:Body>
</soap:Envelope>
{quote}

When the SecurityTokenReference is being parsed, it takes the KeyIdentifier value and looks for the associated Assertion id. If it cannot locate the Assertion, it currently falls back on invoking the CallbackHandler, seeking the SECRET_KEY.

At some point prior to that parsing, I believe it should decrypt EncryptedAssertion elements, using the loaded certificates from the configured keystore, so the existing Assertion search logic can locate these Assertions.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
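The processing-order problem described in the report, as an added example (not WSS4J code): assertions in the wsse:Security header are indexed by their SAML 2.0 ID attribute, then the Signature's SAMLID KeyIdentifier is resolved against that index. With the assertion present only as an EncryptedAssertion the lookup returns nothing; running a decrypt step first makes the same lookup succeed. The header text and the assertion ID are constructed from the report, and `fake_decrypt` is a labelled stand-in for real xenc decryption, which would need the recipient's private key.

```python
"""KeyIdentifier -> Assertion resolution with and without a prior decrypt step."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
ASSERTION_ID = "_004e1ddf-d719-436b-bfb9-e833f482e4eb"

# Constructed header with the same shape as the report; ciphertext replaced by a marker.
HEADER = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}">
 <EncryptedAssertion xmlns="{NS['saml2']}"><CipherMarker>blob</CipherMarker></EncryptedAssertion>
 <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo>
  <wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="{SAMLID}"
   >{ASSERTION_ID}</wsse:KeyIdentifier></wsse:SecurityTokenReference>
 </ds:KeyInfo></ds:Signature></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

def decrypt_assertions(security, decrypt):
    """Replace each EncryptedAssertion in place with the Assertion decrypt() yields."""
    for idx, child in enumerate(list(security)):
        if child.tag == f"{{{NS['saml2']}}}EncryptedAssertion":
            security.remove(child)
            security.insert(idx, decrypt(child))

def resolve_saml_key_identifier(envelope_xml, decrypt=None):
    """Return the ID of the Assertion the Signature's KeyIdentifier names, or None."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if decrypt is not None:            # the step the report asks WSS4J to add
        decrypt_assertions(security, decrypt)
    # SAML 2.0 assertions are keyed by their ID attribute (SAML 1.1 uses AssertionID).
    by_id = {a.get("ID"): a for a in security.findall("saml2:Assertion", NS)}
    kid = security.find(
        "ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != SAMLID:
        return None
    hit = by_id.get(kid.text.strip())
    return hit.get("ID") if hit is not None else None

def fake_decrypt(encrypted_assertion):
    """Stand-in for xenc decryption: returns a constructed plaintext Assertion."""
    return ET.fromstring(
        f'<Assertion xmlns="{NS["saml2"]}" Version="2.0" ID="{ASSERTION_ID}"/>')

if __name__ == "__main__":
    print("without decrypt:", resolve_saml_key_identifier(HEADER))                # None
    print("with decrypt:   ", resolve_saml_key_identifier(HEADER, fake_decrypt))  # the ID
```

In WSS4J terms the first call is the path that ends in the CallbackHandler fallback; the second is the behaviour the report requests.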


