WSS-497: Support for SAML 2.0 EncryptedAssertion Element


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.9, 1.6.13
    • Fix Version/s: 2.0.0, 1.6.16
    • Component/s: WSS4J Core
    • Environment: JBoss AS 7.1.3, JBoss EAP 6.1.0

    Description

      WSS4J cannot locate an Assertion via a SecurityTokenReference KeyIdentifier id when the Assertion is encrypted as an EncryptedAssertion element.

      <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
      <soap:Header>
      <Action xmlns="http://www.w3.org/2005/08/addressing">ActionXXXX</Action>
      <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:f718f460-58a5-4aa5-a0ae-7e2a6d9dea8a</MessageID>
      <To xmlns="http://www.w3.org/2005/08/addressing">https://xxxx:1234/catalog/xxxService-v1.0</To>
      <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
      </ReplyTo>
      <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Timestamp wsu:Id="TS-127">
      <wsu:Created>2014-04-22T13:00:42.301Z</wsu:Created>
      <wsu:Expires>2014-04-22T13:05:42.301Z</wsu:Expires>
      </wsu:Timestamp>
      <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </e:EncryptionMethod>
      <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <X509Data>
      <X509IssuerSerial>
      <X509IssuerName>.....</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
      </X509IssuerSerial>
      </X509Data>
      </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>**MASKED**</e:CipherData>
      </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData>**MASKED**</xenc:CipherData>
      </xenc:EncryptedData>
      </EncryptedAssertion>
      <ds:Signature Id="SIG-128" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
      <ds:Reference URI="#TS-127">
      <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces PrefixList="wsse soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>/wED0P+e1Hl79GX3yuHw/p/J2Vo=</ds:DigestValue>
      </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>Wgp/uzeawdu8oh8bDObXIsXrTUw=</ds:SignatureValue>
      <ds:KeyInfo Id="KI-1603634465EB6A36DC1398171642303115">
      <SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
      <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_004e1ddf-d719-436b-bfb9-e833f482e4eb</KeyIdentifier>
      </SecurityTokenReference>
      </ds:KeyInfo>
      </ds:Signature>
      </wsse:Security>
      </soap:Header>
      <soap:Body>
      </soap:Body>
      </soap:Envelope>

      When the SecurityTokenReference is being parsed, it takes the KeyIdentifier value and looks for the associated Assertion id. If it cannot locate the Assertion, it currently falls back on invoking the CallbackHandler, seeking the SECRET_KEY.

      At some point prior to that parsing, I believe it should decrypt EncryptedAssertion elements, using the loaded certificates from the configured keystore, so the existing Assertion search logic can locate these Assertions.

      Stack Trace:
      org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
      at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:127) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
      at org.apache.ws.security.str.SignatureSTRParser.parseSAMLKeyIdentifier(SignatureSTRParser.java:353) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
      at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
      at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:169) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
      at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277) [cxf-rt-ws-security-2.6.6-redhat-3.jar:2.6.6-redhat-3]
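As an added example of the decrypt-then-resolve step the description asks for (this is illustration code, not WSS4J's implementation or the reporter's code), the class below decrypts every saml2:EncryptedAssertion in a parsed SOAP message in place with the receiver's private key and then looks up a saml2:Assertion by the ID carried in a KeyIdentifier of ValueType ...#SAMLID. It uses Apache Santuario's XMLCipher, which WSS4J builds on; the keystore type, alias and passwords are placeholders chosen for the example, and the private key is assumed to be the one matching the X509IssuerSerial named inside the EncryptedKey.

```java
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.encryption.XMLCipher;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not WSS4J code): decrypt saml2:EncryptedAssertion elements in a
 * security header using the receiver's private key, so that a later lookup by
 * Assertion ID (the wsse:KeyIdentifier value) can find the plaintext Assertion.
 */
public final class EncryptedAssertionResolver {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";

    static {
        // Santuario must be initialised once before XMLCipher is used.
        org.apache.xml.security.Init.init();
    }

    private final PrivateKey decryptionKey;

    public EncryptedAssertionResolver(PrivateKey decryptionKey) {
        this.decryptionKey = decryptionKey;
    }

    /** Load the receiver's private key from a keystore (type, alias and passwords are example assumptions). */
    public static PrivateKey loadPrivateKey(InputStream keystoreStream, String type,
                                            char[] storePass, String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type); // e.g. "JKS" or "PKCS12"
        ks.load(keystoreStream, storePass);
        Key key = ks.getKey(alias, keyPass);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("alias " + alias + " does not hold a private key");
        }
        return (PrivateKey) key;
    }

    /** Parse with a namespace-aware builder hardened against DTDs and external entities. */
    public static Document parse(InputStream xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(xml);
    }

    /**
     * Decrypt each EncryptedAssertion/xenc:EncryptedData in place. With a null data key and a
     * KEK set, XMLCipher unwraps the EncryptedKey found in the KeyInfo and replaces the
     * EncryptedData element with the plaintext Assertion. Returns the number decrypted.
     */
    public int decryptEncryptedAssertions(Document doc) throws Exception {
        // Collect targets first: decryption mutates the tree, which would disturb a live NodeList.
        List<Element> targets = new ArrayList<>();
        NodeList encrypted = doc.getElementsByTagNameNS(SAML2_NS, "EncryptedAssertion");
        for (int i = 0; i < encrypted.getLength(); i++) {
            NodeList data = ((Element) encrypted.item(i)).getElementsByTagNameNS(XENC_NS, "EncryptedData");
            if (data.getLength() == 1) {
                targets.add((Element) data.item(0));
            }
        }
        int count = 0;
        for (Element encryptedData : targets) {
            XMLCipher cipher = XMLCipher.getInstance();
            cipher.init(XMLCipher.DECRYPT_MODE, null); // data key is recovered from the EncryptedKey
            cipher.setKEK(decryptionKey);
            cipher.doFinal(doc, encryptedData);
            count++;
        }
        return count;
    }

    /** Locate a saml2:Assertion by its ID attribute, as the KeyIdentifier lookup requires. */
    public static Element findAssertionById(Document doc, String id) {
        NodeList assertions = doc.getElementsByTagNameNS(SAML2_NS, "Assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            Element assertion = (Element) assertions.item(i);
            if (id.equals(assertion.getAttribute("ID"))) {
                return assertion;
            }
        }
        return null; // caller falls back or fails, as the page's SAMLUtil path does today
    }
}
```

Run `decryptEncryptedAssertions` on the parsed message before the SecurityTokenReference is parsed, then `findAssertionById` with the KeyIdentifier value; on the message above that turns the "SAML token security failure" into a successful lookup. Decryption only makes the Assertion readable: its own signature and subject confirmation still have to be verified before the key it carries is trusted for the HMAC Signature over the Timestamp, and a lookup miss should fail closed rather than silently take the CallbackHandler SECRET_KEY fallback.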

      People

        Assignee: coheigea (Colm O hEigeartaigh)
        Reporter: samhain (M Kidd)