Hi

It appears that a wrong DOM element was used to check the EncryptedKey element, which is actually a sibling of EncryptedData, not a child. I know Colm has very extensively tested it against various IDPs, but I believe none of them were encrypting the SAMLP responses.

I've committed a possible fix. Can you please retry the snapshot?

Cheers, Sergey

On 30/07/14 19:06, rathnapandi wrote:
Hi,

I am working on IDP-initiated single sign-on. While trying to decrypt the
encrypted SAML assertion, I am getting the following exception.

org.apache.wss4j.common.ext.WSSecurityException: SAML token security failure
        at org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator.decryptAssertion(SAMLProtocolResponseValidator.java:417)
        at org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator.validateSamlResponse(SAMLProtocolResponseValidator.java:121)
        at org.apache.cxf.rs.security.saml.sso.SAMLResponseValidatorTest.testSignedResponse(SAMLResponseValidatorTest.java:293)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
        at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
        at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
        at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
        at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
        at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
        at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
        at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
        at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)

SAML Request:


<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="e39bdc9e-6920-4894-9742-f56534aa870c"
        InResponseTo="http://cxf.apache.org/saml"
        IssueInstant="2014-07-30T00:12:08.486Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://cxf.apache.org/issuer</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#e39bdc9e-6920-4894-9742-f56534aa870c">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>1/IygBB7AS3HnpfezbRDVKV9rKo=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>fF42I5HivEoC435ItcmlYGOZcOGdS+EJGGwYLdm7osNVx8fpMAr7x4coH6P18xrnBG7VxShNUdRCAHfGbInBOcI3D5gyN3IRJZxgnJkJ0MKSrEDvKTm2d/YtBD34Wt8ov0TwYYmranknhutIjcTmPzqtAY2SRU4iIaS+1oh6Ans=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIICGjCCAYOgAwIBAgIESVRgATANBgkqhkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3Jn
MQwwCgYDVQQLEwNlbmcxDjAMBgNVBAMTBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAz
MTQwN1owMzETMBEGA1UEChMKYXBhY2hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQQDEwVhbGlj
ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCs
K8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJz
vo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYD
VR0SBBowGIIWTk9UX0ZPUl9QUk9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJ
KoZIhvcNAQEFBQADgYEAhLwkm+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9
h3s0nxQ2TewzeR/k7gmgV2sI483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEhJakFtKBP++EC9rNNpZ
nqqHxx3qb2tW25qRtBzDmK921gg9PMomMc7uqRQ=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                Id="_5db2d7b21d83fd63ffcec446a2d45e9f"
                Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
                        URI="#_fc396a1ca1321c7137314335ce6b32c3" />
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>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
S
IwyoVUqPDpoS+nyMrwCeklklNs0c1dFAc4ZUzwRs5oqLxuW3wh+wqIFCoy+bOONYNdvnBgLfjSqczEPXZ/oNDlfGN9gwEtqn/ZrXG2wjic4lyU6jZbHKTPgQzVVvH+TS2NuVSez0fLbs+8gEU6Oc7zWeSm+D/xPNkRDOwJJJ4db801V7K2cE3lCrUyYaUPnLyKqd5E9vJL7KENehLJTEOGkP1dINt1Zmm2b3HUYB4ckgprND8x23ugNz3MAbuDklUvvGwUPT/T8hJsO5PXLF8X6NssiHYa12sGWEdsAZHx1pHBiIFG0iTacnTmJ5nxZ4mT1YadBkWtf3eo2VoDI1USaM=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                Id="_fc396a1ca1321c7137314335ce6b32c3">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            </xenc:EncryptionMethod>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIICozCCAYsCBgFHeaCnQzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpBeHdheSBDU09TMB4X
DTE0MDcyNzIxMDEwMFoXDTE5MDcyNzIxMDEwMFowFTETMBEGA1UEAxMKQXh3YXkgQ1NPUzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANEA0LYHjry0wGwrWGCxtN5fMJMESjKe2fjdnPqN
oOFxTqtubtLNFjo+1FIM6+zrerB0QbKMN6YJfJ9rUvWSullbx8cpfiGqU9PYtl5NKuu8sSUN4W3E
5jSK5j1Wab/Z1oliX3Vt4P/6r33RtrPtk7kcJR3T/fafYKY1L7hrEEK3TXp7hIddf8oPjAYVzK9q
VYNvU2jjR16CNkGjLqxCnW1JZQ704yuO9BfhYP0Z4QDvHQb5hbWox70T6/MIrZn/IofmotuwDWeV
J5wWmPXEAcitA1hIw0VKj4qiVAHUmA8ae88jQcMD/I10hJg9Hs4EXZTDIwr7hyLLaL19BeuYlWMC
AwEAATANBgkqhkiG9w0BAQUFAAOCAQEAZHrHcTqRiJ/5k4NmrCD5HIed1mLwbUxO63CkM/PYQVTG
tDn4zD8IjfqhjLNud7g53HjqIdu2Qi86+0ZVncQdMfX9X8y3pz42vfpFStqNt8ExxDZXdKW747AX
GzgLLT02AulArd5wd3y3qFJGfVkqvrSvuAtC6lE+TezMZQIAh5Lxa9EugFrG0llZvVDNg20iOr7y
HpVGyI3P82+krv1LhqhKuTJoH0vLaAQQxGxBWLhpsefIEAEPepDbz/fW0fGoQYTMmnY2nVFd1N4T
oKAVYsvYK14fPtUgx+lUyJaMfMFXX6babq2wctv18WkAolymV22ToHnEC/QdI6sszFBh2g==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>eJ7Ro0S+tyKFPfhlhzarGWJTLDVt/mE/V9ooLwlX91BM2GOfL6P+6WaHijY/oXjwKXBHQ36jM+1wIwEo5FWSQTCVaU4vsxpkyzz2XkHO1uvUHSXQo/Z6LIcBh2OfNXCET1vu+B7XHRmEQIeDg6hI3kUJTcIJ+VDtYTdtzF/OJMMLeypCIvyt1b2Z5xHVxYbaItdqQbQ/nNgJdUcYvlNj3J6ZmVxIekVHKhUVe6PWK/79v0VdPi2VBQ1b5ukkDalsH64irOjcXfeZe6N4Sxgw84gbF6X9qGHt738Fu5i3lcL0fwEz8BpRrpX1eMMIVZFKukUuocw6X8f0NwPjF7O3Sw==</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
                <xenc:DataReference URI="#_5db2d7b21d83fd63ffcec446a2d45e9f" />
            </xenc:ReferenceList>
        </xenc:EncryptedKey>
    </saml2:EncryptedAssertion>
</saml2p:Response>

Am I missing anything?


CXF Version: 3.1.0-SNAPSHOT

Thanks
Rathnapandi



--
View this message in context: 
http://cxf.547215.n5.nabble.com/SAML2-0-Encrypted-assertion-is-not-working-tp5747089.html
Sent from the cxf-dev mailing list archive at Nabble.com.
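The layout Sergey describes is visible in the posted response: xenc:EncryptedData carries only a ds:RetrievalMethod in its ds:KeyInfo, and the xenc:EncryptedKey it points at sits next to EncryptedData under saml2:EncryptedAssertion rather than inside it. The following is an added example, written for this thread in Python rather than taken from CXF or WSS4J (which are Java), of how a resolver should locate the EncryptedKey for both layouts: inline under EncryptedData/KeyInfo, or a sibling reached through the RetrievalMethod same-document URI. It also shows the lookup that only searches below EncryptedData, which is the one that comes up empty on this response. The function and constant names, the restriction of the Id lookup to direct children of EncryptedAssertion, the demand for exactly one Id match, and the check that the EncryptedKey's ReferenceList points back at the EncryptedData are all my choices, not CXF behaviour. The two sample responses are constructed: they keep the element layout and the Ids from the posted message but drop the signature and replace the ciphertext with placeholders.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def encrypted_key_is_child_of_encrypted_data(encrypted_assertion):
    """The lookup that fails on the posted response: it expects the
    xenc:EncryptedKey somewhere underneath xenc:EncryptedData."""
    enc_data = encrypted_assertion.find(_q(XENC, "EncryptedData"))
    return enc_data is not None and enc_data.find(".//" + _q(XENC, "EncryptedKey")) is not None


def find_encrypted_key(encrypted_assertion):
    """Return the xenc:EncryptedKey that wraps the data key for the
    EncryptedData inside a saml2:EncryptedAssertion, or raise ValueError."""
    enc_data = encrypted_assertion.find(_q(XENC, "EncryptedData"))
    if enc_data is None:
        raise ValueError("EncryptedAssertion has no EncryptedData")
    key_info = enc_data.find(_q(DS, "KeyInfo"))
    if key_info is None:
        raise ValueError("EncryptedData has no KeyInfo")

    # Layout 1: the EncryptedKey is inlined under EncryptedData/KeyInfo.
    inline = key_info.find(_q(XENC, "EncryptedKey"))
    if inline is not None:
        return inline

    # Layout 2 (the posted response): KeyInfo only carries a RetrievalMethod
    # whose same-document URI names an EncryptedKey that is a *sibling* of
    # EncryptedData under EncryptedAssertion, not a child of it.
    rm = key_info.find(_q(DS, "RetrievalMethod"))
    if rm is None:
        raise ValueError("no inline EncryptedKey and no RetrievalMethod")
    if rm.get("Type") != XENC + "EncryptedKey":
        raise ValueError("RetrievalMethod Type is not xenc:EncryptedKey")
    uri = rm.get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError("RetrievalMethod URI must be a same-document reference")
    ref_id = uri[1:]

    # Assumed hardening (not CXF's code): resolve the Id only among direct
    # children of EncryptedAssertion and insist on exactly one match, so an
    # element elsewhere in the Response or a duplicated Id cannot satisfy it.
    matches = [e for e in encrypted_assertion.findall(_q(XENC, "EncryptedKey"))
               if e.get("Id") == ref_id]
    if len(matches) != 1:
        raise ValueError("expected one EncryptedKey with Id=%r, found %d" % (ref_id, len(matches)))
    enc_key = matches[0]

    # Assumed hardening: the EncryptedKey's ReferenceList must name this
    # EncryptedData, otherwise the wrapped key was not issued for it.
    data_id = enc_data.get("Id")
    back_refs = [d.get("URI") for d in enc_key.iter(_q(XENC, "DataReference"))]
    if data_id is None or ("#" + data_id) not in back_refs:
        raise ValueError("EncryptedKey does not reference EncryptedData Id=%r" % data_id)
    return enc_key


def encrypted_assertion_from(response_xml):
    root = ET.fromstring(response_xml)
    ea = root.find(_q(SAML2, "EncryptedAssertion"))
    if ea is None:
        raise ValueError("Response has no EncryptedAssertion")
    return ea


def encrypted_key_id(response_xml):
    """Id of the resolved EncryptedKey, or None when the response is rejected."""
    try:
        return find_encrypted_key(encrypted_assertion_from(response_xml)).get("Id")
    except ValueError:
        return None


# Constructed samples: same element layout and Ids as the posted response,
# signature omitted, ciphertext replaced by placeholders.
def _response(encrypted_assertion_body):
    return (f'<saml2p:Response xmlns:saml2p="{SAMLP}" Version="2.0">'
            f'<saml2:EncryptedAssertion xmlns:saml2="{SAML2}" xmlns:xenc="{XENC}" xmlns:ds="{DS}">'
            f'{encrypted_assertion_body}</saml2:EncryptedAssertion></saml2p:Response>')


CIPHER = "<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>"

# EncryptedKey as a sibling of EncryptedData, reached via RetrievalMethod.
SIBLING_LAYOUT = _response(
    f'<xenc:EncryptedData Id="_5db2d7b21d83fd63ffcec446a2d45e9f" Type="{XENC}Element">'
    f'<xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>'
    f'<ds:KeyInfo><ds:RetrievalMethod Type="{XENC}EncryptedKey" '
    f'URI="#_fc396a1ca1321c7137314335ce6b32c3"/></ds:KeyInfo>{CIPHER}</xenc:EncryptedData>'
    f'<xenc:EncryptedKey Id="_fc396a1ca1321c7137314335ce6b32c3">'
    f'<xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>{CIPHER}'
    f'<xenc:ReferenceList><xenc:DataReference URI="#_5db2d7b21d83fd63ffcec446a2d45e9f"/>'
    f'</xenc:ReferenceList></xenc:EncryptedKey>')

# EncryptedKey inlined under EncryptedData/KeyInfo (the other common layout).
INLINE_LAYOUT = _response(
    f'<xenc:EncryptedData Id="ed1" Type="{XENC}Element">'
    f'<xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>'
    f'<ds:KeyInfo><xenc:EncryptedKey Id="ek1">'
    f'<xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>{CIPHER}'
    f'</xenc:EncryptedKey></ds:KeyInfo>{CIPHER}</xenc:EncryptedData>')
```

On the sibling layout the child-only lookup returns False while find_encrypted_key resolves the Id from the post; on the inline layout both succeed. Editing the DataReference or RetrievalMethod URI in SIBLING_LAYOUT makes encrypted_key_id return None, which is the behaviour you want from a validator: a response whose key reference does not resolve cleanly is rejected rather than decrypted with whatever element happened to be found. The ReferenceList check is stricter than the XML Encryption schema requires (ReferenceList is optional there), so relax it if an IdP you must accept omits it. For real SAML input, parse with a hardened parser (for example defusedxml) instead of xml.etree directly.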


