Hello devs,

I sincerely hope you can help me. I'm working on an interop piece between 
.NET 3.5, ADFS2 and Rampart 1.4. I am using the holder-of-key confirmation 
method.

Rampart appears to process the SOAP request fine, including derived keys 
etc., but fails right towards the end of the processing chain with:

Caused by: org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
        at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:169)
        at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:73)
        at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:170)
        at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:74)

This occurs after Rampart has the clear text SAML assertion and is 
attempting to extract the X509 reference from the KeyInfo block of the 
SAML subject:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </e:EncryptionMethod>
        <KeyInfo>
            <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <X509Data>
                    <X509IssuerSerial>
                        <X509IssuerName>CN=Root Agency</X509IssuerName>
                        <X509SerialNumber>-147027885241304943914470421251724308948</X509SerialNumber>
                    </X509IssuerSerial>
                </X509Data>
            </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
            <e:CipherValue>VvKoOwBHAOE0zndb3bpJ7IWU3gDP/IQSSE/ms92eTZPIWrD5r7AnfJ6pwd/bB31Cb7gEtV5zt5YLLozStzCRw901GHZDzAYfinh8hzXML+vT05m6ALce7y/PEvIlPZl7IXH0UI1pU01DbEheFjSixX1xzmkLou/XStY5WONVhok=</e:CipherValue>
        </e:CipherData>
    </e:EncryptedKey>
</KeyInfo>

It appears that the KeyInfo constructor is not populating the X509Datas 
property correctly? This causes ki.containsX509Data() to return false 
and hence fail? This is from within the SAMLUtil class:

Element e = samlSubj.getKeyInfo();
X509Certificate[] certs = null;
try {
    KeyInfo ki = new KeyInfo(e, null);

    // Only ds:X509Data elements that are direct children of the subject's
    // KeyInfo are seen here; the X509Data nested under EncryptedKey above is not.
    if (ki.containsX509Data()) {
        X509Data data = ki.itemX509Data(0);
        XMLX509Certificate certElem = null;
        // Only an embedded ds:X509Certificate is handled, not X509IssuerSerial.
        if (data != null && data.containsCertificate()) {
            certElem = data.itemCertificate(0);
        }
        if (certElem != null) {
            X509Certificate cert = certElem.getX509Certificate();
            certs = new X509Certificate[1];
            certs[0] = cert;
            return new SAMLKeyInfo(assertion, certs);
        }
    }

Any help would be greatly appreciated!

Thanks,
Jason

___________________________________________________________
This e-mail may contain confidential and/or privileged information. If you are 
not the intended recipient (or have received this e-mail in error) please 
notify the sender immediately and delete this e-mail. Any unauthorised copying, 
disclosure or distribution of the material in this e-mail is prohibited.

Please refer to 
http://www.bnpparibas.co.uk/en/information/legal_information.asp?Code=ECAS-845C5H
  for additional disclosures.
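As an added illustration (not part of the original message, and not WSS4J or Rampart code), the following script walks the KeyInfo quoted above and applies the same two structural checks the SAMLUtil fragment applies: is there a ds:X509Data directly under the subject's KeyInfo, and does it carry an embedded ds:X509Certificate? For the ADFS KeyInfo the answer to the first question is already no, because the only X509Data sits three levels down inside xenc:EncryptedKey/ds:KeyInfo/wsse:SecurityTokenReference and carries an X509IssuerSerial rather than a certificate. A second, constructed KeyInfo shows the shape the fragment would accept. The function names and the placeholder certificate value are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# The subject KeyInfo from the message above (CipherValue shortened; the
# issuer/serial values are the ones quoted there).
KEYINFO_FROM_ADFS = f"""<KeyInfo xmlns="{DS}">
  <e:EncryptedKey xmlns:e="{XENC}">
    <e:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p">
      <DigestMethod Algorithm="{DS}sha1"/>
    </e:EncryptionMethod>
    <KeyInfo>
      <o:SecurityTokenReference xmlns:o="{WSSE}">
        <X509Data>
          <X509IssuerSerial>
            <X509IssuerName>CN=Root Agency</X509IssuerName>
            <X509SerialNumber>-147027885241304943914470421251724308948</X509SerialNumber>
          </X509IssuerSerial>
        </X509Data>
      </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData><e:CipherValue>VvKoOwBHAOE0zndb3bpJ7IWU3gDP...</e:CipherValue></e:CipherData>
  </e:EncryptedKey>
</KeyInfo>"""

# Constructed counter-example: the only shape the SAMLUtil fragment accepts,
# a certificate embedded directly under the subject's KeyInfo. The base64
# body is a placeholder, not a real certificate.
KEYINFO_WITH_CERT = f"""<KeyInfo xmlns="{DS}">
  <X509Data><X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data>
</KeyInfo>"""


def describe_keyinfo(xml_text):
    """Report what a subject ds:KeyInfo actually contains, at the depth
    at which each element sits, so a mismatch with the consumer's
    expectations is visible instead of surfacing as a generic failure."""
    ki = ET.fromstring(xml_text)
    if ki.tag != f"{{{DS}}}KeyInfo":
        raise ValueError(f"expected ds:KeyInfo, got {ki.tag}")

    # Direct children only, mirroring KeyInfo.containsX509Data() in the fragment.
    direct_x509 = ki.find(f"{{{DS}}}X509Data")
    direct_cert = (direct_x509 is not None
                   and direct_x509.find(f"{{{DS}}}X509Certificate") is not None)

    # Holder-of-key with an encrypted proof key: look inside xenc:EncryptedKey.
    enc_key = ki.find(f"{{{XENC}}}EncryptedKey")
    nested_issuer_serial = None
    if enc_key is not None:
        path = (f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference/"
                f"{{{DS}}}X509Data/{{{DS}}}X509IssuerSerial")
        iss = enc_key.find(path)
        if iss is not None:
            nested_issuer_serial = (
                (iss.findtext(f"{{{DS}}}X509IssuerName") or "").strip(),
                (iss.findtext(f"{{{DS}}}X509SerialNumber") or "").strip(),
            )

    return {
        "direct_x509data": direct_x509 is not None,
        "direct_certificate": direct_cert,
        "encrypted_key": enc_key is not None,
        "nested_issuer_serial": nested_issuer_serial,
    }


def samlutil_would_accept(xml_text):
    """True only when both checks from the quoted SAMLUtil fragment pass:
    containsX509Data() on the KeyInfo, then containsCertificate() on it."""
    d = describe_keyinfo(xml_text)
    return d["direct_x509data"] and d["direct_certificate"]


if __name__ == "__main__":
    for label, doc in (("ADFS KeyInfo", KEYINFO_FROM_ADFS),
                       ("embedded-cert KeyInfo", KEYINFO_WITH_CERT)):
        print(label, describe_keyinfo(doc), "accepted:", samlutil_would_accept(doc))
```

Running it prints that the ADFS KeyInfo has no direct X509Data and no certificate but does carry an EncryptedKey whose nested reference is `('CN=Root Agency', '-147027885241304943914470421251724308948')`, which is exactly the combination the fragment's first `if` rejects; the constructed KeyInfo with an embedded certificate is the only one it accepts.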