Hi Jason-

The backend processing of keyInfo is identical to the
org.apache.rahas.impl.util.SAML2Utils.java getSAML2KeyInfo() method
(I have a snippet here to illustrate acquisition of an X509Certificate from a
known keyInfoElement Element).
Note the delta is how Rampart acquires keyInfoElement, which originates from the
assertion as seen here:

// Types used below: org.opensaml.saml2.core (Subject, SubjectConfirmation,
// KeyInfoConfirmationDataType, AttributeStatement, AuthnStatement),
// org.opensaml.xml (XMLObject, io.Marshaller, io.MarshallerFactory),
// org.w3c.dom.Element, org.apache.ws.security.WSSecurityException,
// org.apache.xml.security.keys.KeyInfo, java.security.cert.X509Certificate.

// extract the subject
Subject samlSubject = assertion.getSubject();

// Use samlSubject to acquire the subject confirmation and its confirmation data;
// KeyInfoConfirmationDataType extends SubjectConfirmationData.
// (The snippet used subjectConf without declaring it; taking the first
// SubjectConfirmation of the subject is the assumed source.)
SubjectConfirmation subjectConf =
        (SubjectConfirmation) samlSubject.getSubjectConfirmations().get(0);
KeyInfoConfirmationDataType scData =
        (KeyInfoConfirmationDataType) subjectConf.getSubjectConfirmationData();

// Now use the confirmation data to acquire the SAML-specific XML
// representation of the keyInfo object (guard against a null or empty list)
XMLObject KIElem = scData.getKeyInfos() != null && !scData.getKeyInfos().isEmpty()
        ? (XMLObject) scData.getKeyInfos().get(0) : null;

Element keyInfoElement;
// Generate a DOM element from the XMLObject.
if (KIElem != null) {
    // Set the "javax.xml.parsers.DocumentBuilderFactory" system property to make
    // sure the endorsed JAXP implementation is picked over the default JAXP impl
    // shipped with the JDK.
    String jaxpProperty = System.getProperty("javax.xml.parsers.DocumentBuilderFactory");
    System.setProperty("javax.xml.parsers.DocumentBuilderFactory",
            "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl");
    try {
        MarshallerFactory marshallerFactory =
                org.opensaml.xml.Configuration.getMarshallerFactory();
        Marshaller marshaller = marshallerFactory.getMarshaller(KIElem);

        // now finally acquire the keyInfoElement
        keyInfoElement = marshaller.marshall(KIElem);
    } finally {
        // Reset the sys. property to its previous value, even if marshalling
        // threw (the original snippet did not reset on the exception path).
        if (jaxpProperty == null) {
            System.getProperties().remove("javax.xml.parsers.DocumentBuilderFactory");
        } else {
            System.setProperty("javax.xml.parsers.DocumentBuilderFactory", jaxpProperty);
        }
    }
} else {
    throw new WSSecurityException(WSSecurityException.FAILURE,
            "invalidSAML2Token", new Object[]{"for Signature (no key info element)"});
}

AttributeStatement attrStmt = assertion.getAttributeStatements().size() != 0
        ? (AttributeStatement) assertion.getAttributeStatements().get(0) : null;
AuthnStatement authnStmt = assertion.getAuthnStatements().size() != 0
        ? (AuthnStatement) assertion.getAuthnStatements().get(0) : null;

// symmetric key processing (bypassed in this testcase)
if (attrStmt != null) {
    .................
}
// asymmetric key processing
else if (authnStmt != null) {
    X509Certificate[] certs = null;
    try {
        KeyInfo ki = new KeyInfo(keyInfoElement, null);

Download Rampart and take a look at org.apache.rahas.impl.util.SAMLUtils

hth
Martin Gainty 

> To: [email protected]
> Subject: Rampart fails to extract KeyInfo from SAML assertion
> From: [email protected]
> Date: Thu, 22 Apr 2010 13:17:56 +0100
> 
> Hello devs,
> 
> I sincerely hope you can help me. I'm working on an interop piece between 
> .NET 3.5, ADFS2 and Rampart 1.4. I am using the holder-of-key confirmation 
> method.
> 
> Rampart appears to process the SOAP request fine, including derived keys 
> etc., but fails right towards the end of the processing chain with:
> 
> Caused by: org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
>         at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:169)
>         at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:73)
>         at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:170)
>         at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:74)
> 
> This occurs after Rampart has the clear text SAML assertion and is 
> attempting to extract the X509 reference from the KeyInfo block from the 
> saml subject:
> 
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>     <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>     </e:EncryptionMethod>
>     <KeyInfo>
>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <X509Data>
>           <X509IssuerSerial>
>             <X509IssuerName>CN=Root Agency</X509IssuerName>
>             <X509SerialNumber>-147027885241304943914470421251724308948</X509SerialNumber>
>           </X509IssuerSerial>
>         </X509Data>
>       </o:SecurityTokenReference>
>     </KeyInfo>
>     <e:CipherData>
>       <e:CipherValue>VvKoOwBHAOE0zndb3bpJ7IWU3gDP/IQSSE/ms92eTZPIWrD5r7AnfJ6pwd/bB31Cb7gEtV5zt5YLLozStzCRw901GHZDzAYfinh8hzXML+vT05m6ALce7y/PEvIlPZl7IXH0UI1pU01DbEheFjSixX1xzmkLou/XStY5WONVhok=</e:CipherValue>
>     </e:CipherData>
>   </e:EncryptedKey>
> </KeyInfo>
> 
> It appears that the KeyInfo constructor is not populating the X509Datas 
> property correctly? This causes the ki.containsX509Data() to return false 
> and hence fail? This from within the SAMLUtil class:
> 
>     Element e = samlSubj.getKeyInfo();
>     X509Certificate[] certs = null;
>     try {
>         KeyInfo ki = new KeyInfo(e, null);
> 
>         if (ki.containsX509Data()) {
>             X509Data data = ki.itemX509Data(0);
>             XMLX509Certificate certElem = null;
>             if (data != null && data.containsCertificate()) {
>                 certElem = data.itemCertificate(0);
>             }
>             if (certElem != null) {
>                 X509Certificate cert = certElem.getX509Certificate();
>                 certs = new X509Certificate[1];
>                 certs[0] = cert;
>                 return new SAMLKeyInfo(assertion, certs);
>             }
>         }
> 
> Any help would be greatly appreciated!
> 
> Thanks,
> Jason
> 
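As an added example (not code from this thread, from Rampart or from WS-Security), the following stand-alone Java program parses a constructed KeyInfo with the same shape as the one in Jason's message and shows why the lookup fails: the outer KeyInfo has no immediate ds:X509Data child, which is all that Santuario's containsX509Data() inspects, because the X509Data sits several levels down inside EncryptedKey/KeyInfo/SecurityTokenReference. The program then follows that nested path and reads the X509IssuerSerial reference. Issuer, serial and cipher value in the sample are placeholders, the helper names are mine, and the parser is configured with DOCTYPE and external entities disabled, since at this point the assertion is still untrusted input.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class KeyInfoShapeCheck {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample with the same element layout as the KeyInfo in the thread.
    // Issuer, serial and cipher value are placeholders, not real token data.
    static final String SAMPLE_KEYINFO =
        "<KeyInfo xmlns=\"" + DSIG_NS + "\">"
      + " <e:EncryptedKey xmlns:e=\"" + XENC_NS + "\">"
      + "  <e:EncryptionMethod Algorithm=\"" + XENC_NS + "rsa-oaep-mgf1p\">"
      + "   <DigestMethod Algorithm=\"" + DSIG_NS + "sha1\"/>"
      + "  </e:EncryptionMethod>"
      + "  <KeyInfo>"
      + "   <o:SecurityTokenReference xmlns:o=\"" + WSSE_NS + "\">"
      + "    <X509Data><X509IssuerSerial>"
      + "     <X509IssuerName>CN=Example Test CA</X509IssuerName>"
      + "     <X509SerialNumber>123456789</X509SerialNumber>"
      + "    </X509IssuerSerial></X509Data>"
      + "   </o:SecurityTokenReference>"
      + "  </KeyInfo>"
      + "  <e:CipherData><e:CipherValue>PLACEHOLDER</e:CipherValue></e:CipherData>"
      + " </e:EncryptedKey>"
      + "</KeyInfo>";

    /** Namespace-aware DOM parse, hardened for untrusted token XML. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // No DTDs and no external entities: a SAML token never needs them.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** First child element of parent with the given namespace and local name, or null. */
    static Element childElement(Element parent, String ns, String localName) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && ns.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    /** Same view as KeyInfo.containsX509Data(): only immediate ds:X509Data children count. */
    static boolean hasDirectX509Data(Element keyInfo) {
        return childElement(keyInfo, DSIG_NS, "X509Data") != null;
    }

    /** Follows EncryptedKey/KeyInfo/SecurityTokenReference/X509Data/X509IssuerSerial
     *  and returns "issuer | serial", or null when that path is absent. */
    static String encryptedKeyIssuerSerial(Element keyInfo) {
        Element cur = childElement(keyInfo, XENC_NS, "EncryptedKey");
        if (cur != null) cur = childElement(cur, DSIG_NS, "KeyInfo");
        if (cur != null) cur = childElement(cur, WSSE_NS, "SecurityTokenReference");
        if (cur != null) cur = childElement(cur, DSIG_NS, "X509Data");
        if (cur != null) cur = childElement(cur, DSIG_NS, "X509IssuerSerial");
        if (cur == null) return null;
        Element issuer = childElement(cur, DSIG_NS, "X509IssuerName");
        Element serial = childElement(cur, DSIG_NS, "X509SerialNumber");
        if (issuer == null || serial == null) return null;
        return issuer.getTextContent().trim() + " | " + serial.getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        Element keyInfo = parse(SAMPLE_KEYINFO).getDocumentElement();
        System.out.println("direct X509Data child: " + hasDirectX509Data(keyInfo));
        System.out.println("EncryptedKey reference: " + encryptedKeyIssuerSerial(keyInfo));
    }
}
```

Run against the sample, the direct check reports false while the nested walk yields the issuer and serial pair, which is exactly the mismatch behind the "SAML token security failure". Two points follow for whoever fixes the receiving side: an X509IssuerSerial only names a certificate, so the consumer has to resolve it against its own trust store rather than take a certificate from the token, and the EncryptedKey wrapper means the holder-of-key proof here is a wrapped symmetric key, not the bare X509 certificate that the asymmetric branch of the Rampart snippet expects.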
                                          