In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1 assertion, 
when the assertion contains another assertion in the Advice element. All SAML 
assertions are required to be signed by the issuer, including assertions 
embedded in the Advice element. But what is happening is that when I sign the 
"outer" assertion, the AssertionWrapper.signAssertion() method is stripping the 
digest and signature values from the "inner" assertion in the Advice element.

The signature line looks like this:
            sa.signAssertion(issuerAlias, issuerPassword, issuerCrypto, false,
                "http://www.w3.org/2001/10/xml-exc-c14n#", signatureAlgorithm,
                digestAlgorithm);

Here is what the assertion looks like immediately before and after this call, 
stripped down a bit for brevity. You can see in the second assertion that the 
signature on the inner Advice/Assertion has been changed - the digest method is 
changed, and the digest and signature values have been removed. What is causing 
this, and how can I prevent it? Any and all help would be appreciated, thanks!

BEFORE:

<saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
    IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
    MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
      NotOnOrAfter="2014-10-01T13:03:16.748Z">
    ...
  </saml1:Conditions>
  <saml1:Advice>
    <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
        IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
        MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
          NotOnOrAfter="2014-10-01T13:03:16.748Z">
        ...
      </saml1:Conditions>
      <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
        <saml1:Subject>
          ...
        </saml1:Subject>
      </saml1:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_99B35E24E753D60162141216853713111">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </saml1:Assertion>
  </saml1:Advice>
  <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
    <saml1:Subject>
      ...
    </saml1:Subject>
  </saml1:AuthenticationStatement>
</saml1:Assertion>

AFTER:

<saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
    IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
    MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
      NotOnOrAfter="2014-10-01T13:03:16.748Z">
    ...
  </saml1:Conditions>
  <saml1:Advice>
    <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
        IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
        MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
          NotOnOrAfter="2014-10-01T13:03:16.748Z">
        ...
      </saml1:Conditions>
      <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
        <saml1:Subject>
          ...
        </saml1:Subject>
      </saml1:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_99B35E24E753D60162141216853713111">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue/>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </saml1:Assertion>
  </saml1:Advice>
  <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
    <saml1:Subject>
      ...
    </saml1:Subject>
  </saml1:AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_99B35E24E753D60162141216853759332">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml1:Assertion>


Stephen W. Chappell

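An added sanity check, not part of Stephen's post and not code from CXF or WSS4J: it parses a SAML 1.1 assertion and reports every saml1:Assertion (the outer one and any nested under Advice) whose own ds:Signature is missing, references a different AssertionID, uses a digest algorithm other than the one expected, or has been emptied out, which is exactly what the AFTER dump shows for the inner assertion. The expected digest algorithm (SHA-256) is assumed from the signatures in the post; the sample documents are constructed here from the BEFORE/AFTER dumps with the elided parts dropped and placeholder base64 strings in place of the real digest and signature bytes.

```python
# Added example (not from the original post, CXF or WSS4J): pre-flight check that
# every assertion in a SAML 1.1 token, including those nested under saml1:Advice,
# carries a populated signature over its own AssertionID.
import xml.etree.ElementTree as ET  # parse untrusted tokens with defusedxml instead

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml1": SAML1, "ds": DS}
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"   # assumed STS digest algorithm
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def check_assertion_signatures(xml_text, expected_digest=SHA256):
    """Return {AssertionID: [problem, ...]} for every assertion whose signature is defective.

    An empty dict means every assertion in the document, outer and nested alike,
    has a Reference to its own ID, the expected DigestMethod, and non-empty
    DigestValue / SignatureValue. This is a structural check only; it does not
    verify the signatures cryptographically."""
    root = ET.fromstring(xml_text)
    findings = {}
    for assertion in root.iter(f"{{{SAML1}}}Assertion"):
        aid = assertion.get("AssertionID")
        problems = []
        # A one-step find() only matches direct children, so an inner assertion's
        # signature is never mistaken for the enclosing assertion's.
        sig = assertion.find("ds:Signature", NS)
        if sig is None:
            problems.append("missing ds:Signature")
        else:
            ref = sig.find("ds:SignedInfo/ds:Reference", NS)
            if ref is None or ref.get("URI") != f"#{aid}":
                problems.append("Reference URI does not point at this AssertionID")
            else:
                dm = ref.find("ds:DigestMethod", NS)
                alg = dm.get("Algorithm") if dm is not None else None
                if alg != expected_digest:
                    problems.append(f"unexpected DigestMethod {alg}")
                if not _text(ref.find("ds:DigestValue", NS)):
                    problems.append("empty DigestValue")
            if not _text(sig.find("ds:SignatureValue", NS)):
                problems.append("empty SignatureValue")
        if problems:
            findings[aid] = problems
    return findings


# --- constructed samples, cut down from the BEFORE/AFTER dumps in the post ---
OUTER_ID = "_99B35E24E753D60162141216853759332"
INNER_ID = "_99B35E24E753D60162141216853713111"


def _signature(aid, digest_alg, digest_value, sig_value):
    return f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#{aid}">
      <ds:DigestMethod Algorithm="{digest_alg}"/>
      <ds:DigestValue>{digest_value}</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>{sig_value}</ds:SignatureValue>
</ds:Signature>"""


def _assertion(aid, advice="", signature=""):
    return f"""<saml1:Assertion AssertionID="{aid}" Issuer="SWIM-STS" MajorVersion="1"
    MinorVersion="1" xmlns:saml1="{SAML1}">
  {advice}
  {signature}
</saml1:Assertion>"""


# placeholder base64 strings (constructed) stand in for real digest/signature bytes
INNER_INTACT = _assertion(
    INNER_ID, signature=_signature(INNER_ID, SHA256, "MUVFUWxz", "c2lnMQ=="))
INNER_STRIPPED = _assertion(
    INNER_ID, signature=_signature(INNER_ID, SHA1, "", ""))

# BEFORE: outer assertion not yet signed, inner Advice assertion intact
BEFORE = _assertion(OUTER_ID, advice=f"<saml1:Advice>{INNER_INTACT}</saml1:Advice>")
# AFTER: outer assertion signed, inner signature emptied and its digest downgraded to SHA-1
AFTER = _assertion(OUTER_ID, advice=f"<saml1:Advice>{INNER_STRIPPED}</saml1:Advice>",
                   signature=_signature(OUTER_ID, SHA256, "T25tTVlB", "c2lnMg=="))

if __name__ == "__main__":
    for label, doc in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, check_assertion_signatures(doc) or "all signatures populated")
```

Run on BEFORE it flags only the outer assertion as unsigned (expected, since it has not been signed yet); run on AFTER it flags only the inner assertion, with the SHA-1 downgrade and the two emptied values. The same check belongs on the relying-party side: the outer signature covers the bytes of the Advice assertion, but only the Advice assertion's own signature proves its issuer signed it, so a verifier that never validates the embedded assertion will happily accept one whose SignatureValue is empty.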