In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1 assertion, when the assertion contains another assertion in the Advice element. All SAML assertions are required to be signed by the issuer, including assertions embedded in the Advice element. But what is happening is that when I sign the "outer" assertion, the AssertionWrapper.signAssertion() method is stripping the digest and signature values from the "inner" assertion in the Advice element.
The signature line looks like this:

    sa.signAssertion(issuerAlias, issuerPassword, issuerCrypto, false, "http://www.w3.org/2001/10/xml-exc-c14n#", signatureAlgorithm, digestAlgorithm);

Here is what the assertion looks like immediately before and after this call, stripped down a bit for brevity. You can see in the second assertion that the signature on the inner Advice/Assertion has been changed - the digest method is changed, and the digest and signature values have been removed. What is causing this, and how can I prevent it? Any and all help would be appreciated, thanx!

BEFORE:

<saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332" IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
    ...
  </saml1:Conditions>
  <saml1:Advice>
    <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111" IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
        ...
      </saml1:Conditions>
      <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
        <saml1:Subject>
          ...
        </saml1:Subject>
      </saml1:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_99B35E24E753D60162141216853713111">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </saml1:Assertion>
  </saml1:Advice>
  <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
    <saml1:Subject>
      ...
    </saml1:Subject>
  </saml1:AuthenticationStatement>
</saml1:Assertion>

AFTER:

<saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332" IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
    ...
  </saml1:Conditions>
  <saml1:Advice>
    <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111" IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
        ...
      </saml1:Conditions>
      <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
        <saml1:Subject>
          ...
        </saml1:Subject>
      </saml1:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_99B35E24E753D60162141216853713111">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue/>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </saml1:Assertion>
  </saml1:Advice>
  <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
    <saml1:Subject>
      ...
    </saml1:Subject>
  </saml1:AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_99B35E24E753D60162141216853759332">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml1:Assertion>

Stephen W. Chappell
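The symptom described in the post (an inner Advice/Assertion whose ds:Signature comes back with an empty DigestValue, an empty SignatureValue and a different DigestMethod after the outer assertion is signed) is easy to miss by eye in a large assertion. The following is an added diagnostic, not part of the original post and not CXF or WSS4J code: it walks every ds:Signature in an assertion tree and reports whether each Reference still resolves to an AssertionID, still carries a digest and signature value, and still uses the digest algorithm the issuer intended. Run it on the serialized assertion before and after signAssertion() (for instance in the STS test suite) to catch a hollowed-out embedded signature before the token is issued. The sample assertions, their AssertionIDs and the base64 digest/signature placeholders are constructed for this example; the element layout follows the post's BEFORE/AFTER dumps.

```python
"""Audit every ds:Signature inside a SAML 1.1 assertion tree (added example)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def audit_signatures(xml_text, expected_digest=SHA256):
    """Return one report dict per ds:Signature found anywhere in the tree.

    The check is structural only: it does not verify the signature
    cryptographically, it reports whether the pieces a verifier needs are
    still present and consistent with what the issuer meant to produce.
    """
    root = ET.fromstring(xml_text)
    # Collect every AssertionID so a Reference URI ("#id") can be resolved.
    ids = {a.get("AssertionID") for a in root.iter(f"{{{SAML1}}}Assertion")}
    reports = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        uri = ref.get("URI", "") if ref is not None else ""
        digest_method = ref.find(f"{{{DS}}}DigestMethod") if ref is not None else None
        digest_value = ref.find(f"{{{DS}}}DigestValue") if ref is not None else None
        sig_value = sig.find(f"{{{DS}}}SignatureValue")
        report = {
            "uri": uri,
            "resolves": uri.startswith("#") and uri[1:] in ids,
            "digest_algorithm": digest_method.get("Algorithm") if digest_method is not None else None,
            # An element that exists but has no text (e.g. <ds:DigestValue/>) counts as missing.
            "has_digest": bool(digest_value is not None and (digest_value.text or "").strip()),
            "has_signature": bool(sig_value is not None and (sig_value.text or "").strip()),
        }
        report["digest_ok"] = report["digest_algorithm"] == expected_digest
        report["intact"] = (report["resolves"] and report["has_digest"]
                            and report["has_signature"] and report["digest_ok"])
        reports.append(report)
    return reports


def hollow_signatures(xml_text, expected_digest=SHA256):
    """Reference URIs of signatures that lost their digest, signature value or algorithm."""
    return [r["uri"] for r in audit_signatures(xml_text, expected_digest) if not r["intact"]]


# --- constructed sample data (hypothetical IDs and placeholder base64 values) ---

def _signature(ref_id, digest_alg, digest, sig):
    return f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#{ref_id}">
      <ds:DigestMethod Algorithm="{digest_alg}"/>
      <ds:DigestValue>{digest}</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>{sig}</ds:SignatureValue>
</ds:Signature>"""


def _assertion(assertion_id, advice_xml, signature_xml):
    return f"""<saml1:Assertion xmlns:saml1="{SAML1}" AssertionID="{assertion_id}" MajorVersion="1" MinorVersion="1">
  <saml1:Conditions/>
  {advice_xml}
  <saml1:AuthenticationStatement/>
  {signature_xml}
</saml1:Assertion>"""


INNER_ID = "_inner-constructed"
OUTER_ID = "_outer-constructed"

# Before signing the outer assertion: the inner one is intact (sha256, values present).
INNER_SIGNED = _assertion(INNER_ID, "", _signature(INNER_ID, SHA256, "aW5uZXIgZGlnZXN0", "aW5uZXIgc2ln"))
BEFORE_SIGNING = _assertion(OUTER_ID, f"<saml1:Advice>{INNER_SIGNED}</saml1:Advice>", "")

# After signing: outer signature added, inner one hollowed out as in the post.
INNER_HOLLOWED = _assertion(INNER_ID, "", _signature(INNER_ID, SHA1, "", ""))
AFTER_SIGNING = _assertion(OUTER_ID, f"<saml1:Advice>{INNER_HOLLOWED}</saml1:Advice>",
                           _signature(OUTER_ID, SHA256, "b3V0ZXIgZGlnZXN0", "b3V0ZXIgc2ln"))

if __name__ == "__main__":
    for label, doc in (("BEFORE", BEFORE_SIGNING), ("AFTER", AFTER_SIGNING)):
        print(label, "hollow signatures:", hollow_signatures(doc))
        for r in audit_signatures(doc):
            print("  ", r)
```

The audit intentionally stops at structure. A relying party still has to verify each embedded assertion's signature cryptographically and independently of the outer one; an outer signature that covers the Advice element does not vouch for the inner issuer, and an inner signature with empty values will simply fail verification downstream.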