I added support in WSS4J for creating SAML Assertions with "Advice" Elements - I can reproduce the issue you are seeing with the internal signature stuff:

http://svn.apache.org/viewvc?view=revision&revision=r1629601

I recommend breaking it down into a testcase that uses just the OpenSAML APIs + send it to the OpenSAML dev list to see what they think. WSS4J is also using a slightly older version of OpenSAML so there is a possibility that it is a bug which has since been fixed.

Colm.

On Wed, Oct 1, 2014 at 2:18 PM, <stephen.ctr.chapp...@faa.gov> wrote:

> In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1
> assertion, when the assertion contains another assertion in the Advice
> element. All SAML assertions are required to be signed by the issuer,
> including assertions embedded in the Advice element. But what is happening
> is that when I sign the "outer" assertion, the
> AssertionWrapper.signAssertion() method is stripping the digest and
> signature values from the "inner" assertion in the Advice element.
>
> The signature line looks like this:
>
>     sa.signAssertion(issuerAlias, issuerPassword, issuerCrypto, false,
>                      "http://www.w3.org/2001/10/xml-exc-c14n#",
>                      signatureAlgorithm, digestAlgorithm);
>
> Here is what the assertion looks like immediately before and after this
> call, stripped down a bit for brevity. You can see in the second assertion
> that the signature on the inner Advice/Assertion has been changed - the
> digest method is changed, and the digest and signature values have been
> removed. What is causing this, and how can I prevent it? Any and all help
> would be appreciated, thanks!
>
> BEFORE:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
>     IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
>     MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
>       NotOnOrAfter="2014-10-01T13:03:16.748Z">
>     ...
>   </saml1:Conditions>
>   <saml1:Advice>
>     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
>         IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
>         MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
>           NotOnOrAfter="2014-10-01T13:03:16.748Z">
>         ...
>       </saml1:Conditions>
>       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
>           AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>         <saml1:Subject>
>           ...
>         </saml1:Subject>
>       </saml1:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>...</ds:SignatureValue>
>         <ds:KeyInfo>
>           <ds:X509Data>
>             <ds:X509Certificate>...</ds:X509Certificate>
>           </ds:X509Data>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </saml1:Assertion>
>   </saml1:Advice>
>   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
>       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>     <saml1:Subject>
>       ...
>     </saml1:Subject>
>   </saml1:AuthenticationStatement>
> </saml1:Assertion>
>
> AFTER:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
>     IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
>     MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
>       NotOnOrAfter="2014-10-01T13:03:16.748Z">
>     ...
>   </saml1:Conditions>
>   <saml1:Advice>
>     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
>         IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
>         MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
>           NotOnOrAfter="2014-10-01T13:03:16.748Z">
>         ...
>       </saml1:Conditions>
>       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
>           AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>         <saml1:Subject>
>           ...
>         </saml1:Subject>
>       </saml1:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue/>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue/>
>         <ds:KeyInfo>
>           <ds:X509Data>
>             <ds:X509Certificate>...</ds:X509Certificate>
>           </ds:X509Data>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </saml1:Assertion>
>   </saml1:Advice>
>   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
>       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>     <saml1:Subject>
>       ...
>     </saml1:Subject>
>   </saml1:AuthenticationStatement>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <ds:Reference URI="#_99B35E24E753D60162141216853759332">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>...</ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>...</ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
> </saml1:Assertion>
>
>
> Stephen W. Chappell

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
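The symptom in the thread (an inner Advice/Assertion whose DigestValue and SignatureValue have been emptied and whose DigestMethod has silently changed) is easy to miss if only the outer signature is ever validated. The following is an added example, not CXF, WSS4J or OpenSAML code, written in stand-alone Python with the standard library rather than in Java so that it runs without the project's dependencies. It is a structural pre-flight check an STS could run before releasing a token (or a relying party before handing it to its XML-DSig verifier): it walks every saml1:Assertion in the document, nested ones included, and reports any assertion whose own enveloped signature is missing a value, references the wrong ID, lacks the enveloped-signature transform, or uses a digest algorithm outside an accepted set. It does not perform cryptographic verification; a real verifier still has to do that. The two sample tokens are constructed from the thread's BEFORE/AFTER listing, and the signature value in them is a placeholder, not a real signature.

```python
"""Structural check that every SAML 1.1 Assertion in a token, including
assertions nested in <saml1:Advice>, still carries a complete enveloped
XML Signature.  Added example; not WSS4J, CXF or OpenSAML code."""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
# Digest algorithms the check accepts; SHA-1 is deliberately not in the set.
ACCEPTED_DIGESTS = {SHA256, "http://www.w3.org/2001/04/xmlenc#sha512"}


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def check_assertion(assertion):
    """Problems found in one <saml1:Assertion>'s own enveloped Signature.

    Only direct ds:Signature children are examined, so the signature on a
    nested Advice/Assertion is never mistaken for the outer assertion's."""
    aid = assertion.get("AssertionID") or ""
    sigs = [c for c in assertion if c.tag == _q(DS, "Signature")]
    if len(sigs) != 1:
        return ["expected exactly one ds:Signature child, found %d" % len(sigs)]
    sig, problems = sigs[0], []
    if not (sig.findtext(_q(DS, "SignatureValue")) or "").strip():
        problems.append("empty SignatureValue")
    refs = sig.findall(_q(DS, "SignedInfo") + "/" + _q(DS, "Reference"))
    if len(refs) != 1:
        problems.append("expected exactly one Reference, found %d" % len(refs))
    for ref in refs:
        # An enveloped signature must reference the assertion it lives in.
        if ref.get("URI") != "#" + aid:
            problems.append("Reference URI %r does not point at this assertion"
                            % ref.get("URI"))
        transforms = {t.get("Algorithm") for t in ref.iter(_q(DS, "Transform"))}
        if ENVELOPED not in transforms:
            problems.append("missing enveloped-signature transform")
        dm = ref.find(_q(DS, "DigestMethod"))
        alg = dm.get("Algorithm") if dm is not None else None
        if alg not in ACCEPTED_DIGESTS:
            problems.append("unacceptable DigestMethod %r" % alg)
        if not (ref.findtext(_q(DS, "DigestValue")) or "").strip():
            problems.append("empty DigestValue")
    return problems


def check_document(xml_text):
    """Map AssertionID -> problem list for every assertion, nested ones included."""
    root = ET.fromstring(xml_text)
    return {a.get("AssertionID"): check_assertion(a)
            for a in root.iter(_q(SAML1, "Assertion"))}


def all_signatures_intact(xml_text):
    return not any(check_document(xml_text).values())


# --- constructed samples modelled on the thread's BEFORE/AFTER listing ---
OUTER_ID = "_99B35E24E753D60162141216853759332"
INNER_ID = "_99B35E24E753D60162141216853713111"
FAKE_SIG = "U0lHTkFUVVJFLVBMQUNFSE9MREVS"  # placeholder, not a real signature


def _signature(aid, digest_alg, digest_value, sig_value):
    return (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="%s"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<ds:Reference URI="#%s"><ds:Transforms>'
        '<ds:Transform Algorithm="%s"/><ds:Transform Algorithm="%s"/>'
        '</ds:Transforms><ds:DigestMethod Algorithm="%s"/>'
        '<ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>'
    ) % (DS, EXC_C14N, aid, ENVELOPED, EXC_C14N, digest_alg, digest_value, sig_value)


def _assertion(aid, signature, advice=None):
    advice_xml = "<saml1:Advice>%s</saml1:Advice>" % advice if advice else ""
    return (
        '<saml1:Assertion xmlns:saml1="%s" AssertionID="%s" Issuer="SWIM-STS" '
        'MajorVersion="1" MinorVersion="1">%s'
        '<saml1:AuthenticationStatement/>%s</saml1:Assertion>'
    ) % (SAML1, aid, advice_xml, signature)


OUTER_DIGEST = "OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI="
INNER_DIGEST = "1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs="
# Inner signature intact: what the thread's BEFORE state should look like
# once the outer assertion has been signed as well.
GOOD = _assertion(OUTER_ID, _signature(OUTER_ID, SHA256, OUTER_DIGEST, FAKE_SIG),
                  advice=_assertion(INNER_ID, _signature(INNER_ID, SHA256, INNER_DIGEST, FAKE_SIG)))
# Inner signature blanked and reset to SHA-1: the thread's AFTER state.
BAD = _assertion(OUTER_ID, _signature(OUTER_ID, SHA256, OUTER_DIGEST, FAKE_SIG),
                 advice=_assertion(INNER_ID, _signature(INNER_ID, SHA1, "", "")))

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_document(doc))
```

Running the check on the BAD sample reports nothing for the outer assertion and three problems for the inner one (empty SignatureValue, SHA-1 DigestMethod, empty DigestValue), which is exactly the state the thread describes; a gate that only looks at the outermost ds:Signature would have passed the token.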