Colm - It looks like I have a solution for this. I had extracted some code to post to the OpenSAML list, and posted the problem over there. While waiting for something to happen, I tried a few things with the extracted code, mostly with no positive changes. But then I tried this change, and now I think the output looks correct:
    protected final void addSignatureToAssertion(
            AssertionWrapper sa, Signature signature, String signatureDigestAlgorithm) {
        LOG.info("SIGTEST Replacement addSignatureToAssertion");
        if (sa.getXmlObject() instanceof SignableSAMLObject) {
            SignableSAMLObject signableObject = (SignableSAMLObject) sa.getXmlObject();
            signableObject.setSignature(signature);
            // the first content reference is the one pointing at the assertion itself
            SAMLObjectContentReference contentRef =
                (SAMLObjectContentReference) signature.getContentReferences().get(0);
            contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
            // the two releaseDOM calls from AssertionWrapper.setSignature(), left out here
            //signableObject.releaseChildrenDOM(true);
            //signableObject.releaseDOM();
        } else {
            LOG.error("Attempt to sign an unsignable object "
                + sa.getXmlObject().getClass().getName());
        }
    }

This is just the AssertionWrapper.setSignature() method extracted into my local code base, with the releaseDOM lines commented out. I expected this to fail miserably with various exceptions. But instead, I got this (very trimmed) assertion back:

    <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="_5FFEE2CBDBBCD91A5A141277359654832"
        IssueInstant="2014-10-08T13:06:36.547Z" Issuer="SWIM-STS"
        MajorVersion="1" MinorVersion="1">
      <saml1:Conditions>...</saml1:Conditions>
      <saml1:Advice>
        <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
            AssertionID="_5FFEE2CBDBBCD91A5A141277359605611"
            IssueInstant="2014-10-08T13:06:36.055Z" Issuer="SWIM-STS"
            MajorVersion="1" MinorVersion="1">
          <saml1:Conditions>...</saml1:Conditions>
          <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
              <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359605611">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>hHfSTh/rgdxN5iGLNfJYxjI9YPowXPQsJ1sl3IH520U=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>...</ds:SignatureValue>
            <ds:KeyInfo>...</ds:KeyInfo>
          </ds:Signature>
        </saml1:Assertion>
      </saml1:Advice>
      <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359654832">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>...</ds:KeyInfo>
      </ds:Signature>
    </saml1:Assertion>

So I have not done enough analysis yet to figure out why this works or what sort of unintended consequences it may have, but for the moment, the output is more along the lines of what I expected.

Thanx,
Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, October 06, 2014 5:37 AM
To: users@cxf.apache.org
Subject: Re: Weird AssertionWrapper.signAssertion() problem

I added support in WSS4J for creating SAML Assertions with "Advice" Elements - I can reproduce the issue you are seeing with the internal signature stuff:

http://svn.apache.org/viewvc?view=revision&revision=r1629601

I recommend breaking it down into a testcase that uses just the OpenSAML APIs + send it to the OpenSAML dev list to see what they think.
WSS4J is also using a slightly older version of OpenSAML so there is a possibility that it is a bug which has since been fixed.

Colm.

On Wed, Oct 1, 2014 at 2:18 PM, <stephen.ctr.chapp...@faa.gov> wrote:

> In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1
> assertion, when the assertion contains another assertion in the Advice
> element. All SAML assertions are required to be signed by the issuer,
> including assertions embedded in the Advice element. But what is
> happening is that when I sign the "outer" assertion, the
> AssertionWrapper.signAssertion() method is stripping the digest and
> signature values from the "inner" assertion in the Advice element.
>
> The signature line looks like this:
>
>     sa.signAssertion(issuerAlias, issuerPassword,
>                      issuerCrypto, false,
>                      "http://www.w3.org/2001/10/xml-exc-c14n#",
>                      signatureAlgorithm, digestAlgorithm);
>
> Here is what the assertion looks like immediately before and after
> this call, stripped down a bit for brevity. You can see in the second
> assertion that the signature on the inner Advice/Assertion has been
> changed - the digest method is changed, and the digest and signature
> values have been removed. What is causing this, and how can I prevent
> it? Any and all help would be appreciated, thanx!
>
> BEFORE:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
>     IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
>     MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
>       NotOnOrAfter="2014-10-01T13:03:16.748Z">
>     ...
>   </saml1:Conditions>
>   <saml1:Advice>
>     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
>         IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
>         MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
>           NotOnOrAfter="2014-10-01T13:03:16.748Z">
>         ...
>       </saml1:Conditions>
>       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
>           AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>         <saml1:Subject>
>           ...
>         </saml1:Subject>
>       </saml1:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>...</ds:SignatureValue>
>         <ds:KeyInfo>
>           <ds:X509Data>
>             <ds:X509Certificate>...</ds:X509Certificate>
>           </ds:X509Data>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </saml1:Assertion>
>   </saml1:Advice>
>   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
>       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>     <saml1:Subject>
>       ...
>     </saml1:Subject>
>   </saml1:AuthenticationStatement>
> </saml1:Assertion>
>
> AFTER:
>
> <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332"
>     IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1"
>     MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z"
>       NotOnOrAfter="2014-10-01T13:03:16.748Z">
>     ...
>   </saml1:Conditions>
>   <saml1:Advice>
>     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111"
>         IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1"
>         MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z"
>           NotOnOrAfter="2014-10-01T13:03:16.748Z">
>         ...
>       </saml1:Conditions>
>       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z"
>           AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>         <saml1:Subject>
>           ...
>         </saml1:Subject>
>       </saml1:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue/>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue/>
>         <ds:KeyInfo>
>           <ds:X509Data>
>             <ds:X509Certificate>...</ds:X509Certificate>
>           </ds:X509Data>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </saml1:Assertion>
>   </saml1:Advice>
>   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z"
>       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
>     <saml1:Subject>
>       ...
>     </saml1:Subject>
>   </saml1:AuthenticationStatement>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <ds:Reference URI="#_99B35E24E753D60162141216853759332">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>...</ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>...</ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
> </saml1:Assertion>
>
>
> Stephen W. Chappell

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
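The failure mode in this thread (the inner Advice/Assertion comes back with an empty DigestValue and SignatureValue and a DigestMethod silently changed to SHA-1) is easy to miss if the issuer only checks that signing did not throw. The following is an added example, not code from the thread, WSS4J or OpenSAML: a Python check that walks every ds:Signature in a serialized SAML 1.1 assertion, finds the enclosing Assertion, and reports empty digest or signature values, a Reference that does not point at that assertion, an unexpected digest algorithm, or an assertion that carries no signature at all. The sample documents are constructed and trimmed, modelled on the BEFORE/AFTER output above; the IDs and base64 values in them are placeholders.

```python
"""Sanity-check the signatures of a nested SAML 1.1 assertion after signing.

Added example for the mailing-list thread above; not WSS4J or OpenSAML code.
The sample documents are constructed (placeholder IDs and digest values).
"""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION = f"{{{SAML1}}}Assertion"
ACCEPTED_DIGESTS = {"http://www.w3.org/2001/04/xmlenc#sha256"}


def check_signatures(xml_text, accepted_digests=ACCEPTED_DIGESTS):
    """Return a list of (AssertionID, problem) findings; an empty list is a pass."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    signed_ids = set()

    for sig in root.iter(f"{{{DS}}}Signature"):
        # Walk up to the nearest enclosing Assertion; that is what an enveloped
        # signature on a SAML assertion must cover.
        node = parent.get(sig)
        while node is not None and node.tag != ASSERTION:
            node = parent.get(node)
        owner = node.get("AssertionID") if node is not None else "<none>"
        signed_ids.add(owner)

        ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if ref is None:
            findings.append((owner, "no Reference in SignedInfo"))
        else:
            if ref.get("URI") != "#" + owner:
                findings.append((owner, f"Reference URI {ref.get('URI')!r} "
                                        "does not point at enclosing assertion"))
            method = ref.find(f"{{{DS}}}DigestMethod")
            alg = method.get("Algorithm") if method is not None else None
            if alg not in accepted_digests:
                findings.append((owner, f"unexpected digest algorithm {alg}"))
            if not (ref.findtext(f"{{{DS}}}DigestValue") or "").strip():
                findings.append((owner, "empty DigestValue"))
        if not (sig.findtext(f"{{{DS}}}SignatureValue") or "").strip():
            findings.append((owner, "empty SignatureValue"))

    # Every assertion, including those nested in Advice, must carry a signature.
    for a in root.iter(ASSERTION):
        if a.get("AssertionID") not in signed_ids:
            findings.append((a.get("AssertionID"), "assertion is not signed"))
    return findings


def _assertion(aid, advice="", signed=True,
               digest_alg="http://www.w3.org/2001/04/xmlenc#sha256",
               digest_value="Y29uc3RydWN0ZWQtZGlnZXN0",      # constructed placeholder
               sig_value="Y29uc3RydWN0ZWQtc2lnbmF0dXJl"):    # constructed placeholder
    """Build a trimmed, constructed SAML 1.1 assertion for the checks above."""
    signature = f"""
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#{aid}">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>{digest_value}</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>{sig_value}</ds:SignatureValue>
  </ds:Signature>""" if signed else ""
    return (f'<saml1:Assertion xmlns:saml1="{SAML1}" AssertionID="{aid}" '
            f'Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1">\n'
            f'  <saml1:Conditions/>{advice}\n'
            f'  <saml1:AuthenticationStatement/>{signature}\n'
            f'</saml1:Assertion>')


def _advice(inner):
    return f"\n  <saml1:Advice>{inner}</saml1:Advice>"


# What a correct result looks like: inner and outer both signed with SHA-256.
GOOD_DOC = _assertion("_outer-constructed", _advice(_assertion("_inner-constructed")))

# What the thread's AFTER output looks like: the outer assertion is signed, but the
# inner one lost its digest and signature values and its DigestMethod became SHA-1.
STRIPPED_DOC = _assertion("_outer-constructed", _advice(_assertion(
    "_inner-constructed", digest_alg="http://www.w3.org/2000/09/xmldsig#sha1",
    digest_value="", sig_value="")))

# An Advice assertion that was never signed at all.
UNSIGNED_INNER_DOC = _assertion("_outer-constructed",
                                _advice(_assertion("_inner-constructed", signed=False)))

if __name__ == "__main__":
    for name, doc in [("good", GOOD_DOC), ("stripped", STRIPPED_DOC),
                      ("unsigned-inner", UNSIGNED_INNER_DOC)]:
        print(name, check_signatures(doc) or "OK")
```

Run against the real serialized output of `signAssertion()` this would have flagged the AFTER document in the original question on three counts for the inner assertion (SHA-1 digest method, empty DigestValue, empty SignatureValue) while passing the output Stephen obtained with the releaseDOM calls removed. The structural check is deliberately separate from cryptographic verification: a signature that verifies over an empty or downgraded reference is still the wrong signature, and the cheap structural pass catches that before any key material is involved.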