Hi Stephen,

This change breaks some of the SAML tests in WSS4J, so I can't apply it.

Colm.

On Wed, Oct 8, 2014 at 2:21 PM, <stephen.ctr.chapp...@faa.gov> wrote:
> Colm -
>
> It looks like I have a solution for this. I had extracted some code to post to the OpenSAML list, and posted the problem over there. While waiting for something to happen, I tried a few things with the extracted code, mostly with no positive changes. But then I tried this change, and now I think the output looks correct:
>
>     protected final void addSignatureToAssertion(
>             AssertionWrapper sa,
>             Signature signature,
>             String signatureDigestAlgorithm)
>     {
>         LOG.info("SIGTEST Replacement addSignatureToAssertion");
>         if (sa.getXmlObject() instanceof SignableSAMLObject) {
>             SignableSAMLObject signableObject = (SignableSAMLObject) sa.getXmlObject();
>             signableObject.setSignature(signature);
>
>             SAMLObjectContentReference contentRef =
>                 (SAMLObjectContentReference) signature.getContentReferences().get(0);
>             contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
>
>             //signableObject.releaseChildrenDOM(true);
>             //signableObject.releaseDOM();
>         } else {
>             LOG.error("Attempt to sign an unsignable object "
>                 + sa.getXmlObject().getClass().getName());
>         }
>     }
>
> This is just the AssertionWrapper.setSignature() method extracted into my local code base, with the releaseDOM lines commented out. I expected this to fail miserably with various exceptions. But instead, I got this (very trimmed) assertion back:
>
> <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_5FFEE2CBDBBCD91A5A141277359654832" IssueInstant="2014-10-08T13:06:36.547Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1">
>   <saml1:Conditions>...</saml1:Conditions>
>   <saml1:Advice>
>     <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_5FFEE2CBDBBCD91A5A141277359605611" IssueInstant="2014-10-08T13:06:36.055Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1">
>       <saml1:Conditions>...</saml1:Conditions>
>       <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>           <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359605611">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>hHfSTh/rgdxN5iGLNfJYxjI9YPowXPQsJ1sl3IH520U=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>...</ds:SignatureValue>
>         <ds:KeyInfo>...</ds:KeyInfo>
>       </ds:Signature>
>     </saml1:Assertion>
>   </saml1:Advice>
>   <saml1:AuthenticationStatement>...</saml1:AuthenticationStatement>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <ds:Reference URI="#_5FFEE2CBDBBCD91A5A141277359654832">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <ds:DigestValue>OoWn7FcGrYsFTCbO+DXVawtVcY9UhzqHvlEovFWds1U=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>...</ds:SignatureValue>
>     <ds:KeyInfo>...</ds:KeyInfo>
>   </ds:Signature>
> </saml1:Assertion>
>
> So I have not done enough analysis yet to figure out why this works or what sort of unintended consequences it may have, but for the moment, the output is more along the lines of what I expected.
>
> Thanx,
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, October 06, 2014 5:37 AM
> To: users@cxf.apache.org
> Subject: Re: Weird AssertionWrapper.signAssertion() problem
>
> I added support in WSS4J for creating SAML Assertions with "Advice" Elements - I can reproduce the issue you are seeing with the internal signature stuff:
>
> http://svn.apache.org/viewvc?view=revision&revision=r1629601
>
> I recommend breaking it down into a testcase that uses just the OpenSAML APIs + send it to the OpenSAML dev list to see what they think. WSS4J is also using a slightly older version of OpenSAML so there is a possibility that it is a bug which has since been fixed.
>
> Colm.
>
> On Wed, Oct 1, 2014 at 2:18 PM, <stephen.ctr.chapp...@faa.gov> wrote:
>
> > In CXF 2.7.12, I'm having a weird problem when signing a SAML 1.1 assertion, when the assertion contains another assertion in the Advice element. All SAML assertions are required to be signed by the issuer, including assertions embedded in the Advice element. But what is happening is that when I sign the "outer" assertion, the AssertionWrapper.signAssertion() method is stripping the digest and signature values from the "inner" assertion in the Advice element.
> >
> > The signature line looks like this:
> >
> >     sa.signAssertion(issuerAlias, issuerPassword, issuerCrypto, false,
> >                      "http://www.w3.org/2001/10/xml-exc-c14n#",
> >                      signatureAlgorithm, digestAlgorithm);
> >
> > Here is what the assertion looks like immediately before and after this call, stripped down a bit for brevity. You can see in the second assertion that the signature on the inner Advice/Assertion has been changed - the digest method is changed, and the digest and signature values have been removed. What is causing this, and how can I prevent it? Any and all help would be appreciated, thanx!
> >
> > BEFORE:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332" IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >     ...
> >   </saml1:Conditions>
> >   <saml1:Advice>
> >     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111" IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >         ...
> >       </saml1:Conditions>
> >       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >         <saml1:Subject>
> >           ...
> >         </saml1:Subject>
> >       </saml1:AuthenticationStatement>
> >       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <ds:SignedInfo>
> >           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >             <ds:Transforms>
> >               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >             </ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >             <ds:DigestValue>1EEQlsuneSKs81Hq+3lcqiKjOXMMNmbgVnZ0pFuIQOs=</ds:DigestValue>
> >           </ds:Reference>
> >         </ds:SignedInfo>
> >         <ds:SignatureValue>...</ds:SignatureValue>
> >         <ds:KeyInfo>
> >           <ds:X509Data>
> >             <ds:X509Certificate>...</ds:X509Certificate>
> >           </ds:X509Data>
> >         </ds:KeyInfo>
> >       </ds:Signature>
> >     </saml1:Assertion>
> >   </saml1:Advice>
> >   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >     <saml1:Subject>
> >       ...
> >     </saml1:Subject>
> >   </saml1:AuthenticationStatement>
> > </saml1:Assertion>
> >
> > AFTER:
> >
> > <saml1:Assertion AssertionID="_99B35E24E753D60162141216853759332" IssueInstant="2014-10-01T13:02:17.592Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >   <saml1:Conditions NotBefore="2014-10-01T13:02:17.585Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >     ...
> >   </saml1:Conditions>
> >   <saml1:Advice>
> >     <saml1:Assertion AssertionID="_99B35E24E753D60162141216853713111" IssueInstant="2014-10-01T13:02:17.130Z" Issuer="SWIM-STS" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> >       <saml1:Conditions NotBefore="2014-10-01T13:02:16.748Z" NotOnOrAfter="2014-10-01T13:03:16.748Z">
> >         ...
> >       </saml1:Conditions>
> >       <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:16.748Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >         <saml1:Subject>
> >           ...
> >         </saml1:Subject>
> >       </saml1:AuthenticationStatement>
> >       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <ds:SignedInfo>
> >           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >           <ds:Reference URI="#_99B35E24E753D60162141216853713111">
> >             <ds:Transforms>
> >               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >             </ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue/>
> >           </ds:Reference>
> >         </ds:SignedInfo>
> >         <ds:SignatureValue/>
> >         <ds:KeyInfo>
> >           <ds:X509Data>
> >             <ds:X509Certificate>...</ds:X509Certificate>
> >           </ds:X509Data>
> >         </ds:KeyInfo>
> >       </ds:Signature>
> >     </saml1:Assertion>
> >   </saml1:Advice>
> >   <saml1:AuthenticationStatement AuthenticationInstant="2014-10-01T13:02:17.585Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
> >     <saml1:Subject>
> >       ...
> >     </saml1:Subject>
> >   </saml1:AuthenticationStatement>
> >   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >     <ds:SignedInfo>
> >       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> >       <ds:Reference URI="#_99B35E24E753D60162141216853759332">
> >         <ds:Transforms>
> >           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >         </ds:Transforms>
> >         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> >         <ds:DigestValue>OnmMYA4JG7RZRa1+NdrGAcHt5K03l1ZLCufXdF+qXmI=</ds:DigestValue>
> >       </ds:Reference>
> >     </ds:SignedInfo>
> >     <ds:SignatureValue>...</ds:SignatureValue>
> >     <ds:KeyInfo>
> >       <ds:X509Data>
> >         <ds:X509Certificate>...</ds:X509Certificate>
> >       </ds:X509Data>
> >     </ds:KeyInfo>
> >   </ds:Signature>
> > </saml1:Assertion>
> >
> > Stephen W. Chappell
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
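The failure mode discussed in this thread is silent: signAssertion() returns normally, but the inner Advice assertion comes back with its DigestMethod reset and empty DigestValue/SignatureValue, so an issuer that does not look would hand out an assertion whose embedded signature can never verify. The following is an added example, not code from the thread, from WSS4J or from OpenSAML: a JDK-only (javax.xml / org.w3c.dom) post-signing check that walks every ds:Signature in the serialized assertion and reports what the AFTER output above shows being lost. The class and method names (NestedSignatureCheck, check, parse) are assumptions, and the embedded sample XML is constructed from the thread's AFTER output with the long values trimmed. It checks only structural integrity, not cryptographic validity; a real verification with the issuer's certificate still belongs in the receiving side.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical helper, not part of WSS4J/OpenSAML: sanity-check every
// ds:Signature (outer and nested) after AssertionWrapper.signAssertion().
public class NestedSignatureCheck {

    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    /** Returns the problems found; an empty list means every signature looks intact. */
    static List<String> check(Document doc, String expectedDigestMethod) {
        List<String> problems = new ArrayList<>();
        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Element sig = (Element) sigs.item(i);
            // An enveloped SAML signature is a direct child of the assertion it covers.
            Node parent = sig.getParentNode();
            String id = (parent instanceof Element)
                    ? ((Element) parent).getAttribute("AssertionID") : "";
            String where = "Signature over AssertionID=" + id;

            // Lookups below are scoped to this ds:Signature subtree, so the outer
            // signature's check never picks up the nested assertion's elements.
            if (firstText(sig, "SignatureValue").isEmpty()) {
                problems.add(where + ": empty SignatureValue");
            }
            if (firstText(sig, "DigestValue").isEmpty()) {
                problems.add(where + ": empty DigestValue");
            }
            Element digestMethod = first(sig, "DigestMethod");
            if (digestMethod == null
                    || !expectedDigestMethod.equals(digestMethod.getAttribute("Algorithm"))) {
                problems.add(where + ": DigestMethod is not " + expectedDigestMethod);
            }
            Element ref = first(sig, "Reference");
            if (ref == null || !("#" + id).equals(ref.getAttribute("URI"))) {
                problems.add(where + ": Reference URI does not point at the enclosing assertion");
            }
        }
        return problems;
    }

    static Element first(Element scope, String localName) {
        NodeList nl = scope.getElementsByTagNameNS(DS, localName);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }

    static String firstText(Element scope, String localName) {
        Element e = first(scope, localName);
        return e == null ? "" : e.getTextContent().trim();
    }

    /** Namespace-aware parse with DTD and entity processing disabled. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Constructed sample modelled on the thread's AFTER output: the inner
    // Advice assertion has a reset DigestMethod and emptied values, the outer one is fine.
    static final String AFTER =
        "<saml1:Assertion xmlns:saml1=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_OUTER\">"
      + " <saml1:Advice>"
      + "  <saml1:Assertion AssertionID=\"_INNER\">"
      + "   <ds:Signature xmlns:ds=\"" + DS + "\"><ds:SignedInfo>"
      + "    <ds:Reference URI=\"#_INNER\">"
      + "     <ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"
      + "     <ds:DigestValue/></ds:Reference></ds:SignedInfo>"
      + "    <ds:SignatureValue/></ds:Signature>"
      + "  </saml1:Assertion>"
      + " </saml1:Advice>"
      + " <ds:Signature xmlns:ds=\"" + DS + "\"><ds:SignedInfo>"
      + "  <ds:Reference URI=\"#_OUTER\">"
      + "   <ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>"
      + "   <ds:DigestValue>OnmMYA4JG7RZ...</ds:DigestValue></ds:Reference></ds:SignedInfo>"
      + "  <ds:SignatureValue>...</ds:SignatureValue></ds:Signature>"
      + "</saml1:Assertion>";

    public static void main(String[] args) throws Exception {
        List<String> problems = check(parse(AFTER), "http://www.w3.org/2001/04/xmlenc#sha256");
        for (String p : problems) {
            System.out.println("FAIL: " + p);
        }
        if (problems.isEmpty()) {
            System.out.println("all signatures intact");
        }
    }
}
```

Run against the constructed sample, check() reports three problems, all on the _INNER signature (empty SignatureValue, empty DigestValue, DigestMethod not sha256) and none on the _OUTER one, which is exactly the damage visible in the thread's BEFORE/AFTER comparison. Wired into a unit test right after signAssertion(), the same call turns this class of regression into a failing build instead of a silently unverifiable token.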