Ok,
In the request there is a x509 certification. After i copy it, and write
the BEGIN-END certification thing around it, the openssl can parse it,
and show it as an certification. So there is a valid x509 certification
inside the <KeyInfo> element inside the <X509Data> element
(inside the <X509Certificate> element)
Can the KeyName and KeyValue does the mess?
Thanx
Csaba
On 2020-05-14 13:39, Colm O hEigeartaigh wrote:
Well getCerts() returns null as there is no certificate in the Assertion
KeyInfo, only a public key. getPublicKey() should not return null though.
Bear in mind that this public key must be contained in the local trust
store (embedded in a certificate), or signature verification will fail.
Colm.
On Thu, May 14, 2020 at 12:19 PM Tóth Csaba <[email protected]> wrote:
Hello!
Sorry, maybe I was wrong: It is processed, without any error, (I dotn
have stack trace), but
inside the
org.apache.cxf.ws.security.trust.STSSamlAssertionValidator.verifySignedAssertion
after the assertion.getSignatureKeyInfo().getCerts() I excepted an
X509Certificate[] (array, at least an empty one), but I get null.
So I think something is not processed well.
Thanx
Csaba
On 2020-05-14 13:12, Colm O hEigeartaigh wrote:
I imagine the problem is with the KeyValue, and not with the signature
algorithm. Why you say it can't process the SAML, what is the stacktrace
you are seeing?
Colm.
On Thu, May 14, 2020 at 12:05 PM Tóth Csaba <[email protected]> wrote:
Hello!
I have a system, what accept the request only with SAML token.
Its worked until the last request.
until now the SAML in the request:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI=" ... ">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
<ec:InclusiveNamespaces
PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue> ... </ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue> ... </ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data> ...
but the last request contain different structure:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#
">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI=" ... ">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue> ... </DigestValue>
</Reference>
</SignedInfo>
<SignatureValue> .... </SignatureValue>
<KeyInfo>
<KeyName> ... </KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>
...
</Modulus>
<Exponent>
...
</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
I noticed two difference between the two request:
1 - one signed with rsa-sha1 the second with rsa-sha256
2 - the second contain <KeyName> and <keyvalue>
At the validation proccess, inside the
org.apache.cxf.ws.security.trust.STSSamlAssertionValidator.verifySignedAssertion:
the SamlAssertionWrapper assertion has SAMLKeyInfo
(assertion.getSignatureKeyInfo() ) but the inside SAMLKeyInfo the
X509Certificate array is null
(not empty, simple null). I looking for the solution: why cant process
the SAML?
Thanx
Csaba
