12 Replies. Latest reply: May 19, 2010 3:27 PM by Vivek Biswas

    Need an Holder-Of-Key Subject Confirmation

    Vivek Biswas Newbie

      Hi,

        By default, PicketLink does SubjectConfirmation using urn:oasis:names:tc:SAML:2.0:cm:bearer. I need to implement Holder-Of-Key Subject Confirmation, wherein I need to pass my own KeyInfo element. Can you help me with 2 things?

      A. How to configure PicketLink STS for Holder-of-Key Subject Confirmation.

      B. How can I pass my own KeyInfo element, which will get set at saml2:Subject\saml2:SubjectConfirmation\keyInfo?

      Thanks

      Vivek Biswas

        • 1. Re: Need an Holder-Of-Key Subject Confirmation
          Stefan Guilhen Apprentice

          Hi Vivek,

          A. You don't have to do anything at all. If the request contains a key type, then the STS is automatically going to generate a proof-of-possession token that will be included in your SubjectConfirmation and the SAML assertion will use the holder-of-key confirmation method.

          B. It depends. What kind of info is that? Symmetric or Public (aka certificate)?

          Stefan

          • 2. Re: Need an Holder-Of-Key Subject Confirmation
            Vivek Biswas Newbie

            Great, thanks Stefan for answering question A.

            Regarding Question B: the info is a Public Key Certificate.

            -Vivek Biswas

            • 3. Re: Need an Holder-Of-Key Subject Confirmation
              Vivek Biswas Newbie

              And by passing UseKey with the public certificate and setting the KeyType to "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey", I got holder-of-key working. Thanks Stefan once again.

              -Vivek Biswas

              • 4. Re: Need an Holder-Of-Key Subject Confirmation
                Stefan Guilhen Apprentice

                Hi Vivek,

                It's great to learn that it worked for you. I just realized I need to include a test case with Public Key Certificates. I'll add a doc later to show how to get an assertion with holder-of-key confirmation.

                Just out of curiosity, did you put the whole certificate in the UseKey element or just the Public Key? I think it is possible to do both and I may need to improve the request handler a little bit to be more friendly when a public key is supplied.

                Cheers,

                Stefan

                • 5. Re: Need an Holder-Of-Key Subject Confirmation
                  Vivek Biswas Newbie

                  Hi Stefan,

                  Here is a code snippet that will help you jumpstart writing your unit test case.

                  // JDK imports used by the snippet
                  import java.io.FileInputStream;
                  import java.io.InputStream;
                  import java.net.URI;
                  import java.security.cert.CertificateFactory;
                  import java.security.cert.X509Certificate;
                  // PicketLink classes (package names assumed for the PicketLink version of this thread; adjust to yours)
                  import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
                  import org.picketlink.identity.federation.ws.trust.UseKeyType;

                  // 'request' is the WS-Trust RequestSecurityToken built earlier (not shown)

                  // Setting the Key Type: ask the STS for an assertion bound to a public key
                  URI uri = new URI(WSTrustConstants.KEY_TYPE_PUBLIC);
                  request.setKeyType(uri);

                  // Setting the public certificate: load the X.509 certificate used as the proof-of-possession token
                  InputStream inStream = new FileInputStream("my_public_cert.cer");
                  CertificateFactory cf = CertificateFactory.getInstance("X.509");
                  X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
                  inStream.close();

                  // Wrap the DER-encoded certificate in an xmldsig X509Certificate element and put it in UseKey
                  org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory factory =
                        new org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory();
                  UseKeyType useKeyType = new UseKeyType();
                  useKeyType.setAny(factory.createX509DataTypeX509Certificate(cert.getEncoded()));
                  request.setUseKey(useKeyType);

                  Here is the output:

                     <ns4:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</ns4:KeyType>
                     <ns4:UseKey>
                        <ns6:X509Certificate xmlns:ns6="http://www.w3.org/2000/09/xmldsig#">.........MIII1MjE0MDM2ChMKQdggEiMA0GCSqcXmP</ns6:X509Certificate>
                     </ns4:UseKey>

                  This X509 certificate then gets set in the Subject/SubjectConfirmationData:

                     <SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'>
                        <SubjectConfirmationData xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:type='KeyInfoConfirmationDataType'>
                           <ns3:KeyInfo>
                              <ns6:X509Certificate xmlns:ns6='http://www.w3.org/2000/09/xmldsig#'>.......MIII1MjE0MDM2ChMKQdggEiMA0GCSqcXmP........</ns6:X509Certificate>
                           </ns3:KeyInfo>
                        </SubjectConfirmationData>
                     </SubjectConfirmation>

                  This is exactly what I wanted. And I believe your request handler is perfect to do the requisite work.

                  Cheers

                  Vivek

                  • 6. Re: Need an Holder-Of-Key Subject Confirmation
                    Stefan Guilhen Apprentice

                    Hi Vivek,

                    thanks for the test code. I'll update the STS testsuite to include it.

                    Regarding the certificate, I tried to make the request handler as flexible as possible so that any kind of content could be provided in the UseKey element. However, I was taking a look at the xmldsig schema and it looks like we are missing an X509Data element between KeyInfo and the X509Certificate. So perhaps instead of

                    <ns3:KeyInfo>
                       <ns3:X509Certificate ...>.....</ns3:X509Certificate>
                    </ns3:KeyInfo>

                    we should have

                    <ns3:KeyInfo>
                       <ns3:X509Data>
                          <ns3:X509Certificate ...>...</ns3:X509Certificate>
                       </ns3:X509Data>
                    </ns3:KeyInfo>

                    So maybe I should check the content of UseKey and if an X509Certificate is found, create an X509Data to hold it before inserting it into the KeyInfo.

                    Stefan

                    • 7. Re: Need an Holder-Of-Key Subject Confirmation
                      Vivek Biswas Newbie

                      Hi Stefan,

                      Good catch. We absolutely need the element <ns3:X509Data> after <ns3:KeyInfo>.

                      Is there any ETA on when we can get this fixed, so that I can align this with my project plan?

                      Cheers

                      Vivek Biswas


                      • 8. Re: Need an Holder-Of-Key Subject Confirmation
                        Stefan Guilhen Apprentice

                        Hi Vivek,

                        I'll fix this and include a test case showing how to use a certificate and a public key as proof-of-possession tokens. I think we can release PicketLink CR4 next week, but once I fix this issue I can attach a snapshot jar in this thread so you can test and use it until we perform the release.

                        Cheers,

                        Stefan

                        • 9. Re: Need an Holder-Of-Key Subject Confirmation
                          Vivek Biswas Newbie

                          Hi Stefan,

                          Perfect. Works for me.

                          Cheers

                          Vivek

                          • 11. Re: Need an Holder-Of-Key Subject Confirmation
                            Stefan Guilhen Apprentice

                            Hi Vivek,

                            I've fixed this issue and now certificates are inserted in an X509Data element inside the KeyInfo. I'm attaching the current picketlink-fed.jar snapshot so you can try it.

                            Just a side note: when adding your certificate to the UseKey section of the WS-Trust request you should first encode it using Base64 encoding. According to the XMLDSig specification, the contents of the X509Certificate element should be represented using Base64 encoding. We have an org.picketlink.identity.federation.core.util.Base64 class that you can use to achieve that:

                            import java.security.cert.Certificate;
                            import javax.xml.bind.JAXBElement;
                            import org.picketlink.identity.federation.core.util.Base64;
                            import org.picketlink.identity.federation.ws.trust.UseKeyType; // package name assumed; adjust to your version

                            // create a X509Certificate element with the Base64-encoded certificate.
                            Certificate certificate = ....;
                            byte[] base64EncodedCert = Base64.encodeBytes(certificate.getEncoded()).getBytes();
                            JAXBElement<byte[]> certElement = new org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory()
                                        .createX509DataTypeX509Certificate(base64EncodedCert);

                            // insert the encoded certificate into the UseKey element and set UseKey in the request.
                            UseKeyType useKey = new UseKeyType();
                            useKey.setAny(certElement);
                            request.setUseKey(useKey);

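The relying party's side of this exchange, as an added example that is not PicketLink code and not from this thread: a check that a received assertion really uses holder-of-key confirmation, that the certificate sits at the xmldsig-conformant path Stefan describes (KeyInfo/X509Data/X509Certificate), and that it matches, byte for byte, the certificate the presenter actually proved possession of. The namespace constants, the sample Subject builder and the stand-in certificate bytes are constructed here for the example.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces from the assertion fragment shown earlier in this thread
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def confirming_cert_der(subject_xml: str) -> bytes:
    """DER bytes of the certificate in a holder-of-key SubjectConfirmation.
    Accepts only the xmldsig-conformant KeyInfo/X509Data/X509Certificate
    path; raises ValueError for bearer assertions or a malformed KeyInfo."""
    root = ET.fromstring(subject_xml)  # assumes a saml:Subject root element
    sc = root.find(f".//{{{SAML}}}SubjectConfirmation")
    if sc is None:
        raise ValueError("no SubjectConfirmation element")
    if sc.get("Method") != HOK:
        raise ValueError("not holder-of-key: " + str(sc.get("Method")))
    path = (f"{{{SAML}}}SubjectConfirmationData/{{{DSIG}}}KeyInfo/"
            f"{{{DSIG}}}X509Data/{{{DSIG}}}X509Certificate")
    cert_el = sc.find(path)
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError("KeyInfo/X509Data/X509Certificate missing")
    # XMLDSig carries the certificate Base64-encoded; whitespace is allowed
    return base64.b64decode("".join(cert_el.text.split()), validate=True)

def presenter_matches(subject_xml: str, presenter_der: bytes) -> bool:
    """True only if the certificate bound into the assertion is byte-for-byte
    the one the presenter proved possession of (e.g. its TLS client cert)."""
    try:
        return confirming_cert_der(subject_xml) == presenter_der
    except ValueError:
        return False

# Constructed sample input: FAKE_DER is stand-in bytes, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x0a constructed, not a real X.509 certificate"

def build_subject(der: bytes, method: str = HOK, with_x509data: bool = True) -> str:
    """Build a saml:Subject shaped like the STS output in this thread, with the
    corrected X509Data wrapper (or without it, to exercise the rejected shape)."""
    cert = f"<ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>"
    body = f"<ds:X509Data>{cert}</ds:X509Data>" if with_x509data else cert
    return (f"<saml:Subject xmlns:saml='{SAML}' xmlns:ds='{DSIG}' "
            "xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>"
            "<saml:NameID>vivek</saml:NameID>"
            f"<saml:SubjectConfirmation Method='{method}'>"
            "<saml:SubjectConfirmationData xsi:type='saml:KeyInfoConfirmationDataType'>"
            f"<ds:KeyInfo>{body}</ds:KeyInfo>"
            "</saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject>")
```

A bearer assertion, a KeyInfo without the X509Data wrapper, or a certificate other than the presenter's all fail the check; only a holder-of-key Subject carrying the presenter's own certificate passes.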
                            • 12. Re: Need an Holder-Of-Key Subject Confirmation
                              Vivek Biswas Newbie

                              Hi Stefan,

                              Thanks for doing the fix.

                              Cheers

                              Vivek