0 Replies Latest reply on Jul 8, 2010 4:24 PM by Stefan Guilhen

    XML signature problem on AS5.x/JBWS Metro

    Stefan Guilhen Apprentice

      I've just finished writting the first batch of integration tests for PicketLink STS. The tests are executed on top of each of our WS stacks (Native, Metro, CXF) to make sure the STS works on all available stacks. The problem is that I've run into an issue with the Metro stack on JBAS 5.1.0.

       

      In a nutshell, PicketLink STS issues XML security tokens that are signed before being returned to the client. Future token validation is carried by validating the XML digital signature, so any changes to the original token are detected and reject by the STS.

       

      When Native or CXF are used, all validation tests work fine. However, when Metro is used, the XML token is modified before reaching the STS, which causes the validation to fail. This error can only be seen on JBAS 5.x - when I tried using JBAS 6.0.0.Mx the tests passed.

       

      To make it easier to visualize what is going on, I've run tcpmon to intercept the SOAP validation message in transit (that is, after it has left the client app and before it has reached the application server). This is what we see:

       

      <?xml version="1.0" ?>
      <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
        <S:Body>
          <ns4:RequestSecurityToken xmlns="http://www.w3.org/2005/08/addressing" xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns6="http://www.w3.org/2000/09/xmldsig#" Context="context">
            <ns4:TokenType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status</ns4:TokenType>
            <ns4:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate</ns4:RequestType>
            <ns4:ValidateTarget>
              <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" ID="ID_c9458564-ad83-4425-9c43-a6f07e2cbf8e" IssueInstant="2010-07-08T19:59:33.929Z" Version="2.0">
                <Issuer>PicketLinkSTS</Issuer>
                <Subject>
                  <NameID NameQualifier="urn:picketlink:identity-federation">admin</NameID>
                  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
                </Subject>
                <Conditions NotBefore="2010-07-08T19:59:33.929Z" NotOnOrAfter="2010-07-08T21:59:33.929Z"/>
                <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                  <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#ID_c9458564-ad83-4425-9c43-a6f07e2cbf8e">
                      <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                      <DigestValue>VyefDXKFBEHvX3pPJFNDGCODII8=</DigestValue>
                    </Reference>
                  </SignedInfo>
                  <SignatureValue>WQNgkKj7OEtglN39VLcS0doOvcXN0sDJ2rUlWjX/64mN+npi8Zj6dFAvUqE1eEMreR+eGW7Gcg0/
      9U0S7L9Jnw6fKOLdeWqJS1WciLNeRiwej49W5w+GlAKLpYxJRZbxIQrV9c72IjZNafoAJlymkQcy
      jl7Dmpbw3tHTpMkjv78=</SignatureValue>
                  <KeyInfo>
                    <KeyValue>
                      <RSAKeyValue>
                        <Modulus>suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
      dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
      lYGGtrP5VQv00dfNPbs=</Modulus>
                        <Exponent>AQAB</Exponent>
                      </RSAKeyValue>
                    </KeyValue>
                  </KeyInfo>
                </Signature>
              </Assertion>
            </ns4:ValidateTarget>
          </ns4:RequestSecurityToken>
        </S:Body>
      </S:Envelope>
      

       

      When the STS receive the message (a Source instance), we print it. This is what we get:

       

      <ns4:RequestSecurityToken xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-trust/200512" Context="context">
        <ns4:TokenType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status</ns4:TokenType>
        <ns4:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate</ns4:RequestType>
        <ns4:ValidateTarget>
          <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_c9458564-ad83-4425-9c43-a6f07e2cbf8e" IssueInstant="2010-07-08T19:59:33.929Z" Version="2.0">
            <Issuer>PicketLinkSTS</Issuer>
            <Subject> 
              <NameID NameQualifier="urn:picketlink:identity-federation">admin</NameID>
              <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
            </Subject>
            <Conditions NotBefore="2010-07-08T19:59:33.929Z" NotOnOrAfter="2010-07-08T21:59:33.929Z"/>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="#ID_c9458564-ad83-4425-9c43-a6f07e2cbf8e">
                  <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>VyefDXKFBEHvX3pPJFNDGCODII8=</DigestValue>
                </Reference>
              </SignedInfo>
              <SignatureValue>WQNgkKj7OEtglN39VLcS0doOvcXN0sDJ2rUlWjX/64mN+npi8Zj6dFAvUqE1eEMreR+eGW7Gcg0/
      9U0S7L9Jnw6fKOLdeWqJS1WciLNeRiwej49W5w+GlAKLpYxJRZbxIQrV9c72IjZNafoAJlymkQcy
      jl7Dmpbw3tHTpMkjv78=</SignatureValue>
              <KeyInfo>
                <KeyValue>
                  <RSAKeyValue>
                    <Modulus>suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
      dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
      lYGGtrP5VQv00dfNPbs=</Modulus>
                    <Exponent>AQAB</Exponent>
                  </RSAKeyValue>
                </KeyValue>
              </KeyInfo>
            </Signature>
          </Assertion>
        </ns4:ValidateTarget>
      </ns4:RequestSecurityToken>
      

       

      Notice all unused namespace declarations were removed after the message arrived at the application server, including the namespace declarations in the Assertion element, which is a signed element. As expected, XML signature validation fails because the signed content has been modified.

       

      This is the message that is received by the STS when we use JBAS 6.0.0.Mx:

       

      <ns4:RequestSecurityToken xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns="http://www.w3.org/2005/08/addressing" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns6="http://www.w3.org/2000/09/xmldsig#" Context="context" xmlns:xml="http://www.w3.org/XML/1998/namespace">
        <ns4:TokenType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status</ns4:TokenType>
        <ns4:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate</ns4:RequestType>
        <ns4:ValidateTarget>
          <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" ID="ID_756ea775-ea57-4c86-8eb6-67675ed685f8" IssueInstant="2010-07-08T13:48:39.812Z" Version="2.0">
            <Issuer>PicketLinkSTS</Issuer>
            <Subject>
              <NameID NameQualifier="urn:picketlink:identity-federation">admin</NameID>
              <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
            </Subject>
            <Conditions NotBefore="2010-07-08T13:48:39.812Z" NotOnOrAfter="2010-07-08T15:48:39.812Z"/>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="#ID_756ea775-ea57-4c86-8eb6-67675ed685f8">
                  <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>i1VrPtLaQorvzRorXFjWinrDgaE=</DigestValue>
                </Reference>
              </SignedInfo>
              <SignatureValue>BHUo6+88uRpJ95JhXaDDc1ZNUcG+LWYkABjKYWFq9WkOd6ouFGAidFaBRdRGfVjte8B18rddaOZR
      p+eRSF0Bf/4eXRZzDIK4a7D1i4Eg06vbet1pZZiB00Sga9cnpVmUtoqcXZhJ4VOSddUt8tw/q5kG
      bhqxCfxHjeDtzHWAbzs=</SignatureValue>
              <KeyInfo>
                <KeyValue>
                  <RSAKeyValue>
                    <Modulus>suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
      dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
      lYGGtrP5VQv00dfNPbs=</Modulus>
                    <Exponent>AQAB</Exponent>
                  </RSAKeyValue>
                </KeyValue>
              </KeyInfo>
            </Signature>
          </Assertion>
        </ns4:ValidateTarget>
      </ns4:RequestSecurityToken>
      

       

      As we can see, on AS 6 none of the unused namespaces were removed, preserving the original Assertion element. In this case, as expected, signature validation succeeds.

       

      So I'm guessing the Metro runtime may be normalizing the document when creating the Source instance on AS 5.x and the normalization is removing the unused namespaces. Does anybody know where this might be happening and how it can be fixed?

       

      PS: I'm using the very same JBossWS Metro version on AS5.1.0 and AS6 (3.3.1.GA).