[ https://issues.apache.org/jira/browse/CXF-7578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated CXF-7578:
-------------------------------------

    Fix Version/s: 3.2.2
                   3.1.15

> WS-Trust Secured Request casts SecretKeySpec to PrivateKey
> ----------------------------------------------------------
>
>                 Key: CXF-7578
>                 URL: https://issues.apache.org/jira/browse/CXF-7578
>             Project: CXF
>          Issue Type: Bug
>          Components: Soap Binding, STS
>    Affects Versions: 3.2.1
>         Environment: Apache cxf 3.2.1 + transitive gradle dependencies
> opensaml 3.1.1
> NetIQ IDM for SAML 2.0 and WS-TRUST STS
> PS: with org.apache.cxf:cxf-bundle:2.7.18 this works, but older
> versions of cxf do not support opensaml 3.1.1, which is required.
>            Reporter: Lukas Noll
>             Fix For: 3.1.15, 3.2.2
>
>
> Flow is:
> Set the STS Client for a SOAP-Context to request a WS-Trust token for an
> already acquired SAML Assertion (ActsAs).
> STSClient retrieves the WS-Trust token alright, then tries to - I presume -
> sign the SOAP-request to the actual Service.
> This fails:
> {{Caused by: java.lang.ClassCastException: javax.crypto.spec.SecretKeySpec
> cannot be cast to java.security.PrivateKey
>     at org.apache.xml.security.stax.impl.algorithms.PKISignatureAlgorithm.engineInitSign(PKISignatureAlgorithm.java:77)
>     at org.apache.xml.security.stax.impl.processor.output.AbstractSignatureEndingOutputProcessor.processHeaderEvent(AbstractSignatureEndingOutputProcessor.java:141)
>     at org.apache.wss4j.stax.impl.processor.output.WSSSignatureEndingOutputProcessor.processHeaderEvent(WSSSignatureEndingOutputProcessor.java:77)
>     at org.apache.xml.security.stax.ext.AbstractBufferingOutputProcessor.flushBufferAndCallbackAfterHeader(AbstractBufferingOutputProcessor.java:68)
>     at org.apache.wss4j.stax.impl.processor.output.WSSSignatureEndingOutputProcessor.flushBufferAndCallbackAfterHeader(WSSSignatureEndingOutputProcessor.java:284)
>     at org.apache.xml.security.stax.ext.AbstractBufferingOutputProcessor.doFinal(AbstractBufferingOutputProcessor.java:54)
>     at org.apache.xml.security.stax.impl.OutputProcessorChainImpl.doFinal(OutputProcessorChainImpl.java:225)
>     at org.apache.xml.security.stax.ext.AbstractOutputProcessor.doFinal(AbstractOutputProcessor.java:140)
>     at org.apache.xml.security.stax.impl.processor.output.AbstractSignatureOutputProcessor.doFinal(AbstractSignatureOutputProcessor.java:72)
>     at org.apache.xml.security.stax.impl.OutputProcessorChainImpl.doFinal(OutputProcessorChainImpl.java:225)
>     at org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.close(XMLSecurityStreamWriter.java:192)
>     at org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor$WSS4JStaxOutInterceptorInternal.handleMessageInternal(WSS4JStaxOutInterceptor.java:335)
>     at org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor$WSS4JStaxOutInterceptorInternal.handleMessage(WSS4JStaxOutInterceptor.java:321)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)
> }}
> The line in question does this:
> {{ signature.initSign((PrivateKey) signingKey);}}
> while signingKey is always set to a SecretKeySpec by cxf's
> {{AbstractSignatureEndingOutputProcessor, line 139
> Key key = wrappingSecurityToken.getSecretKey(sigAlgorithm);}}
> This is the WS-Trust token reply I receive from the STS (Certificates are
> self-signed, names and URIs are changed for this report):
> {{
> <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:xs="http://www.w3.org/2001/XMLSchema">
> <S:Header>
> <Action xmlns="http://www.w3.org/2005/08/addressing"
> xmlns:S="http://www.w3.org/2003/05/soap-envelope"
> S:mustUnderstand="true">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</Action>
> <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:bfb37bd1-70a1-4c51-87d5-ea40f8162a0f</MessageID>
> <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:55c8fc93-73d7-46c7-adcb-1e2ca9f34e16</RelatesTo>
> <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
> <wsse:Security S:mustUnderstand="true">
> <wsu:Timestamp xmlns:ns15="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns14="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
> <wsu:Created>2017-12-04T07:49:48Z</wsu:Created>
> <wsu:Expires>2017-12-04T07:54:48Z</wsu:Expires>
> </wsu:Timestamp>
> </wsse:Security>
> </S:Header>
> <S:Body>
> <trust:RequestSecurityTokenResponseCollection
> xmlns:ns10="http://www.w3.org/2000/09/xmldsig#"
> xmlns:ns13="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> xmlns:ns9="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> xmlns:sc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:wsa="http://www.w3.org/2005/08/addressing"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <trust:RequestSecurityTokenResponse>
> <trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
> <trust:RequestedSecurityToken>
> <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> ID="nstsb73a0e5a-1ec3-451b-89e1-07fb99b755e0"
> IssueInstant="2017-12-04T07:49:48.802Z" Version="2.0">
> <saml2:Issuer>NetIQ_STS</saml2:Issuer>
> <ds:Signature>
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#nstsb73a0e5a-1ec3-451b-89e1-07fb99b755e0">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>kJMGItWGRm7klCMcQS4VprJromA=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>KMH1flkFYr/O5uUd/2AKzJ5iHeei5i1hBs+nbUFqmgRVPtW2OCxlrEq/qXBVhnS0mOIWdnJxE4q7
> N9aKXl7nQUAxkraNVYGSO5gCmaHdVKW/7V9w9bJn6xiNHA8gtzaKGQ8oaw5YqzlT9XN2Kt1+yPOE
> DYZTN0v6R0I3Cl1dFNXKX65A4pGdm32JXTS8XanvXfA2Fd0msh7NbAPLUDX4Noce7MOQRcKim67T
> obH72x8NIu7pQfj+crjIsPswgpYa9Q3uDvSAJqEI/aATd6LVWwnDmutmWLrSHglh/pT6Eo2xXAaY
> rtGxIj7RL5ccoTzUSM+z+mkZRAEX//CCfEViyQ==</ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>MIIE/jCCA+agAwIBAgIUb2yiaoR9iovKmsL3z7Z7Yc2J5GQwDQYJKoZIhvcNAQELBQAwODEaMBgG
> A1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExGjAYBgNVBAoUEXNfYXBsX3ZtXzAwMV90cmVlMB4XDTE3
> MDcyNTEwMTEwMloXDTI3MDcyNTEwMTEwMlowIjEgMB4GA1UEAxMXcy1hcGwtdm0tMDAxLmNvcnBu
> ZXQuYXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqsyg1WKCTR+QVoZthSnqjIblW
> zd1Y5JMfI2hRoglgKn5odPuXvOtnbiqelKsmkyhgEXd83T0nHxNimONvT1Tp+/DE4egxSeBvuThM
> Z+C2+6gUpVk4TTYA42LTDedFyz5Dz+38ksTq/lHsha7E+dUStpC8qsQRNVSY99+KzeaB4TZB1vQa
> NX+/zYGEN62petbH31ByygowqrcPRVp2ciKIbUCKtvcNRo7CTd+dTBkApnB0l4Rjbnkt86HNlRkM
> jXY0NWEsDhPTuGBOmAn4llCwP7rXyKuscDA9rSuXR4CsFATYtTXMqTYzPq8+FRF0hH4O8gEfhbko
> MnfK6wxcNEHpAgMBAAGjggIUMIICEDAdBgNVHQ4EFgQUCsUhkj27mPP95ZSDKltZJ/NABjcwHwYD
> VR0jBBgwFoAUyrEJpJ0Xd/FawGIUHtNYF2CrVTgwggHMBgtghkgBhvg3AQkEAQSCAbswggG3BAIB
> AAEB/xMdTm92ZWxsIFNlY3VyaXR5IEF0dHJpYnV0ZSh0bSkWQ2h0dHA6Ly9kZXZlbG9wZXIubm92
> ZWxsLmNvbS9yZXBvc2l0b3J5L2F0dHJpYnV0ZXMvY2VydGF0dHJzX3YxMC5odG0wggFIoBoBAQAw
> CDAGAgEBAgFGMAgwBgIBAQIBCgIBaaEaAQEAMAgwBgIBAQIBADAIMAYCAQECAQACAQCiBgIBFwEB
> /6OCAQSgWAIBAgICAP8CAQADDQCAAAAAAAAAAAAAAAADCQCAAAAAAAAAADAYMBACAQACCH//////
> ////AQEAAgQG8N9IMBgwEAIBAAIIf/////////8BAQACBAbw30ihWAIBAgICAP8CAQADDQBAAAAA
> AAAAAAAAAAADCQBAAAAAAAAAADAYMBACAQACCH//////////AQEAAgQR/6pnMBgwEAIBAAIIf///
> //////8BAQACBBH/qmeiTjBMAgECAgEAAgIA/wMNAIAAAAAAAAAAAAAAAAMJAIAAAAAAAAAAMBIw
> EAIBAAIIf/////////8BAQAwEjAQAgEAAgh//////////wEBADANBgkqhkiG9w0BAQsFAAOCAQEA
> Ub6eSzBaltUcb/KmF08me9lRQMefYUR5ILaGMdvulo9KPESP6/PqsRQLWFHjsi6I8HRL5KdFarv/
> Niq1AJSSo+KOOKQSiwAMAo9F3jskGXCCmF5A3gBS+zu7FMt22D1l9bhtvjQoIXCpw7UXdeP/mUp9
> j2MJPa2Lsp+O1r3q6kv1NAjLwcO8uZjfTs+UF1zWkdffsEsudfYXfZjWtJ+2UUJDZbYjf1x5NbY2
> 8Ml+Uq51salIXddFYarLRRGiQcUr/8Of1uXkQyS8kyrnO4B+sWYgLrN/6z9ySRukabqtU5VqjV/9
> wvSJGKU2n0aSWynlR0ZqvSM6YbI0MXD4I+Gjxg==</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </ds:Signature>
> <saml2:Subject>
> <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> NameQualifier="https://CHANGED_FOR_BUGREPORT">CHANGED_FOR_BUGREPORT</saml2:NameID>
> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> <saml2:SubjectConfirmationData xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
> ns6:type="saml2:KeyInfoConfirmationDataType">
> <ds:KeyInfo>
> <xenc:EncryptedKey>
> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>
> MIICVjCCAb8CCAogFwUjESABMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK
> ExNTQVAgVHJ1c3QgQ29tbXVuaXR5MRMwEQYDVQQLEwpTQVAgV2ViIEFTMRQwEgYDVQQLEwtJMDAy
> MDE2NzAwMzEYMBYGA1UEAwwPSTVTX1NTRkFfUzJTVlBFMB4XDTE3MDUyMzExMjAwMVoXDTM4MDEw
> MTAwMDAwMVowcDELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxEzAR
> BgNVBAsTClNBUCBXZWIgQVMxFDASBgNVBAsTC0kwMDIwMTY3MDAzMRgwFgYDVQQDDA9JNVNfU1NG
> QV9TMlNWUEUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM+Jmzrrty94qySuDx0rP39i9FOo
> L14KiKxqXER3dqBW0OhqqdOAutyvpZ9iqvJKn7LTIOUhDLe3LwwW2ZPv26albJXwzyEYrelFk/5S
> foHbEbyVquYnTYFrp8SY7KLxFRyLIYWnuINCPrRg2bB8vGanpQOok3hSqacC9ylNECkxAgMBAAEw
> DQYJKoZIhvcNAQELBQADgYEAl+YITTSNR0xq2Ca3z5ZRxKDcXC7sL5TikgNyW6gx8kFXQhl7tQHh
> fSq7xBRj8Wia3CXR3/iOzfV92apI2AFjmkx8vTQFUsE6cO4qofneHKc2bdZ7sf8dsnAf6Egss24W
> gUGkrsL4KNmq0Q4e6cI2EJwMs84VGp1pfD9PYZOpTm4=
> </ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>s5hm8saT/x2OS+hWg9AFp8AFKO0/jdnVslBqp27bPpViUHRPOvy7keQPb52W980NhFX3wHGmilmr
> DAPgd0JIH9H8+4ryV038Uw6zwgL+iMQjoWcYiVXFIYUB2b30yjZLoUVO1B8AghbTfBSo6QMKbUET
> 5KC1TLAVOff1dML9KZY=</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedKey>
> </ds:KeyInfo>
> </saml2:SubjectConfirmationData>
> </saml2:SubjectConfirmation>
> </saml2:Subject>
> <saml2:Conditions NotBefore="2017-12-04T07:49:48.802Z"
> NotOnOrAfter="2017-12-04T07:59:48.802Z">
> <saml2:AudienceRestriction>
> <saml2:Audience>https://sapwsi5s.sap.wst:9042/sap/bc/srt/rfc/wsv/ca_saf_ping/010/wsv_ca_saf_ping/insurance</saml2:Audience>
> </saml2:AudienceRestriction>
> </saml2:Conditions>
> <saml2:Advice/>
> <saml2:AuthnStatement AuthnInstant="2017-12-04T07:49:48.802Z">
> <saml2:AuthnContext>
> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.0:am:password</saml2:AuthnContextClassRef>
> </saml2:AuthnContext>
> </saml2:AuthnStatement>
> <saml2:AttributeStatement>
> <saml2:Attribute AttributeName="actor"
> AttributeNamespace="http://schemas.xmlsoap.com/ws/2009/09/identity/claims"
> Name="actor"
> NameFormat="http://schemas.xmlsoap.com/ws/2009/09/identity/claims">
> <saml2:AttributeValue><Actor><saml2:Attribute
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AttributeName="name"
> AttributeNamespace="http://schemas.xmlsoap.com/ws/2005/05/identity/claims"
> Name="name"
> NameFormat="http://schemas.xmlsoap.com/ws/2005/05/identity/claims"><saml2:AttributeValue>CHANGED_FOR_BUGREPORT</saml2:AttributeValue></saml2:Attribute></Actor></saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> </saml2:Assertion>
> </trust:RequestedSecurityToken>
> <trust:RequestedAttachedReference>
> <wsse:SecurityTokenReference ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
> <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">nstsb73a0e5a-1ec3-451b-89e1-07fb99b755e0</wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
> </trust:RequestedAttachedReference>
> <trust:RequestedUnattachedReference>
> <wsse:SecurityTokenReference ns4:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
> <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">nstsb73a0e5a-1ec3-451b-89e1-07fb99b755e0</wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
> </trust:RequestedUnattachedReference>
> <wsp:AppliesTo>
> <wsa:EndpointReference>
> <wsa:Address>https://CHANGED FOR BUGREPORT</wsa:Address>
> </wsa:EndpointReference>
> </wsp:AppliesTo>
> <trust:RequestedProofToken>
> <trust:ComputedKey>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKey>
> </trust:RequestedProofToken>
> <trust:Entropy>
> <trust:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">1Ba5e6QgRN251mMBwLTSoUqwbHrmGGL+VXremIGnwZM=</trust:BinarySecret>
> </trust:Entropy>
> <trust:Lifetime>
> <wsu:Created>2017-12-04T07:52:04.948Z</wsu:Created>
> <wsu:Expires>2017-12-04T08:02:04.948Z</wsu:Expires>
> </trust:Lifetime>
> <trust:KeySize>256</trust:KeySize>
> </trust:RequestSecurityTokenResponse>
> </trust:RequestSecurityTokenResponseCollection>
> </S:Body>
> </S:Envelope>}}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
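The RSTR in the report carries no proof key of its own: trust:RequestedProofToken names the PSHA1 computed-key algorithm, trust:Entropy holds the issuer's nonce and trust:KeySize is 256, so the requestor's proof key is derived symmetrically from both parties' entropy and is raw key bytes (a SecretKeySpec in Java terms). Such a key can only drive an HMAC signature; handing it to an RSA signature method is exactly the mismatch behind the ClassCastException above. The following Python is an added example, not CXF or WSS4J code: it implements P_SHA1 as defined in TLS (RFC 2246), applies it as WS-Trust 1.3 specifies (key = P_SHA1(EntREQ, EntRES)), and adds the key-type check that turns the mismatch into a clear configuration error. The issuer entropy is the BinarySecret from the report; the requestor entropy, the sample SignedInfo bytes and the signature_family mapping are constructed for this example.

```python
"""Added example (not CXF/WSS4J code): WS-Trust PSHA1 computed proof key
derivation, and why that key fits an HMAC signature but never an RSA one."""
import base64
import hashlib
import hmac

# Issuer entropy copied from the RSTR in the report above
# (trust:BinarySecret, Type=.../Nonce). The requestor entropy is a
# CONSTRUCTED fixed value for reproducibility; a real client draws it from a
# CSPRNG per request and never reuses it.
ISSUER_ENTROPY_B64 = "1Ba5e6QgRN251mMBwLTSoUqwbHrmGGL+VXremIGnwZM="
REQUESTOR_ENTROPY = bytes(range(32))   # constructed, not random
KEY_SIZE_BITS = 256                    # trust:KeySize from the RSTR

PSHA1_URI = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1"
HMAC_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
RSA_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from TLS (RFC 2246 section 5), an HMAC-SHA1 expansion:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def computed_key(requestor_entropy: bytes, issuer_entropy: bytes,
                 key_size_bits: int) -> bytes:
    """WS-Trust 1.3 computed key: key = P_SHA1(EntREQ, EntRES), truncated to
    KeySize. The requestor entropy is the HMAC secret, the issuer's the seed."""
    if key_size_bits % 8:
        raise ValueError("KeySize must be a whole number of bytes")
    return p_sha1(requestor_entropy, issuer_entropy, key_size_bits // 8)


def signature_family(alg_uri: str) -> str:
    """Map an XML-DSig SignatureMethod URI to the kind of key it needs.
    Assumed mapping covering the URIs used here, not a complete registry."""
    local = alg_uri.rsplit("#", 1)[-1]
    if local.startswith("hmac-"):
        return "symmetric"
    if local.startswith(("rsa-", "dsa-", "ecdsa-")):
        return "asymmetric"
    raise ValueError(f"unknown signature algorithm {alg_uri}")


def sign(key, alg_uri: str, data: bytes) -> bytes:
    """Sign data with key, refusing a mismatched key/algorithm pair up front.
    A computed PSHA1 key is plain bytes, so only the HMAC branch accepts it;
    an RSA method with such a key is a configuration error and fails with a
    readable message instead of a ClassCastException deep in the output chain."""
    family = signature_family(alg_uri)
    if isinstance(key, (bytes, bytearray)):
        if family != "symmetric":
            raise TypeError(f"symmetric proof key cannot be used with {alg_uri}")
        return hmac.new(key, data, hashlib.sha1).digest()
    # Asymmetric keys are out of scope for this stdlib-only example.
    raise TypeError("asymmetric signing is not implemented in this example")


def derive_and_sign(signed_info: bytes) -> dict:
    """End to end: derive the proof key from both entropies, then HMAC a
    (constructed) canonicalised SignedInfo with it, as a holder-of-key
    requestor does when securing its request to the service."""
    key = computed_key(REQUESTOR_ENTROPY,
                       base64.b64decode(ISSUER_ENTROPY_B64), KEY_SIZE_BITS)
    return {"key": key, "signature": sign(key, HMAC_SHA1_URI, signed_info)}


if __name__ == "__main__":
    result = derive_and_sign(b"<ds:SignedInfo>constructed sample</ds:SignedInfo>")
    print("proof key length:", len(result["key"]), "bytes")
    print("hmac-sha1 signature:",
          base64.b64encode(result["signature"]).decode())
    try:
        sign(result["key"], RSA_SHA1_URI, b"x")
    except TypeError as exc:
        print("refused:", exc)
```

The proof key is the secret that proves possession of the holder-of-key assertion, so it must be handled like any other session key: derived per request from fresh requestor entropy and never logged. The up-front check in sign() is the defensive point of the example; it fails before any signature state is touched rather than inside the signature algorithm.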