[OpenSAML] Embedded SecurityTokenReference in EncryptedKey (Unsupported key identification)


Enrique Sabatel

Mar 18, 2011, 7:26:11 AM3/18/11
to mace-open...@internet2.edu
I have generated and successfully validated a SAML token in which the SubjectConfirmation element is as follows:

<!-- Method URI as defined by SAML 2.0 Core -->
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml2:SubjectConfirmationData NotBefore="2011-03-18T11:00:51.792Z" NotOnOrAfter="2011-03-18T11:05:51.792Z" xsi:type="saml2:KeyInfoConfirmationDataType">
    <ds:KeyInfo>
      <!-- the confirmation key is a symmetric key, transported encrypted to the recipient's certificate -->
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-4A787BE16A9F37BE9712928485377682">
        <!-- rsa-1_5 (PKCS#1 v1.5) key transport; XML Encryption 1.1 recommends rsa-oaep-mgf1p instead -->
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <ds:KeyInfo>
          <!-- identifies the recipient certificate by SHA-1 thumbprint -->
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">t84A4I7a6WZYL3byvSUu6VLfEVA=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>U50IKQoPt58IsZYqAB3D/vrp4t7+JLBirUzYeXek7kKJhQR9ieX23OVEHmqLyl0FK76Nqc0Kl4SQ&#xd;Rnf71O69hRYZ1I8Zw/KIifONRftUt5hCoX7nFI5IPF3lElIgZVCMLvyHuIZvr6NGM3bXEfYIBaJh&#xd;QVNK2SMt3ZWi5CsJErM=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
  </saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>

However, when I change the SecurityTokenReference to Embedded, like this:

<wsse:SecurityTokenReference>
  <wsse:Embedded>
    <!-- the recipient certificate itself, base64 DER, carried inline -->
    <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SomeCert">MIIC....1M=</wsse:BinarySecurityToken>
  </wsse:Embedded>
</wsse:SecurityTokenReference>

I get this error:

An error was discovered processing the <wsse:Security> header (Unsupported key identification)

Shouldn't this kind of token reference be supported? Or am I missing something?

Brent Putman

Mar 18, 2011, 2:26:41 PM3/18/11
to mace-open...@internet2.edu


On 3/18/11 7:26 AM, Enrique Sabatel wrote:

> However, when I change the SecurityTokenReference to Embedded, like this:
>
> <wsse:SecurityTokenReference>
>   <wsse:Embedded>
>     <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SomeCert">MIIC....1M=</wsse:BinarySecurityToken>
>   </wsse:Embedded>
> </wsse:SecurityTokenReference>

This ostensibly looks fine to me, although I'm not a WS-Security guru.

> I get this error:
>
> An error was discovered processing the <wsse:Security> header (Unsupported key identification)

Presumably this error is being generated by some code other than OpenSAML, that is processing what you are creating?  I can't find that our code would ever emit such a message.  Indeed, we don't really have any support for WS-S processing, just for the XML-Java bindings.

> Shouldn't this kind of token reference be supported? Or am I missing something?

AFAIK, it's legal (at least syntactically), but it's really probably up to the profile (implicit or otherwise) that's implemented by the recipient of the WS-S message that you are generating.  You probably need to ask them what they do and don't support.
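Brent's answer puts the decision with the recipient's WS-Security profile, so it helps to see what a recipient actually has to do with each SecurityTokenReference form that can sit under EncryptedKey/KeyInfo. The following is an added illustration written for this page, not code from OpenSAML, the poster, or any particular WS-Security stack: a minimal recipient-side resolver that reduces a ThumbprintSHA1 KeyIdentifier, an Embedded BinarySecurityToken, or a same-document Reference to a certificate thumbprint, looks that up in the recipient's own keystore, and raises "Unsupported key identification" for anything outside its profile. Assumptions: the wsse prefix is the WS-Security 1.0 secext namespace (the posted fragments do not show their declaration), ThumbprintSHA1 is base64(SHA-1(DER certificate)) as WS-Security 1.1 defines it, and the certificate bytes, keystore and XML documents are constructed stand-ins rather than real X.509 material.

```python
"""Recipient-side resolution of the key an xenc:EncryptedKey is addressed to, from the
wsse:SecurityTokenReference (STR) inside its ds:KeyInfo. Standard library only; the
certificate bytes and keystore below are constructed stand-ins, not real X.509 material."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Assumed namespaces: the post does not show its wsse declaration, so the WS-Security 1.0
# secext URI is used here; wsu is matched by local name because senders vary (see _wsu_id).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"


class UnsupportedKeyIdentification(Exception):
    """The STR uses a form this profile does not accept, or names no key we hold."""


def thumbprint_sha1(cert_der: bytes) -> str:
    """WS-Security 1.1 ThumbprintSHA1: base64 of the SHA-1 digest of the DER certificate."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def _wsu_id(el: ET.Element):
    """Return the element's Id attribute regardless of which wsu namespace URI declared it."""
    for name, value in el.attrib.items():
        if name.rsplit("}", 1)[-1] == "Id":
            return value
    return None


def _bst_thumbprint(bst) -> str:
    """Reduce a wsse:BinarySecurityToken carrying an X509v3 certificate to its thumbprint."""
    if bst is None or bst.get("ValueType") != X509V3:
        raise UnsupportedKeyIdentification("BinarySecurityToken missing or not an X509v3 token")
    return thumbprint_sha1(base64.b64decode(bst.text.strip()))


def resolve_decryption_key(root: ET.Element, keystore: dict) -> str:
    """Return the keystore alias whose certificate the EncryptedKey's STR identifies.

    keystore maps ThumbprintSHA1 -> alias. Every STR form is reduced to a thumbprint and
    matched against keys the recipient already holds: an Embedded certificate arrives under
    the sender's control, so it is only ever used as a lookup key, never trusted as-is."""
    enc_key = root.find(f".//{{{XENC}}}EncryptedKey")
    if enc_key is None:
        raise UnsupportedKeyIdentification("no xenc:EncryptedKey in document")
    str_el = enc_key.find(f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference")
    if str_el is None or len(str_el) != 1:
        raise UnsupportedKeyIdentification("EncryptedKey/KeyInfo must hold one STR with one child")
    ref = str_el[0]
    if ref.tag == f"{{{WSSE}}}KeyIdentifier":
        if ref.get("ValueType") != THUMBPRINT_SHA1:
            raise UnsupportedKeyIdentification(f"unsupported KeyIdentifier ValueType {ref.get('ValueType')!r}")
        thumb = ref.text.strip()
    elif ref.tag == f"{{{WSSE}}}Embedded":
        thumb = _bst_thumbprint(ref.find(f"{{{WSSE}}}BinarySecurityToken"))
    elif ref.tag == f"{{{WSSE}}}Reference":
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise UnsupportedKeyIdentification(f"only same-document Reference URIs supported, got {uri!r}")
        bst = next((b for b in root.iter(f"{{{WSSE}}}BinarySecurityToken") if _wsu_id(b) == uri[1:]), None)
        thumb = _bst_thumbprint(bst)
    else:
        raise UnsupportedKeyIdentification(f"Unsupported key identification: {ref.tag}")
    alias = keystore.get(thumb)
    if alias is None:
        raise UnsupportedKeyIdentification(f"no local private key for certificate thumbprint {thumb}")
    return alias


def resolve_or_error(root: ET.Element, keystore: dict) -> str:
    """resolve_decryption_key, with the failure reported as a string for the demo."""
    try:
        return resolve_decryption_key(root, keystore)
    except UnsupportedKeyIdentification as exc:
        return f"error: {exc}"


# --- constructed sample input (not real certificates) -----------------------------------
CERT_DER = b"constructed stand-in for the recipient's DER certificate"
OTHER_DER = b"constructed stand-in for a certificate the recipient does not hold"
KEYSTORE = {thumbprint_sha1(CERT_DER): "sp-decryption-key"}
WSU_2003 = "http://schemas.xmlsoap.org/ws/2003/06/utility"   # the wsu URI used in the post


def sample_doc(str_inner: str, extra: str = "") -> ET.Element:
    """Wrap an STR body in the EncryptedKey/KeyInfo structure from the post (namespaces assumed)."""
    return ET.fromstring(
        f'<root xmlns:ds="{DS}" xmlns:xenc="{XENC}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU_2003}">'
        "<xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>"
        f"{str_inner}</wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>{extra}</root>"
    )


def bst(cert_der: bytes, wsu_id: str = "SomeCert") -> str:
    return (f'<wsse:BinarySecurityToken ValueType="{X509V3}" wsu:Id="{wsu_id}">'
            f'{base64.b64encode(cert_der).decode("ascii")}</wsse:BinarySecurityToken>')


STR_THUMBPRINT = f'<wsse:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">{thumbprint_sha1(CERT_DER)}</wsse:KeyIdentifier>'
STR_EMBEDDED = f"<wsse:Embedded>{bst(CERT_DER)}</wsse:Embedded>"
STR_EMBEDDED_FOREIGN = f"<wsse:Embedded>{bst(OTHER_DER)}</wsse:Embedded>"
STR_REFERENCE = '<wsse:Reference URI="#SomeCert"/>'
STR_UNKNOWN = '<wsse:KeyIdentifier ValueType="urn:example:not-a-profile-we-accept">abc=</wsse:KeyIdentifier>'

if __name__ == "__main__":
    for label, doc in [("thumbprint", sample_doc(STR_THUMBPRINT)),
                       ("embedded", sample_doc(STR_EMBEDDED)),
                       ("embedded, unknown cert", sample_doc(STR_EMBEDDED_FOREIGN)),
                       ("reference", sample_doc(STR_REFERENCE, extra=bst(CERT_DER))),
                       ("unknown ValueType", sample_doc(STR_UNKNOWN))]:
        print(f"{label:24s} -> {resolve_or_error(doc, KEYSTORE)}")
```

The design point is that all three forms end in the same local lookup. An Embedded certificate comes from the sender, so a recipient that accepts the form should still only use it to find its own key, as done here, rather than acting on the certificate directly; a stack that has not implemented that matching will, reasonably, reject the form as unsupported key identification, which is consistent with Brent's advice to ask the recipient what its profile accepts.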