javaee / metro-wsit

https://javaee.github.io/metro-wsit/

Invalid digest for sp:SignedSupportingTokens #1612

Open glassfishrobot opened 12 years ago

glassfishrobot commented 12 years ago

Metro (2.1.1) client submits a request to a WCF/WIF web service (.NET 3.5) using a SAML 2 assertion (bearer confirmation) as a signed supporting token generated by a Metro STS (see WSDL).

In this scenario, the WCF service throws the following (inner) exception when validating the digest of the (STR) referenced SAML 2 assertion:

System.Security.Cryptography.CryptographicException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Digest verification failed for Reference '#uuid_835ea2da-79f7-4b30-8790-5c86943c3769'.

where the element with ID "uuid_835ea2da-79f7-4b30-8790-5c86943c3769" is the reference to the SecurityTokenReference element that references the SAML assertion. The SOAP main signature references the attached SAML assertion using a SecurityTokenReference element via the STR-Transform, in compliance with the WSS SAML Token Profile 1.1.

In addition we tested the following scenarios:

- Metro client to Metro service (works)
- WCF client to WCF service (works)
- WCF client to Metro service (works)
- Metro client to WCF service (DOESN'T WORK)

In all these additional scenarios (first three), digest and signature verification passes. (Attached is Java code that allows digest validation.)

Furthermore, we modified the Metro source to eliminate the STR-Transform and directly sign the SAML assertion from the main signature (instead of using a SecurityTokenReference and the STR-Transform). With the STR-Transform eliminated, the Metro client can talk to the WCF service with no problem, although now we are not complying with the WSS SAML Token Profile 1.1. This result suggests a problem in Metro's generation of the SOAP message signature, specifically the signature of the signed supporting tokens using the STR dereference transform (STR-Transform).

#### Environment

Windows / Linux
java version "1.6.0_22"
Maven version: 2.0.9
Metro 2.1.1
.NET 3.5

#### Affected Versions

[2.1.1]
glassfishrobot commented 12 years ago

Reported by bshrom

glassfishrobot commented 12 years ago

bshrom said: WS-Policy used on .NET WS side.

glassfishrobot commented 12 years ago

bshrom said: Wireshark capture of communication between Java client and .NET service

Java client log, includes communication between Java client and STS, and subsequent communication between Java client and .NET service.

Test message for digest computation of the SAML assertion.

glassfishrobot commented 12 years ago

bshrom said: Signed SAML assertion test.

glassfishrobot commented 12 years ago

bshrom said: Small utility that creates a signature for the SAML assertion taken from the exchange sample.

Keypair that was used for signature.

glassfishrobot commented 12 years ago

@vbkumarjayanti said: Hi,

I looked at the m2client.log and looked at the Canonicalized SAML 2 assertion (at the bottom of the log file). I could not see anything obviously wrong at a first glance (will try to look again). But do you see anything wrong there? Can we get the Canonicalized SAML 2 assertion on the WCF side to see what is different? Would you know how to enable the Canonicalized output on WCF side?

Also I was not clear about the purpose of the following files: Validate.java, test.xml, SingedTest.xml

If you have a patch where Metro sends the SAML assertion signed without STR Transform do send it to us. We might as well provide a configurable option through which metro can send the SAML signed directly.

We have done an interop of our STR Transform with Oracle OWSM and did not find any interop issue.

Thanks for all the help.

glassfishrobot commented 12 years ago

@vbkumarjayanti said: Here is the canonicalized SAML assertion ( i have formatted it for better readability).

glassfishrobot commented 12 years ago

bshrom said: test.xml - contains a saml2:Assertion captured over the wire (directly from the wireshark log)

Validate.java - takes test.xml and signs saml2:Assertion (we are interested mainly in digest value)

SingedTest.xml - an output from Validate.java, and contains a signature for saml2:Assertion

The purpose of the test is to compare manually calculated digest for saml2:Assertion with the one calculated by Metro and captured during the transmission.

The digest value for saml2:Assertion in SingedTest.xml (direct) is different from the value (through STR transform) calculated by Metro that was transmitted over the wire. It should be the same.

In our tests of WCF 3.5 on test.xml, digest value for saml2:Assertion is equal to the digest value manually calculated by Validate.java.

I will ask about getting Canonicalized output on WCF side.

Now, I have another question: does Oracle OWSM use Metro lib's under the hood?

glassfishrobot commented 12 years ago

@vbkumarjayanti said: So with the STR Dereference Transform we add an extra xmlns="" on the root element in the canonicalized output in this case. So I am not sure if your statement about "the Digest value for direct signing and through STR transform should be the same" is correct? Unless I am missing your point.

Please send us the Canonicalized output if you can.
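The disagreement in the last two comments comes down to the octets that are digested: one extra namespace declaration in the canonicalized root element changes the DigestValue. The following is an added example, not code from the issue or from Metro: a constructed minimal canonical form of an assertion, the same octets with an extra xmlns="" on the root, and a ds:Reference digest check of the kind Validate.java and the WCF verifier perform. It assumes canonicalization (Exclusive C14N in the thread) has already been done and works on the resulting octets; all names and values are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_ALGS = {SHA1: hashlib.sha1, "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}

# Constructed canonical octets of a minimal assertion (not the assertion from the thread).
DIRECT_C14N = (
    b'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="uuid_example" IssueInstant="2011-12-09T13:34:18Z" Version="2.0">'
    b"<saml2:Issuer>METROIDP</saml2:Issuer></saml2:Assertion>"
)
# The same octets with the extra xmlns="" on the root element that the
# STR-Transform output was said to contain.
STR_C14N = DIRECT_C14N.replace(b"<saml2:Assertion ", b'<saml2:Assertion xmlns="" ', 1)


def digest_value(canonical: bytes, alg: str) -> str:
    """Base64 DigestValue a signer would place in ds:Reference for these octets."""
    return base64.b64encode(DIGEST_ALGS[alg](canonical).digest()).decode("ascii")


def make_reference(uri: str, canonical: bytes, alg: str = SHA1) -> str:
    """Build a ds:Reference the way a signer does (constructed, not Metro's code)."""
    return (
        f'<ds:Reference xmlns:ds="{DS}" URI="#{uri}">'
        f'<ds:DigestMethod Algorithm="{alg}"/>'
        f"<ds:DigestValue>{digest_value(canonical, alg)}</ds:DigestValue>"
        "</ds:Reference>"
    )


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing octet between two canonical forms, -1 if equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def check_reference(reference_xml: str, canonical: bytes) -> dict:
    """Recompute the digest over our own canonical octets and compare it with the
    DigestValue carried in the reference, as a verifier such as WCF does."""
    ref = ET.fromstring(reference_xml)
    alg = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
    claimed = ref.find(f"{{{DS}}}DigestValue").text.strip()
    actual = digest_value(canonical, alg)
    return {"uri": ref.get("URI"), "algorithm": alg, "claimed": claimed,
            "actual": actual, "ok": hmac.compare_digest(claimed, actual)}
```

Running check_reference against both octet strings shows the mismatch, and first_difference points at the offset of the xmlns="" declaration, which is the spot to compare in the two sides' canonicalized output.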

glassfishrobot commented 11 years ago

symonchang said: This interop problem can be fixed in WCF, instead of Metro. Fixing it in Metro may cause interop problems with other major platforms, such as OWSM and WebLogic Server. Also, users can select other SAML scenarios instead of SAML 2.0 Bearer, such as SAML 1.1 Bearer, or SAML 2.0 Sender Vouches, etc.

glassfishrobot commented 12 years ago

File: curewsc-keystore.jks Attached By: bshrom

glassfishrobot commented 12 years ago

File: m2client.log Attached By: bshrom

glassfishrobot commented 12 years ago

File: signedtest.xml Attached By: bshrom

glassfishrobot commented 12 years ago

File: test-wireshark-capture.txt Attached By: bshrom

glassfishrobot commented 12 years ago

File: test.xml Attached By: bshrom

glassfishrobot commented 12 years ago

File: Validate.java Attached By: bshrom

glassfishrobot commented 12 years ago

File: ws-policy.xml Attached By: bshrom

glassfishrobot commented 12 years ago

Was assigned to symonchang

glassfishrobot commented 7 years ago

This issue was imported from java.net JIRA WSIT-1612