OpenAM / OPENAM-10330

Only one X509Certificate element from metadata is used for signature validation

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0
    • Fix Version/s: None
    • Component/s: CLI, SAML

      Description

      Configure OpenAM as a SAML IdP and import the metadata of a remote SP whose signing KeyDescriptor contains multiple X509Certificate elements, as permitted by https://www.w3.org/TR/xmldsig-core/#sec-X509Data.

      Example excerpt from the SP metadata:
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <EntityDescriptor entityID="testSP" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
          <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <KeyDescriptor use="signing">
                  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                      <ds:X509Data>
                          <ds:X509Certificate>
                            ....
                          </ds:X509Certificate>
                          <ds:X509Certificate>
                            ....
                          </ds:X509Certificate>
                      </ds:X509Data>
                  </ds:KeyInfo>
              </KeyDescriptor>
              <KeyDescriptor use="encryption">
                  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                      <ds:X509Data>
                          <ds:X509Certificate>
                            ....
                          </ds:X509Certificate>
                      </ds:X509Data>
                  </ds:KeyInfo>
              </KeyDescriptor>
      ....

      SP-initiated SAML SSO then fails as follows.

      Excerpt from the OpenAM Federation debug log:
      libSAML2:01/05/2017 02:35:29:922 PM CET: Thread[http-nio-9090-exec-3,5,main]: TransactionId[e0c5ca31-8ab3-4d80-8be0-fc47ff649997-1227]
      ERROR: FMSigProvider.verify: The cert contained in the document is NOT trusted
      libSAML2:01/05/2017 02:35:29:922 PM CET: Thread[http-nio-9090-exec-3,5,main]: TransactionId[e0c5ca31-8ab3-4d80-8be0-fc47ff649997-1227]
      ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
      com.sun.identity.saml2.common.SAML2Exception: The signing certificate does not match what's defined in the entity metadata.
              at com.sun.identity.saml2.xmlsig.FMSigProvider.verify(FMSigProvider.java:317)
              at com.sun.identity.saml2.protocol.impl.RequestAbstractImpl.isSignatureValid(RequestAbstractImpl.java:313)
              at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:182)
              at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:233)
              at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:142)
              at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:102)
              at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:176)
              at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
              at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
              at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
              at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)

      The log message suggests an untrusted certificate, but the root cause is that com.sun.identity.saml2.key.KeyUtil.getVerificationCerts(RoleDescriptorType roleDescriptor, String entityID, String role) extracts only one of the X509Certificate elements instead of both, so a request signed with a certificate that was never extracted fails verification.
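      The following Python is an added illustration of the point above, not OpenAM code: it parses SP metadata of the same shape as the excerpt, collects every X509Certificate under the signing KeyDescriptor (and none from the encryption one), and checks the certificate carried in a signed document against that whole set. A second helper deliberately keeps only the first certificate to reproduce the reported failure. The certificates, the metadata string and all function names are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for base64-encoded DER certificates (not real certs).
CERT_A_B64 = base64.b64encode(b"constructed DER bytes for signing cert A").decode()
CERT_B_B64 = base64.b64encode(b"constructed DER bytes for signing cert B").decode()
CERT_ENC_B64 = base64.b64encode(b"constructed DER bytes for encryption cert").decode()

# Constructed SP metadata mirroring the report: two signing certificates in
# one X509Data element, plus a single encryption certificate.
SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="testSP" xmlns="{MD_NS}">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}">
        <ds:X509Data>
          <ds:X509Certificate>
            {CERT_A_B64}
          </ds:X509Certificate>
          <ds:X509Certificate>{CERT_B_B64}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="{DS_NS}">
        <ds:X509Data>
          <ds:X509Certificate>{CERT_ENC_B64}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def _decode_cert(text):
    """Base64-decode certificate text; metadata commonly wraps it across lines."""
    return base64.b64decode("".join((text or "").split()), validate=True)


def get_verification_certs(metadata_xml, use="signing"):
    """Return the DER bytes of every certificate declared for `use`.

    Every X509Certificate under a matching KeyDescriptor is collected. A
    KeyDescriptor without a `use` attribute applies to both signing and
    encryption in SAML 2.0 metadata, so it is included as well.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, use):
            continue
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(_decode_cert(x509.text))
    return certs


def get_first_verification_cert_only(metadata_xml, use="signing"):
    """Reproduce the reported behaviour: keep only the first certificate."""
    return get_verification_certs(metadata_xml, use)[:1]


def is_signing_cert_trusted(doc_cert_b64, trusted_certs):
    """True if the certificate carried in the signed document is one of the
    metadata-declared verification certs (compared as decoded DER bytes)."""
    der = _decode_cert(doc_cert_b64)
    return any(der == c for c in trusted_certs)


if __name__ == "__main__":
    full = get_verification_certs(SP_METADATA)
    first_only = get_first_verification_cert_only(SP_METADATA)
    print("signing certs found:", len(full))
    print("cert B trusted (all certs):", is_signing_cert_trusted(CERT_B_B64, full))
    print("cert B trusted (first only):", is_signing_cert_trusted(CERT_B_B64, first_only))
```

      Comparing decoded DER bytes rather than the raw element text avoids spurious mismatches caused by line wrapping or whitespace in the metadata, and excluding the encryption KeyDescriptor keeps the trusted set limited to the keys actually declared for signing.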

    People

    • Assignee: Unassigned
    • Reporter: bthalmayr (Bernhard Thalmayr)