OpenAM / OPENAM-13577

xmlsec-2.1.1.jar used in AM6 has issues when ignoreLineBreaks is enabled

    Details

    • Sprint:
      AM Sustaining Sprint 55, AM Sustaining Sprint 56
    • Story Points:
      1
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No

      Description

      Bug description

      The xmlsec library used in AM6 (see AME-15681) is version 2.1.1, which misbehaves when ignoreLineBreaks is enabled. The certificate and other Base64 payloads in the XML signature are generated with a &#13; (carriage return) character reference at the end of every line:

      <ds:X509Certificate>
      MIIDYTCCAkmgAwIBAgIEFt4OQjANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVSzEQMA4GA1UE&#13;
      CBMHQnJpc3RvbDEQMA4GA1UEBxMHQnJpc3RvbDESMBAGA1UEChMJRm9yZ2VSb2NrMQswCQYDVQQL&#13;
      EwJBTTENMAsGA1UEAxMEdGVzdDAeFw0xODA0MDMxNDIwNThaFw0yODAzMzExNDIwNThaMGExCzAJ&#13;
      BgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG&#13;
      b3JnZVJvY2sxCzAJBgNVBAsTAkFNMQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOC&#13;
      AQ8AMIIBCgKCAQEAi7t6m4d/02dZ8dOe+DFcuUYiOWueHlNkFwdUfOs06eUETOV6Y9WCXu3D71db&#13;
      F0Fhou69ez5c3HAZrSVS2qC1Htw9NkVlLDeED7qwQQMmSr7RFYNQ6BYekAtn/ScFHpq8Tx4BzhcD&#13;
      b6P0+PHCo+bkQedxwhbMD412KSM2UAV

      Alternative interpretation: with -Dorg.apache.xml.security.ignoreLineBreaks=true set, the Base64-encoded certificate and signature still contain line breaks, i.e. the property does not seem to take effect. Some SPs require the unbroken, single-line form, so a library upgrade is needed.

      How to reproduce the issue


      1. Add -Dorg.apache.xml.security.ignoreLineBreaks=true (or -Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true, for the JDK-internal copy of xmlsec) to the JVM settings
      2. Set up a SAML2 federation with Response signing
      3. Enable Message debug
      4. Perform a SAML2 SP-initiated login
      5. Observe in the IdP Federation debug logs that the certificate's line breaks are rendered as &#13;

      Expected behaviour

      The Response is generated correctly, without &#13; (all the Base64 content in the XML signature is one long string)

      Current behaviour

      The debug logs as well as the HTTP SAML2 Response payload contain &#13;
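      As an added example (not part of this issue, and not OpenAM or xmlsec code), the check below parses a SAML Response captured at step 5, reports the CR/LF characters inside ds:SignatureValue and ds:X509Certificate, and shows why the distinction between a permissive SP and a strict SP matters. The sample Response is constructed: its Base64 content is 512 arbitrary bytes laid out as 76-character lines ending in &#13; plus a newline, modelled on the output quoted above, not a real certificate or signature.

```python
"""Check a SAML 2.0 Response for line-broken Base64 in its XML Signature.

Added example for OPENAM-13577; it is not OpenAM or xmlsec code. It takes a
Response as captured from the HTTP POST binding (after base64-decoding the
SAMLResponse form field) and reports whether ds:SignatureValue and
ds:X509Certificate contain CR (&#13;) or LF characters, then shows why a
permissive SP accepts such a message while a strict one rejects it.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CHECKED_ELEMENTS = ("SignatureValue", "X509Certificate")


def mime_style_base64(data: bytes) -> str:
    """Constructed model of the broken output: 76-character lines, each ending
    in CR+LF, with the CR written as the &#13; character reference so that it
    survives XML parsing (a literal CR+LF in the input would be normalised
    to a single LF by the parser)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    return "&#13;\n".join(lines)


# Constructed sample payload: 512 arbitrary bytes standing in for the DER
# certificate and the signature value. It is not a real certificate or signature.
SAMPLE_PAYLOAD = bytes(range(256)) * 2

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS_NS}" ID="_constructed" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>{mime_style_base64(SAMPLE_PAYLOAD)}</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{mime_style_base64(SAMPLE_PAYLOAD)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def line_break_report(xml_text: str) -> dict:
    """Return {element: {"cr": n, "lf": n, "lines": n}} for each checked element."""
    root = ET.fromstring(xml_text)  # &#13; is parsed into a real "\r"
    report = {}
    for name in CHECKED_ELEMENTS:
        for elem in root.iter(f"{{{DS_NS}}}{name}"):
            text = elem.text or ""
            report[name] = {
                "cr": text.count("\r"),
                "lf": text.count("\n"),
                "lines": len(text.splitlines()),
            }
    return report


def decode_permissive(b64_text: str) -> bytes:
    """What a tolerant SP (AM itself, per the issue) does: ignore whitespace."""
    return base64.b64decode(b64_text)  # validate=False discards CR/LF


def decode_strict(b64_text: str):
    """What a non-permissive SP does: reject any character outside the
    Base64 alphabet. Returns None instead of raising so callers can compare."""
    try:
        return base64.b64decode(b64_text, validate=True)
    except binascii.Error:
        return None


def audit(xml_text: str) -> list:
    """Human-readable findings; an empty list means the signature block is clean."""
    findings = []
    for name, counts in line_break_report(xml_text).items():
        if counts["cr"] or counts["lf"]:
            findings.append(
                f"ds:{name}: {counts['lines']} lines with {counts['cr']} CR (&#13;) "
                f"and {counts['lf']} LF characters; a strict SP will reject this"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE) or ["clean: Base64 content is a single line"]:
        print(finding)
```

      For a real capture, base64-decode the SAMLResponse form field from the POST body and pass the resulting XML string to audit(). decode_permissive() and decode_strict() take the text of one element and make the page's point concrete: both forms carry the same bytes, so an AM-to-AM federation keeps working, but a validating decoder on the SP side fails on the CR and LF characters.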
      

      Work around

      a) Replace xmlsec-2.1.1.jar with xmlsec-2.1.2.jar, keeping -Dorg.apache.xml.security.ignoreLineBreaks=true set.

      Tested this; it works.

      b) Make sure neither -Dorg.apache.xml.security.ignoreLineBreaks=false nor -Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=false is set (with either of these, xmlsec still emits line breaks). This may not help either, because xmlsec 2.1.1 always adds the line breaks in that case. For a ForgeRock AM-to-AM (IdP/SP) federation this does not cause a problem, as AM can handle the line breaks, but a third-party SP may not accept them. For such a non-permissive SP, check whether setting -Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true or -Dorg.apache.xml.security.ignoreLineBreaks=true changes the outcome.

       

      Code analysis

      Caused by changes in xmlsec; see https://issues.jboss.org/browse/WFLY-9892 and the xmlsec bug https://issues.apache.org/jira/browse/SANTUARIO-482. The fix in xmlsec 2.1.2, together with the ignoreLineBreaks switch, should address the issue.

      Things that need to be done

      Documentation may be needed, or a decision on what to do, so that this option is better known (raise a DOC bug after this).

      People

      • Assignee: Adam Heath (adam.heath)
      • Reporter: C-Weng C (chee-weng.chea)
      • Votes: 0
      • Watchers: 9
