[OPENAM-10330] only one X509Certificate element from Meta data is used for signature validation Created: 05/Jan/17  Updated: 20/Sep/19

Status: Open
Project: OpenAM
Component/s: CLI, SAML
Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Bernhard Thalmayr Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Mac OS X - 10.11.6

java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

Apache Tomcat/8.0.24

OpenAM 13.0.0


Support Ticket IDs:

Description

Configure OpenAM as a SAML IdP and try to import the metadata of a remote SP which includes multiple X509Certificate elements for signing, as described in https://www.w3.org/TR/xmldsig-core/#sec-X509Data.

E.g.

excerpt from SP metadata:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="testSP" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                      ....                 
                    </ds:X509Certificate>
                    <ds:X509Certificate>
                      ....                 
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                      ....                 
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
....

SAML SP-initiated SSO fails with

excerpt from OpenAM Federation debug log:
libSAML2:01/05/2017 02:35:29:922 PM CET: Thread[http-nio-9090-exec-3,5,main]: TransactionId[e0c5ca31-8ab3-4d80-8be0-fc47ff649997-1227]
ERROR: FMSigProvider.verify: The cert contained in the document is NOT trusted
libSAML2:01/05/2017 02:35:29:922 PM CET: Thread[http-nio-9090-exec-3,5,main]: TransactionId[e0c5ca31-8ab3-4d80-8be0-fc47ff649997-1227]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: The signing certificate does not match what's defined in the entity metadata.
        at com.sun.identity.saml2.xmlsig.FMSigProvider.verify(FMSigProvider.java:317)
        at com.sun.identity.saml2.protocol.impl.RequestAbstractImpl.isSignatureValid(RequestAbstractImpl.java:313)
        at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:182)
        at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:233)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:142)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:102)
        at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:176)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)

However, the root cause is that com.sun.identity.saml2.key.KeyUtil.getVerificationCerts(RoleDescriptorType roleDescriptor, String entityID, String role) does not extract both certificates, but only one.



Comments
Comment by Peter Major [X] (Inactive) [ 05/Jan/17 ]

As long as OpenAM extracted the certificate with "signing" use, the implementation is correct.

Comment by Bernhard Thalmayr [ 12/Jan/17 ]

Workaround: instead of specifying multiple certificates via the X509Certificate element, as mentioned in the XML-Signature spec, multiple <KeyDescriptor use="signing"> elements can be used, as mentioned in the SAML metadata spec.

However, I still have the feeling both ways should be possible.
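
As an added illustration (not OpenAM's code), the following Python collects every signing certificate an SP's metadata declares, whichever of the two layouts discussed in this issue it uses: several X509Certificate elements inside one X509Data (the XML-Signature form from the description) or several KeyDescriptor use="signing" elements (the workaround). It also treats a KeyDescriptor with no use attribute as valid for signing, which is what the SAML metadata spec defines; the function names, the sample metadata and its base64 "certificates" are constructed here and are not real DER certificates.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata. Certificate bodies are base64 of the ASCII
# strings CERT-A .. CERT-E, stand-ins for real DER certificates.
SAMPLE_METADATA = """<EntityDescriptor entityID="testSP" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVC1B</ds:X509Certificate>
      <ds:X509Certificate>
        Q0VS
        VC1C
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVC1D</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVC1E</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVC1F</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""


def signing_certs(metadata_xml: str, role: str = "SPSSODescriptor") -> list[bytes]:
    """DER bytes of every certificate the role may sign with: all KeyDescriptors
    whose use is "signing" or absent (absent means both uses, per the SAML
    metadata spec) and every X509Certificate inside each of them."""
    root = ET.fromstring(metadata_xml)
    certs: list[bytes] = []
    for kd in root.iterfind(f"md:{role}/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Metadata base64 is routinely wrapped and indented: strip all whitespace.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if der not in certs:
                certs.append(der)
    return certs


def is_trusted_signer(document_cert_der: bytes, trusted: list[bytes]) -> bool:
    """Mirror of the FMSigProvider.verify check: the certificate carried in the
    signed message must be one of the certificates the metadata declares."""
    return document_cert_der in trusted
```

With the sample above, four certificates (A to D) are accepted as signers and the encryption-only certificate E is rejected, which is the behaviour the reporter expects from getVerificationCerts.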

Comment by Peter Major [X] (Inactive) [ 13/Jan/17 ]

Thanks for the comment; sadly, I have overlooked that the first signing KeyDescriptor had 2 X509Certificate elements... According to the saml-dev mailing list, the best solution would be to follow the following profile:
https://wiki.oasis-open.org/security/SAML2MetadataIOP
Section 2.5.1 appears to cover this exact scenario.

Generated at Sat Feb 27 22:03:26 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.