Martin Gainty
2016-08-25 17:00:02 UTC
so the quick answer for TLS Authentication for Axis 2.1.6.2 seems to be "not yet implemented"
*but* there is a workaround as SAMLUtilsTest.java displayed below contains logic to trigger Holder-of-Key requirement, the message must be signed by a Signature using the Assertion's Subject certificate where Nota Bene: Holder-of-Key is created in getAssertion method of SAMLUtilsTest
/* * Copyright The Apache Software Foundation. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */
package org.apache.rahas.impl.util;
import junit.framework.Assert;import junit.framework.TestCase;import org.apache.axiom.om.OMElement;import org.apache.axiom.soap.SOAPEnvelope;import org.apache.axis2.AxisFault;import org.apache.commons.logging.Log;import org.apache.commons.logging.LogFactory;import org.apache.rahas.Rahas;import org.apache.rahas.TrustException;import org.apache.rahas.TrustUtil;import org.apache.rahas.test.util.AbstractTestCase;import org.apache.rahas.test.util.TestUtil;import org.apache.ws.security.WSSecurityException;import org.apache.ws.security.components.crypto.Crypto;import org.apache.ws.security.message.WSSecEncryptedKey;import org.apache.ws.security.util.Base64;import org.joda.time.DateTime;import org.opensaml.Configuration;import org.opensaml.saml1.core.*;import org.opensaml.xml.io.MarshallerFactory;import org.opensaml.xml.io.MarshallingException;import org.opensaml.xml.signature.X509Data;import org.w3c.dom.Document;import org.w3c.dom.Element;import org.xml.sax.SAXException;
import javax.xml.namespace.QName;import javax.xml.parsers.DocumentBuilder;import javax.xml.parsers.DocumentBuilderFactory;import javax.xml.parsers.ParserConfigurationException;import javax.xml.transform.OutputKeys;import javax.xml.transform.Transformer;import javax.xml.transform.TransformerException;import javax.xml.transform.TransformerFactory;import javax.xml.transform.dom.DOMSource;import javax.xml.transform.stream.StreamResult;import java.io.*;import java.security.SecureRandom;import java.security.cert.X509Certificate;import java.util.ArrayList;import java.util.Arrays;import java.util.List;
/** * A test class for SAML 1 Token Issuer. */public class SAMLUtilsTest extends AbstractTestCase {
private static final Log log = LogFactory.getLog(SAMLUtilsTest.class);
public void testSignAssertion() throws Exception {
//Build SAML 1.0 Assertion with required attributes (including Subject) Assertion assertion = getAssertion();
//Sign SAML assertion based on contents of src/test/resources/crypto.config//obviously alias of apache and password of password will need to be changed SAMLUtils.signAssertion(assertion, TestUtil.getCrypto(), "apache", "password");
//marshallerFactory.getMarshaller(assertion).marshall(assertion);
//verify SAML 1.0 assertion is valid DOM Assert.assertNotNull(assertion.getDOM()); printElement(assertion.getDOM());
boolean signatureFound = false; int numberOfNodes = assertion.getDOM().getChildNodes().getLength(); for(int i=0; i < numberOfNodes; ++i) {
OMElement n = (OMElement)assertion.getDOM().getChildNodes().item(i);
//verify signature is embedded in provided SAML 1.0 assertion if (n.getLocalName().equals("Signature")) { signatureFound = true; break; } }
Assert.assertTrue("Signature not found.", signatureFound); }
private Assertion getAssertion() throws Exception{
//create MemberLevel attribute change attrs to suit your Member Level Attribute attributeMemberLevel = SAMLUtils.createAttribute("MemberLevel", "http://www.oasis.open.org/Catalyst2002/attributes", "gold");
//create email attribute..change these attrs to provided cert owners email Attribute email = SAMLUtils.createAttribute("E-mail", "http://www.oasis.open.org/Catalyst2002/attributes", "***@yahoo.com");
//create X509 Subject ...these attributes need to correspond to actual entry in NameServer (e.g. LDAP) NameIdentifier nameIdentifier = SAMLUtils.createNamedIdentifier("joe,ou=people,ou=saml-demo,o=baltimore.com", NameIdentifier.X509_SUBJECT);
//get X509 Certificate from the specified attrs X509Data x509Data = CommonUtil.createX509Data(getTestCertificate());
//extract KeyInfo struct from X509 Certificate org.opensaml.xml.signature.KeyInfo keyInfo = SAMLUtils.createKeyInfo(x509Data);
//get Subject from NameIdentifier namedentifier needs to correspond to actual entry in NameServer (e.g. LDAP) Subject subject = SAMLUtils.createSubject(nameIdentifier, "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key", keyInfo);
//insert MemberLevel, email into AttributeStatement AttributeStatement attributeStatement = SAMLUtils.createAttributeStatement(subject, Arrays.asList(attributeMemberLevel, email));
//put AttributeStatement into List of AttributeStatements List<Statement> statements = new ArrayList<Statement>(); statements.add(attributeStatement);
//assert URL, DateTime from and DateTime expiry and AttributeStatementList are not null Assertion assertion = SAMLUtils.createAssertion("www.opensaml.org", new DateTime(), new DateTime(2050, 1, 1, 0, 0, 0, 0), statements);
//return the assertion return assertion;
}
/*get the X509 Cert based on predefined crypto algo (TestUtil.getCrypto) based on attributes supplied in src/test/resources/crypto.config predefined alias of 'apache'*/ private static X509Certificate getTestCertificate() throws IOException, WSSecurityException, TrustException {
Crypto crypto = TestUtil.getCrypto();
return CommonUtil.getCertificateByAlias(crypto, "apache"); }}
Martin ______________________________________________
From: ***@apache.org
Date: Wed, 24 Aug 2016 13:48:08 +0100
Subject: Re: TLS 1.2 support
To: ***@ws.apache.org
WSS4J has some references to TLS in the comments, as security requirements may vary depending on whether a message was received over TLS or not. For example, if a SAML Assertion has a Holder-of-Key requirement, the message must be signed by a Signature using the Assertion's Subject certificate OR client authentication TLS must be used, where the client cert matches that of the SAML Assertion.
However, WSS4J delegates all requirements surrounding how messages are created and received, to the SOAP stack that is is use (CXF/Axis/etc). So if you want information on TLS support, please ask these projects instead.
Colm.
On Wed, Aug 24, 2016 at 1:39 PM, Martin Gainty <***@hotmail.com> wrote:
MG>axis-rampart 1.6.2 implements <wss4j.version>1.6.4</wss4j.version>
MG>if i grep experimental branch wss4j-1.6.19
MG>org.apache.ws.security.conversation.dkalgo.P_SHA1.java where P_SHA1 is TLS V 1.0 implementation?/** * <pre> P_SHA-1 DEFINITION ================== <b>P_SHA-1(secret, seed)</b> = HMAC_SHA-1(secret, A(1) + seed) + HMAC_SHA-1(secret, A(2) + seed) + HMAC_SHA-1(secret, A(3) + seed) + ... <i>Where + indicates concatenation.</i> <br> A() is defined as: A(0) = seed A(i) = HMAC_SHA-1(secret, A(i-1)) <br> <i>Source : RFC 2246 - The TLS Protocol Version 1.0 Section 5. HMAC and the pseudorandom function</i> </pre> * * @author Ruchith Fernando */
MG>org.apache.ws.security.saml.ext.builder.SAML1Constants.java seems to contain authentication definition for RFC 2246 ?/** * The authentication was performed using either the SSL or TLS protocol with certificate * based client authentication. TLS is described in [RFC 2246]. */ public static final String AUTH_METHOD_TLS_CLIENT = "urn:ietf:rfc:2246";MG>Nota Bene: RFC2246 is TLS 1.0
MG>org.apache.ws.security.message.token.UsernameToken seems to implement P_hash function for RFC 2246 (TLS v 1.0)? /** * P_hash as defined in RFC 2246 for TLS. * * @param secret is the key for the HMAC * @param seed the seed value to start the generation - A(0) * @param mac the HMAC algorithm * @param required number of bytes to generate * @return a byte array that contains a secret key * @throws Exception */ private static byte[] P_hash( byte[] secret, byte[] seed, Mac mac, int required ) throws Exception { byte[] out = new byte[required]; int offset = 0, tocpy; byte[] a, tmp; // // a(0) is the seed // a = seed; SecretKeySpec key = new SecretKeySpec(secret, "HMACSHA1"); mac.init(key); while (required > 0) { mac.update(a); a = mac.doFinal(); mac.update(a); mac.update(seed); tmp = mac.doFinal(); tocpy = min(required, tmp.length); System.arraycopy(tmp, 0, out, offset, tocpy); offset += tocpy; required -= tocpy; } return out; }
MG>axis2-1.6.2 has no mention of AUTH_METHOD_TLS_CLIENT
MG>assuming AUTH_METHOD_TLS_CLIENT (referenced in SAMLTokenProcessor) defined in WSS4J SAML1Constants for TLS v1.0
MG>would copying these RFC-2246 attributes/functions to RFC-5246 equivalents allow TLS V1.2 could be implemented?
MG>Suggestions on implementing TLS V1.2 eagerly solicited
From: ***@apache.org
Date: Wed, 24 Aug 2016 09:55:46 +0100
Subject: Re: TLS 1.2 support
To: ***@ws.apache.org
Apache WSS4J does not implement TLS at all, it is solely an implementation of the WS-Security standards. Perhaps you want Apache CXF or Axis instead?
Colm.
On Fri, Aug 19, 2016 at 12:06 PM, Amit Lonkar <***@yahoo.com> wrote:
Anyone who could let me know the answer to the question below ?
ThanksAmit
On Aug 18, 2016, at 5:16 AM, Martin Gainty <***@hotmail.com> wrote:
"Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)"
Please honour this question
Thank You,
Martin
______________________________________________
_____ _ _____ _ _____ ___ _ _____ _ _ _
|_ _| |_ ___ | _ |___ ___ ___| |_ ___ | __|___| _| |_ _ _ _ ___ ___ ___ | __|___ _ _ ___ _| |___| |_|_|___ ___
| | | | -_| | | . | .'| _| | -_| |__ | . | _| _| | | | .'| _| -_| | __| . | | | | . | .'| _| | . | |
|_| |_|_|___| |__|__| _|__,|___|_|_|___| |_____|___|_| |_| |_____|__,|_| |___| |__| |___|___|_|_|___|__,|_| |_|___|_|_|
|_|
From: ***@yahoo.com
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: ***@ws.apache.org
Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)
ThanksAmit
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
*but* there is a workaround as SAMLUtilsTest.java displayed below contains logic to trigger Holder-of-Key requirement, the message must be signed by a Signature using the Assertion's Subject certificate where Nota Bene: Holder-of-Key is created in getAssertion method of SAMLUtilsTest
/* * Copyright The Apache Software Foundation. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */
package org.apache.rahas.impl.util;
import junit.framework.Assert;import junit.framework.TestCase;import org.apache.axiom.om.OMElement;import org.apache.axiom.soap.SOAPEnvelope;import org.apache.axis2.AxisFault;import org.apache.commons.logging.Log;import org.apache.commons.logging.LogFactory;import org.apache.rahas.Rahas;import org.apache.rahas.TrustException;import org.apache.rahas.TrustUtil;import org.apache.rahas.test.util.AbstractTestCase;import org.apache.rahas.test.util.TestUtil;import org.apache.ws.security.WSSecurityException;import org.apache.ws.security.components.crypto.Crypto;import org.apache.ws.security.message.WSSecEncryptedKey;import org.apache.ws.security.util.Base64;import org.joda.time.DateTime;import org.opensaml.Configuration;import org.opensaml.saml1.core.*;import org.opensaml.xml.io.MarshallerFactory;import org.opensaml.xml.io.MarshallingException;import org.opensaml.xml.signature.X509Data;import org.w3c.dom.Document;import org.w3c.dom.Element;import org.xml.sax.SAXException;
import javax.xml.namespace.QName;import javax.xml.parsers.DocumentBuilder;import javax.xml.parsers.DocumentBuilderFactory;import javax.xml.parsers.ParserConfigurationException;import javax.xml.transform.OutputKeys;import javax.xml.transform.Transformer;import javax.xml.transform.TransformerException;import javax.xml.transform.TransformerFactory;import javax.xml.transform.dom.DOMSource;import javax.xml.transform.stream.StreamResult;import java.io.*;import java.security.SecureRandom;import java.security.cert.X509Certificate;import java.util.ArrayList;import java.util.Arrays;import java.util.List;
/** * A test class for SAML 1 Token Issuer. */public class SAMLUtilsTest extends AbstractTestCase {
private static final Log log = LogFactory.getLog(SAMLUtilsTest.class);
public void testSignAssertion() throws Exception {
//Build SAML 1.0 Assertion with required attributes (including Subject) Assertion assertion = getAssertion();
//Sign SAML assertion based on contents of src/test/resources/crypto.config//obviously alias of apache and password of password will need to be changed SAMLUtils.signAssertion(assertion, TestUtil.getCrypto(), "apache", "password");
//marshallerFactory.getMarshaller(assertion).marshall(assertion);
//verify SAML 1.0 assertion is valid DOM Assert.assertNotNull(assertion.getDOM()); printElement(assertion.getDOM());
boolean signatureFound = false; int numberOfNodes = assertion.getDOM().getChildNodes().getLength(); for(int i=0; i < numberOfNodes; ++i) {
OMElement n = (OMElement)assertion.getDOM().getChildNodes().item(i);
//verify signature is embedded in provided SAML 1.0 assertion if (n.getLocalName().equals("Signature")) { signatureFound = true; break; } }
Assert.assertTrue("Signature not found.", signatureFound); }
private Assertion getAssertion() throws Exception{
//create MemberLevel attribute change attrs to suit your Member Level Attribute attributeMemberLevel = SAMLUtils.createAttribute("MemberLevel", "http://www.oasis.open.org/Catalyst2002/attributes", "gold");
//create email attribute..change these attrs to provided cert owners email Attribute email = SAMLUtils.createAttribute("E-mail", "http://www.oasis.open.org/Catalyst2002/attributes", "***@yahoo.com");
//create X509 Subject ...these attributes need to correspond to actual entry in NameServer (e.g. LDAP) NameIdentifier nameIdentifier = SAMLUtils.createNamedIdentifier("joe,ou=people,ou=saml-demo,o=baltimore.com", NameIdentifier.X509_SUBJECT);
//get X509 Certificate from the specified attrs X509Data x509Data = CommonUtil.createX509Data(getTestCertificate());
//extract KeyInfo struct from X509 Certificate org.opensaml.xml.signature.KeyInfo keyInfo = SAMLUtils.createKeyInfo(x509Data);
//get Subject from NameIdentifier namedentifier needs to correspond to actual entry in NameServer (e.g. LDAP) Subject subject = SAMLUtils.createSubject(nameIdentifier, "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key", keyInfo);
//insert MemberLevel, email into AttributeStatement AttributeStatement attributeStatement = SAMLUtils.createAttributeStatement(subject, Arrays.asList(attributeMemberLevel, email));
//put AttributeStatement into List of AttributeStatements List<Statement> statements = new ArrayList<Statement>(); statements.add(attributeStatement);
//assert URL, DateTime from and DateTime expiry and AttributeStatementList are not null Assertion assertion = SAMLUtils.createAssertion("www.opensaml.org", new DateTime(), new DateTime(2050, 1, 1, 0, 0, 0, 0), statements);
//return the assertion return assertion;
}
/*get the X509 Cert based on predefined crypto algo (TestUtil.getCrypto) based on attributes supplied in src/test/resources/crypto.config predefined alias of 'apache'*/ private static X509Certificate getTestCertificate() throws IOException, WSSecurityException, TrustException {
Crypto crypto = TestUtil.getCrypto();
return CommonUtil.getCertificateByAlias(crypto, "apache"); }}
Martin ______________________________________________
From: ***@apache.org
Date: Wed, 24 Aug 2016 13:48:08 +0100
Subject: Re: TLS 1.2 support
To: ***@ws.apache.org
WSS4J has some references to TLS in the comments, as security requirements may vary depending on whether a message was received over TLS or not. For example, if a SAML Assertion has a Holder-of-Key requirement, the message must be signed by a Signature using the Assertion's Subject certificate OR client authentication TLS must be used, where the client cert matches that of the SAML Assertion.
However, WSS4J delegates all requirements surrounding how messages are created and received, to the SOAP stack that is is use (CXF/Axis/etc). So if you want information on TLS support, please ask these projects instead.
Colm.
On Wed, Aug 24, 2016 at 1:39 PM, Martin Gainty <***@hotmail.com> wrote:
MG>axis-rampart 1.6.2 implements <wss4j.version>1.6.4</wss4j.version>
MG>if i grep experimental branch wss4j-1.6.19
MG>org.apache.ws.security.conversation.dkalgo.P_SHA1.java where P_SHA1 is TLS V 1.0 implementation?/** * <pre> P_SHA-1 DEFINITION ================== <b>P_SHA-1(secret, seed)</b> = HMAC_SHA-1(secret, A(1) + seed) + HMAC_SHA-1(secret, A(2) + seed) + HMAC_SHA-1(secret, A(3) + seed) + ... <i>Where + indicates concatenation.</i> <br> A() is defined as: A(0) = seed A(i) = HMAC_SHA-1(secret, A(i-1)) <br> <i>Source : RFC 2246 - The TLS Protocol Version 1.0 Section 5. HMAC and the pseudorandom function</i> </pre> * * @author Ruchith Fernando */
MG>org.apache.ws.security.saml.ext.builder.SAML1Constants.java seems to contain authentication definition for RFC 2246 ?/** * The authentication was performed using either the SSL or TLS protocol with certificate * based client authentication. TLS is described in [RFC 2246]. */ public static final String AUTH_METHOD_TLS_CLIENT = "urn:ietf:rfc:2246";MG>Nota Bene: RFC2246 is TLS 1.0
MG>org.apache.ws.security.message.token.UsernameToken seems to implement P_hash function for RFC 2246 (TLS v 1.0)? /** * P_hash as defined in RFC 2246 for TLS. * * @param secret is the key for the HMAC * @param seed the seed value to start the generation - A(0) * @param mac the HMAC algorithm * @param required number of bytes to generate * @return a byte array that contains a secret key * @throws Exception */ private static byte[] P_hash( byte[] secret, byte[] seed, Mac mac, int required ) throws Exception { byte[] out = new byte[required]; int offset = 0, tocpy; byte[] a, tmp; // // a(0) is the seed // a = seed; SecretKeySpec key = new SecretKeySpec(secret, "HMACSHA1"); mac.init(key); while (required > 0) { mac.update(a); a = mac.doFinal(); mac.update(a); mac.update(seed); tmp = mac.doFinal(); tocpy = min(required, tmp.length); System.arraycopy(tmp, 0, out, offset, tocpy); offset += tocpy; required -= tocpy; } return out; }
MG>axis2-1.6.2 has no mention of AUTH_METHOD_TLS_CLIENT
MG>assuming AUTH_METHOD_TLS_CLIENT (referenced in SAMLTokenProcessor) defined in WSS4J SAML1Constants for TLS v1.0
MG>would copying these RFC-2246 attributes/functions to RFC-5246 equivalents allow TLS V1.2 could be implemented?
MG>Suggestions on implementing TLS V1.2 eagerly solicited
From: ***@apache.org
Date: Wed, 24 Aug 2016 09:55:46 +0100
Subject: Re: TLS 1.2 support
To: ***@ws.apache.org
Apache WSS4J does not implement TLS at all, it is solely an implementation of the WS-Security standards. Perhaps you want Apache CXF or Axis instead?
Colm.
On Fri, Aug 19, 2016 at 12:06 PM, Amit Lonkar <***@yahoo.com> wrote:
Anyone who could let me know the answer to the question below ?
ThanksAmit
On Aug 18, 2016, at 5:16 AM, Martin Gainty <***@hotmail.com> wrote:
"Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)"
Please honour this question
Thank You,
Martin
______________________________________________
_____ _ _____ _ _____ ___ _ _____ _ _ _
|_ _| |_ ___ | _ |___ ___ ___| |_ ___ | __|___| _| |_ _ _ _ ___ ___ ___ | __|___ _ _ ___ _| |___| |_|_|___ ___
| | | | -_| | | . | .'| _| | -_| |__ | . | _| _| | | | .'| _| -_| | __| . | | | | . | .'| _| | . | |
|_| |_|_|___| |__|__| _|__,|___|_|_|___| |_____|___|_| |_| |_____|__,|_| |___| |__| |___|___|_|_|___|__,|_| |_|___|_|_|
|_|
From: ***@yahoo.com
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: ***@ws.apache.org
Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)
ThanksAmit
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com