-
1. Re: Need an Holder-Of-Key Subject Confirmation
sguilhen May 11, 2010 3:55 PM (in response to vivek_biswas)
Hi Vivek,
A. You don't have to do anything at all. If the request contains a key type, then the STS is automatically going to generate a proof-of-possession token that will be included in your SubjectConfirmation and the SAML assertion will use the holder-of-key confirmation method.
B. It depends. What kind of info is that? Symmetric or Public (aka certificate)?
Stefan
-
2. Re: Need an Holder-Of-Key Subject Confirmation
vivek_biswas May 11, 2010 4:01 PM (in response to sguilhen)
Great, thanks Stefan for answering question A.
Regarding Question B. The info is a Public Key Certificate
-Vivek Biswas
-
3. Re: Need an Holder-Of-Key Subject Confirmation
vivek_biswas May 11, 2010 6:07 PM (in response to vivek_biswas)
And by passing useKey with the public certificate and setting the keytype to "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey", I got the holder-of-key working. Thanks Stefan once again.
-Vivek Biswas
-
4. Re: Need an Holder-Of-Key Subject Confirmation
sguilhen May 12, 2010 9:45 AM (in response to vivek_biswas)
Hi Vivek,
It's great to learn that it worked for you. I just realized I need to include a test case with Public Key Certificates. I'll add a doc later to show how to get an assertion with holder-of-key confirmation.
Just out of curiosity, did you put the whole certificate in the UseKey element or just the Public Key? I think it is possible to do both and I may need to improve the request handler a little bit to be more friendly when a public key is supplied.
Cheers,
Stefan
-
5. Re: Need an Holder-Of-Key Subject Confirmation
vivek_biswas May 12, 2010 12:53 PM (in response to sguilhen)
Hi Stefan,
Here is a code snippet that will help you jumpstart writing your UnitTest case.
```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
import org.picketlink.identity.federation.ws.trust.UseKeyType;

// 'request' is the RequestSecurityToken being built. The PicketLink imports
// above are assumed from the 1.x package layout; adjust to your version.

// Setting the Key Type
URI uri = new URI(WSTrustConstants.KEY_TYPE_PUBLIC);
request.setKeyType(uri);

// Setting the public certificate: load the X.509 certificate from disk
InputStream inStream = new FileInputStream("my_public_cert.cer");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);

// Wrap the DER-encoded certificate in an xmldsig X509Certificate element and put it in UseKey
org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory factory = new org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory();
UseKeyType useKeyType = new UseKeyType();
useKeyType.setAny(factory.createX509DataTypeX509Certificate(cert.getEncoded()));
request.setUseKey(useKeyType);
inStream.close();
```
Here is the output:

```xml
<ns4:UseKey><ns6:X509Certificate xmlns:ns6="http://www.w3.org/2000/09/xmldsig#">.........MIII1MjE0MDM2ChMKQdggEiMA0GCSqcXmP</ns6:X509Certificate></ns4:UseKey>
```

This X509 certificate then gets set in the Subject/SubjectConfirmationData:

```xml
<SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'>
  <SubjectConfirmationData xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:type='KeyInfoConfirmationDataType'>
    <ns3:KeyInfo>
      <ns6:X509Certificate xmlns:ns6='http://www.w3.org/2000/09/xmldsig#'>.......MIII1MjE0MDM2ChMKQdggEiMA0GCSqcXmP........</ns6:X509Certificate>
    </ns3:KeyInfo>
  </SubjectConfirmationData>
</SubjectConfirmation>
```
This is exactly what I wanted. And I believe your request handler is perfect to do the requisite work.
Cheers
Vivek
-
6. Re: Need an Holder-Of-Key Subject Confirmation
sguilhen May 12, 2010 2:31 PM (in response to vivek_biswas)
Hi Vivek,
thanks for the test code. I'll update the STS testsuite to include it.
Regarding the certificate, I tried to make the request handler as flexible as possible so that any kind of content could be provided in the UseKey element. However, I was taking a look at the xmldsig schema and it looks like we are missing an X509Data element between KeyInfo and the X509Certificate. So perhaps instead of

```xml
<ns3:KeyInfo> <ns3:X509Certificate ...>.....</ns3:X509Certificate> </ns3:KeyInfo>
```

we should have

```xml
<ns3:KeyInfo> <ns3:X509Data> <ns3:X509Certificate...>...</ns3:X509Certificate> </ns3:X509Data> </ns3:KeyInfo>
```

So maybe I should check the content of UseKey and, if an X509Certificate is found, create an X509Data to hold it before inserting it into the KeyInfo.
Stefan
-
7. Re: Need an Holder-Of-Key Subject Confirmation
vivek_biswas May 12, 2010 3:36 PM (in response to sguilhen)
Hi Stefan,
Good catch. We absolutely need the element <ns3:X509Data> after <ns3:KeyInfo>.
Is there any ETA on when we can get this fixed, so that I can align this with my project plan?
Cheers
Vivek Biswas
-
8. Re: Need an Holder-Of-Key Subject Confirmation
sguilhen May 12, 2010 5:19 PM (in response to vivek_biswas)
Hi Vivek,
I'll fix this and include a test case showing how to use a certificate and a public key as proof-of-possession tokens. I think we can release picketlink CR4 next week but once I fix this issue I can attach a snapshot jar in this thread so you can test and use it until we perform the release.
Cheers,
Stefan
-
9. Re: Need an Holder-Of-Key Subject Confirmation
vivek_biswas May 12, 2010 5:22 PM (in response to sguilhen)
Hi Stefan,
Perfect. Works for me.
Cheers
Vivek
-
10. Re: Need an Holder-Of-Key Subject Confirmation
sguilhen May 12, 2010 5:29 PM (in response to vivek_biswas)
I've created a Jira for this: https://jira.jboss.org/jira/browse/PLFED-71
-
11. Re: Need an Holder-Of-Key Subject Confirmation
sguilhen May 19, 2010 2:26 PM (in response to vivek_biswas)
Hi Vivek,
I've fixed this issue and now certificates are inserted in an X509Data element inside the KeyInfo. I'm attaching the current picketlink-fed.jar snapshot so you can try it.
Just a side note: when adding your certificate to the UseKey section of the WS-Trust request you should first encode it using Base64 encoding. According to the XMLDSig specification, the contents of the X509Certificate element should be represented using Base64 encoding. We have an org.picketlink.identity.federation.core.util.Base64 class that you can use to achieve that:

```java
import java.security.cert.Certificate;
import javax.xml.bind.JAXBElement;

import org.picketlink.identity.federation.core.util.Base64;
import org.picketlink.identity.federation.ws.trust.UseKeyType;

// 'request' is the RequestSecurityToken being built (imports assumed from the 1.x package layout).
// create a X509Certificate element with the Base64-encoded certificate.
Certificate certificate = ....;
byte[] base64EncodedCert = Base64.encodeBytes(certificate.getEncoded()).getBytes();
JAXBElement<byte[]> certElement = new org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory()
        .createX509DataTypeX509Certificate(base64EncodedCert);

// insert the encoded certificate into the UseKey element and set UseKey in the request.
UseKeyType useKey = new UseKeyType();
useKey.setAny(certElement);
request.setUseKey(useKey);
```
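A relying-party check of the assertion layout this thread settles on (KeyInfo/X509Data/X509Certificate with Base64 content, from posts 5, 6 and 11), as an added example that is not part of the thread or of PicketLink. It uses only the Python standard library; the assertion and the certificate bytes are constructed stand-ins, not real SAML or DER data.

```python
import base64
import binascii
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def extract_hok_certificate(assertion_xml: str) -> bytes:
    """Return the DER bytes of the holder-of-key certificate, or raise ValueError."""
    root = ET.fromstring(assertion_xml)
    hok = [c for c in root.iter(f"{{{SAML}}}SubjectConfirmation") if c.get("Method") == HOK]
    if len(hok) != 1:
        raise ValueError("expected exactly one holder-of-key SubjectConfirmation")
    data = hok[0].find(f"{{{SAML}}}SubjectConfirmationData")
    if data is None:
        raise ValueError("holder-of-key confirmation without SubjectConfirmationData")
    # XMLDSig layout: KeyInfo > X509Data > X509Certificate. A bare X509Certificate
    # directly under KeyInfo (the pre-PLFED-71 output) is rejected here.
    cert_el = data.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert_el is None:
        raise ValueError("no KeyInfo/X509Data/X509Certificate in confirmation data")
    # XMLDSig content is Base64: drop whitespace, then decode strictly.
    text = "".join((cert_el.text or "").split())
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("X509Certificate content is not valid Base64") from exc

def presenter_holds_key(assertion_xml: str, presenter_cert_der: bytes) -> bool:
    """True only if the asserted certificate equals the one the presenter proved it holds."""
    try:
        asserted = extract_hok_certificate(assertion_xml)
    except ValueError:
        return False
    return hmac.compare_digest(asserted, presenter_cert_der)

# Constructed sample, not a real certificate: stand-in DER bytes and an assertion
# laid out the way the fixed STS emits it (KeyInfo/X509Data/X509Certificate).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a constructed stand-in for a DER certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML}" xmlns:ds="{DS}">
  <Subject><NameID>vivek</NameID>
    <SubjectConfirmation Method="{HOK}">
      <SubjectConfirmationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {SAMPLE_CERT_B64}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </SubjectConfirmationData></SubjectConfirmation></Subject></Assertion>"""
```

Matching the certificate is only half of holder-of-key: the presenter must also have demonstrated possession of the corresponding private key (for example through TLS client authentication or a message signature) before the assertion is accepted.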
-
12. Re: Need an Holder-Of-Key Subject Confirmation
vivek_biswas May 19, 2010 3:27 PM (in response to sguilhen)
Hi Stefan,
Thanks for doing the fix.
Cheers
Vivek