12 Replies. Latest reply: May 19, 2010 3:27 PM by Vivek Biswas

Need an Holder-Of-Key Subject Confirmation

Vivek Biswas Newbie

Hi,

 

  By default, PicketLink does SubjectConfirmation using urn:oasis:names:tc:SAML:2.0:cm:bearer. I need to implement Holder-Of-Key Subject Confirmation, wherein I need to pass my own KeyInfo element. Can you help me with 2 things?

A. How to configure PicketLink STS for Holder-of-Key Subject Confirmation

B. How can I pass my own KeyInfo element which will get set at saml2:Subject\saml2:SubjectConfirmation\keyInfo.

 

Thanks

Vivek Biswas

  • 1. Re: Need an Holder-Of-Key Subject Confirmation
    Stefan Guilhen Apprentice

    Hi Vivek,

     

    A. You don't have to do anything at all. If the request contains a key type, then the STS is automatically going to generate a proof-of-possession token that will be included in your SubjectConfirmation and the SAML assertion will use the holder-of-key confirmation method.

     

    B. It depends. What kind of info is that? Symmetric or Public (aka certificate)?

     

    Stefan

  • 2. Re: Need an Holder-Of-Key Subject Confirmation
    Vivek Biswas Newbie

    Great, thanks Stefan for answering question A.

     

    Regarding Question B. The info is a Public Key Certificate

     

    -Vivek Biswas

  • 3. Re: Need an Holder-Of-Key Subject Confirmation
    Vivek Biswas Newbie

    And by passing UseKey with the public certificate and setting the KeyType to "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey", I got the holder-of-key working. Thanks Stefan once again.

     

    -Vivek Biswas

  • 4. Re: Need an Holder-Of-Key Subject Confirmation
    Stefan Guilhen Apprentice

    Hi Vivek,

     

    It's great to learn that it worked for you. I just realized I need to include a test case with Public Key Certificates. I'll add a doc later to show how to get an assertion with holder-of-key confirmation.

     

    Just out of curiosity, did you put the whole certificate in the UseKey element or just the Public Key? I think it is possible to do both and I may need to improve the request handler a little bit to be more friendly when a public key is supplied.

     

    Cheers,

    Stefan

  • 5. Re: Need an Holder-Of-Key Subject Confirmation
    Vivek Biswas Newbie

    Hi Stefan,

     

      Here is a code snippet that will help you jumpstart writing your unit test case.

    // Imports assumed for the PicketLink 1.0-era package layout; "request" is the
    // RequestSecurityToken being built.
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.net.URI;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
    import org.picketlink.identity.federation.ws.trust.UseKeyType;

    // Setting the Key Type: ask the STS for an assertion bound to a public key
    URI uri = new URI(WSTrustConstants.KEY_TYPE_PUBLIC);
    request.setKeyType(uri);

    // Setting the public certificate: load the X.509 certificate from disk
    InputStream inStream = new FileInputStream("my_public_cert.cer");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
    inStream.close();
    org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory factory =
        new org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory();

    // Wrap the encoded certificate in an X509Certificate element and set it as the UseKey
    UseKeyType useKeyType = new UseKeyType();
    useKeyType.setAny(factory.createX509DataTypeX509Certificate(cert.getEncoded()));
    request.setUseKey(useKeyType);

     

    ----------------------------------------------------------------

    Here is the output:

              <ns4:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</ns4:KeyType>
              <ns4:UseKey>
                 <ns6:X509Certificate xmlns:ns6="http://www.w3.org/2000/09/xmldsig#">.........MIII1MjE0MDM2ChMKQdggEiMA0GCSqcXmP</ns6:X509Certificate>
              </ns4:UseKey>
    ----------------------------------------------------------------
    This X509 certificate then gets set in the Subject/SubjectConfirmationData:

       <SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'>
          <SubjectConfirmationData xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:type='KeyInfoConfirmationDataType'>
             <ns3:KeyInfo>
                <ns6:X509Certificate xmlns:ns6='http://www.w3.org/2000/09/xmldsig#'>.......MIII1MjE0MDM2ChMKQdggEiMA0GCSqcXmP........</ns6:X509Certificate>
             </ns3:KeyInfo>
          </SubjectConfirmationData>
       </SubjectConfirmation>

    ----------------------------------------------------------------

     

    This is exactly what I wanted, and I believe your request handler is perfect to do the requisite work.

     

    Cheers

    Vivek

  • 6. Re: Need an Holder-Of-Key Subject Confirmation
    Stefan Guilhen Apprentice

    Hi Vivek,

     

    Thanks for the test code. I'll update the STS testsuite to include it.

     

    Regarding the certificate, I tried to make the request handler as flexible as possible so that any kind of content could be provided in the UseKey element. However, I was taking a look at the xmldsig schema and it looks like we are missing an X509Data element between KeyInfo and the X509Certificate. So perhaps instead of

     

    <ns3:KeyInfo>
       <ns3:X509Certificate ...>.....</ns3:X509Certificate>
    </ns3:KeyInfo>
    

     

    we should have

     

    <ns3:KeyInfo>
       <ns3:X509Data>
          <ns3:X509Certificate...>...</ns3:X509Certificate>
       </ns3:X509Data>
    </ns3:KeyInfo>
    

     

    So maybe I should check the content of UseKey and, if an X509Certificate is found, create an X509Data to hold it before inserting it into the KeyInfo.

     

    Stefan

  • 7. Re: Need an Holder-Of-Key Subject Confirmation
    Vivek Biswas Newbie

    Hi Stefan,


      Good catch. We absolutely need the element <ns3:X509Data> after <ns3:KeyInfo>.


    Is there any ETA on when we can get this fixed, so that I can align this with my project plan?


    Cheers

    Vivek Biswas


  • 8. Re: Need an Holder-Of-Key Subject Confirmation
    Stefan Guilhen Apprentice

    Hi Vivek,

     

    I'll fix this and include a test case showing how to use a certificate and a public key as proof-of-possession tokens. I think we can release PicketLink CR4 next week, but once I fix this issue I can attach a snapshot jar in this thread so you can test and use it until we perform the release.

     

    Cheers,

    Stefan

  • 9. Re: Need an Holder-Of-Key Subject Confirmation
    Vivek Biswas Newbie

    Hi Stefan,

     

    Perfect. Works for me.

     

    Cheers

    Vivek

  • 11. Re: Need an Holder-Of-Key Subject Confirmation
    Stefan Guilhen Apprentice

    Hi Vivek,

     

    I've fixed this issue and now certificates are inserted in an X509Data element inside the KeyInfo. I'm attaching the current picketlink-fed.jar snapshot so you can try it.

     

    Just a side note: when adding your certificate to the UseKey section of the WS-Trust request you should first encode it using Base64 encoding. According to the XMLDSig specification, the contents of the X509Certificate element should be represented using Base64 encoding. We have an org.picketlink.identity.federation.core.util.Base64 class that you can use to achieve that:

     

    // Imports assumed for the PicketLink 1.0-era package layout; "request" is the
    // RequestSecurityToken being built.
    import java.security.cert.Certificate;
    import javax.xml.bind.JAXBElement;
    import org.picketlink.identity.federation.core.util.Base64;
    import org.picketlink.identity.federation.ws.trust.UseKeyType;

    // create an X509Certificate element with the Base64-encoded certificate.
    Certificate certificate = ....;
    byte[] base64EncodedCert = Base64.encodeBytes(certificate.getEncoded()).getBytes();
    JAXBElement<byte[]> certElement = new org.picketlink.identity.xmlsec.w3.xmldsig.ObjectFactory()
                .createX509DataTypeX509Certificate(base64EncodedCert);

    // insert the encoded certificate into the UseKey element and set UseKey in the request.
    UseKeyType useKey = new UseKeyType();
    useKey.setAny(certElement);
    request.setUseKey(useKey);
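The relying-party side of the holder-of-key flow discussed in replies 1, 5, 6 and 11, as an added example that is not code from this thread or from PicketLink: a Python check that accepts an assertion only when its SubjectConfirmation is holder-of-key and the KeyInfo/X509Data/X509Certificate path (the xmldsig-conformant shape after the X509Data fix) names the certificate the presenter has already proved possession of. The assertion XML and certificate bytes are constructed placeholders, and verification of the assertion's signature is assumed to have happened before this check.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def confirmed_certs(assertion_xml):
    """DER certificates named by holder-of-key SubjectConfirmation elements.
    Only the xmldsig path KeyInfo/X509Data/X509Certificate is accepted; a
    bearer confirmation carries no key and therefore yields nothing."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.iter(f"{{{SAML}}}SubjectConfirmation"):
        if sc.get("Method") != HOK:
            continue
        path = (f"{{{SAML}}}SubjectConfirmationData/{{{DSIG}}}KeyInfo/"
                f"{{{DSIG}}}X509Data/{{{DSIG}}}X509Certificate")
        for el in sc.findall(path):
            # X509Certificate content is Base64; whitespace inside it is allowed
            certs.append(base64.b64decode("".join((el.text or "").split())))
    return certs


def presenter_holds_key(assertion_xml, presenter_der):
    """True only if the certificate the presenter proved possession of (for
    example its TLS client certificate) is one the assertion was issued to."""
    return presenter_der in confirmed_certs(assertion_xml)


# Constructed sample data: a placeholder byte string stands in for a real DER cert.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()


def _assertion(method, key_info):
    return (f'<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DSIG}"><saml:Subject>'
            f'<saml:SubjectConfirmation Method="{method}">'
            f'<saml:SubjectConfirmationData>{key_info}</saml:SubjectConfirmationData>'
            '</saml:SubjectConfirmation></saml:Subject></saml:Assertion>')


# Fixed shape (X509Data wraps X509Certificate), pre-fix flat shape, and plain bearer.
HOK_ASSERTION = _assertion(HOK, "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                           f"{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
FLAT_ASSERTION = _assertion(HOK, f"<ds:KeyInfo><ds:X509Certificate>{FAKE_B64}"
                            "</ds:X509Certificate></ds:KeyInfo>")
BEARER_ASSERTION = _assertion(BEARER, "")
```

The pre-fix flat shape yields no certificate, which is why the X509Data element matters to a strict relying party.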
    
  • 12. Re: Need an Holder-Of-Key Subject Confirmation
    Vivek Biswas Newbie

    Hi Stefan,

     

      Thanks for doing the fix.

     

    Cheers

    Vivek