RE: TLS 1.2 support

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

RE: TLS 1.2 support

Martin Gainty
so the  quick answer for TLS Authentication for Axis 2.1.6.2 seems to be "not yet implemented" 

*but* there is a workaround as  SAMLUtilsTest.java displayed below contains logic to trigger 
Holder-of-Key requirement, the message must be signed by a Signature using the Assertion's Subject certificate 
where 
Nota Bene: Holder-of-Key is created in getAssertion method of SAMLUtilsTest

/*
 * Copyright The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.rahas.impl.util;

import junit.framework.Assert;
import junit.framework.TestCase;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.AxisFault;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.Rahas;
import org.apache.rahas.TrustException;
import org.apache.rahas.TrustUtil;
import org.apache.rahas.test.util.AbstractTestCase;
import org.apache.rahas.test.util.TestUtil;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.util.Base64;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml1.core.*;
import org.opensaml.xml.io.MarshallerFactory;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.signature.X509Data;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import java.io.*;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * A test class for SAML 1 Token Issuer.
 */
public class SAMLUtilsTest extends AbstractTestCase {

    private static final Log log = LogFactory.getLog(SAMLUtilsTest.class);


    public void testSignAssertion() throws Exception {

//Build SAML 1.0 Assertion with required attributes (including Subject)
        Assertion assertion = getAssertion();

//Sign SAML assertion based on contents of src/test/resources/crypto.config
//obviously alias of apache and password of password will need to be changed
        SAMLUtils.signAssertion(assertion, TestUtil.getCrypto(), "apache", "password");

        //marshallerFactory.getMarshaller(assertion).marshall(assertion);

//verify SAML 1.0 assertion is valid DOM
        Assert.assertNotNull(assertion.getDOM());
        printElement(assertion.getDOM());

        boolean signatureFound = false;
        int numberOfNodes = assertion.getDOM().getChildNodes().getLength();
        for(int i=0; i < numberOfNodes; ++i) {

            OMElement n = (OMElement)assertion.getDOM().getChildNodes().item(i);

//verify signature is embedded in provided SAML 1.0 assertion
            if (n.getLocalName().equals("Signature")) {
                signatureFound = true;
                break;
            }
        }

        Assert.assertTrue("Signature not found.", signatureFound);
    }

    private Assertion getAssertion() throws Exception{

//create MemberLevel attribute change attrs to suit your Member Level
        Attribute attributeMemberLevel
                = SAMLUtils.createAttribute("MemberLevel", "http://www.oasis.open.org/Catalyst2002/attributes", "gold");

//create email attribute..change these attrs to provided cert owners email
        Attribute email
                = SAMLUtils.createAttribute("E-mail",
                "http://www.oasis.open.org/Catalyst2002/attributes",
                "[hidden email]");

//create X509 Subject ...these attributes need to correspond to actual entry in NameServer (e.g. LDAP)
        NameIdentifier nameIdentifier
                = SAMLUtils.createNamedIdentifier("joe,ou=people,ou=saml-demo,o=baltimore.com",
                                                    NameIdentifier.X509_SUBJECT);

//get X509 Certificate from the specified attrs
        X509Data x509Data = CommonUtil.createX509Data(getTestCertificate());

//extract KeyInfo struct from X509 Certificate
        org.opensaml.xml.signature.KeyInfo keyInfo = SAMLUtils.createKeyInfo(x509Data);

//get Subject from NameIdentifier namedentifier needs to correspond to actual entry in NameServer (e.g. LDAP)
        Subject subject
                = SAMLUtils.createSubject(nameIdentifier, "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key", keyInfo);

//insert MemberLevel, email into AttributeStatement
        AttributeStatement attributeStatement
                = SAMLUtils.createAttributeStatement(subject, Arrays.asList(attributeMemberLevel, email));

//put AttributeStatement into List of AttributeStatements
        List<Statement> statements = new ArrayList<Statement>();
        statements.add(attributeStatement);

//assert URL, DateTime from and DateTime expiry and AttributeStatementList are not null
        Assertion assertion
                = SAMLUtils.createAssertion("www.opensaml.org", new DateTime(),
                new DateTime(2050, 1, 1, 0, 0, 0, 0), statements);

//return the assertion
        return assertion;

    }

/*get the X509 Cert based on
  predefined crypto algo (TestUtil.getCrypto) based on attributes supplied in src/test/resources/crypto.config
  predefined alias of 'apache'
*/
    private static X509Certificate getTestCertificate() throws IOException, WSSecurityException, TrustException {

        Crypto crypto =  TestUtil.getCrypto();

        return CommonUtil.getCertificateByAlias(crypto, "apache");
    }
}

Martin 
______________________________________________




From: [hidden email]
Date: Wed, 24 Aug 2016 13:48:08 +0100
Subject: Re: TLS 1.2 support
To: [hidden email]

WSS4J has some references to TLS in the comments, as security requirements may vary depending on whether a message was received over TLS or not. For example, if a SAML Assertion has a Holder-of-Key requirement, the message must be signed by a Signature using the Assertion's Subject certificate OR client authentication TLS must be used, where the client cert matches that of the SAML Assertion.

However, WSS4J delegates all requirements surrounding how messages are created and received, to the SOAP stack that is is use (CXF/Axis/etc). So if you want information on TLS support, please ask these projects instead.

Colm.

On Wed, Aug 24, 2016 at 1:39 PM, Martin Gainty <[hidden email]> wrote:
MG>axis-rampart 1.6.2 implements <wss4j.version>1.6.4</wss4j.version>

MG>if i grep experimental branch wss4j-1.6.19 

MG>org.apache.ws.security.conversation.dkalgo.P_SHA1.java where P_SHA1 is TLS  V 1.0 implementation?
/**
 *
 <pre>
 P_SHA-1 DEFINITION
 ==================
 <b>P_SHA-1(secret, seed)</b> =
 HMAC_SHA-1(secret, A(1) + seed) +
 HMAC_SHA-1(secret, A(2) + seed) +
 HMAC_SHA-1(secret, A(3) + seed) + ...
 <i>Where + indicates concatenation.</i>
 <br>
 A() is defined as:
 A(0) = seed
 A(i) = HMAC_SHA-1(secret, A(i-1))
 <br>
 <i>Source : RFC 2246 - The TLS Protocol Version 1.0
 Section 5. HMAC and the pseudorandom function</i>
 </pre>
 *
 * @author Ruchith Fernando
 */

MG>org.apache.ws.security.saml.ext.builder.SAML1Constants.java seems to contain authentication definition for RFC 2246 ?
/**
     * The authentication was performed using either the SSL or TLS protocol with certificate 
     * based client authentication. TLS is described in [RFC 2246].
     */
    public static final String AUTH_METHOD_TLS_CLIENT = "urn:ietf:rfc:2246";
MG>Nota Bene: RFC2246 is TLS 1.0


MG>org.apache.ws.security.message.token.UsernameToken seems to implement P_hash function for RFC 2246 (TLS v 1.0)?
    /**
     * P_hash as defined in RFC 2246 for TLS.
     * 
     * @param secret is the key for the HMAC
     * @param seed the seed value to start the generation - A(0)
     * @param mac the HMAC algorithm
     * @param required number of bytes to generate
     * @return a byte array that contains a secret key
     * @throws Exception
     */
    private static byte[] P_hash(
        byte[] secret, 
        byte[] seed, 
        Mac mac, 
        int required
    ) throws Exception {
        byte[] out = new byte[required];
        int offset = 0, tocpy;
        byte[] a, tmp;
        //
        // a(0) is the seed
        //
        a = seed;
        SecretKeySpec key = new SecretKeySpec(secret, "HMACSHA1");
        mac.init(key);
        while (required > 0) {
            mac.update(a);
            a = mac.doFinal();
            mac.update(a);
            mac.update(seed);
            tmp = mac.doFinal();
            tocpy = min(required, tmp.length);
            System.arraycopy(tmp, 0, out, offset, tocpy);
            offset += tocpy;
            required -= tocpy;
        }
        return out;
    }

MG>axis2-1.6.2 has no mention of AUTH_METHOD_TLS_CLIENT

MG>assuming AUTH_METHOD_TLS_CLIENT  (referenced in SAMLTokenProcessor) defined in WSS4J SAML1Constants for TLS v1.0

MG>would copying these RFC-2246  attributes/functions to RFC-5246 equivalents allow TLS V1.2 could be implemented?

MG>Suggestions on implementing TLS V1.2 eagerly solicited



From: [hidden email]
Date: Wed, 24 Aug 2016 09:55:46 +0100
Subject: Re: TLS 1.2 support
To: [hidden email]

Apache WSS4J does not implement TLS at all, it is solely an implementation of the WS-Security standards. Perhaps you want Apache CXF or Axis instead?

Colm.

On Fri, Aug 19, 2016 at 12:06 PM, Amit Lonkar <[hidden email]> wrote:
Anyone who could let me know the answer to the question below ?

Thanks
Amit


On Aug 18, 2016, at 5:16 AM, Martin Gainty <[hidden email]> wrote:


"Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)"

Please honour this question

Thank You,
Martin
______________________________________________ 
 _____ _          _____             _          _____     ___ _                        _____               _     _   _         
|_   _| |_ ___   |  _  |___ ___ ___| |_ ___   |   __|___|  _| |_ _ _ _ ___ ___ ___   |   __|___ _ _ ___ _| |___| |_|_|___ ___ 
  | | |   | -_|  |     | . | .'|  _|   | -_|  |__   | . |  _|  _| | | | .'|  _| -_|  |   __| . | | |   | . | .'|  _| | . |   |
  |_| |_|_|___|  |__|__|  _|__,|___|_|_|___|  |_____|___|_| |_| |_____|__,|_| |___|  |__|  |___|___|_|_|___|__,|_| |_|___|_|_|
                       |_|                                                                                                    




From: [hidden email]
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: [hidden email]

Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)

Thanks
Amit




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com