Tuesday, January 24, 2012
Apache Santuario (XML Security for Java) 1.5.0 released
Apache Santuario (XML Security for Java) 1.5.0 has been released. It can be downloaded here. Please read the release notes (collated from my previous blog entries) if you are planning to upgrade.
Friday, January 13, 2012
Apache Santuario (XML Security for Java) 1.5.0 RC2
I posted a RC1 for Apache Santuario (XML Security for Java) almost a month ago now. Since then, a large number of changes have been made to address some inconsistencies in RC1 as well to add some new functionality. The RC2 release is available here. Please download it and post any issues that are found to the mailing list. The changes compared to the RC1 release (documented here) are as follows:
1) Support for RSA-OAEP key transport algorithms with strong digests
The 1.4.x releases only support using SHA-1 with the RSA-OAEP key transport algorithm for encryption and decryption. The 1.5.0 RC2 release supports stronger digests using the ds:DigestMethod child of xenc:EncrytionMethod. In addition, it fully supports the xenc11:MGF Algorithm as documented in the XML Encryption 1.1 specification.
To test this functionality, all of the XML Encryption 1.1 Key Wrapping test-cases have been implemented, both for encryption and decryption. These tests also serve to better test the support for GCM algorithms in the 1.5.0 release. Support for 192 bit AES-GCM was added as part of this work.
2) Major changes to how Elements are resolved
The release notes for RC1 described how the IdResolver no longer searches the current Document for an Element matching the requested Id in certain "known" namespaces, and instead how it was the responsibility of the user to register Elements by Id in the IdResolver (or via setIdAttributeNS if using the JSR-105 API), if they are required as part of the signature validation process.
In RC2, the static cache of Id->Elements that was maintained in the IdResolver has been removed. Instead, the ResourceResolver implementations that are responsible for resolving same-Document URI references resolve Elements by querying Document.getElementById(). The IdResolver has been deprecated, so that it is no longer possible to register an Element by Id, and the "get" methods simply delegate to the DOM call above.
So what does this mean for the user? The user is now responsible for registering any same-Document Elements by Id, which must be resolved as part of the signature creation/validation process. This can be done in two ways:
A Signature Wrapping attack can occur when a malicious entity duplicates some signed Element in a document, and then modifies the content of the duplicated Element, but keeps the same Id. If the signature validation process only finds the initial Element, then signature validation will pass, and the user might be fooled into thinking that the modified Element has been signed, as it has the same Id as the original validated Element.
The implication of this attack is that it is vital that the user checks that the Elements that were signed correspond to the Elements that he/she expects to be signed. In other words, the Elements that were signed should be located in a specific "known" place in the Document. The best way of facilitating this check is to make sure that the signature validation process returns the Elements that it validated. The JSR-105 API supports this via the "javax.xml.crypto.dsig.cacheReference" boolean property, that can be set on the context.
However, the older XMLSignature, which pre-dates the JSR-105 API, did not include this functionality. This has been fixed in the RC2 release, e.g.:
XMLSignature signature = ...
// Perform validation and then...
SignedInfo signedInfo = signature.getSignedInfo();
for (int i = 0; i < signedInfo.getLength(); i++) {
Reference reference = signedInfo.item(i);
ReferenceData refData = reference.getReferenceData();
....
}
ReferenceData is a new interface that duplicates the way the JSR-105 API returns references. Three different implementations have been provided depending on whether the dereferenced Element is a NodeSet, Element or OctetStream.
Finally, some new functionality has been added when secure validation is enabled, to ensure that when an Element is de-referenced via Document.getElementById() (as described above), no other Element in the tree has an Attribute that is also registered as an Id with the same value. This is done via a tree search, and guarantees that the Element retrieved via the getElementById call is unique in the Document (something that is not guaranteed by the contract of getElementById). However note that another Element could still exist in the tree with a matching Id in another namespace.
1) Support for RSA-OAEP key transport algorithms with strong digests
The 1.4.x releases only support using SHA-1 with the RSA-OAEP key transport algorithm for encryption and decryption. The 1.5.0 RC2 release supports stronger digests using the ds:DigestMethod child of xenc:EncrytionMethod. In addition, it fully supports the xenc11:MGF Algorithm as documented in the XML Encryption 1.1 specification.
To test this functionality, all of the XML Encryption 1.1 Key Wrapping test-cases have been implemented, both for encryption and decryption. These tests also serve to better test the support for GCM algorithms in the 1.5.0 release. Support for 192 bit AES-GCM was added as part of this work.
2) Major changes to how Elements are resolved
The release notes for RC1 described how the IdResolver no longer searches the current Document for an Element matching the requested Id in certain "known" namespaces, and instead how it was the responsibility of the user to register Elements by Id in the IdResolver (or via setIdAttributeNS if using the JSR-105 API), if they are required as part of the signature validation process.
In RC2, the static cache of Id->Elements that was maintained in the IdResolver has been removed. Instead, the ResourceResolver implementations that are responsible for resolving same-Document URI references resolve Elements by querying Document.getElementById(). The IdResolver has been deprecated, so that it is no longer possible to register an Element by Id, and the "get" methods simply delegate to the DOM call above.
So what does this mean for the user? The user is now responsible for registering any same-Document Elements by Id, which must be resolved as part of the signature creation/validation process. This can be done in two ways:
- Using the DOM APIs: Element.setIdAttribute*
- Using the JSR-105 API: DOMCryptoContext.setIdAttributeNS
A Signature Wrapping attack can occur when a malicious entity duplicates some signed Element in a document, and then modifies the content of the duplicated Element, but keeps the same Id. If the signature validation process only finds the initial Element, then signature validation will pass, and the user might be fooled into thinking that the modified Element has been signed, as it has the same Id as the original validated Element.
The implication of this attack is that it is vital that the user checks that the Elements that were signed correspond to the Elements that he/she expects to be signed. In other words, the Elements that were signed should be located in a specific "known" place in the Document. The best way of facilitating this check is to make sure that the signature validation process returns the Elements that it validated. The JSR-105 API supports this via the "javax.xml.crypto.dsig.cacheReference" boolean property, that can be set on the context.
However, the older XMLSignature, which pre-dates the JSR-105 API, did not include this functionality. This has been fixed in the RC2 release, e.g.:
XMLSignature signature = ...
// Perform validation and then...
SignedInfo signedInfo = signature.getSignedInfo();
for (int i = 0; i < signedInfo.getLength(); i++) {
Reference reference = signedInfo.item(i);
ReferenceData refData = reference.getReferenceData();
....
}
ReferenceData is a new interface that duplicates the way the JSR-105 API returns references. Three different implementations have been provided depending on whether the dereferenced Element is a NodeSet, Element or OctetStream.
Finally, some new functionality has been added when secure validation is enabled, to ensure that when an Element is de-referenced via Document.getElementById() (as described above), no other Element in the tree has an Attribute that is also registered as an Id with the same value. This is done via a tree search, and guarantees that the Element retrieved via the getElementById call is unique in the Document (something that is not guaranteed by the contract of getElementById). However note that another Element could still exist in the tree with a matching Id in another namespace.
Apache CXF 2.5.1 STS updates
Last year I wrote a series of blog posts (starting here) documenting the Security Token Service (STS) implementation included as part of Apache CXF 2.5.0. Apache CXF 2.5.1 was released
a few weeks ago, and includes a number of bug fixes and improvements to
the STS. In this post I'll document the more important changes.
1) Support to configure keystores per SAML realm
In CXF 2.5.0 it was possible to sign an issued SAML Token using a different private key per realm, by setting the "signatureAlias" property of the SAMLRealm class. However, the signature alias is used with a single KeyStore, which is shared across all realms. This problem has been fixed in CXF 2.5.1, where it is now possible to also configure a keystore to use per-realm.
2) Support to handle claims per realm
In CXF 2.5.1 support has been added to handle claims per-realm. The ClaimsHandler interface has been updated to so that the current realm and WebServiceContext object are available when retrieving claim values. This means that any custom ClaimsHandler implementation based on CXF 2.5.0 must be updated to reflect the changed method signature.
3) Support validating a token per realm
In CXF 2.5.0 the current realm is ignored when validating a token. In CXF 2.5.1, support has been added to include the current realm when querying a TokenValidator implementation to see if it can "handle" a given token. In addition, all TokenValidator implementations that ship with the STS return a Principal as part of the TokenValidatorResponse object, regardless of whether validation was successful or not.
4) OnBehalfOf Token Validation
In CXF 2.5.0 the responsibility for validating "OnBehalfOf" tokens was delegated to the TokenProvider implementation. In CXF 2.5.1, OnBehalfOf Token Validation has been moved to the TokenIssueOperation, and so OnBehalfOf Tokens are validated for all subsequent TokenProviders. This validation is achieved by querying a list of TokenValidator implementations to see if any can validate the received token. If validation is successful, then the state of the ReceivedToken (VALID, INVALID, NONE) is updated to reflect this. If no TokenValidator implementation exists that can validate the OnBehalfOf token, then the token has a state set to INVALID. Identity Mapping also now applies to the (VALID) OnBehalfOf Token.
5) Support for OnBehalfOf in the SAMLTokenProvider
In CXF 2.5.0, the SAMLTokenProvider can issue a SAML token based on the authenticated principal associated with the request, e.g. the principal associated with the security token in the WS-Security header. It does not support the scenario that a client is requesting a SAML token "OnBehalfOf" another SAML Token, in other words that the principal name associated with the "OnBehalfOf" token is used as the subject name of the issued SAML token. This functionality has been added in CXF 2.5.1.
6) Validate SAML Conditions against the current time
Support has been added to validate the Conditions of a received SAML Token against the current time.
1) Support to configure keystores per SAML realm
In CXF 2.5.0 it was possible to sign an issued SAML Token using a different private key per realm, by setting the "signatureAlias" property of the SAMLRealm class. However, the signature alias is used with a single KeyStore, which is shared across all realms. This problem has been fixed in CXF 2.5.1, where it is now possible to also configure a keystore to use per-realm.
2) Support to handle claims per realm
In CXF 2.5.1 support has been added to handle claims per-realm. The ClaimsHandler interface has been updated to so that the current realm and WebServiceContext object are available when retrieving claim values. This means that any custom ClaimsHandler implementation based on CXF 2.5.0 must be updated to reflect the changed method signature.
3) Support validating a token per realm
In CXF 2.5.0 the current realm is ignored when validating a token. In CXF 2.5.1, support has been added to include the current realm when querying a TokenValidator implementation to see if it can "handle" a given token. In addition, all TokenValidator implementations that ship with the STS return a Principal as part of the TokenValidatorResponse object, regardless of whether validation was successful or not.
4) OnBehalfOf Token Validation
In CXF 2.5.0 the responsibility for validating "OnBehalfOf" tokens was delegated to the TokenProvider implementation. In CXF 2.5.1, OnBehalfOf Token Validation has been moved to the TokenIssueOperation, and so OnBehalfOf Tokens are validated for all subsequent TokenProviders. This validation is achieved by querying a list of TokenValidator implementations to see if any can validate the received token. If validation is successful, then the state of the ReceivedToken (VALID, INVALID, NONE) is updated to reflect this. If no TokenValidator implementation exists that can validate the OnBehalfOf token, then the token has a state set to INVALID. Identity Mapping also now applies to the (VALID) OnBehalfOf Token.
5) Support for OnBehalfOf in the SAMLTokenProvider
In CXF 2.5.0, the SAMLTokenProvider can issue a SAML token based on the authenticated principal associated with the request, e.g. the principal associated with the security token in the WS-Security header. It does not support the scenario that a client is requesting a SAML token "OnBehalfOf" another SAML Token, in other words that the principal name associated with the "OnBehalfOf" token is used as the subject name of the issued SAML token. This functionality has been added in CXF 2.5.1.
6) Validate SAML Conditions against the current time
Support has been added to validate the Conditions of a received SAML Token against the current time.
Subscribe to:
Posts (Atom)