I have a problem with decryption of the received SAML authentication response message.
My app is connected with two IdPs of different types. The first is ForgeRock's OpenAM
and the second is Microsoft's ADFS server.
Both IdPs were provided with the same service provider metadata document that contains the same
certificate public keys for encryption and signing.
Case 01
IdP : OpenAM, ForgeRock
Result : Process properly decryption and response.
Case 02
IdP : ADFS 2.0, Microsoft
Result : Failed decryption with error : CryptographicException, Bad Data.
Is it possible that encryption on the IdP side is different for the same asymmetric key pair?
Or am I getting something wrong?
As I see, there are differences in the EncryptedAssertion xml node. The EncryptionMethod Algorithms are different.
Here are the key nodes.
OpenAM, ForgeRock
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element"
>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
/>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
ADFS 2.0, Microsoft
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=certName</ds:X509IssuerName>
<ds:X509SerialNumber>-18xxxxxx</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue></e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
As I see, there are differences in the encryption methods used. Also, in the second case there is the certificate's alias name and serial number. Also, the serial number has a negative value (maybe because I am using a self-signed certificate).
Thanks,
You get this exception because in the corresponding xml nodes there is no data to decrypt; that's the reason:
<e:CipherData>
<e:CipherValue>No data!!!</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>No data!!!</xenc:CipherValue>
</xenc:CipherData>
Example of how it should be:
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=name, O=Name, S=CA, C=us</ds:X509IssuerName>
<ds:X509SerialNumber>0</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>qSMgmgpO0+1vhdt5wvyhNT+uh3BhmOlFD4IiWTPoj2N90nOUzwEoEkWCuGzHDizxq6rvc5eoikjgcbz5TYFlIX+eizyxcJQFl02t... SOME VALUES HERE=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>RSCxYAMJ7RaD+MtEcnmE9EwLmvDJgTsXx5MOKJYUJiAmQWziSLNolZQYt5xgUPHJaD+co/PoWwifWuobHdClFwBBMR/lAqWAHIQldP+ro ... SOME VALUES HERE=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
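To make the answer's diagnosis mechanical, here is an added checker (not code from the question or the answer) that parses an EncryptedAssertion by namespace URI rather than prefix, so both the OpenAM layout (saml:/xenc:/ds:) and the ADFS layout (default namespace plus e:) are handled. It reports the data and key-transport algorithms, flags empty CipherValue nodes before any decryption is attempted, and warns when the key transport is rsa-1_5. The two sample documents are constructed for this example and carry fake base64 text.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
# rsa-1_5 (PKCS#1 v1.5) key transport is deprecated in XML Encryption 1.1 because of padding-oracle attacks; prefer rsa-oaep-mgf1p.
WEAK_KEY_TRANSPORT = {XENC + "rsa-1_5"}

def _alg(parent):
    m = parent.find(f"{{{XENC}}}EncryptionMethod")
    return m.get("Algorithm") if m is not None else None

def _cipher_value(parent):
    # Only the direct CipherData child, so EncryptedData and EncryptedKey are kept apart.
    cv = parent.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue")
    return (cv.text or "").strip() if cv is not None else ""

def inspect_encrypted_assertion(xml_text):
    """Summarise an EncryptedAssertion and list reasons decryption would fail.
    Matches on namespace URIs, not prefixes, so both layouts in the question work."""
    root = ET.fromstring(xml_text)
    rep = {"data_algorithm": None, "key_algorithm": None, "problems": [], "warnings": []}
    enc_data = next(root.iter(f"{{{XENC}}}EncryptedData"), None)
    if enc_data is None:
        rep["problems"].append("no EncryptedData element")
        return rep
    rep["data_algorithm"] = _alg(enc_data)
    if not _cipher_value(enc_data):
        rep["problems"].append("EncryptedData/CipherValue is empty: nothing to decrypt")
    enc_key = next(enc_data.iter(f"{{{XENC}}}EncryptedKey"), None)
    rep["key_algorithm"] = _alg(enc_key) if enc_key is not None else None
    if enc_key is None or not _cipher_value(enc_key):
        rep["problems"].append("EncryptedKey missing or its CipherValue is empty: session key cannot be unwrapped")
    if rep["key_algorithm"] in WEAK_KEY_TRANSPORT:
        rep["warnings"].append("rsa-1_5 key transport is deprecated; prefer RSA-OAEP")
    return rep

# Constructed sample shaped like the ADFS response in the question: both CipherValues empty.
ADFS_EMPTY = """<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><e:CipherData><e:CipherValue></e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo>
<xenc:CipherData><xenc:CipherValue></xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></EncryptedAssertion>"""

# Constructed OpenAM-style sample (prefixed namespaces) with fake base64 cipher text present.
OPENAM_OK = """<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>a2V5</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>ZGF0YQ==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>"""
```

Running inspect_encrypted_assertion on the ADFS-shaped sample reports two empty CipherValue problems, which is exactly the "Bad Data" case; the OpenAM-shaped sample passes but gets a warning about rsa-1_5.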
Is it possible to create a digital signature for a given xml document using command line in openssl?
Expectation
I'm interested in getting a value from the command line that looks like the one below, extracted from ds:SignatureValue
Signature Method: SHA1 with two transformations applied
ULNmpuKwXwHwqUMybbwnupC/y9WZo8hi0qy9S2GuWxSB8WVEyA7RB6Qy.........hSq5BVw==
Digital signature, for reference only.
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx238f2615-2267-6ee6-efa9-24dd82d85764">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>6okYcbSa3y18LSbOBJTMMWN7/Rs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue> <!-- how to compute this value -->
ULNmpuKwXwHwqUMybbwnupC/y9WZo8hi0qy9S2GuWxSB8WVEyA7RB6Qy.........hSq5BVw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDuDCCAqACCQDpZiKUmwKtZTANBgkqhkiG9w0BAQsFADCBnTEL.......cBnjt9gNFVPaL7+/P+enkq9Vx0thQHUaI+ndr1gpZE=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
I have the keys (public/private) already generated.
My Attempts
openssl dgst -sha1 -sign ../keys/client.pem -out sign.sha1 response.xml
# readable base64
openssl enc -base64 -in sign.sha1 -out sign.sha1.base64
I'm referencing this tutorial https://opensource.com/article/19/6/cryptography-basics-openssl-part-2
I want to call TravelItineraryAddInfo to add a passenger to a PNR, but the API returns the error ENTRY VALID ONLY FOR SUBSCRIBER PNR, ERR.SWS.HOST.ERROR_IN_RESPONSE.
How can I fix this issue?
My request
<TravelItineraryAddInfoRQ xmlns="http://webservices.sabre.com/sabreXML/2011/10" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" TimeStamp="2016-05-17T15:30:00-06:00" Version="2.2.0" ReturnHostCommand="false">
<AgencyInfo>
<Address>
<AddressLine>xxxx</AddressLine>
<CityName>xxx</CityName>
<CountryCode>XX</CountryCode>
<PostalCode>xxxx</PostalCode>
<StateCountyProv StateCode="xx"/>
<StreetNmbr>xx</StreetNmbr>
</Address>
</AgencyInfo>
<CustomerInfo>
<ContactNumbers>
<ContactNumber InsertAfter="0" LocationCode="VN" NameNumber="1.1" Phone="984163620" PhoneUseType="H"/>
</ContactNumbers>
<Email Address="xxx#gmail.com" LanguageOverride="O" NameNumber="1.1" Type="CC"/>
<PersonName Infant="false" NameNumber="1.1" PassengerType="ADT">
<GivenName>Smith</GivenName>
<Surname>TEST</Surname>
</PersonName>
</CustomerInfo>
This is the API response:
<stl:SystemSpecificResults>
<stl:Message>.ENTRY VALID ONLY FOR SUBSCRIBER PNR</stl:Message>
<stl:ShortText>ERR.SWS.HOST.ERROR_IN_RESPONSE</stl:ShortText>
</stl:SystemSpecificResults>
</stl:Error>
I'm trying to get a document from Alfresco 5.2 using the CMIS web services binding (http://server:8080/alfresco/cmisws/cmis?wsdl) and get an error.
Using Wireshark I found that the problem is that Alfresco returns the cmis:item element in the response. But according to the CMIS 1.0 protocol it should not be returned. Why is this happening?
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="0">
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2017-10-06T15:33:27.634Z</wsu:Created>
</wsu:Timestamp>
<wsse:UsernameToken>
<wsse:Username>admin</wsse:Username>
<wsse:Password wsse:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">0000</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns2:getTypeDescendants xmlns:ns2="http://docs.oasis-open.org/ns/cmis/messaging/200908/" xmlns="http://docs.oasis-open.org/ns/cmis/core/200908/">
<ns2:repositoryId>53131d3f-d80b-4964-87d9-08b614fe7861</ns2:repositoryId>
<ns2:depth>-1</ns2:depth>
<ns2:includePropertyDefinitions>false</ns2:includePropertyDefinitions>
</ns2:getTypeDescendants>
</soapenv:Body>
</soapenv:Envelope>
Response(part):
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<getTypeDescendantsResponse xmlns="http://docs.oasis-open.org/ns/cmis/messaging/200908/" xmlns:ns2="http://docs.oasis-open.org/ns/cmis/core/200908/">
<types>
<type xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:cmisTypeItemDefinitionType">
<ns2:id>cmis:item</ns2:id>
<ns2:localName>item</ns2:localName><ns2:localNamespace>http://www.alfresco.org/model/cmis/1.0/cs01</ns2:localNamespace>
<ns2:displayName>Item Type</ns2:displayName>
<ns2:queryName>cmis:item</ns2:queryName>
<ns2:description>CMIS Item</ns2:description>
<ns2:baseId>cmis:item</ns2:baseId>
<ns2:creatable>false</ns2:creatable>
<ns2:fileable>false</ns2:fileable>
<ns2:queryable>false</ns2:queryable>
<ns2:fulltextIndexed>true</ns2:fulltextIndexed>
<ns2:includedInSupertypeQuery>true</ns2:includedInSupertypeQuery>
<ns2:controllablePolicy>true</ns2:controllablePolicy>
<ns2:controllableACL>true</ns2:controllableACL>
</type>
Is there a SOAP API alternative to the geo-autocomplete that is available in the REST API? Is it EncodeDecodeLLSRQ? If so, it always returns the response below when I try it with the request provided below. I get the same response for the example provided in the doc too.
<EncodeDecodeRS Version="2.0.0" xmlns="http://webservices.sabre.com/sabreXML/2011/10" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stl="http://services.sabre.com/STL/v01">
<stl:ApplicationResults status="NotProcessed">
<stl:Error type="Application" timeStamp="2016-10-26T03:33:02-05:00">
<stl:SystemSpecificResults>
<stl:Message>Unexpected request processing error</stl:Message>
<stl:ShortText>ERR.SWS.PROVIDER.REQUEST_HANDLER_ERROR</stl:ShortText>
</stl:SystemSpecificResults>
</stl:Error>
</stl:ApplicationResults>
</EncodeDecodeRS>
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://schemas.xmlsoap.org/ws/2002/12/secext" xmlns:mes="http://www.ebxml.org/namespaces/messageHeader" xmlns:ns="http://webservices.sabre.com/sabreXML/2011/10">
<soapenv:Header>
<sec:Security>
<sec:BinarySecurityToken>--Token--</sec:BinarySecurityToken>
</sec:Security>
<mes:MessageHeader>
<mes:From>
<mes:PartyId>from</mes:PartyId>
</mes:From>
<mes:To>
<mes:PartyId>ws</mes:PartyId>
</mes:To>
<mes:CPAId>--CPAId--</mes:CPAId>
<mes:ConversationId>eservices#sabre.com</mes:ConversationId>
<mes:Action>EncodeDecodeLLSRQ</mes:Action>
<mes:MessageData>
<mes:MessageId>00000</mes:MessageId>
<mes:Timestamp>233</mes:Timestamp>
</mes:MessageData>
</mes:MessageHeader>
</soapenv:Header>
<soapenv:Body>
<ns:EncodeDecodeRQ Version="2.0.0">
<ns:Encode>
<ns:Address>
<ns:CityName>Atlanta</ns:CityName>
</ns:Address>
</ns:Encode>
</ns:EncodeDecodeRQ>
</soapenv:Body>
</soapenv:Envelope>
I don't think EncodeDecodeLLSRQ was designed to do what you're looking for but it might just work. For example, when entering an incomplete city name, the service will return a list of possible values.
RQ:
<CityName>MONTEV</CityName>
RS:
<Text>MVD MONTEVIDEO, URUGUAY</Text>
<Text>MVE MONTEVIDEO MN, MINNESOTA,USA</Text>
<Text>FMV MONTEVIDEO FLUVIA, URUGUAY</Text>
<Text>VDT MONTEVIDEO TC BUS, URUGUAY</Text>
Do you have access to SOAP API? If so, could you please share the complete RQ to see if there's something wrong there?
I'm pretty new to Java and Mulesoft; I have been working on one POC. It's nothing but capturing the Database Change Notification in Mule, where DB polling cannot be implemented due to performance issues and DataMapper cannot be used. Can anyone suggest the right approach for this? Below is my sample code on which I have been working.
<db:oracle-config name="Oracle_Configuration" host="localhost" port="1521" instance="xe" user="HR" password="hr" doc:name="Oracle Configuration1"/>
<file:connector name="OutPutFile" autoDelete="false" streaming="true" validateConnections="true" doc:name="File" outputAppend="true" outputPattern="#[function:datestamp:dd-MM-yy]_#[function:systime].txt" dynamicNotification="true" writeToDirectory="C:\Users\IBM_ADMIN\MulesoftExamples"/>
<db:oracle-config name="Oracle_Configuration1" url="jdbc:thin.oracle://localhost:1521/HR" doc:name="Oracle Configuration1" transactionIsolation="READ_COMMITTED"/>
<http:request-config name="HTTP_Request_Configuration" host="localhost" port="1521" basePath="alertcapture" doc:name="HTTP Request Configuration"/>
<file:endpoint path="C:\Users\IBM_ADMIN\MulesoftExamples" outputPattern="#[function:datestamp:dd-MM-yy]_#[function:systime].txt" connector-ref="File" name="File" responseTimeout="10000" encoding="UTF-8" doc:name="File"/>
<flow name="alertcaptureFlow">
<poll doc:name="Poll">
<db:select config-ref="Oracle_Configuration" doc:name="ChangeNotify" target="#[flowVars.selectResult]" >
<db:parameterized-query><![CDATA[SELECT * FROM nfevents;]]></db:parameterized-query>
</db:select>
</poll>
<http:request config-ref="HTTP_Request_Configuration" path="/alertcapture/src/main/app" method="GET" doc:name="FetchData"/>
<file:outbound-endpoint path="/alertcapture/src/main/app" outputPattern="#[function:datestamp:dd-MM-yy]_#[function:systime].txt" connector-ref="OutPutFile" responseTimeout="10000" doc:name="Alertcapture" encoding="UTF-8" mimeType="text/xml" ref="File"/>
</flow>