
I have my own STS using the Geneva framework. There is an endpoint with MutualCertificateBinding, configured as follows:

  • Using AsymmetricSecurityBindingElement
  • ProtectionLevel is Sign
  • Over https

I have copied part of its WSDL below for reference:

<sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:Policy>
        <sp:InitiatorToken>
            <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <sp:WssX509V3Token10/>
                    </wsp:Policy>
                </sp:X509Token>
            </wsp:Policy>
        </sp:InitiatorToken>
        <sp:RecipientToken>
            <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                    <wsp:Policy>
                        <sp:WssX509V3Token10/>
                    </wsp:Policy>
                </sp:X509Token>
            </wsp:Policy>
        </sp:RecipientToken>
        ...
</sp:AsymmetricBinding>

I have made a C# client application that negotiates a security token from mySTS with an asymmetric key; UseKey is an X509Certificate. It works just fine.

I have also made a Java servlet that calls mySTS directly to issue a token. It uses the PublicKey key type, and UseKey is set on the RST manually as an X509 certificate. It also works just fine, with the following code snippet:

// Generated JAX-WS client for the STS; the endpoint is selected by its WSDL binding name
SecurityTokenService sts = new SecurityTokenService(new URL(Constant.StsMexEndpointAddress));
IWSTrust13Sync stsService = sts.getMutualCertificateWithMessageSecurityBindingIWSTrust13Sync();

// Build the RST; each child element goes into the wst:RequestSecurityToken "any" list
RequestSecurityTokenType rst = new RequestSecurityTokenType();
rst.getAny().add(getRequestTypeElement());
rst.getAny().add(getTokenTypeElement());
rst.getAny().add(getKeyTypeElement());
rst.getAny().add(getApplyToElement());
rst.getAny().add(getUseKeyElement());

// Send the Issue request to the STS
token = stsService.trust13Issue(rst);

public static Element getUseKeyElement(){
    // code to generate the UseKey element manually; it is a BinarySecurityToken
}

Our client uses another Java servlet that calls a Java service secured by mySTS. Metro handles the STS call automatically; below is how the Java service is configured (using STS Issued Endorsing Token):

  • TokenType: 2.0
  • KeyType: public
  • KeySize: 256

Below is the code snippet that calls the Java service:

STSIssuedTokenConfiguration config = new MySTSIssuesTokenConfiguration();
STSIssuedTokenFeature feature = new STSIssuedTokenFeature(config);

//Initialize UserContext service with STS configuration above
Service_Service service = new Service_Service();
Service stub = service.getServicePort(new WebServiceFeature[]{feature});
stub.ping();

The STS throws an exception when trying to resolve the UseKey element. It looks like this:

Handling an exception. Exception details: System.IdentityModel.Protocols.WSTrust.InvalidRequestException: ID3092: The specified UseKey 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = RsaKeyIdentifierClause(Modulus = sH/OHZwDUBExFgbLTslliY4xH3jP63vQ1F3yKxwjcK3jfYeiM3IC6ag6RARLMdX3emhjMu2djCt+/eTB9nq2yMs51kesev23yfywjIkcpZI5c1yb3wL7I+Fh+aa+bDqo0VNjoCeHlevjTVxc82l+q5iPkTZJ7rfe+jZUfZNl+D8=, Exponent = AQAB)
    )
' cannot be resolved to a token that would prove the client's possession of the private key.
   at System.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.ReadRSTXml(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
   at System.IdentityModel.Protocols.WSTrust.WSTrust13RequestSerializer.ReadXmlElement(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context)
   at System....

I have tried to compare the 2 messages sent from the 2 Java servlets. One is generated programmatically and sent by my servlet; the other is generated by Metro and sent by my client's servlet. The only difference I can see is the UseKey element. The one of mine that works well:

<UseKey>
  <BinarySecurityToken:BinarySecurityToken
      xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:BinarySecurityToken="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:d5p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDCTCCAfGgAw.....25C057w==
  </BinarySecurityToken:BinarySecurityToken>
</UseKey>

The one from my client that does not work (generated by the Metro framework):

<trust:UseKey>
  <ns10:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyValue>
      <RSAKeyValue>
        <Modulus>sH/OHZwDUBExFgbLTsll...rfe+jZUfZNl+D8=</Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue>
    </KeyValue>
  </ns10:KeyInfo>
</trust:UseKey>

As far as I can see, it failed because the STS cannot resolve the UseKey element, which is an RSA KeyValue, while its UseKeyResolver has only one X509SecurityTokenResolver, initiated from the request's InitiatorToken.

So my questions are:

  1. Is there any way to set UseKey programmatically when calling the Java service?
  2. Is there any way to let the STS resolve the UseKey element?
phuongle
  • Hi, you have tried UseKey with the BinarySecurityToken approach and with the KeyInfo approach. You get the exception "the specified usekey cannot be resolved to a token that would prove the client's possession of the private key" only for the KeyInfo approach and not for the BinarySecurityToken approach. However, I get the same exception for both approaches. Can you please let me know what needs to be set for the BinarySecurityToken element? Is it the certificate text or something else? Also, did you sign the request sent to the STS in some way? How did you make it work using BinarySecurityToken? – Bharath Apr 05 '17 at 12:07
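The following is an added example; it is not code from the question, from Metro, or from the Geneva framework. It assumes the WS-Trust 1.3 namespace for UseKey (the `trust:` and default-namespace prefixes in the two messages above do not show it, but IWSTrust13Sync implies it) and that the certificate passed in is the one the RST is signed with, i.e. the InitiatorToken. It does two things: it builds the BinarySecurityToken form of UseKey that the hand-written servlet sends, which is what the comment asks about (the element text is the base64 of the DER-encoded X.509 certificate, as its ValueType and EncodingType attributes say), and it checks either UseKey form, BinarySecurityToken or ds:KeyInfo/KeyValue/RSAKeyValue, against that certificate's RSA public key. That comparison is the binding the STS reports it cannot establish for the Metro message: a UseKey that cannot be tied to a key the requester proved possession of would have the STS issue a token for a key the requester does not hold, which is why the STS refuses it rather than trusting the bare RSAKeyValue.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.StringReader;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example (not the asker's, Metro's or WIF's code): build and check a wst:UseKey. */
public class UseKeyHelper {

    // Assumption: WS-Trust 1.3 namespace for UseKey; the other URIs are quoted in the question.
    static final String WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    static final String WSSE  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DSIG  = "http://www.w3.org/2000/09/xmldsig#";
    static final String BASE64_ENCODING =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final String X509V3_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

    /** The form the hand-written servlet sends: UseKey wrapping a BinarySecurityToken with the DER certificate. */
    public static Element buildUseKeyWithBinarySecurityToken(X509Certificate cert) throws Exception {
        Document doc = newFactory().newDocumentBuilder().newDocument();
        Element useKey = doc.createElementNS(WST13, "wst:UseKey");
        Element bst = doc.createElementNS(WSSE, "wsse:BinarySecurityToken");
        bst.setAttribute("EncodingType", BASE64_ENCODING);
        bst.setAttribute("ValueType", X509V3_TYPE);
        // Element text is the base64 of the DER encoding, exactly as the ValueType/EncodingType say
        bst.setTextContent(Base64.getEncoder().encodeToString(cert.getEncoded()));
        useKey.appendChild(bst);
        doc.appendChild(useKey);
        return useKey;
    }

    /** Parse a UseKey element received on the wire (e.g. the two messages quoted in the question). */
    public static Element parseUseKey(String xml) throws Exception {
        Document doc = newFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement();
    }

    /**
     * True when the UseKey names the same RSA public key as the certificate the RST was signed with.
     * Handles both forms seen in the question; anything else is refused rather than guessed at.
     */
    public static boolean useKeyMatchesSigner(Element useKey, X509Certificate signer) throws Exception {
        NodeList bsts = useKey.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        if (bsts.getLength() == 1) {
            byte[] der = b64(bsts.item(0).getTextContent());
            X509Certificate presented = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
            return presented.getPublicKey().equals(signer.getPublicKey());
        }
        NodeList rsa = useKey.getElementsByTagNameNS(DSIG, "RSAKeyValue");
        if (rsa.getLength() == 1 && signer.getPublicKey() instanceof RSAPublicKey) {
            Element kv = (Element) rsa.item(0);
            BigInteger n = new BigInteger(1, b64(kv.getElementsByTagNameNS(DSIG, "Modulus").item(0).getTextContent()));
            BigInteger e = new BigInteger(1, b64(kv.getElementsByTagNameNS(DSIG, "Exponent").item(0).getTextContent()));
            RSAPublicKey pk = (RSAPublicKey) signer.getPublicKey();
            return pk.getModulus().equals(n) && pk.getPublicExponent().equals(e);
        }
        return false;
    }

    static DocumentBuilderFactory newFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // An incoming RST is untrusted XML: refuse DTDs so no external entities are ever resolved
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    /** MIME decoder tolerates the line breaks that appear inside base64 text content on the wire. */
    static byte[] b64(String s) {
        return Base64.getMimeDecoder().decode(s.trim());
    }

    public static void main(String[] args) throws Exception {
        // Usage: java UseKeyHelper client-cert.pem   (the certificate the RST is signed with)
        X509Certificate signer = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[0]));
        Element bstForm = buildUseKeyWithBinarySecurityToken(signer);
        System.out.println("BinarySecurityToken UseKey matches signer: " + useKeyMatchesSigner(bstForm, signer));
    }
}
```

Run it with the PEM or DER certificate of the key the RST is signed with. To test the failing message, paste the Metro `trust:UseKey` fragment into `parseUseKey` (with an `xmlns:trust` declaration added for the WS-Trust namespace) and call `useKeyMatchesSigner` with the client's signing certificate: if the modulus and exponent are those of that certificate the check passes, and the remaining gap is on the STS side, which, as the question notes, only consults the X509SecurityTokenResolver built from the InitiatorToken and so never compares a raw RSAKeyValue at all.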

0 Answers