1SMIME TOOL (merged with ZXID.org project since 2009)
229.10.1999, 17.11.1999, Sampo Kellomaki <sampo@iki.fi>
3
4NOTE: This is still highly experimental code and build system has not been
5 perfected yet. No Windows build is known to exist (contributions?).
6
7OFFICIAL WEB SITE
8 http://zxid.org/Net_SSLeay/smime.html
9
10BUILDING
11
12 (build and install OpenSSL-0.9.4, from www.openssl.org)
13 tar xzf smime-0.7.tgz
14 cd smime-0.7
15 cons smime # get cons from http://www.dsmit.com/cons/
16 cons SMIMEutil.so # build the perl module (optional)
17 ./smime -help # shows quick usage
18 ./smime -dv ../smime-0.7.tgz
19 (cut my certificate and distribution signature from the web
20 site and paste to stdin)
21
22TUTORIAL PART 1: SIGNING AND ENCRYPTING
23
24 First you need to have certicate and private key in pem format. To
25 produce them, use openssl tool or export them from your browser.
26 I illustrate the latter method first, because I'm going to use
27 Netscape browser for interoperability testing later. You can
28 peek at TUTORIAL PART3, Key generation if you need to do this
29 yourself.
30
31 - Go to security info dialog in Netscape browser.
32 - From Certificates-Yours export your certificate (if you
33 don't have a certificate installed yet, read the FAQs and mailing
34 list archieves at www.openssl.org), save it as me.p12. It
35 will ask for password to protect your private key.
36
37 openssl pkcs12 -clcerts <me.p12 >me.pem
38 - it will ask for the password to open your private key and
39 then asks you to invent a new password that will be
40 used to protect your private key in pem format
41
42 more me.pem
43
44 You should see something like this:
45
46Bag Attributes
47 friendlyName: your@email.com
48 localKeyID: F3 85 A8 4B DA 39 B6 40 6B D6 20 01 39 46 6A 94 47 9D 2C 0F
49Key Attributes: <No Attributes>
50-----BEGIN RSA PRIVATE KEY-----
51Proc-Type: 4,ENCRYPTED
52DEK-Info: DES-EDE3-CBC,541E04862A13F6B1
53
548+2vo6Iz49uj/Mf31JTgaRuIq9ueHsknsHXhmXp7s1BmS8xulT22Zzpdh6g1yqAO
55(snip)XeQsZrWykdWvN2qGu/cNa2HnUQAG0p25tNZ3CKmqpJBVg0RXr20JlQ==
56-----END RSA PRIVATE KEY-----
57Bag Attributes
58 friendlyName: your@email.com
59 localKeyID: F3 85 A8 4B DA 39 B6 40 6B D6 20 01 39 46 6A 94 47 9D 2C 0F
60subject=/C=PT/L=City/O=Company/OU=Dept/CN=Your Name/Email=your@email.com
61issuer= /C=PT/L=City/O=Your CA/OU=Personal Certs/CN=End user CA/Email=certifier@ca.com
62-----BEGIN CERTIFICATE-----
63MIIDEzCCAnygAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBlTELMAkGA1UEBhMCUFQx
64(snip)Tj0JYGZMzSUfzOG3wajK6B39d6EyXK8=
65-----END CERTIFICATE-----
66
67 Ok. Now you are all set to use smime tool. First lets create
68 simple mime entity (see RFC1521 for definition):
69
70 echo foo | ./smime -mime text/plain | tee foo.mime
71
72Signing
73 Now, let's sign it:
74
75 ./smime -s me.pem password <foo.mime | tee foo.smime
76
77 And send it:
78
79 ./send.pl 'Sig test' your@email.com your@email.com <foo.smime
80
81 Now go to your email reading software (Netscape Communicator suggested
82 for this exercise) and read the mail you just sent. It should display
83 as signed. In the previous command the second argument is the
84 From: header which must match friendlyname/EMAIL in me.pem
85
86 You can repeat this success using following pipeline:
87
88 echo foo | ./smime -mime text/plain | ./smime -s me.pem password \
89 | ./send.pl 'Sig test' your@email.com your@email.com
90
91 (Note how \ is used for folding the lines. In reality you should
92 type all the stuff in one line.)
93
94Clear signing
95 The previous method produces a base64 blob that you probaly would not
96 like to send to a news group. Clear signing allows mail to be read
97 even if the reader is not S/MIME aware:
98
99 echo foo | ./smime -mime text/plain | ./smime -cs me.pem password \
100 | ./send.pl 'Sig test' your@email.com your@email.com
101
102 Note how the message has "foo" visible. Now go read this with your
103 mail reader. It should also display as signed. If not, then its
104 possible that canonization was not correctly done. That might even
105 be an error in my part.
106
107Encrypting
108 To encrypt you need to know recipient's cert. Here I use our own
109 because its by definition already installed in our browser.
110
111 echo foo | ./smime -mime text/plain | ./smime -e me.pem \
112 | ./send.pl 'Enc test' your@email.com your@email.com
113
114 Now you should be able to read your mail (it may ask for a password
115 to open your private key) and see the message in plain text, but
116 marked as encrypted.
117
118Signing and Encrypting
119 Next we'll first sign a message and then wrap it in encryption. This
120 is the usual way and hides the signatories from eavesdroppers:
121
122 echo foo | ./smime -mime text/plain | ./smime -cs me.pem password \
123 | ./smime -e me.pem | ./send.pl 'test' your@email.com your@email.com
124
125 Again your mail reader should show the message marked as
126 Encrypted and Signed.
127
128Encrypting and Signing
129 The other way is to first encrypt and then sign the encrypted
130 message. This might be useful in some automated context where a robot
131 would verify the signature but the robot should not be allowed to see
132 the message:
133
134 echo foo | ./smime -mime text/plain | ./smime -e me.pem \
135 | ./smime -cs me.pem password \
136 | ./send.pl 'Enc test' your@email.com your@email.com
137
138 Now Netscape shows two icons: one saying "Signed" and placed near
139 the headers. Other icon that says "Encrypted" appears in the
140 content area.
141
142 In fact S/MIME specification allows arbitrary nesting of encryptions
143 and signatures, what ever your application may need.
144
145Multipart content
146 Now for the final part that is not really S/MIME specific, but
147 nice to have. You can first compose a normal mime multipart message,
148 possibly even containing some encrypted components and some not.
149 Try this:
150
151 echo bar | ./smime -m image/gif some.gif \
152 | ./smime -cs me.pem password | ./smime -e me.pem \
153 | ./send.pl 'Enc test' your@email.com your@email.com
154
155 Now you should see signed and encrypted message with an image
156 attached. The multipart functionality implemented by -m is very
157 basic and by no means anything generic. Its only a demonstration.
158
159TUTORIAL PART 2: DECRYPTING AND VERIFYING SIGNATURES
160
161Decrypting
162 To demonstrate decrypting, I'll cut the mail from the loop. Basically
163 I'll demonstrate introperability with myself. If you want to try
164 interoperability with Netscape, you can use Netscape to send mail
165 and grab it from mail spool and then feed it into pipeline. As this
166 is a bit messy and might involve editing the file manually, I
167 wont go into that now. Here's a simple encryption - decryption:
168
169 echo foo | ./smime -mime text/plain | ./smime -e me.pem \
170 | tee foo.p7m | ./smime -d me.pem passwd
171
172 foo wrapped in mime headers should come out. I also used tee(1) to
173 put the encrypted form in a file in case I also want to verify
174 it with Netscape
175
176 ./send.pl 'Enc test' your@email.com your@email.com <foo.p7m
177
178 or in qmail
179
180 /var/qmail/bin/qmail-inject your@email.com < foo.p7m
181
182 This is most convenient method because it allows you to import
183 certificates belonging to others than yourself and still
184 deliver mail to yourself. You want this, because you will soon
185 discover that Netscape can hold in its certificate database
186 only one certificate per email address (or is it distinguished name?)
187 and if that one "slot" is occupied, say, in "People" section, then
188 you can't import it any more to "Yours" section. Hence the solution
189 is to use different email address (and friendly name) every
190 single time.
191
192Verifying signature
193 Due to somewhat incomplete nature of OpenSSL-0.9.4 PKCS7 signature
194 verification code, I have implemented my own signature verfication
195 scheme that works in five steps
196
197 1. find out who signed the message
198 2. verify message signature using signer's certificate
199 3. find out who certified the signer's certificate
200 4. verify signer's cert using certifier's cert
201 5. repeat 3. & 4. until at root of the chain
202
203 This has the advantage that there are less obscure stuff and
204 assumptions hidden inside the program, i.e. user must understand
205 what signature and certificate verification is all about and
206 you get to observe every step of the way. The down side is that
207 its less automatic. In my particular application this does not
208 happen to be a problem because I have out of band information
209 about who is supposed to have signed what.
210
211 Here we go: lets produce a signature to play with
212
213 echo foo | ./smime -mime text/plain | tee foo.mime \
214 | ./smime -s me.pem password | tee foo.p7m
215
216 Now see who signed it
217
218 ./smime -qs < foo.p7m
219
220 Now I assume that I have some way of finding the certificate using
221 the issuer DN and serial number returned in the previous step. These
222 two pieces of information constitute unique ID for a certificate.
223 Perhaps I keep my certs in LDAP or some other database. Anyway,
224 assume the certificate is found, then
225
226 ./smime -v me.pem <foo.p7m | tee foo2.mime
227 diff foo.mime foo2.mime # just to check!
228
229 Note that diff may show white space differences (try diff -b) because
230 line endings in your mime message were canonized to CRLF for signing.
231 This is mandated by S/MIME specification.
232
233 Now proceed with verifying the certificate:
234
235 ./smime -qc <me.pem
236
237 Now out of band means are used to find the signer's certificate. Then
238 to check that the signature matches:
239
240 ./smime -vc ca.pem <me.pem
241
242Verifying clear signature
243 (does not currently work :-(
244
245Under construction: chain verification (does not currently work)
246 mkdir certs
247 cd certs
248 cp ../me.pem .
249 ../hash-certs.pl *.pem
250 cd ..
251 echo foo | ./smime -mime text/plain | ./smime -s me.pem password \
252 | ./smime -v
253
254TUTORIAL PART 3: A KEY GENERATION METHOD
255
256Bootstrapping a simple public key infrastructure
257
258 Suppose entity M is funding projects and needs to have all project
259 leaders (Ps) sign a contract specifying responsibilities. M
260 distributes a simple application that incorporates the smime tool. Ps
261 use the application to sign the contracts and send them electronically
262 to M. If irregularities develop, M sues P to court and uses the
263 digitally signed contract as evidence. For this to work
264
265 I. M must convince the court that the system does not have
266 technical flaws that could work in his favor. This proof
267 is much easier with digital signatures than with systems
268 that depend on procedural integrity (e.g. passwords over
269 SSL protected connection may prove at the moment the
270 intention of P, but when document is recovered from backup
271 10 years later, all procedural proofs vanish)
272
273 II. P's signature must be as valid as paper and ink
274 1. P's real world identity must be connected to
275 digital signature
276 2. P must have understood what it means to sign
277 contract digitally
278 3. P must have sufficient integrity or the system
279 must technically guarantee that P's private
280 key could not have been used by any one else
281 4. P must have acted by free will and in full powers
282 of mind
283 5. law must not prohibit digital signature
284
285 M needs to establish a simple public key infrastructure. I propose
286 that the application generates key pairs for P's and sends
287 certification requests, further, it also prints the certification
288 request in paper form including,
289
290 - fingerprint of public key (as number and as bar code)
291 - full dump of public key and all attributes appearing
292 in the certification request
293 - legal language to guarantee 2. & 3. (on point 3 we rely
294 on integrity)
295 - details of conventional identification of P
296 - space for signature
297
298 With this paper P goes to some commonly agreed and trustworthy
299 notary. This could be notary public or it could be some trusted
300 administrative organ in P's organization. It could even be M, but
301 that would cause a bureaucracy bottle neck at M, and hence increase
302 costs of the solution.
303
304 P signs the paper and proves his identity in presence of the notary
305 who confirms the act. The paper is sent to M. This takes care of
306 1. and 4. As paper contract about use of digital signatures now
307 exists between M and P, 5. is only of concern if it explicitly
308 nullifies such contract (or if court practice still does not consider
309 digital signature valid?).
310
311 Finally paper arrives to M where a clerk processes it (the bar
312 code helps here). He finds the certification request from data base
313 and sees that it matches the paper and issues a digital cerificate
314 that is immediately placed on a public server for everybody to
315 see. The paper is securely archieved forever.
316
317 Once the certificate is publically available, signing and verifying
318 contracts using it is trivial and can even be done between P and
319 some other party than M (e.g. certificate could be used for email).
320
321 However, to bootstrap the system it should, ideally, be possible
322 to sign your first contract even without waiting for the
323 certification to happen. After all, the impulse for P to adhere
324 to PKI of M came from needing to sign a contract (dead line for
325 research proposals may be very close). The contract would be
326 in signed, but not verified status until the certification happens.
327
328 Here the OpenSSL (or PKCS7?) does not serve us well, because it needs
329 a certificate even for the signing operation, although common
330 sense says that the private key and attributes of certification
331 request (ok, you can't know what serial number will be assigned)
332 should be enough. I solve this problem by signing the first contract
333 with a self signed certificate. Although this is quite suboptimal,
334 it allows me to get going without hacking OpenSSL innards too much.
335 Only complication arises from needing to establish that also the
336 certified public key is able to decrypt the hash of the signed
337 material.
338
339Key generation
340
341 Smime tool contains simple key generation command that will
342 make certification request as well as self signed cert. This
343 is bit simplistic and really geared towards my particular application
344 as the X509v3 certificate options are hardwired. Be sure to read
345 the source code to check they are the way you want.
346
347 echo "commonName=Joe Smith|emailAddress=joe@test.com" \
348 | ./smime -kg "description=foo" passwd req.pem >priv_ss.pem
349
350 The stuff that is echoed to stdin is your distinguished name. You
351 must use long forms of attribute name and you can only use attributes
352 known to OpenSSL.
353
354 *** How to specify cn as needed by SSL certs?
355
356 The req.pem should be sent to certification authority for signing.
357 Meanwhile you can use the self signed certificate which was output
358 to stdout, here priv_ss.pem. Note that the private key is also
359 output to the stdout so do not give that file to anyone. If you need
360 to give the certificate, you should edit a copy of priv_ss.pem
361 and remove the private key.
362
363 To be able to import your private key and certificate to Netscape
364 you can use
365
366 ./smime -pem-p12 you@test.com passwd pw-for-p12 <priv_ss.pem >me.p12
367
368 The first argument (the email address) is the friendly name. Netscape
369 appears to match this against From mail header when verifying
370 signatures. For minimum troubles you should keep this equal to
371 emailAddress field of your certificate.
372
373Being a certificate authority
374
375 Once you have made your req.pem, you can send it to some commercial
376 certification authority or you can just be your own. The CA
377 functionality of smime tool is not very complete. Basically
378 it allows you to do the crypto part (signing certificate request with
379 CA's private key) but you must manually do book keeping to ensure
380 uniqueness of serial numbers and to make sure you do not issue the
381 same certificate twice, etc.
382
383 Here's how you'd sign a request (you probably used -kg to make
384 the CA's certificate):
385
386 ./smime -ca ca-id.pem very-secret 1 <req.pem >cert.pem
387
388 The number one is the serial number. As I said, you should do
389 bookkeeping to ensure you never reuse a serial number. Many
390 systems depend on being uniquely able to identify certificate
391 by its issuing authority and serial number. A certificate
392 authority that can not guarantee uniqueness of serial numbers is
393 not trustworthy.
394
395 Please note that the -ca hard wires all X509v3 options and extensions.
396 Be sure to read the source to check they are the way you want them.
397
398TUTORIAL PART 4: SIGNING AND VERIFYING SOFTWARE DISTRIBUTIONS
399
400 smime tool has detached signature feature which is meant for
401 signing and verifying software distributions. Here's how. First
402 make yourself an identity
403
404 echo 'commonName=my dist key|emailAddress=you@test.com' \
405 | ./smime -kg '' pw dist-req.pem >dist-id.pem
406
407 Now open dist-id.pem in editor and save the certificate part as
408 dist-cert.pem. Pubish dist-cert.pem on your web site.
409
410 Then sign your software package
411
412 ./smime -ds dist-id.pem pw <your-dist-1.00.tgz >your-dist-1.00.sig
413
414 I suggest convention of naming the signature file with same name
415 as the tarball, but extension `.sig'. Now put the .sig file
416 available where ever you put your tarball. You should also publish
417 it on your web site so people can get it even if they forgot to
418 download the .sig file.
419
420 Or you could produce a combination signature and certificate file
421 and put that available on your website
422
423 ./smime -ds dist-id.pem pw <your-dist-1.00.tgz \
424 | cat - dist-cert.pem >your-dist-1.00.sigcert
425
426 To verify a distribution signature one would say
427
428 ./smime -dv your-dist-1.00.tgz
429 (cut certificate and distribution signature from the web
430 site and paste to stdin)
431
432 The dv looks for the -----BEGIN/END CERTIFICATE----- separator to
433 figure out where the certificate ends and signature starts.
434
435 If you already had the .sig or the certificate you could just say
436
437 cat dist-cert.pem your-dist-1.00.sig | ./smime -dv your-dist-1.00.tgz
438
439 (OK, PGP already exists to do this stuff, but I always found it
440 quite messy to deal with detached signatures in PGP. I'm sure
441 poor usability leads to less people verifying the signatures.)
442
443SMIMEUTIL LIBRARY AND PERL MODULE
444
445 The smimeutil library is documented in smimeutil.h, see smime.c
446 for some examples of usage. The SMIMEUtil:: perl module is
447 not currently documented. For usage examples see test.pl.
448
449CAVEATS
450 For signing to work correctly, your mime entity must be canonized
451 the same way as the recipient will canonize it. In general this
452 means that you must use CRLF as line termination and must include
453 all headers.
454
455 If you are clear signing, then you may want to consult RFC2311 for
456 some ways the message might get ruined (e.g. changes in whitespace).
457 In my experience most important requirement seems to be to not
458 use any trailing whitespace. YMMV.
459
460 For signatures to verify correctly, the From: header of the mail
461 must be equal to "friendlyname:" and EMAIL fields in your cert.
462
463 When encrypting, do not forget to wrap your message in mime entity.
464 If you don't, ./smime -d will silently return emptiness, Netscape
465 reports "improperly formatted DER-encoded message". This
466 will _not_ work:
467
468 echo "foo" | ./smime -e me.pem | ./smime -d me.pem secret # WRONG!
469
470SECURITY CAVEATS
471 Passing passwords on command line is insecure. The smime tool is
472 intended more as a demonstration than a production tool. See
473 pass-password.pl for an example how to use file descriptor to
474 pass the passwords more securely.
475
476 smimeutil.c compiles by default to use DES-EDE3-CBC cipher which
477 is not known by export versions of many browsers. See around
478 line 400 in smime-enc.c if you need to change this. Be ware that
479 RC2-40-CBC can be cracked in real time by trivial resources.
480 Never-the-less its the only cipher that interoperates with all
481 versions of browsers.
482
483 Randomnumbers are not (yet) initialized as they should.
484
485 Certificate verification scheme puts the burden of verification
486 on user. For example, the user must notice if purported CA certificate
487 has X509v3 attribute that forbids it from being CA cert.
488
489TIP
490 You can use Netscape to encrypt and sign messages and then look
491 at them in mail spool. This way you see their raw structure before
492 any mail reader gets to interpret it. This is the best way to
493 debug differences between what you produce and what is presumably
494 standards compatible.
495
496TO DO
497 Parsing mime messages in robust and fully correct way
498
499BUGS
500 Due to the way the API is defined all stuff is kept in memory. While
501 this is simple and easy, you might get into trouble with large files.
502 I'd say the memory consumption will not exceed five times the file
503 size, but don't bet on it.
504
505 Signature verification in perl module still needs some work.
506
507SEE ALSO
508 RFC1521 (MIME)
509 RFC2111 (S/MIME v2)
510 *** RFCXXXX (S/MIME v3)
511 http://www.openssl.org
512 http://zxid.org/Net_SSLeay/smime.html (this stuff)
513
514USAGE
515 (reproduced from ./smime -help)
516
517 ./smime -cs private password <mime-entity >smime # clear sign
518 ./smime -cv cert <smime-entity >data # verify clear sig
519 ./smime -ds private passwd <file >smime-sig # make detached sig
520 ./smime -dv file <smime-sig-entity # verify detached
521 ./smime -s private password <mime-entity >smime # sign
522 ./smime -qs <smime-entity >signing-cert-info # find out who signed
523 ./smime -v cert <smime-entity >signer-dn # verify signature
524
525 ./smime -vc cacert <cert # verify certificate
526
527 ./smime -e public <mime-entity >smime-ent # encrypt
528 ./smime -d private password <smime-entity >mime # decrypt
529
530 ./smime -qr <req.pem # Query all you can about request
531 ./smime -qc <cert.pem # Query all you can about certificate
532 ./smime -ca ca_cert passwd serial <req.pem >cert.pem # sign a req
533
534 ./smime -p12-pem p12pw pempw <x.p12 >x.pem # convert PKCS12 to pem
535 ./smime -pem-p12 frindly@name.com pempw p12pw <x.pem >x.p12
536
537 ./smime -m type1 file1 type2 file2 type3 file3 <text # make multipart
538 ./smime -m image/gif foo.gif <message | ./smime -s private pass >smime
539
540 ./smime -kg attr passwd req.pem <dn >priv_ss.pem # keygen
541
542 ./smime -base64 <file >file.base64
543 ./smime -unbase64 <file.base64 >file
544 ./smime -mime text/plain <file >mime-entity
545 ./smime -mime_base64 image/gif <file.gif >mime-entity
546 ./smime -split dirprefix <multipart # splits multipart
547 ./smime -base64 <in | ./smime -unbase64 >out
548 ./smime -cat <in >out # copy input to output using slurp and barf
549
550 ./smime -kg 'description=Test' secret req.pem <me.dn >ss.pem
551
552--Sampo
553
1README.zxid
2###########
3<<author: Sampo Kellom�ki (sampo@iki.fi)>>
4<<cvsid: $Id: README.zxid,v 1.125 2009-11-24 23:53:40 sampo Exp $>>
5<<class: article!a4paper!!ZXID 23>>
6
7See INSTALL.zxid for installation and quick tutorial.
8
9<<abstract:
10
11ZXID.org Identity Management toolkit implements standalone SAML 2.0,
12Liberty ID-WSF 2.0, and XACML 2.0 stacks and aims at implementing all popular
13federation, SSO, and ID Web Services protocols. It is a C implementation
14with minimal external dependencies - OpenSSL, CURL, and zlib -
15ensuring easy deployment (no DLLhell). Due to its small footprint and
16efficient and accurate schema driven implementation, it is suitable
17for embedded and high volume applications. Language bindings to all
18popular highlevel languages such as PHP, Perl, and Java, are provided
19via SWIG. ZXID implements, as of Nov 2011, SP, IdP, WSC, WSP,
20Discovery, PEP, and PDP roles. ZXID is the reference implementation
21of the core security architecture of the TAS3.eu project.\\\\
22
23ZXID.org ist eine C-Bibliothek, die den vollst�ndigen SAML
242.0-Stack implementiert und alle popul�ren
25Identit�tsverwaltungs-Protokolle wie Liberty ID-FF 1.2,
26WS-Federation, WS-Trust und ID-Webservices wie Liberty ID-WSF 1.1 und
272.0 implementieren will. Sie beruht auf Schema-basierter
28Code-Erzeugung, woraus eine genaue Implementation resultiert. SWIG
29wird verwendet, um Schnittstellen zu Skriptsprachen wie Perl, PHP und
30Python sowie zu Java bereitzustellen. Sie kann als SP, IdP, WSC,
31WSP, Discovery, PEP, und PDP fungieren.\\\\
32
33A biblioteca de gest�o de identidades ZXID.org � uma
34implementa��o, em C, das normas SAML 2.0, Liberty ID-WSF 2.0 e
35XACML 2.0 com depend�ncias externas m�nimas - OpenSSL, CURL, e
36zlib - facilitando uma implanta��o f�cil sem "inferno dos
37DLL". Sendo econ�mica em consumo de recursos � indicada para
38aplica��es embutidas ou de grande volume e performance. A
39biblioteca � disponibilizada para todos os linguagens de
40programa��o de alto n�vel como, p.ex., PHP, Perl, e Java,
41atravez de interf�ces SWIG. ZXID de hoje (Nov 2011) pode funcionar
42nos papeis SP (Provedor de Servi�os), IdP (Provedor de Identidade),
43WSC (Cliente de Servi�os Web) WSP (Provedor de Servi�os Web),
44Discovery (descobrimento de servi�os), PEP (controlo de acesso), e
45PDP (decis�o de acesso). ZXID � a implementa��o de refer�ncia
46do parte seguran�a do projecto TAS3.eu.\\\\
47
48La librer�a de gesti�n de identidades ZXID.org es una
49implementaci�n en C de las normas SAML 2.0, Liberty ID-WSF 2.0, y
50XACML 2.0 con dependencias externas m�nimas - OpenSSL, CURL, y zlib
51- que elimina el "Infierno DLL" en su implantaci�n. Como ZXID es
52muy econ�mica, es apta para aplicaciones embebidas o de gran
53volumen y envergadura. Los lenguajes de programaci�n de alto nivel,
54como Perl, PHP, y Java, son soportados con generador de interfaces
55SWIG. Hoy (Nov 2011) el ZXID soporta los roles SP (proveedor de
56servicios), IdP (proveedor de identidades), WSC (cliente de los
57servicios web) WSP (proveedor de servicios web), Discovery
58(descubrimeinto de servicios), PEP (copntrolo de acesso), y PDP
59(decici�nes de acesso). ZXID es el implementaci�n de referencia
60de parte seguridad de proyecto TAS3.eu.\\\\
61
62ZXID.org on verkkohenkil�llisyyden ja -tunnisteiden
63hallintakirjasto joka tukee SAML 2.0 (sis��nkirjaantuminen),
64Liberty ID-WSF 2.0 (henkil�llisyyteen pohjautuvat webbipalvelut),
65ja XACML 2.0 (k�ytt�oikeuksien hallinta) standardeja. ZXID
66vaatii vain OpenSSL, CURL ja zlib kirjastot joten se v�ltt��
67"DLL helvetti"-ongelman. Skemapohjaisena C toteutuksena se on tarkka
68ja taloudellinen ja kelpaa sulautettuihin ja eritt�in kovaa
69suorituskyky� vaativiin sovelluksiin. Se tukee korkeantason
70kieli� - kuten Perli�, PHP:t�, CSharp:ia, ja Javaa - SWIG
71generoiduin rajapinnoin. ZXID tukee (Marraskuu 2011) SP
72(palveluntarjoaja), IdP (henkil�llisyydenvarmentaja), WSC
73(webbipalvelunkutsuja), WSP (webbipalveluntarjoaja), Discovery
74(webbipalveluiden l�yt�minen), PEP (k�ytt�oikeuden
75tarkistus), ja PDP (k�ytt�oikeuden p��t�s) rooleja.
76ZXID on TAS3.eu projektin referenssi toteutus turvallisuus- ja
77luottamusteknologioissa.
78
79>>
80
81<<maketoc: 1>>
82
831 Other Documentation
84=====================
85
86This README.zxid is in process of being rewritten and restructured.
87A lot of the material has moved to specific files, which
88you should read.
89
90* <<link:mod_auth_saml.html: mod_auth_saml>> Apache
91 module documentation: SSO without programming.
92* <<link:zxid-simple.html: zxid_simple()>> Easy API for SAML
93* <<link:zxid-raw.html: ZXID Raw API>>: Program like
94 the pros (and fix your own problems). See also <<link:../ref/html/index.html: Function Reference>>
95* <<link:zxid-wsf.html: ZXID ID-WSF API>>: Make Identity Web Services Calls using ID-WSF
96* <<link:zxid-install.html: ZXID Compilation and Installation>>: Compile
97 and install from source or package. See also <<link:html/INSTALL.zxid.html: INSTALL.zxid>>
98 for quick overview.
99* <<link:zxid-conf.html: ZXID Configuration Reference>>: Nitty gritty
100 on all options.
101* <<link:zxid-cot.html: ZXID Circle of Trust Reference>>: How to
102 set up the Circle of Trust, i.e. the partners your web site works with.
103* <<link:zxid-log.html: ZXID Logging Reference>>: ZXID digitally signed logging facility
104* <<link:zxid-java.html: javazxid>>: Using ZXID from Java
105* <<link:zxid-perl.html: Net::SAML>>: Using ZXID from Perl
106* <<link:zxid-php.html: php_zxid>>: Using ZXID from PHP
107* <<link:zxid-idp.html: IdP>>: Configuring zxididp
108* <<link:zxid-faq.html: FAQ>>: Frequently Asked Questions
109* <<link:../README.smime: README.smime>>: Crypto and Cert Tutorial
110
111* zxid.user@lists.unh.edu mailing list
112
1132 ZXID Project
114==============
115
116Web site:: http://zxid.org/
117License:: Open source: Apache 2, see License chapter and file COPYING
118
119Immediate goal: build a SAML 2.0 SP and ID-WSF 2.0 WSC
120
121Goals of ZXID project include
122
123* SOAP 1.1 support (done)
124* SAML 2.0 compliance
125 - SP role (done)
126 - IdP role (done)
127* Liberty ID-FF 1.2 support
128 - SP
129 - IdP
130 - SAML 1.1
131* Liberty ID-WSF 1.1 support
132 - Discovery bootstrap
133 - Discovery WSC
134 - ID-DAP WSC
135 - ID-DAP WSP
136* Liberty ID-WSF 2.0 support
137 - Discovery bootstrap (done)
138 - Discovery WSC (done)
139 - Discovery WSP (done)
140 - ID-DAP WSC (done)
141 - ID-DAP WSP (done)
142
143<<table: ZXID Platform Support
144Platform Native Cross Compile Notes
145=============== ========== ================ ================================
146Linux-ix86 gcc-3.4.6 n/a Development platform
147Solaris 8-sparc gcc-3.4.6 Linux gcc-3.4.6 Fully functional
148Windows 2000 - Linux gcc-3.4.6 Poorly tested
149xBSD/Unix gcc-3.4.6 n/a C core tested, language bindings not tested
150>>
151
152<<table: ZXID Feature and Language Support (version number indicates last testing)
153Feature C mod_perl mod_php Python Java/Tomcat Apache Shell
154===================== ===== ======== ======= ====== =========== ====== =====
155Geo Location Alpha
156ID-MM7 Alpha
157ID-DAP Beta
158ID-HR-XML Beta
159Contact Book Alpha
160People Service Alpha
161Discovery 0.41
162Web Services (ID-WSF) 0.41
163Authorization (XACML) 0.40 yes 0.40 Plan 0.40 0.40
164SSO 0.17 0.17 0.17 Plan 0.17 0.40 0.17
165>>
166
167<<table: ZXID Enabled Application Packages
168Application Language Notes
169============== ============= =====================================================
170DokuWiki PHP Patch available, in process of submitting to DokuWiki authors
171Mahara PHP 4Q2009
172>>
173
174<<ignore: table: ZXID Enabled Application Packages
175Application Language Notes
176============== ============= ==============================
177MediaWiki PHP Planned
178Cognito
179zxbug Perl Planned
180>>
181
1822.1 Project Layout
183------------------
184
185Following directory layout is used by the project. Many of the specified
186directories are used by intermediate outputs that are not distributed
187in tarball releases, but may or may no be present in CVS checkouts.
188
189 zxid-0.xx
190 |
191 +-- Net The Net::SAML perl module (also mod_perl)
192 +-- php PHP / mod_php integration
193 +-- zxidjava The Java JNI interface to ZXID
194 +-- servlet Apache Tomcat integration
195 +-- c C code generated from the Schema Grammar descriptions
196 +-- sg Schema Grammar (.sg) descriptions of protocols
197 +-- xsd XML schema descriptions of protocols (not distributed)
198 +-- tex Temporary files for document generation using PlainDoc (not distributed)
199 +-- html HTML documentation generated using PlainDoc
200 +-- review Publicly released announcements and documents (not distributed)
201 +-- t Test scripts and expected test outputs
202 `-- tmp Temporary files, such as actual test outputs
203
204The Manifest file, which follows, explains each file in more detail.
205
206<<logoutput:
207<<Manifest>>
208>>
209
2102.2 Protocol Encoders and Decoders
211----------------------------------
212
213The protocol encoders and decoders are generated automatically from
214the schema grammar (.sg) descriptions. This ensures accurate protocol
215implementation. While the output is strictly schema driven and correct,
216the decoders have some provisions to accept some deviations from
217strict spec (e.g. out of order elements are tolerated). However,
218one should note that XMLDSIG does not tolerate very much deviation,
219thus even if decoder accepts a slightly illformed message, it is likely
220to fail in signature verification.
221
222There are three outputs from generation
223
2241. Data structures describing the data (xx.h)
2252. Encoder that linearizes the data structure to wire protocol (xx-enc.c)
2263. Decoder that converts wire protocol byte stream to a data structure (xx-dec.c)
227
2282.3 Standards and Namespaces
229----------------------------
230
231ZXID uses consistently the same namespace prefixes throughout the project. The
232generated encoders and decoders support following schemata
233
234<<longtable: ZXID Namespace Convention
235Prefix URI Description
236====== ============================================== =================================
237sa urn:oasis:names:tc:SAML:2.0:assertion SAML 2.0
238sp urn:oasis:names:tc:SAML:2.0:protocol
239md urn:oasis:names:tc:SAML:2.0:metadata
240ecp urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp
241shibmd urn:mace:shibboleth:metadata:1.0 Shibboleth 2.0 Metadata extensions
242
243idpdisc
244urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol
245SAML IdP Discovery
246paos urn:liberty:paos:2006-08
247sa11 urn:oasis:names:tc:SAML:1.0:assertion SAML 1.1
248sp11 urn:oasis:names:tc:SAML:1.0:protocol
249ff12 urn:liberty:iff:2003-08 ID-FF 1.2
250m20 urn:liberty:metadata:2004-12 v2.0 (almost same as 1.2)
251ac urn:liberty:ac:2004-12 v2.0 (almost same as 1.2)
252b12 urn:liberty:sb:2003-08 ID-WSF 1.1 SOAP Binding
253sec12 urn:liberty:sec:2003-08 ID-WSF 1.1 Security Mechanisms
254di12 urn:liberty:disco:2003-08 ID-WSF 1.1 Discovery Service
255is12 urn:liberty:is:2003-08 ID-WSF 1.1 Interaction Service
256lu urn:liberty:util:2006-08 ID-WSF 2.0 Utility Schema
257sbf urn:liberty:sb Framework header
258b urn:liberty:sb:2006-08 ID-WSF 2.0 SOAP Binding
259sec urn:liberty:security:2006-08 ID-WSF 2.0 Security Mechanisms
260di urn:liberty:disco:2006-08 ID-WSF 2.0 Discovery Service
261is urn:liberty:is:2006-08 ID-WSF 2.0 Interaction Service
262dap urn:liberty:id-sis-dap:2006-08:dst-2.1 ID Directory Access Protocol
263dst urn:liberty:dst:2006-08 Data Services Template 2.1
264subs urn:liberty:ssos:2006-08 Subscription and Notification
265ps urn:liberty:ps:2006-08 People Service
266im urn:liberty:ims:2006-08 Identity Mapping svc (aka Token Map)
267as urn:liberty:sa:2006-08 ID-WSF 2.0 Authentication Service
268cb urn:liberty:id-sis-cb:2004-10 Contact Book Protocol (DST 2.0 based)
269cdm urn:liberty:cb:conceptual-data-model:2004-10 Contact Book Common Data Model
270gl urn:liberty:id-sis-gl:2005-07 Geolocation Service
271
272mm7
273http://www.3gpp.org/ftp/Specs/archive/23_series/23.140/schema/REL-6-MM7-1-4
274ID-MM7 (ID-SIS-CSM)
275dp urn:liberty:dp:2006-12 ID-WSF 2.0 Design Patterns
276idp urn:liberty:idp:2006-12 ID-WSF 2.0 IdP as web svc
277pmm urn:liberty:pmm:2006-12 ID-WSF 2.0 Prov Mod Mgr
278prov urn:liberty:prov:2006-12 ID-WSF 2.0 TM Provisioning
279shps urn:liberty:shps:2006-12 ID-WSF 2.0 Svc Handling and Proxying
280e http://schemas.xmlsoap.org/soap/envelope/ SOAP 1.1, with SAML and WSF
281xa urn:oasis:names:tc:xacml:2.0:policy:schema:os XACML 2.0
282xac urn:oasis:names:tc:xacml:2.0:context:schema:os
283xasp urn:oasis:xacml:2.0:saml:protocol:schema:os
284xasa urn:oasis:xacml:2.0:saml:assertion:schema:os
285
286xaspcd1
287urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01
288Committee draft with extensions for passing policies as input
289
290xasacd1
291urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01
292Committee draft with extentsions
293
294wst
295http://docs.oasis-open.org/ws-sx/ws-trust/200512/
296WS-Trust 1.3 CD-01
297wsp http://schemas.xmlsoap.org/ws/2004/09/policy *** Newer version? http://www.w3.org/ns/ws-policy/
298
299wsc
300http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512
301WS-Secure Conversation CD-01
302ds http://www.w3.org/2000/09/xmldsig# XML Signatures
303xenc http://www.w3.org/2001/04/xmlenc# XML Encryption
304exca http://www.w3.org/2001/10/xml-exc-c14n# Exclusive Canonicalization
305a http://www.w3.org/2005/08/addressing WSA 1.0
306
307wsse
308http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
309WS Security SecExt 1.0
310
311wsu
312http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
313WS Security Utility 1.0
314xml http://www.w3.org/XML/1998/namespace http://www.w3.org/2001/xml.xsd
315xsi http://www.w3.org/2001/XMLSchema-instance
316xs http://www.w3.org/2001/XMLSchema Namespace only, no code
317xop http://www.w3.org/2004/08/xop/include MOTM-XOP include tag
318
319bpel
320http://docs.oasis-open.org/wsbpel/2.0/process/executable
321Business Process Execution Language v2.0
322igf0 urn:LibertyAlliance:igf:0.3:core Early draft 01, WIP
323carml0 urn:LibertyAlliance:igf:0.3:carml Early draft 03, WIP
324tas3 http://tas3.eu/tas3/200911/ TAS3 Credentials passing
325
326tas3sol
327http://tas3.eu/tas3sol/200911/
328TAS3 Simple Obligations Language 1
329sol urn:tas3:sol Simple Obligations Language Generic
330sol1 urn:tas3:sol1 Simple Obligations Language 1
331
332tas3spl
333http://tas3.eu/tas3sol/201111/
334TAS3 Simple Policy Language 1
335spl urn:tas3:spl Simple Policy Language Generic
336spl1 urn:tas3:spl1 Simple Policy Language 1
337
338sup
339http://schemas.suplight.eu/plugin/common/2013-05/xs
340Suplight Common Schema
341
342px
343http://schemas.suplight.eu/plugin/ExamplePlugin/2013-05/xs
344Suplight ExamplePlugin Schema
345>>
346
347
34896 Copyright, License, Notices, and Acknowledgements
349====================================================
350
351Copyright (c) 2006-2009 Symlabs (symlabs@symlabs.com), All Rights Reserved.
352Author: Sampo Kellom�ki (sampo@iki.fi)
353
354Licensed under the Apache License, Version 2.0 (the "License");
355you may not use this file except in compliance with the License.
356You may obtain a copy of the License at
357http://www.apache.org/licenses/LICENSE-2.0
358
359Unless required by applicable law or agreed to in writing, software
360distributed under the License is distributed on an "AS IS" BASIS,
361WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
362See the License for the specific language governing permissions and
363limitations under the License.
364
365The research leading to these results has received funding from the
366European Community's Seventh Framework Programme (FP7/2007-2013) under
367grant agreement number 216287 (TAS3 - Trusted Architecture for Securely
368Shared Services - www.tas3.eu).
369
370While the source distribution of ZXID does not contain
371SSLeay or OpenSSL code, if you use this code you will use OpenSSL
372library. Please give Eric Young and OpenSSL team credit (as required by
373their licenses).
374
375Binary distribution of this product includes software developed by the
376OpenSSL Project for use in the OpenSSL Toolkit
377(http://www.openssl.org/). See LICENSE.openssl for further information.
378
379Binary distribution of this product includes cryptographic software
380written by Eric Young (eay@cryptsoft.com). Binary distribution of
381this product includes software written by Tim Hudson
382(tjh@cryptsoft.com). See LICENSE.ssleay for further information.
383
384And remember, you, and nobody else but you, are responsible for
385auditing ZXID and OpenSSL library for security problems,
386back-doors, and general suitability for your application.
387
38896.1 Dependency Library Licenses
389--------------------------------
390
391ZXID strives to maintain IPR hygiene and avoid both
392non-free and GPL license contamination. All the
393dependency libraries have, and shall have, BSD style licenses
394
395* OpenSSL under BSDish (with "advertising" clause)
396* libcurl under BSDish
397* zlib under BSDish
398* libc available as part of the operating system
399
400Please see each library package for the exact details of their
401licenses.
402
40396.1.1 Yubikey
404~~~~~~~~~~~~~~
405
406Contains libyubikey components which are subject to following
407notice:
408
409> Written by Simon Josefsson <simon@josefsson.org>.
410> Copyright (c) 2006, 2007, 2008, 2009 Yubico AB
411> All rights reserved.
412>
413> Redistribution and use in source and binary forms, with or without
414> modification, are permitted provided that the following conditions are
415> met:
416>
417> > Redistributions of source code must retain the above copyright
418> notice, this list of conditions and the following disclaimer.
419>
420> > Redistributions in binary form must reproduce the above
421> copyright notice, this list of conditions and the following
422> disclaimer in the documentation and/or other materials provided
423> with the distribution.
424>
425> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
426> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
427> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
428> A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
429> OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
430> SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
431> LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
432> DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
433> THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
434> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
435> OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
436
43796.1.2 OpenSSL
438~~~~~~~~~~~~~~
439
440The source distribution references, but does not contain, OpenSSL. The
441binary distributions may incorporate or dynamically link to OpenSSL,
442which is subject to the following terms and conditions:
443
444> Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
445>
446> Redistribution and use in source and binary forms, with or without
447> modification, are permitted provided that the following conditions
448> are met:
449>
450> 1. Redistributions of source code must retain the above copyright
451> notice, this list of conditions and the following disclaimer.
452>
453> 2. Redistributions in binary form must reproduce the above copyright
454> notice, this list of conditions and the following disclaimer in
455> the documentation and/or other materials provided with the
456> distribution.
457>
458> 3. All advertising materials mentioning features or use of this
459> software must display the following acknowledgment:
460> "This product includes software developed by the OpenSSL Project
461> for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
462>
463> 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used
464> to endorse or promote products derived from this software without
465> prior written permission. For written permission, please contact
466> openssl-core@openssl.org.
467>
468> 5. Products derived from this software may not be called "OpenSSL"
469> nor may "OpenSSL" appear in their names without prior written
470> permission of the OpenSSL Project.
471>
472> 6. Redistributions of any form whatsoever must retain the following
473> acknowledgment:
474> "This product includes software developed by the OpenSSL Project
475> for use in the OpenSSL Toolkit (http://www.openssl.org/)"
476>
477> THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
478> EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
479> IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
480> PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
481> ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
482> SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
483> NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
484> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
485> HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
486> STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
487> ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
488> OF THE POSSIBILITY OF SUCH DAMAGE.
489> ====================================================================
490>
491> This product includes cryptographic software written by Eric Young
492> (eay@cryptsoft.com). This product includes software written by Tim
493> Hudson (tjh@cryptsoft.com).
494
49596.1.3 SSLeay
496~~~~~~~~~~~~~
497
498The source distribution references, but does not contain, OpenSSL
499which contains SSLeay. The binary distributions may incorporate or
500dynamically link to OpenSSL containing SSLeay, which is subject to the
501following terms and conditions:
502
503> Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
504> All rights reserved.
505>
506> This package is an SSL implementation written
507> by Eric Young (eay@cryptsoft.com).
508> The implementation was written so as to conform with Netscape's SSL.
509>
510> This library is free for commercial and non-commercial use as long as
511> the following conditions are adhered to. The following conditions
512> apply to all code found in this distribution, be it the RC4, RSA,
513> lhash, DES, etc., code; not just the SSL code. The SSL documentation
514> included with this distribution is covered by the same copyright terms
515> except that the holder is Tim Hudson (tjh@cryptsoft.com).
516>
517> Copyright remains Eric Young's, and as such any Copyright notices in
518> the code are not to be removed.
519> If this package is used in a product, Eric Young should be given
520> attribution as the author of the parts of the library used.
521> This can be in the form of a textual message at program startup or
522> in documentation (online or textual) provided with the package.
523>
524> Redistribution and use in source and binary forms, with or without
525> modification, are permitted provided that the following conditions
526> are met:
527>
528> 1. Redistributions of source code must retain the copyright
529> notice, this list of conditions and the following disclaimer.
530> 2. Redistributions in binary form must reproduce the above copyright
531> notice, this list of conditions and the following disclaimer in
532> the documentation and/or other materials provided with the
533> distribution.
534> 3. All advertising materials mentioning features or use of this
535> software must display the following acknowledgement:
536> "This product includes cryptographic software written by
537> Eric Young (eay@cryptsoft.com)"
538>
539> The word 'cryptographic' can be left out if the routines from the
540> library being used are not cryptographic related :-).
541> 4. If you include any Windows specific code (or a derivative thereof)
542> from the apps directory (application code) you must include an
543> acknowledgement:
544> "This product includes software written by Tim Hudson
545> (tjh@cryptsoft.com)"
546>
547> THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
548> ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
549> IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
550> PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
551> BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
552> OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
553> OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
554> BUSINESS INTERRUPTION)
555> HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
556> STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
557> IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
558> POSSIBILITY OF SUCH DAMAGE.
559>
560> The license and distribution terms for any publicly available
561> version or derivative of this code cannot be changed. i.e. this
562> code cannot simply be copied and put under another distribution
563> license [including the GNU Public License.]
564
56596.2 Specification IPR
566----------------------
567
568ZXID is based on open SAML, Liberty, and TAS3 specifications. The
569parties that have developed these specifications, including Symlabs,
570have made Royalty Free (RF) licensing commitment. Please ask OASIS,
571Liberty Alliance, and TAS3 project for the specifics of their IPR
572policies and IPR disclosures.
573
574Some protocols, such as WS-Trust and WS-Federation enjoy Microsoft's
575pledge<<footnote: If you have a reference to where this pledge can be
576found, please let me know so it can be included here.>> that they will
577not sue you even if you implement these specifications. You should
578evaluate yourself whether this is good enough for your situation.
579
58096.3 Further Warranties
581-----------------------
582
583If you need the author or Symlabs to further disclaim IPR interest or
584make warranties of non-infringement, such declarations are
585available for a fee. Please contact sales@symlabs.com
586
587Legal queries and clarifications will be answered at then-current
588Symlabs Professional Services rate, please contact sales@symlabs.com.
589
59020 Testing
591==========
592
593ZXID test suite is still in tatters. Some things that should
594be tested
595
5961. Will generated HTTP redirect sig validate at IdP?
5972. Does IdP issued A7N validate?
5983. Validation of EncryptedAssertion?
5994. Will generated SOAP binding sig validate at IdP?
6005. Does IdP issued SOAP sig validate?
601
602Metadata related
603
6041. IBM metadata (can we parse)
6052. Sun metadata (can we parse)
606
607XML related
608
6091. Fully qualified XML parses?
6102. Unknown ns prefix that refers to known namespace URI
6113. Known ns prefix, referring to wrong URI
6124. Known prefix refers to aliased URI
6135. Use of default namespaces working?
6146. Unknown prefix and URI as long as it is never used
6157. Unknown prefix and URI, used
6168. Known NS (prefix or URI), unknown element
617
61814 Integration of Other Implementations with ZXID
619=================================================
620
62114.1 Conor Cahill's C++ Library for ID-WSF
622------------------------------------------
623
624Conor P. Cahill, of AOL and Intel fame, has developed and maintains a
625C++ library for ID-WSF 2.0 Web Service Client functionality for
626selected application protocols, including the ID-WSF 2.0 Discovery and
627some application protcols. Conor also provides a server side package
628that implements the corresponding WSP roles in Java. These libraries
629are valuable resources and come with extensive test suites - in fact,
630passing Conor's test suites has become the gold standard for validity
631and interoperability of any ID-WSF implmentations (this is not to
632detract from formal IOP events and the Liberty certification program,
633but passing Conor's test suite is a good predictor of getting
634certified).
635
636*Install Recipe*
637
638Conor's libraries have certain dependencies. Following is my best understanding
639of how to get them installed.<<footnote: As of May 2007, Conor's packages
640explode in the current working directory. I recommend creating a wrapper
641directory first. Also, the client and server functionality can not be
642unpacked in same directory without creating conflict and overwriting some files.>>
643
644 mkdir conor
645 cd conor
646 tar xvf /t/LibertyIDWSFServices-v0.8.2.tgz
647 cd ..
648 mkdir conor-cli
649 cd conor-cli/
650 tar xvf /t/LibertyClientToolkit-v1.0.1.tgz
651
65214.2 Pat Patterson's php module
653-------------------------------
654
655(*** This section also appears in zxid-php.pd)
656
657Pat Patterson of Sun distributes a pure PHP module (not to be confused
658with Sun's OpenSSO open source effort, with which Pat has some
659contact) that implements some aspects of SAML 2.0. As of May 2007, his
660library provides functionality that, by and large, parallels that of the
661php_zxid module. A major advatage of his module is that it does not have
662C shared library dependency, but beware that he still depends on XML
663parsing and popular crypto libraries (openssl) to be available. These
664assumptions are not onerous, but you should be aware of them in case
665your system differs from main stream deployments.
666
667Overall, Pat's PHP implementation, as of May 2007, is still lacking
668in metadata generation and loading (it does not implement Auto-CoT
669or Well Known Location) and has some rough edges around less frequently
670used parts of the SAML specification. No doubt matters will improve
671over the time.
672
673Pat's library handles only SSO and not ID Web Services. It would be
674possible to extract the discovery bootstrap from SSO using his library
675after which you can use ZXID WSC API to actually call the services.
676
67714.3 Sun OpenSSO
678----------------
679
680Sun Microsystems distributes an open source implementation of SAML 2.0.
681Their implementation is of primary interest as it provides a freely available
682IdP implementation (as of May 2007 IMNSHO the ZXID SP interface is
683superior to the OpenSSO SP - and since both implement an open standard,
684you can mix ZXID SP with OpenSSO IdP).
685
686Thus, the ZXID to OpenSSO integration reduces to each one acting in its
687role using standard wire protocol - SAML 2.0.
688
68914.4 University of Kent's PERMIS PDP
690------------------------------------
691
692University of Kent is a supplier of PERMIS XACML PDP software. ZXID has been
693interoperated and found compatible on wire with PERMIS as of Nov. 2009.
694However, not integration at library or API level has been attempted.
695
69614.5 Shibboleth 2
697-----------------
698
699Shibboleth 2, a SAML 2.0 based IdP, has been interoperated with ZXID SP
700code as of Nov. 2009.
701
70299 Appendix: Schema Grammars
703============================
704
705Large parts of ZXID code are generated from +schema grammars+ which
706are a convenient notation for describing XML schmata. This chapter
707gives a sampling of some schema grammars that are currently implemented and
708distributed in the ZXID package. For fuller list, see sg subdirectory
709of the distribution or schemata.pd file.
710
711<<table: Schema grammar syntax
712Construct Description
713============= ====================================================================
714 ee Bareword signifies an XML element
715 @aa At (@) prefix signifies an XML attribute
716 %tt Percent (%) prefix signifies a complexType
717 &gg Ampersand (&) prefix a signifies group
718 &@ag Ampersand and at (&@) prefix signifies attributeGroup
719 xx -> %tt Arrow (->) signifies reference to type that defines element or attribute
720 xx: ... ; Colon (:) means that the definition of type follows immediately
721 ee An element or attribute by itself means exactly one occurance is expected
722 ee? Question mark (?) means the element or attribute is optional
723 ee* Asterisk (*) means the element may appear from zero to infinite number of times (same as * in regular expressions)
724 ee+ Plus (+) means the element must appear at least once, but may appear an infinite number of times (same as + in regular expressions)
725 ee{x,y} The element must appear between x and y times (same as in regex)
726 ee | ee The pipey symbol (|) means elements are mutually exclusive choices.
727 ee ee Concatenation of elements or attributes means sequence
728 base( t ) Introduce Extension base type (derive a type)
729 redef( .. ) Redefine a type (using <xs:redefine> construct)
730 mixed(1) Mark a complex type as having mixed content type, i.e. strings and elements alternate
731 enum( ... ) Introduce enumeration of xs:strings
732 any xs:any, the XML arbitrary element extension mechanism
733 @any xs:anyAttribute, the XML arbitrary attribute extension mechanism
734target( ... ) Define target namespace described by the schema
735import( ... ) Bring in other schemata and namespaces
736ns( ... ) Declare existence of another namespace (without importing it)
737>>
738
739<<tex: \small>>
740
74199.1 SAML 2.0
742-------------
743
74499.1.1 saml-schema-assertion-2.0 (sa)
745~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
746
747<<schema:
748<<sg/saml-schema-assertion-2.0.sg>>
749>>
750
75199.1.2 saml-schema-protocol-2.0 (sp)
752~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
753
754<<schema:
755<<sg/saml-schema-protocol-2.0.sg>>
756>>
757
75899.1.4 saml-schema-metadata-2.0 (md)
759~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
760
761<<schema:
762<<sg/saml-schema-metadata-2.0.sg>>
763>>
764
76599.5 Liberty ID-WSF 2.0
766-----------------------
767
76899.5.1 liberty-idwsf-utility-v2.0 (lu)
769~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
770
771<<schema:
772<<sg/liberty-idwsf-utility-v2.0.sg>>
773>>
774
77599.5.3 liberty-idwsf-soap-binding-v2.0 (b)
776~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
777
778<<schema:
779<<sg/liberty-idwsf-soap-binding-v2.0.sg>>
780>>
781
78299.5.4 liberty-idwsf-security-mechanisms-v2.0 (sec)
783~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
784
785<<schema:
786<<sg/liberty-idwsf-security-mechanisms-v2.0.sg>>
787>>
788
78999.5.5 liberty-idwsf-disco-svc-v2.0 (di)
790~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
791
792<<schema:
793<<sg/liberty-idwsf-disco-svc-v2.0.sg>>
794>>
795
79699.5.7 id-dap (dap)
797~~~~~~~~~~~~~~~~~~~
798
799<<schema:
800<<sg/id-dap.sg>>
801>>
802
80399.5.8 liberty-idwsf-subs-v1.0 (subs)
804~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
805
806<<schema:
807<<sg/liberty-idwsf-subs-v1.0.sg>>
808>>
809
81099.5.9 liberty-idwsf-dst-v2.1 (dst)
811~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
812
813<<schema:
814<<sg/liberty-idwsf-dst-v2.1.sg>>
815>>
816
81799.6 SOAP 1.1 Processor wsf-soap11 (e)
818--------------------------------------
819
820<<schema:
821<<sg/wsf-soap11.sg>>
822>>
823
82499.7 XML and Web Services Infrastructure
825----------------------------------------
826
82799.7.1 xmldsig-core (ds)
828~~~~~~~~~~~~~~~~~~~~~~~~
829
830<<schema:
831<<sg/xmldsig-core.sg>>
832>>
833
83499.7.2 xenc-schema (xenc)
835~~~~~~~~~~~~~~~~~~~~~~~~~
836
837<<schema:
838<<sg/xenc-schema.sg>>
839>>
840
84199.7.3 ws-addr-1.0 (a)
842~~~~~~~~~~~~~~~~~~~~~~
843
844<<schema:
845<<sg/ws-addr-1.0.sg>>
846>>
847
848100 Appendix: Some Example XML Blobs
849====================================
850
851These XML blobs are for reference. They have been pretty
852printed. Indentation indicates nesting level and closing tags have
853been abbreviated as "</>". The actual XML on wire generally does not
854have any whitespace.
855
856100.1 SAML 2.0 Artifact Response with SAML 2.0 SSO Assertion and Two Bootstraps
857-------------------------------------------------------------------------------
858
859This example corresponds to t/sso-w-bootstraps.xml in the distribution.
860
861Both bootstraps illustrate SAML assertion as bearer token.
862
863 <soap:Envelope
864 xmlns:lib="urn:liberty:iff:2003-08"
865 xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
866 xmlns:wsa="http://www.w3.org/2005/08/addressing">
867 <soap:Body>
868
869 <sp:ArtifactResponse
870 xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
871 ID="REvgoIIlkzTmk-aIX6tKE"
872 InResponseTo="RfAsltVf2"
873 IssueInstant="2007-02-10T05:38:15Z"
874 Version="2.0">
875 <sa:Issuer
876 xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
877 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
878 https://a-idp.liberty-iop.org:8881/idp.xml</>
879 <sp:Status>
880 <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>
881
882 <sp:Response
883 xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
884 ID="RCCzu13z77SiSXqsFp1u1"
885 InResponseTo="NojFIIhxw"
886 IssueInstant="2007-02-10T05:37:42Z"
887 Version="2.0">
888 <sa:Issuer
889 xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
890 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
891 https://a-idp.liberty-iop.org:8881/idp.xml</>
892 <sp:Status>
893 <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>
894
895 <sa:Assertion
896 xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
897 ID="ASSE6bgfaV-sapQsAilXOvBu"
898 IssueInstant="2007-02-10T05:37:42Z"
899 Version="2.0">
900 <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
901 https://a-idp.liberty-iop.org:8881/idp.xml</>
902
903 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
904 <ds:SignedInfo>
905 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
906 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
907 <ds:Reference URI="#ASSE6bgfaV-sapQsAilXOvBu">
908 <ds:Transforms>
909 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
910 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
911 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
912 <ds:DigestValue>r8OvtNmq5LkYwCNg6bsRZAdT4NE=</></></>
913 <ds:SignatureValue>GtWVZzHYW54ioHk/C7zjDRThohrpwC4=</></>
914
915 <sa:Subject>
916 <sa:NameID
917 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
918 NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">PB5fLIA4lRU2bH4HkQsn9</>
919 <sa:SubjectConfirmation
920 Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
921 <sa:SubjectConfirmationData
922 NotOnOrAfter="2007-02-10T06:37:41Z"
923 Recipient="https://sp1.zxidsp.org:8443/zxidhlo?o=B"/></></>
924
925 <sa:Conditions
926 NotBefore="2007-02-10T05:32:42Z"
927 NotOnOrAfter="2007-02-10T06:37:42Z">
928 <sa:AudienceRestriction>
929 <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></>
930
931 <sa:Advice>
932
933 <!-- This assertion is the credential for the ID-WSF 1.1 bootstrap (below). -->
934
935 <sa:Assertion
936 ID="CREDOTGAkvhNoP1aiTq4bXBg"
937 IssueInstant="2007-02-10T05:37:42Z"
938 Version="2.0">
939 <sa:Issuer
940 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
941 https://a-idp.liberty-iop.org:8881/idp.xml</>
942 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
943 <ds:SignedInfo>
944 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
945 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
946 <ds:Reference URI="#CREDOTGAkvhNoP1aiTq4bXBg">
947 <ds:Transforms>
948 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
949 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
950 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
951 <ds:DigestValue>dqq/28hw5eEv+ceFyiLImeJ1P8w=</></></>
952 <ds:SignatureValue>UKlEgHKQwuoCE=</></>
953 <sa:Subject>
954 <sa:NameID/> <!-- *** Bug here!!! -->
955 <sa:SubjectConfirmation
956 Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
957 <sa:Conditions
958 NotBefore="2007-02-10T05:32:42Z"
959 NotOnOrAfter="2007-02-10T06:37:42Z">
960 <sa:AudienceRestriction>
961 <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></></></>
962
963 <sa:AuthnStatement
964 AuthnInstant="2007-02-10T05:37:42Z"
965 SessionIndex="1171085858-4">
966 <sa:AuthnContext>
967 <sa:AuthnContextClassRef>
968 urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></>
969
970 <sa:AttributeStatement>
971
972 <!-- Regular attribute -->
973
974 <sa:Attribute
975 Name="cn"
976 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
977 <sa:AttributeValue>Sue</></>
978
979 <!-- ID-WSF 1.1 Bootstrap for discovery. See also the Advice, above. -->
980
981 <sa:Attribute
982 Name="DiscoveryResourceOffering"
983 NameFormat="urn:liberty:disco:2003-08">
984 <sa:AttributeValue>
985 <di12:ResourceOffering
986 xmlns:di12="urn:liberty:disco:2003-08"
987 entryID="2">
988 <di12:ResourceID>
989 https://a-idp.liberty-iop.org/profiles/WSF1.1/RID-DISCO-sue</>
990 <di12:ServiceInstance>
991 <di12:ServiceType>urn:liberty:disco:2003-08</>
992 <di12:ProviderID>https://a-idp.liberty-iop.org:8881/idp.xml</>
993 <di12:Description>
994 <di12:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>
995 <di12:CredentialRef>CREDOTGAkvhNoP1aiTq4bXBg</>
996 <di12:Endpoint>https://a-idp.liberty-iop.org:8881/DISCO-S</></></>
997 <di12:Abstract>Symlabs Discovery Service Team G</></></></>
998
999 <!-- ID-WSF 2.0 Bootstrap for Discovery. The credential (bearer token) is inline. -->
1000
1001 <sa:Attribute
1002 Name="urn:liberty:disco:2006-08:DiscoveryEPR"
1003 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
1004 <sa:AttributeValue>
1005 <wsa:EndpointReference
1006 xmlns:wsa="http://www.w3.org/2005/08/addressing"
1007 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
1008 notOnOrAfter="2007-02-10T07:37:42Z"
1009 wsu:Id="EPRIDcjP8ObO9In47SDjO9b37">
1010 <wsa:Address>https://a-idp.liberty-iop.org:8881/DISCO-S</>
1011 <wsa:Metadata xmlns:di="urn:liberty:disco:2006-08">
1012 <di:Abstract>SYMfiam Discovery Service</>
1013 <sbf:Framework xmlns:sbf="urn:liberty:sb" version="2.0"/>
1014 <di:ProviderID>https://a-idp.liberty-iop.org:8881/idp.xml</>
1015 <di:ServiceType>urn:liberty:disco:2006-08</>
1016 <di:SecurityContext>
1017 <di:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>
1018
1019 <sec:Token
1020 xmlns:sec="urn:liberty:security:2006-08"
1021 usage="urn:liberty:security:tokenusage:2006-08:SecurityToken">
1022
1023 <sa:Assertion
1024 ID="CREDV6ZBMyicmyvDq9pLIoSR"
1025 IssueInstant="2007-02-10T05:37:42Z"
1026 Version="2.0">
1027 <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
1028 https://a-idp.liberty-iop.org:8881/idp.xml</>
1029 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
1030 <ds:SignedInfo>
1031 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
1032 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
1033 <ds:Reference URI="#CREDV6ZBMyicmyvDq9pLIoSR">
1034 <ds:Transforms>
1035 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
1036 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
1037 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
1038 <ds:DigestValue>o2SgbuKIBzl4e0dQoTwiyqXr/8Y=</></></>
1039 <ds:SignatureValue>hHdUKaZ//cZ8UYJxvTReNU=</></>
1040 <sa:Subject>
1041 <sa:NameID
1042 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
1043 NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">
1044 9my93VkP3tSxEOIb3ckvjLpn0pa6aV3yFXioWX-TzZI=</>
1045 <sa:SubjectConfirmation
1046 Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
1047 <sa:Conditions
1048 NotBefore="2007-02-10T05:32:42Z"
1049 NotOnOrAfter="2007-02-10T06:37:42Z">
1050 <sa:AudienceRestriction>
1051 <sa:Audience>https://a-idp.liberty-iop.org:8881/idp.xml</></></>
1052 <sa:AuthnStatement AuthnInstant="2007-02-10T05:37:42Z">
1053 <sa:AuthnContext>
1054 <sa:AuthnContextClassRef>
1055 urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></></></></></></></></></></></></></></>
1056
1057N.B. The AttributeStatement/Attribute/AttributeValue/
1058EndpointReference/Metadata/SecurityContext/
1059Token/Assertion/Conditions/AudienceRestriction/Audience is the same as
1060the IdP because in many products the IdP and Discovery Service roles
1061are implemented by the same entity. Note also that the audience of the inner
1062assertion is the discovery service where as the audience of the outer assertion
1063is the SP that will eventually call the Discovery Service.
1064
1065100.2 ID-WSF 2.0 Call with X509v3 Sec Mech
1066------------------------------------------
1067
1068 <e:Envelope
1069 xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
1070 xmlns:b="urn:liberty:sb:2005-11"
1071 xmlns:sec="urn:liberty:security:2005-11"
1072 xmlns:wsse="http://docs.oasis-open.org/wss/20 04/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
1073 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
1074 xmlns:wsa="http://www.w3.org/2005/08/ addressing">
1075 <e:Header>
1076 <wsa:MessageID wsu:Id="MID">123</>
1077 <wsa:To wsu:Id="TO">...</>
1078 <wsa:Action wsu:Id="ACT">urn:xx:Query</>
1079 <wsse:Security mustUnderstand="1">
1080 <wsu:Timestamp wsu:Id="TS"><wsu:Created>2005-06-17T04:49:17Z</></>
1081 <wsse:BinarySecurityToken
1082 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
1083 wsu:Id="X509Token"
1084 EncodingType="http://docs.oas is-open.org/wss/2004/01/oasis-200401-wss-soap-message-securiy-1.0#Base64Binary">
1085 MIIB9zCCAWSgAwIBAgIQ...</>
1086 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
1087 <ds:SignedInfo>
1088 <ds:Reference URI="#MID">...</>
1089 <ds:Reference URI="#TO">...</>
1090 <ds:Reference URI="#ACT">...</>
1091 <ds:Reference URI="#TS">...</>
1092 <ds:Reference URI="#X509">
1093 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
1094 <ds:DigestValue>Ru4cAfeBAB</></>
1095 <ds:Reference URI="#BDY">
1096 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
1097 <ds:DigestValue>YgGfS0pi56p</></></>
1098 <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509"/></></>
1099 <ds:SignatureValue>HJJWbvqW9E84vJVQkjDElgscSXZ5Ekw==</></></></>
1100 <e:Body wsu:Id="BDY">
1101 <xx:Query/></></>
1102
1103The salient features of the above XML blob are
1104
1105* Signature that covers relevant SOAP headers and Body
1106* Absence of any explicit identity token.
1107
1108Absence of identity token means that from the headers it is not
1109possible to identify the taget identity. The signature generally
1110coveys the Invoker identity (the WSC that is calling the
1111service). Since one WSC typically serves many principals, knowing
1112which principal is impossible. For this reason X509 security mechanism is
1113seldom used in ID-WSF 2.0 world (with ID-WSF 1.1 the ResourceID
1114provides an alternative way of identifying the principal, thus making
1115X509 a viable option).
1116
1117100.3 ID-WSF 2.0 Call with Bearer (Binary) Sec Mech
1118---------------------------------------------------
1119
1120 <e:Envelope
1121 xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
1122 xmlns:b="urn:liberty:sb:2005-11"
1123 xmlns:sec="urn:liberty:security:2005-11"
1124 xmlns:wsse="http://docs.oasis-open.org/wss/20 04/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
1125 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
1126 xmlns:wsa="http://www.w3.org/2005/03/ addressing">
1127 <e:Header>
1128 <wsa:MessageID wsu:Id="MID">...</>
1129 <wsa:To wsu:Id="TO">...</>
1130 <wsa:Action wsu:Id="ACT">urn:xx:Query</>
1131 <wsse:Security mustUnderstand="1">
1132 <wsu:Timestamp wsu:Id="TS">
1133 <wsu:Created>2005-06-17T04:49:17Z</></>
1134 <wsse:BinarySecurityToken
1135 ValueType="anyNSPrefix:ServiceSess ionContext"
1136 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64 Binary"
1137 wsu:Id="BST">
1138 mQEMAzRniWkAAAEH9RWir0eKDkyFAB7PoFazx3ftp0vWwbbzqXdgcX8fpEqSr1v4
1139 YqUc7OMiJcBtKBp3+jlD4HPUaurIqHA0vrdmMpM+sF2BnpND118f/mXCv3XbWhiL
1140 VT4r9ytfpXBluelOV93X8RUz4ecZcDm9e+IEG+pQjnvgrSgac1NrW5K/CJEOUUjh
1141 oGTrym0Ziutezhrw/gOeLVtkywsMgDr77gWZxRvw01w1ogtUdTceuRBIDANj+KVZ
1142 vLKlTCaGAUNIjkiDDgti=</>
1143 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig #">
1144 <ds:SignedInfo>
1145 <ds:Reference URI="#MID">...</>
1146 <ds:Reference URI="#TO">...</>
1147 <ds:Reference URI="#ACT">...</>
1148 <ds:Reference URI="#TS">...</>
1149 <ds:Reference URI="#BST">...</>
1150 <ds:Reference URI="#BDY">
1151 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1 "/>
1152 <ds:DigestValue>YgGfS0pi56pu</></></>
1153 ...</></></>
1154 <e:Body wsu:Id="BDY">
1155 <xx:Query/></></>
1156
1157100.4 ID-WSF 2.0 Call with Bearer (SAML) Sec Mech
1158-------------------------------------------------
1159
1160 <e:Envelope
1161 xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
1162 xmlns:sb="urn:liberty:sb:2005-11"
1163 xmlns:sec="urn:liberty:security:2005-11"
1164 xmlns:wsse="http://docs.oasis-open.org/wss/20 04/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
1165 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
1166 xmlns:wsa="http://www.w3.org/2005/08/addressing"
1167 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
1168 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
1169 <e:Header>
1170 <sbf:Framework version="2.0-simple" e:mustUnderstand="1"
1171 e:actor="http://schemas.../next"
1172 wsu:Id="SBF"/>
1173 <wsa:MessageID wsu:Id="MID">...</>
1174 <wsa:To wsu:Id="TO">...</>
1175 <wsa:Action wsu:Id="ACT">urn:xx:Query</>
1176 <wsse:Security mustUnderstand="1">
1177 <wsu:Timestamp wsu:Id="TS">
1178 <wsu:Created>2005-06-17T04:49:17Z</></>
1179
1180 <sa:Assertion
1181 xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
1182 Version="2.0"
1183 ID="A7N123"
1184 IssueInstant="2005-04-01T16:58:33.173Z">
1185 <sa:Issuer>http://idp.symdemo.com/idp.xml</>
1186 <ds:Signature>...</>
1187 <sa:Subject>
1188 <sa:EncryptedID>
1189 <xenc:EncryptedData>U2XTCNvRX7Bl1NK182nmY00TEk==</>
1190 <xenc:EncryptedKey>...</></>
1191 <sa:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
1192 <sa:Conditions
1193 NotBefore="2005-04-01T16:57:20Z"
1194 NotOnOrAfter="2005-04-01T21:42:4 3Z">
1195 <sa:AudienceRestrictionCondition>
1196 <sa:Audience>http://wsp.zxidsp.org</></></>
1197 <sa:AuthnStatement
1198 AuthnInstant="2005-04-01T16:57:30.000Z"
1199 SessionIndex="6345789">
1200 <sa:AuthnContext>
1201 <sa:AuthnContextClassRef>
1202 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</></></>
1203 <sa:AttributeStatement>
1204 <sa:EncryptedAttribute>
1205 <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
1206 mQEMAzRniWkAAAEH9RbzqXdgcX8fpEqSr1v4=</>
1207 <xenc:EncryptedKey>...</></></></>
1208
1209 <wsse:SecurityTokenReference
1210 xmlns:wsse11="..."
1211 wsu:Id="STR1"
1212 wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
1213 <wsse:KeyIdentifier
1214 ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
1215 A7N123</></>
1216
1217 <ds:Signature>
1218 <ds:SignedInfo>
1219 <ds:Reference URI="#MID">...</>
1220 <ds:Reference URI="#TO">...</>
1221 <ds:Reference URI="#ACT">...</>
1222 <ds:Reference URI="#TS">...</>
1223 <ds:Reference URI="#STR1">
1224 <ds:Transform Algorithm="...#STR-Transform">
1225 <wsse:TransformationParameters>
1226 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></></></>
1227 <ds:Reference URI="#BDY"/></>
1228 ...</></></>
1229 <e:Body wsu:Id="BDY">
1230 <xx:Query/></></>
1231
1232*** is the reference above to wsse11:TokenType really correct?
1233
1234Note how the <Subject> and the attributes are encrypted such that only
1235the WSP can open them. This protects against WSC gaining knowledge of
1236the NameID at the WSP.
1237
1238<<references:
1239
1240[SAML11core] SAML 1.1 Core, OASIS, 2003
1241
1242[SAML11bind] "Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1", Oasis Standard, 2.9.2003, oasis-sstc-saml-bindings-1.1
1243
1244[IDFF12] http://www.projectliberty.org/resources/specifications.php
1245
1246[IDFF12meta] Peted Davis, Ed., "Liberty Metadata Description and Discovery Specification", version 1.1, Liberty Alliance Project, 2004. (liberty-metadata-v1.1.pdf)
1247
1248[SAML2core] "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0", Oasis Standard, 15.3.2005, saml-core-2.0-os
1249
1250[SAML2prof] "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0", Oasis Standard, 15.3.2005, saml-profiles-2.0-os
1251
1252[SAML2bind] "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0", Oasis Standard, 15.3.2005, saml-bindings-2.0-os
1253
1254[SAML2context] "Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0", Oasis Standard, 15.3.2005, saml-authn-context-2.0-os
1255
1256[SAML2meta] Cantor, Moreh, Phipott, Maler, eds., "Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0", Oasis Standard, 15.3.2005, saml-metadata-2.0-os
1257
1258[SAML2security] "Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0", Oasis Standard, 15.3.2005, saml-sec-consider-2.0-os
1259
1260[SAML2conf] "Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0", Oasis Standard, 15.3.2005, saml-conformance-2.0-os
1261
1262[SAML2glossary] "Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0", Oasis Standard, 15.3.2005, saml-glossary-2.0-os
1263
1264[XML-C14N] XML Canonicalization (non-exclusive), http://www.w3.org/TR/2001/REC-xml-c14n-20010315; J. Boyer: "Canonical XML Version 1.0", W3C Recommendation, 15.3.2001, http://www.w3.org/TR/xml-c14n, RFC3076
1265
1266[XML-EXC-C14N] Exclusive XML Canonicalization, http://www.w3.org/TR/xml-exc-c14n/
1267
1268[Shibboleth] http://shibboleth.internet2.edu/shibboleth-documents.html
1269
1270[XMLENC] "XML Encryption Syntax and Processing", W3C Recommendation, 10.12.2002, http://www.w3.org/TR/xmlenc-core
1271
1272[XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation, 12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC3275
1273
1274[Disco2] Liberty ID-WSF Discovery service 2.0
1275
1276[Disco12] Liberty ID-WSF Discovery service 1.1 (liberty-idwsf-disco-svc-v1.2.pdf)
1277
1278[SecMech2] Liberty ID-WSF 2.0 Security Mechanisms
1279
1280[SOAPAuthn2] Liberty ID-WSF 2.0 Authentication Service
1281
1282[SOAPBinding2] Liberty ID-WSF 2.0 framework document that pulls together all aspects
1283
1284[DST21] Liberty Data Services Template 2.1
1285
1286[DST20] Liberty DST v2.0
1287
1288[DST11] Liberty DST v1.1
1289
1290[IDDAP] Liberty Identity based Directory Access Protocol
1291
1292[IDPP] Liberty Personal Profile specification.
1293
1294[Interact11] Liberty ID-WSF Interaction Service protocol 1.1
1295
1296[FF12] Liberty ID Federation Framework 1.2, Protocols and Schemas
1297
1298[SUBS2] Liberty Subscriptions and Notifications specification
1299
1300[Schema1-2] Henry S. Thompson et al. (eds): XML Schema Part 1: Structures, 2nd Ed., WSC Recommendation, 28. Oct. 2004, http://www.w3.org/2002/XMLSchema
1301
1302[XML] http://www.w3.org/TR/REC-xml
1303
1304[RFC1950] P. Deutcsh, J-L. Gailly: "ZLIB Compressed Data Format Specification version 3.3", Aladdin Enterprises, Info-ZIP, May 1996
1305
1306[RFC1951] P. Deutcsh: "DEFLATE Compressed Data Format Specification version 1.3", Aladdin Enterprises, May 1996
1307
1308[RFC1952] P. Deutcsh: "GZIP file format specification version 4.3", Aladdin Enterprises, May 1996
1309
1310[RFC2246] TLSv1
1311
1312[RFC2251] LDAP
1313
1314[RFC3548] S. Josefsson, ed.: "The Base16, Base32, and Base64 Data Encodings", July 2003. (Section 4 describes Safebase64)
1315
1316[MS-MWBF] Microsoft Web Browser Federated Sign-On Protocol Specification, 20080207, http://msdn2.microsoft.com/en-us/library/cc236471.aspx
1317
1318>>
1319
1320<<htmlpreamble: <title>README ZXID</title><body bgcolor="#330033" text="#ffaaff" link="#ffddff" vlink="#aa44aa" alink="#ffffff"><font face=sans><h1>README ZXID</h1> >>
1321
1322<<notapath: TCP/IP a.k.a xBSD/Unix n/a Perl/mod_perl PHP/mod_php Java/Tomcat>>
1323<<EOF: >>
1324
1325SAML Open Source catalogs
1326http://saml.xml.org/saml-open-source-implementations
1327http://openliberty.org/wiki/index.php/Existing_Identity_Systems#Open_Source_
1328http://docs.safehaus.org/display/HAUS/Id+OSS+Map
1329
1330Suspicious: when decrypting elements and plugging their plain
1331text variants into original data structure, the wo pointers
1332are not updated. Thus the "old" encrypted data may remain
1333accessible for some purposes.
1334
1335Pointers from Pat
1336http://rnd.feide.no/2007/04/13/light-bulb-update-request-for-testing/
1337https://opensso.dev.java.net/public/extensions/index.html
1338
1339Add macros for OK response.
1340
1341http://wiki.oasis-open.org/security/SstcSamlX509AuthnAttribProfile
1342http://wiki.oasis-open.org/security/SimpleSignBinding
1343
1344
1345On CYGWIN lockf() and flock() apparently are not defined.
1346On mingw they are.
1347
1348Way to pass RelayState through zxid_simple()
1349
1350AuditExplorer
1351
1352elgg.org is very relevant for e-Learning / HR-XML market
1353https://imb.phil.uni-augsburg.de/elgg/
1354
1355FEDORA
1356
1357Moodle (Open Source, Open University)
1358MyStuff (Open Source, Open University)
1359
1360Privacy features of SAML/Liberty
1361User centric features of SAML/Liberty
1362- User control (not necessarily interaction every steps of the way)
1363
1364ECP + IS plugin for Firefox
1365
1366==================
1367In general, wild card cert is one whose cn field is of form *.cellmail.com
1368
1369The openssl command for creating CSR is 'openssl req', for example
1370
1371> openssl req -new -nodes -keyout pkey.pem -out req.pem
1372Generating a 1024 bit RSA private key
1373......................++++++
1374.................................................................................++++++
1375writing new private key to 'pkey.pem'
1376-----
1377You are about to be asked to enter information that will be incorporated
1378into your certificate request.
1379What you are about to enter is what is called a Distinguished Name or a DN.
1380There are quite a few fields but you can leave some blank
1381For some fields there will be a default value,
1382If you enter '.', the field will be left blank.
1383-----
1384Country Name (2 letter code) [AU]:FI
1385State or Province Name (full name) [Some-State]:
1386Locality Name (eg, city) []:Helsinki
1387Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tietosampo
1388Organizational Unit Name (eg, section) []:
1389Common Name (eg, YOUR name) []:*.tietosampo.fi
1390Email Address []:sampo@iki.fi
1391
1392Please enter the following 'extra' attributes
1393to be sent with your certificate request
1394A challenge password []:
1395An optional company name []:
1396
1397
1398In the example above I left the challenge password and company name empty, but
1399it could be that Thawte insists that you fill in something there. They may
1400also have specific requirements about the company name (and possibly the Organization
1401Name and Oraganization Unit Name) matching the registered name of your company.
1402
1403Anyway, the output from the above should be
1404
1405> cat req.pem
1406-----BEGIN CERTIFICATE REQUEST-----
1407MIIBwjCCASsCAQAwgYExCzAJBgNVBAYTAkZJMRMwEQYDVQQIEwpTb21lLVN0YXRl
1408MREwDwYDVQQHEwhIZWxzaW5raTETMBEGA1UEChMKVGlldG9zYW1wbzEYMBYGA1UE
1409AxQPKi50aWV0b3NhbXBvLmZpMRswGQYJKoZIhvcNAQkBFgxzYW1wb0Bpa2kuZmkw
1410gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALudDsX0ZU13ajartg4IECD0+5Lo
1411xSThKu47vQ6GfIeh1+5QO0PCytmrUAI+w0mai9gIp4MssBGqvLs5e2No09ih1KmM
14127s8tgXnnexRQ7FsTEVnaZlZ2dgMNO4DYYtRgX+Kxks6hpHLEY0R3VmCVe1BPlkPs
14130Y4gP1yDNMXMAO+bAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBSWviTot4mScAi
1414xGlky+UqkYtih0dmqhBBTiiSaVHBerUATKG0p8NkM0NGXuPt8Wozx6t53f8VeXDo
1415BML4SzkoYSrmOkEqk8np8O3IWSG4+HRwhetG/THOvNwRz9shvadPec+VQxJEL2FC
1416vxz/z/oQ8oFxyCwVUtTb4zKhT9rFEw==
1417-----END CERTIFICATE REQUEST-----
1418
1419Or if you want to convince yourself that the wild card is
1420really in there, you can check with
1421
1422> openssl asn1parse <req.pem
1423 0:d=0 hl=4 l= 450 cons: SEQUENCE
1424 4:d=1 hl=4 l= 299 cons: SEQUENCE
1425 8:d=2 hl=2 l= 1 prim: INTEGER :00
1426 11:d=2 hl=3 l= 129 cons: SEQUENCE
1427 14:d=3 hl=2 l= 11 cons: SET
1428 16:d=4 hl=2 l= 9 cons: SEQUENCE
1429 18:d=5 hl=2 l= 3 prim: OBJECT :countryName
1430 23:d=5 hl=2 l= 2 prim: PRINTABLESTRING :FI
1431 27:d=3 hl=2 l= 19 cons: SET
1432 29:d=4 hl=2 l= 17 cons: SEQUENCE
1433 31:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
1434 36:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Some-State
1435 48:d=3 hl=2 l= 17 cons: SET
1436 50:d=4 hl=2 l= 15 cons: SEQUENCE
1437 52:d=5 hl=2 l= 3 prim: OBJECT :localityName
1438 57:d=5 hl=2 l= 8 prim: PRINTABLESTRING :Helsinki
1439 67:d=3 hl=2 l= 19 cons: SET
1440 69:d=4 hl=2 l= 17 cons: SEQUENCE
1441 71:d=5 hl=2 l= 3 prim: OBJECT :organizationName
1442 76:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Tietosampo
1443 88:d=3 hl=2 l= 24 cons: SET
1444 90:d=4 hl=2 l= 22 cons: SEQUENCE
1445 92:d=5 hl=2 l= 3 prim: OBJECT :commonName
1446 97:d=5 hl=2 l= 15 prim: T61STRING :*.tietosampo.fi
1447 114:d=3 hl=2 l= 27 cons: SET
1448 116:d=4 hl=2 l= 25 cons: SEQUENCE
1449 118:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
1450 129:d=5 hl=2 l= 12 prim: IA5STRING :sampo@iki.fi
1451 143:d=2 hl=3 l= 159 cons: SEQUENCE
1452 146:d=3 hl=2 l= 13 cons: SEQUENCE
1453 148:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
1454 159:d=4 hl=2 l= 0 prim: NULL
1455 161:d=3 hl=3 l= 141 prim: BIT STRING
1456 305:d=2 hl=2 l= 0 cons: cont [ 0 ]
1457 307:d=1 hl=2 l= 13 cons: SEQUENCE
1458 309:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
1459 320:d=2 hl=2 l= 0 prim: NULL
1460 322:d=1 hl=3 l= 129 prim: BIT STRING
1461
1462Here we can see that hitting empty for State or Provice question was not
1463such a smart idea after all: it used nonsensical default value. I guess
1464you would have to invent something as place holder.
1465
1466> On another train of thought, if I was to have a local CA here, could I use the
1467> commercial certificate I get to sign the x509 certificates I would make? The
1468> x509 would be used to sign emails via smart cards. This is not a commercial
1469> project but rather one to learn more about smart cards. Sun has made code
1470> available to manage smart cards so it may be interesting to learn more.
1471
1472The regular SSL certificate usually will not work as CA certificate due
1473to certificate usage indicators. Technically it is possible to ignore
1474such indicators and use the certificate anyway, but a lot of widely
1475distributed software does not ignore them so you would have a lot of
1476interoperability problems or at least confirmation questions.
1477
1478Commercial CAs do issue CA certificates, but they tend to be expensive.
1479
1480Even if you get commercial CA certificate, you should know that some (older)
1481software only supports one level of certificate hierarchy. This problem
1482has surfaced when some commercial CAs tried to structure themselves
1483internally as multi layer CA.
1484
1485If you want to run your own CA, all you really have to do is configure
1486the CA cert of yours to be trusted by all the software. For browsers
1487this is easy enough within the GUI itself. For servers (such as apache
1488or dsproxy), there is a way to do this at config file level. Configuring
1489direct trust to your CA cert tends to be easier than trying to get
1490commercial CA cert and playing multilayer CA games.
1491
1492Re Thunderbird, I am bit surprised that it does not accept self signed
1493certs. It seems more probable to me that it actually can be configured
1494to accept them, but does not ship with that turned on to protect
1495naive users. The most basic way to use self signed cert would be
1496to import the self signed cert as one of the trusted CA certs.
1497
1498Was your problem with Thunderbird not accepting the IMAPS connection? In
1499that case the Thunderbird client software needs to start trusting the
1500self signed cert as CA cert. There is probably a GUI way to do this - probably
1501something very similar to the Firefox GUI for configuring certs.
1502
1503If you were trying to configure a ClientTLS certificate and the IMAPS
1504server refused it, then you need to adjust configuration in the
1505server end, probably in a config file.
1506
1507
1508
1509-----
1510
1511ZXID CARML stack
1512
1513* frontend API bindings
1514* middle layer routing and mapping engine
1515* backend connectors
1516
1517--Sampo
1518
1519
1520-----
1521
1522http://saml.xml.org/products
1523http://saml.xml.org/zxid
1524
1525ZXID.org Identity Management toolkit implements standalone SAML 2.0
1526and Liberty ID-WSF 2.0 stacks. It is a C implementation with minimal
1527external dependencies - OpenSSL, CURL, and zlib - ensuring easy
1528deployment (no DLLhell). Due to its small footprint and efficient and
1529accurate schema driven implementation, it is suitable for embedded and
1530high volume applications. Language bindings to all popular highlevel
1531languages such as PHP, Perl, and Java, are provided via SWIG. ZXID
1532implements, as of July 07, SP, WSC, and WSP roles.
1533
1534
1535
1536
1537Paul Madsen wrote:
1538> http://saml.xml.org/forum/calculating-digest-of-an-authentication-statement
1539>
1540> Dear Sirs, my name is Gianluca from Italy
1541> I'm trying to calculate the Digest value of a SAML Authentication
1542> STatement whith the SHA-1 algorithm. Let us suppose that we are dealing
1543> with a string representing the following node:
1544>
1545> <saml:AuthenticationStatement>
1546> <saml:Subject>
1547> <saml:NameIdentifier>GIANLUCA</saml:NameIdentifier>
1548> </saml:Subject>
1549> </saml:AuthenticationStatement>
1550>
1551> When I try to calculate SHA-1 with the function b64_sha1(str2Digest)
1552> what
1553> exactly should the string str2Digest contain? I mean it should be equal to
1554> "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>GIANLUCA<
1555> /saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
1556> or only "GIANLUCA" or ....what else?
1557
1558Its a pity he did not provide email address, but lets hope this reaches
1559him anyway.
1560
15611. There is no univesally agreed way to digest Authentication Statements
15622. "Universally" agreed way to digest XML in general is exc-c14n (exclusive
1563 canonicalization) [XML-EXC-C14N]. This method is used by all certified
1564 SAML implementations. It is also the method used by digital
1565 signatures [XMLDSIG].
15663. Canonicalization is difficult and typically 80% of digital signature
1567 failures derive from canonicalization bugs. Of those 95% are
1568 XML namespace related (curse the inventor of XML namespaces), and
1569 4% are whitespace related.
15704. For what you are apparently trying to do, it is important to
1571 digest the entire canonicalized Authentication Statement.
1572 If the question had been about canonicalizing the NameID, it
1573 would still be important to digest the entire canonicalized
1574 Name Identifier as the actual value in isolation is meaningless.
1575 You need the identifier type and namespace qualification
1576 for the digest to be meaningful.
1577
1578[XML-C14N] XML Canonicalization (non-exclusive), http://www.w3.org/TR/2001/REC-xml-c14n-20010315; J. Boyer: "Canonical XML Version 1.0", W3C Recommendation, 15.3.2001, http://www.w3.org/TR/xml-c14n, RFC3076
1579
1580[XML-EXC-C14N] Exclusive XML Canonicalization, http://www.w3.org/TR/xml-exc-c14n/
1581
1582[XMLDSIG] "XML-Signature Syntax and Processing", W3C Recommendation, 12.2.2002, http://www.w3.org/TR/xmldsig-core, RFC3275
1583
1584Cheers,
1585--Sampo
1586