mace-opensaml-users - Re: Signature validation fails after parsing SAML Response

Subject: OpenSAML user discussion

Re: Signature validation fails after parsing SAML Response


  • From: "Shannon Kendrick" <>
  • To: "Scott Cantor" <>, <>
  • Subject: Re: Signature validation fails after parsing SAML Response
  • Date: Mon, 3 Mar 2003 13:05:37 -0500

Scott,
I did a string compare on the "toString()" values of the two SAMLResponse
objects and they check out fine. It seems to only fail if I've got an
AttributeStatement in the response. Without the AttributeStatement
everything validates fine.

My test case is included below. Basically I create a SAMLResponse with an
AttributeStatement and sign the response. Then I stream it to a byte array
and reparse it. The failure occurs when I validate the signature.

Is it possible that either the validation or the check isn't including the
AttributeStatement in the digest?
If I wanted to sign the document myself, would I use "toDOM" to get the
Document reference?

Thanks in advance,
Shannon Kendrick

===Code begins here===
package org.kendrickonline;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Date;

import org.apache.log4j.Logger;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.Init;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.opensaml.XML;

/**
 * Test of signing and validating a SAMLResponse.
 *
 * @author Shannon Kendrick
 * @version $Id$
 */
public class SAMLResponseTest {

    public static void main(String[] args) {

        Init.init();

        // Logger
        Logger logger = Logger.getLogger(SAMLResponseTest.class);

        try {
            // Create the SAML Response
            logger.debug("*** Creating SAML response...");
            SAMLSubject authSubject =
                new SAMLSubject(

                    "",
                    null,
                    null,
                    Arrays.asList(new String[] { SAMLSubject.CONF_BEARER }),
                    null,
                    null);
            SAMLSubject attribSubject =
                new SAMLSubject(

                    "",
                    null,
                    null,
                    null,
                    null,
                    null);
            SAMLAuthenticationStatement authenticationStatement =
                new SAMLAuthenticationStatement(
                    authSubject,
                    "urn:oasis:names:tc:SAML:1.0:am:unspecified",
                    new Date(),
                    null,
                    null,
                    null);
            SAMLAttributeStatement attributeStatement =
                new SAMLAttributeStatement(
                    attribSubject,
                    Arrays.asList(
                        new SAMLAttribute[] {
                            new SAMLAttribute(
                                "name",
                                "namespace",
                                null,
                                0,
                                Arrays.asList(
                                    new String[] { "John Doe" }))
                        }));
            Date notBefore = new Date();
            Date notOnOrAfter = new Date(notBefore.getTime() + (3 * 60 * 1000));
            SAMLAssertion[] assertions =
                {
                    new SAMLAssertion(
                        "Shannon Kendrick",
                        notBefore,
                        notOnOrAfter,
                        null,
                        null,
                        Arrays.asList(
                            new SAMLStatement[] {
                                authenticationStatement,
                                attributeStatement }))
                };
            SAMLResponse samlResponse =
                new SAMLResponse(null, null, Arrays.asList(assertions), null);
            logger.debug("*** SAML response created");

            // Locate the private key
            logger.debug("*** Fetching private key and certificate chain...");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(
                SAMLResponseTest.class.getResourceAsStream("/keystore.jks"),
                null);
            Key key = keyStore.getKey("ssotest", "abc123".toCharArray());
            Certificate cert = keyStore.getCertificate("ssotest");
            Certificate[] certChain = keyStore.getCertificateChain("ssotest");
            logger.debug("*** Private key and certificate chain loaded");

            // Sign the SAML Response
            logger.debug("*** Signing SAML response...");
            samlResponse.sign(
                XMLSignature.ALGO_ID_SIGNATURE_DSA,
                key,
                Arrays.asList(certChain),
                true);
            logger.debug("*** SAML response signed");

            // Validate the SAML Response
            logger.debug(
                "*** SAML response before serialization: " + samlResponse);
            logger.debug("*** Validating SAML response...");
            samlResponse.verify(cert, true);
            logger.debug("*** SAML response validated");

            // Serialize SAMLResponse and parse back into SAMLResponse
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            samlResponse.toStream(out);
            SAMLResponse samlResponse2 =
                new SAMLResponse(
                    XML.parserPool
                        .parse(new ByteArrayInputStream(out.toByteArray()))
                        .getDocumentElement());

            // Validate the SAML Response
            logger.debug(
                "*** SAML response after serialization: " + samlResponse2);
            logger.debug("*** Validating SAML response...");
            samlResponse2.verify(cert, true);
            logger.debug("*** SAML response validated");

        } catch (Exception e) {
            logger.error(e.getMessage(), e);
        }
    }
}

===Code ends here===
----- Original Message -----
From: "Scott Cantor"
<>
To: "'Shannon Kendrick'"
<>;
<>
Sent: Thursday, February 27, 2003 11:35 PM
Subject: RE: Signature validation fails after parsing SAML Response


> > Any idea why the second parsing fails?
>
> No, though that code is still a work in progress. Did you try diffing the
> two buffers before the verify step? Be interesting to see
> what changed.
>
> -- Scott
>
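A re-parse diagnostic for the failure described in this thread, added here as an example and not code from the original post or from OpenSAML: it uses the JDK's javax.xml.crypto.dsig API instead of OpenSAML's verify() to re-parse the serialized bytes and report, per Reference, whether the digest still matches, so content changed by the serialize/parse round trip (such as the AttributeStatement) can be told apart from a bad SignatureValue. Assumed: `serialized` is the byte array written by toStream() and `cert` is the signing certificate loaded from the keystore; only the top-level Response signature is examined.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.util.Iterator;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Re-parses a serialized, signed SAML 1.x Response and reports per-Reference results. */
public class SignatureDiagnostics {

    public static boolean diagnose(byte[] serialized, Certificate cert) throws Exception {
        // Namespace awareness is mandatory: a non-namespace-aware parse changes the
        // canonical form of the signed content and every digest fails after the round trip.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(serialized));

        // A freshly parsed document carries no DTD, so the ID-typed attributes that the
        // enveloped Reference URIs ("#...") point at must be registered again by hand.
        doc.getDocumentElement().setIdAttribute("ResponseID", true);
        NodeList assertions = doc.getElementsByTagNameNS(
            "urn:oasis:names:tc:SAML:1.0:assertion", "Assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            ((Element) assertions.item(i)).setIdAttribute("AssertionID", true);
        }

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalStateException("no ds:Signature in document");
        DOMValidateContext ctx = new DOMValidateContext(cert.getPublicKey(), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        boolean coreValid = sig.validate(ctx);
        if (!coreValid) {
            // Separate "SignatureValue wrong" from "some digest wrong": only the latter
            // points at content that changed between signing and re-parsing.
            System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Iterator<?> it = sig.getSignedInfo().getReferences().iterator(); it.hasNext();) {
                Reference ref = (Reference) it.next();
                System.out.println("Reference " + ref.getURI() + " digest valid: " + ref.validate(ctx));
            }
        }
        return coreValid;
    }
}
```

Call `diagnose(out.toByteArray(), cert)` right after the toStream() step of the test case; a Reference reported with an invalid digest identifies the element whose serialized form no longer canonicalizes to what was signed.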
