
mace-opensaml-users - RE: Signature Problems with Requests/Responses

Subject: OpenSAML user discussion

RE: Signature Problems with Requests/Responses

  • From: Scott Cantor <>
  • To: 'Terry Cumming' <>,
  • Subject: RE: Signature Problems with Requests/Responses
  • Date: Fri, 28 Mar 2003 14:18:12 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> I have been using OpenSAML 0.8 (Java) for a week now to build
> demo code. All works well except the digital signatures.

I expect that will be the case for a while. ;-(

> If however I transport a SAMLRequest across a network via
> SAMLSOAPBinding and try signature verification at the
> receiving end, I receive errors.

Well, the part that's much harder (and really doesn't work yet) is embedded signatures, or super-signatures. A simple sign/verify over the whole message does work.

Something in your transport step is corrupting the content, and it could be just about anything. To figure out whether it's a serialization bug in OpenSAML (usually due to namespaces), or not, it helps to look at the thing that verifies and diff it against the XML that doesn't.

> The error I get occurs in SAMLSignedObject.verify() after line
> sig.checkSignatureValue(k):
> InvalidCryptoException("SAMLSignedObject.verify() failed to
> validate signature value");

That just means the bytes changed, not very helpful, but I do have the ability to debug those bytes when I need to.

> I have test code now to reproduce the problem but the
> symptoms are slightly different. I create a SAMLRequest, do a
> toDOM, then create a new SAMLRequest object taking the DOM
> root element in the constructor. Now I
> receive: "SAMLQuery.getInstance() unable to locate an
> implementation of specified query type". My request contains
> an AssertionArtifact.

That sounds like a simpler bug. If you can get me the XML that causes that, I can probably spot it.

> I notice that Init.java does not have any registration for
> query by AssertionArtifact, and there is no SAMLQuery class
> for this either, which is I think why I get the error.

No, it's not a query. There wouldn't be a class.

> Full compilable code sample below - you just need a key in a
> keystore. Error handling and comments removed for brevity.

I'll try and run it through some time this weekend, but you can perhaps research this in the XML with me.

-- Scott
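A worked illustration of the diagnostic suggested above (canonicalize the message that verifies and the one that does not, then diff them), added here as an example; it is not code from OpenSAML or from either poster. It uses Python's standard library rather than the Java API the thread discusses, because the check itself is language-neutral: an XML Signature digests the canonical (C14N) form of the signed element, so the question is always "which bytes survived canonicalization differently?". The SAML Request text and its two transport-mangled copies are constructed placeholders, not captured messages.

```python
"""Canonicalize two serializations of one SAML message and diff them.

Added example, not OpenSAML code. An XMLDSig DigestValue is computed over
the canonical form of the signed element, so a transport step that changes
anything C14N preserves (inserted whitespace, a renamed namespace prefix)
changes the digest, and the verifier can only report "signature value
invalid". Attribute order, by contrast, is normalized away by C14N.
"""
import difflib
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a minimal SAML 1.x-style Request carrying an
# AssertionArtifact. All values are placeholders.
ORIGINAL = (
    '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    'RequestID="_req1" IssueInstant="2003-03-28T19:18:12Z" '
    'MajorVersion="1" MinorVersion="0">'
    '<samlp:AssertionArtifact>AAEAAAAAAAAAAAAA</samlp:AssertionArtifact>'
    '</samlp:Request>'
)

# Same message after a hypothetical transport hop that pretty-printed it:
# the new whitespace text nodes are part of the canonical form.
PRETTY_PRINTED = (
    '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    'RequestID="_req1" IssueInstant="2003-03-28T19:18:12Z" '
    'MajorVersion="1" MinorVersion="0">\n'
    '  <samlp:AssertionArtifact>AAEAAAAAAAAAAAAA</samlp:AssertionArtifact>\n'
    '</samlp:Request>'
)

# Same message re-serialized by a DOM layer that chose its own prefix.
# Inclusive C14N keeps prefixes, so this also changes the digest.
REPREFIXED = ORIGINAL.replace("xmlns:samlp", "xmlns:ns0").replace("samlp:", "ns0:")

# Same message with attributes emitted in a different order. C14N sorts
# attributes, so this one still verifies.
REORDERED = (
    '<samlp:Request MinorVersion="0" MajorVersion="1" '
    'IssueInstant="2003-03-28T19:18:12Z" RequestID="_req1" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">'
    '<samlp:AssertionArtifact>AAEAAAAAAAAAAAAA</samlp:AssertionArtifact>'
    '</samlp:Request>'
)


def canonical(xml_text: str, rewrite_prefixes: bool = False) -> str:
    """Inclusive Canonical XML 1.0 via the standard library.
    rewrite_prefixes=True renames every prefix to n0, n1, ... so that two
    documents differing only in prefix names canonicalize identically."""
    return ET.canonicalize(xml_data=xml_text, rewrite_prefixes=rewrite_prefixes)


def digest(xml_text: str) -> str:
    """SHA-1 of the canonical form, as an XMLDSig 1.0 DigestValue would be
    computed (SHA-1 was the mandatory digest algorithm of that era)."""
    return hashlib.sha1(canonical(xml_text).encode("utf-8")).hexdigest()


def diff_canonical(good: str, bad: str) -> list:
    """Changed lines between the canonical forms: the concrete bytes that
    explain why the digest, and therefore the signature, no longer matches."""
    lines = difflib.unified_diff(
        canonical(good).splitlines(), canonical(bad).splitlines(),
        fromfile="verifies", tofile="fails", lineterm="")
    return [ln for ln in lines
            if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]


def classify_difference(good: str, bad: str) -> str:
    """'identical'   : same digest, the transport change is harmless;
       'prefix-only' : only namespace prefixes were renamed (a serializer
                       problem, the usual OpenSAML-era culprit);
       'content'     : whitespace or content changed in transit."""
    if digest(good) == digest(bad):
        return "identical"
    if canonical(good, rewrite_prefixes=True) == canonical(bad, rewrite_prefixes=True):
        return "prefix-only"
    return "content"


if __name__ == "__main__":
    for name, variant in [("pretty-printed", PRETTY_PRINTED),
                          ("re-prefixed", REPREFIXED),
                          ("reordered attrs", REORDERED)]:
        print(f"{name:16} {classify_difference(ORIGINAL, variant)}")
        for line in diff_canonical(ORIGINAL, variant):
            print("   ", line)
```

Run it and the three variants classify as "content", "prefix-only" and "identical" respectively, with the diff lines showing exactly which bytes moved. The same procedure works on real captured messages: canonicalize the XML taken from the sender just before signing and the XML the receiver hands to `verify()`, and diff those; `rewrite_prefixes=True` separates a pure prefix-naming difference from an actual content change.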

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--
