mace-opensaml-users - RE: Signature Problems with Requests/Responses
Subject: OpenSAML user discussion
List archive
- From: Scott Cantor <>
- To: 'Terry Cumming' <>,
- Subject: RE: Signature Problems with Requests/Responses
- Date: Fri, 28 Mar 2003 14:18:12 -0500
- Importance: Normal
- Organization: The Ohio State University
> I have been using OpenSAML 0.8 (Java) for a week now to build
> demo code. All works well except the digital signatures.
I expect that will be the case for a while. ;-(
> If however I transport a SAMLRequest across a network via
> SAMLSOAPBinding and try signature verification at the
> receiving end, I receive errors.
Well, the part that's much harder (and really doesn't work yet) is embedded
signatures, or super-signatures. A simple sign/verify over the whole message
does work.
Something in your transport step is corrupting the content, and it could be
just about anything. To figure out whether it's a serialization bug in OpenSAML
(usually due to namespaces), or not, it helps to look at the thing that
verifies and diff it against the XML that doesn't.
> The error I get occurs in SAMLSignedObject.verify() after line
> sig.checkSignatureValue(k):
> InvalidCryptoException("SAMLSignedObject.verify() failed to
> validate signature value");
That just means the bytes changed, not very helpful, but I do have the
ability to debug those bytes when I need to.
> I have test code now to reproduce the problem but the
> symptoms are slightly different. I create a SAMLRequest, do a
> toDOM, then create a new SAMLRequest object taking the DOM
> root element in the constructor. Now I
> receive: "SAMLQuery.getInstance() unable to locate an
> implementation of specified query type". My request contains
> an AssertionArtifact.
That sounds like a more simple bug. If you can get me the XML that causes
that, I can probably spot it.
> I notice that Init.java does not have any registration for
> query by AssertionArtifact, and there is no SAMLQuery class
> for this either, which is I think why I get the error.
No, it's not a query. There wouldn't be a class.
> Full compilable code sample below - you just need a key in a
> keystore. Error handling and comments removed for brevity.
I'll try and run it through some time this weekend, but you can perhaps
research this in the XML with me.
-- Scott
---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
---------------------------------------------------mace-opensaml-users--
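Added example, not code from this thread or from OpenSAML: the experiment Scott suggests (take the XML that verifies, take the XML that doesn't, diff them), done in Python with a SHA-256 digest over the serialized bytes standing in for the signature value, since verification in either case comes down to re-deriving bytes and comparing them. The SAML 1.x artifact request is constructed, and two Python DOM libraries stand in for the Java transport/serialization step: xml.dom.minidom, which keeps the namespace prefixes, and xml.etree.ElementTree, which forgets them and reassigns ns0/ns1 when it serializes. The canonical form is C14N 2.0 as implemented by xml.etree.ElementTree.canonicalize (Python 3.8+), which drops unused namespace declarations the way exclusive C14N does; inclusive C14N 1.0 keeps them, so under that algorithm even the dropped xmlns:saml declaration would change the signed bytes.

```python
"""Why a signature that verifies before transport fails after a DOM round
trip, and how to find the changed bytes by diffing the two serializations.

Added example, not from the thread and not OpenSAML code. A SHA-256 digest
over the (canonicalized) bytes stands in for the XML-DSig signature value.
Needs Python 3.8+ for xml.etree.ElementTree.canonicalize (C14N 2.0).
"""
import difflib
import hashlib
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed SAML 1.x-style artifact request; the ID, timestamp and artifact
# value are made up. Note the unused xmlns:saml declaration.
ORIGINAL = (
    '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' RequestID="_c0a8e7" MajorVersion="1" MinorVersion="1"'
    ' IssueInstant="2003-03-28T19:18:12Z">'
    '<samlp:AssertionArtifact>QUFBQkJCQ0NDRERERUVFRkZGR0dH</samlp:AssertionArtifact>'
    '</samlp:Request>'
)


def raw_digest(xml_text):
    """Digest over the bytes exactly as serialized (what a naive signer hashes)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text):
    """Digest over the C14N 2.0 form: attributes sorted, XML declaration and
    unused namespace declarations dropped, namespace prefixes kept as-is."""
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()


def benign_round_trip(xml_text):
    """minidom keeps prefixes and attribute order but prepends an XML
    declaration: the raw bytes change, the canonical form does not."""
    return xml.dom.minidom.parseString(xml_text).toxml()


def corrupting_round_trip(xml_text):
    """ElementTree forgets the original prefixes and reassigns ns0, ns1, ...
    The result is well-formed and means the same thing, but the prefix is
    part of the canonical form, so a signature over it no longer verifies."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


def xml_diff(verifies, fails):
    """The diagnostic from the reply: diff the XML that verifies against the
    XML that does not, one element per line, to see where the bytes moved."""
    def per_element(text):
        return text.replace("><", ">\n<").splitlines()
    return list(difflib.unified_diff(per_element(verifies), per_element(fails),
                                     fromfile="verifies", tofile="fails",
                                     lineterm=""))


def check(original, received):
    """Report which verification strategies survive this transport step."""
    return {
        "raw_matches": raw_digest(original) == raw_digest(received),
        "c14n_matches": c14n_digest(original) == c14n_digest(received),
        "diff": xml_diff(original, received),
    }


if __name__ == "__main__":
    for name, transport in (("minidom", benign_round_trip),
                            ("ElementTree", corrupting_round_trip)):
        result = check(ORIGINAL, transport(ORIGINAL))
        print(f"{name}: raw={result['raw_matches']} c14n={result['c14n_matches']}")
        print("\n".join(result["diff"]))
```

Run it and read the two unified diffs: the minidom leg shows only the added XML declaration, which canonicalization absorbs, while the ElementTree leg shows `-<samlp:Request ...>` against `+<ns0:Request ...>`, the namespace rewrite that no canonicalization short of explicit prefix rewriting will absorb. That is the kind of line to look for when comparing the XML the sender signed with the XML the receiver rebuilt from its DOM.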
- Signature Problems with Requests/Responses, Terry Cumming, 03/28/2003
- RE: Signature Problems with Requests/Responses, Scott Cantor, 03/28/2003
- <Possible follow-up(s)>
- Signature Problems with Requests/Responses, Terry Cumming, 03/28/2003
- RE: Signature Problems with Requests/Responses, Scott Cantor, 03/31/2003
- RE: Signature Problems with Requests/Responses, Terry Cumming, 03/31/2003
- RE: Signature Problems with Requests/Responses, Scott Cantor, 03/31/2003
- RE: Signature Problems with Requests/Responses, Terry Cumming, 03/31/2003
- RE: Signature Problems with Requests/Responses, Scott Cantor, 03/31/2003