mace-opensaml-users - verifying signature on saml assertions

  • From: "Rakesh Aggarwal" <>
  • To: <>
  • Subject: verifying signature on saml assertions
  • Date: Fri, 11 Apr 2003 16:36:36 -0700

Hi Folks!

I am new to this group, so I apologize in advance if this question has been asked before. I could not find it in the archives. An earlier post seems to suggest that the SAMLRequest object should be used while signing and verifying the assertion. But I am not sure how to generate assertions with this object. I am using the SAMLAssertion object instead. Is that acceptable?

I am using OpenSaml toolkit version 0.8 to create and verify signed SAML assertions. I am running into a problem while trying to verify the signed assertion, which I created earlier using the same toolkit. Somehow the SAMLSignedObject.verify() method returns “failed to validate signature value”. I am using the flag “simple=true” while signing and verifying the assertions.

Please see the attached files for the contents of the Assertion:

1) signAssert.xml – contents of the SAMLAssertion after creating and signing it

2) verifyAssert.xml – contents of the SAMLAssertion while verifying it.

The contents of the Assertion object in the above 2 files look exactly the same, still the sig.checkSignatureValue(k) method fails while verifying the signature. I am using a null key while verifying the signature.

Any help will be appreciated.

Thanks.

-Rakesh


signAssert.xml:

<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="6ebc2505-0964-4642-b23c-6898ea1395c0" IssueInstant="2003-04-11T21:41:00Z" Issuer="ConfluentCORE" MajorVersion="1" MinorVersion="0">
  <Conditions NotBefore="2003-04-11T21:40:58Z" NotOnOrAfter="2003-04-28T22:21:27Z" />
  <AuthenticationStatement AuthenticationInstant="2003-04-11T21:40:58Z" AuthenticationMethod="http://schemas.xmlsoap.org/ws/2002/04/secext">
    <Subject>
      <NameIdentifier>guest</NameIdentifier>
    </Subject>
    <SubjectLocality DNSAddress="localhost" IPAddress="127.0.0.1" />
  </AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>eWrawYuJVjmT7SUhxE4rV+dFNSM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>E4Ns8WUqVjl0sY+m7SEXgU7pka93fJf1m5JTygR98IknKAypzWpFrw==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</Assertion>

verifyAssert.xml:

<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="6ebc2505-0964-4642-b23c-6898ea1395c0" IssueInstant="2003-04-11T21:41:00Z" Issuer="ConfluentCORE" MajorVersion="1" MinorVersion="0">
  <Conditions NotBefore="2003-04-11T21:40:58Z" NotOnOrAfter="2003-04-28T22:21:27Z" />
  <AuthenticationStatement AuthenticationInstant="2003-04-11T21:40:58Z" AuthenticationMethod="http://schemas.xmlsoap.org/ws/2002/04/secext">
    <Subject>
      <NameIdentifier>guest</NameIdentifier>
    </Subject>
    <SubjectLocality DNSAddress="localhost" IPAddress="127.0.0.1" />
  </AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>eWrawYuJVjmT7SUhxE4rV+dFNSM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>E4Ns8WUqVjl0sY+m7SEXgU7pka93fJf1m5JTygR98IknKAypzWpFrw==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</Assertion>

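The verification step the post describes, written as an added example against the JDK's javax.xml.crypto XML-DSig API (this is not the poster's OpenSAML 0.8 code and not OpenSAML's API): it checks the enveloped signature on a SAML 1.0 assertion file such as signAssert.xml, reports separately whether the reference digest or the signature value failed (the distinction behind "failed to validate signature value"), and, instead of a null key that trusts whatever certificate the sender placed in KeyInfo, accepts only a certificate the relying party already trusts. The file name, the class name and the trustedCert argument are assumptions.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
public class AssertionSignatureCheck {
    // Only the caller's pinned certificate (trustedCert, an assumption) may verify:
    // a certificate is never trusted merely because the sender put it in KeyInfo.
    static KeySelector pinnedKeySelector(final X509Certificate trustedCert) {
        return new KeySelector() {
            public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                    AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
                for (Object content : keyInfo.getContent()) {
                    if (!(content instanceof X509Data)) continue;
                    for (Object item : ((X509Data) content).getContent()) {
                        if (trustedCert.equals(item)) {   // X509Certificate.equals compares encodings
                            final PublicKey pk = trustedCert.getPublicKey();
                            return new KeySelectorResult() { public Key getKey() { return pk; } };
                        }
                    }
                }
                throw new KeySelectorException("KeyInfo does not carry the trusted signer certificate");
            }
        };
    }
    // Returns "ok", "reference-digest-mismatch" or "signature-value-invalid", mirroring the two
    // halves of XML-DSig core validation; an untrusted KeyInfo certificate surfaces as an exception.
    static String verify(String assertionFile, X509Certificate trustedCert) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // without this the ds: elements do not resolve and validation fails
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(assertionFile));
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return "expected-exactly-one-signature";
        DOMValidateContext ctx = new DOMValidateContext(pinnedKeySelector(trustedCert), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) return "ok";
        // validate() was false: find out whether a digest over the enveloped content failed,
        // or whether the digests matched and only the SignatureValue over SignedInfo did not.
        for (Object r : sig.getSignedInfo().getReferences()) {
            if (!((Reference) r).validate(ctx)) return "reference-digest-mismatch";
        }
        return "signature-value-invalid";
    }
}
```

With the attachments above, trustedCert must be the DSA certificate the issuer is known to use, because a null key at this point would accept any signer who embeds their own certificate in KeyInfo. Current JDK releases also reject the SHA-1 digest and DSA-SHA1 signature algorithms these attachments use under their default secure-validation policy, which is the correct outcome today.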


