mace-opensaml-users - RE: verifying signature on saml assertions

Subject: OpenSAML user discussion


RE: verifying signature on saml assertions

  • From: "Rakesh Aggarwal" <>
  • To: <>, "Scott Cantor" <>, <>
  • Cc: "Shamik Sharma" <>, "Mike McEvoy" <>
  • Subject: RE: verifying signature on saml assertions
  • Date: Mon, 14 Apr 2003 13:41:54 -0700


I wonder how extra newlines can break the signature verification.
Wouldn't XML C14N take care of that?


Thanks.

-Rakesh


-----Original Message-----
From: mochamaster
[mailto:]

Sent: Monday, April 14, 2003 1:26 PM
To: Rakesh Aggarwal; Scott Cantor;

Subject: RE: verifying signature on saml assertions

That other user would be me, Stalin :^).

I'm experiencing the same problem. Verification fails when the SAML object
is subject to serialization and deserialization.

I have a signed SAML assertion that is enclosed in an unsigned SAML response
and sent to the client. The client consistently fails to validate the
assertion (either via the enclosed certificate or if I manually obtain the
same certificate from the same keystore). I know the signing is valid because
I sign and verify in the same code execution for testing. It breaks upon
transmission.

I don't employ SOAP but simply transport "naked" SAML request and response
elements through HTTP. I was able to successfully perform integrity checks on
the response before it leaves the server and once it reaches the client by
writing the XML to two files (serialized with JDOM's
XMLOutputter.output((Element)samlResponse.toDOM(), fileOS)) and doing a Unix
cksum; so the data is not modified in transit nor after deserialization.

The stack trace doesn't tell me much because the OpenSAML lib gives a canned
message "SAMLSignedObject.verify() failed to update signature value" upon a
false return from XML Security's sig.checkSignatureValue() call.

My next step was to trace the checkSignatureValue() call. Apache's XML
Security provides log4j-style debugging. I have no idea how to enable that
(any hints??). Also, to get around that, I embed my own println statements
in that method and attempt to compile my own version of the XML Security
libs, but it keeps failing due to an attempt by Apache code to access private
member data in a subclass of an XPath class provided in Apache Xalan.

Perhaps you can have better luck.

Scott, is there anything (code, data, etc.) that I can provide you to help
analyze the XML packets, etc.?

Stalin.

--- Rakesh Aggarwal
<>
wrote:
>
> Thanks for responding to my earlier post.
>
> I am building using the SAMLAssertion object and then signing it. Then I
> convert the assertion to a Node using the toDOM() method, and insert it
> in a SOAP envelope using the SOAPHeaderElement object.
>
> While verifying it I get the SOAPHeaderElement from the SOAPEnvelope,
> and then construct a SAMLAssertion out of it. I cast it to a
> SAMLSignedObject and then call verify() on it. At this point, the
> verify() fails due to a mismatch in signature values.
>
> Sign() and verify() succeed if done in the same invocation path for
> testing purposes. I had to upgrade my Xalan and related jars from 2.2.x
> to 2.4.x. But it still fails across multiple invocations, when
> serializing and deserializing of SAML objects is involved.
>
> I am going to check if extra newlines are coming in while serializing
> and deserializing SAML objects. Another user on this discussion group
> has reported a similar problem while serializing and deserializing SAML
> objects over HTTP. Please let me know if someone has found a solution to
> this problem.
>
> Thanks.
>
> -Rakesh
>
>
> -----Original Message-----
> From: Scott Cantor
> [mailto:]
>
> Sent: Saturday, April 12, 2003 2:51 PM
> To: Rakesh Aggarwal;
>
> Subject: RE: verifying signature on saml assertions
>
> >I am new to this group, so I apologize in advance if this question has
> >been asked before. I could not find it in the archives. An earlier post
> >seems to suggest that the SAMLRequest object should be used while
> >signing and verifying the assertion. But I am not sure how to generate
> >assertions with this object. I am using the SAMLAssertion object
> >instead. Is that acceptable?
>
> Requests don't generate assertions. You have to build what you want to
> build, and sign whatever you want to sign. If you want a signed
> assertion, then you use SAMLAssertion, and SAMLResponse builds signed
> responses.
>
> At this point, embedding signed assertions in responses or signing while
> embedded barely sort-of works, kind of, but not really. In short, there
> are SAML issues and signature library problems that really make this too
> unreliable.
>
> SAML at this point only uses signing in the POST profile, for naked
> responses, and that's about all that's reliable.
>
> Once SAML 1.1 is ready, this should all be fixable.
>
> >The contents of the Assertion object in the above 2 files look exactly
> >the same, still the sig.checkSignatureValue(k) method fails while
> >verifying the signature. I am using a null key while verifying the
> >signature.
>
> They aren't close to the same. Your verify.xml file is full of extra
> whitespace and indenting, which is not ignored in XML.
>
> To use signatures at all, you have to sign the object and then generate
> the XML with the toStream() method. To verify, you can't change anything
> at all in that resulting data. One extra linefeed and you're done. No
> pretty printing allowed, especially.
>
> -- Scott
>
>
>



---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--
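Rakesh's question above (why XML C14N does not absorb the extra newlines) has a concrete answer: canonicalization normalizes different serializations of the same infoset (attribute order, quoting, empty-element syntax, where namespace declarations sit), but the whitespace-only text nodes a pretty-printer inserts between elements are part of the infoset, so they survive canonicalization and change the digest that the signature covers. The following is an added example, not code from this thread or from OpenSAML / Apache XML Security. It uses the Python standard library's canonicalize(), which implements Canonical XML 2.0 rather than the Canonical XML 1.0 / Exclusive C14N algorithms that XML Signature references, but all of them treat inter-element whitespace as content. The SAML 1.0-style assertion, its attribute values and the AssertionID are constructed sample data.

```python
"""Show what XML canonicalization does and does not normalize.

xml.etree.ElementTree.canonicalize() implements W3C Canonical XML 2.0, not
the Canonical XML 1.0 / Exclusive C14N used by XML Signature, but the point
demonstrated here holds for all of them: attribute order, quote style and
empty-element syntax are normalized; whitespace-only text nodes are not.
"""
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample (not from the thread): a SAML 1.0-style assertion as the
# signer serialized it, on one line with no inter-element whitespace.
AS_SIGNED = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' MajorVersion="1" MinorVersion="0" AssertionID="_a1b2c3"'
    ' IssueInstant="2003-04-14T20:00:00Z" Issuer="https://idp.example.org">'
    '<saml:Conditions NotBefore="2003-04-14T20:00:00Z"'
    ' NotOnOrAfter="2003-04-14T20:05:00Z"></saml:Conditions>'
    '<saml:AuthenticationStatement'
    ' AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
    '<saml:Subject><saml:NameIdentifier>rakesh</saml:NameIdentifier>'
    '</saml:Subject></saml:AuthenticationStatement>'
    '</saml:Assertion>'
)

# The same infoset re-serialized by a different writer: attribute order
# changed, single quotes, self-closing empty element, xmlns moved to the end.
# C14N undoes all of this, so a signature over AS_SIGNED still verifies.
RESERIALIZED = (
    "<saml:Assertion Issuer='https://idp.example.org' AssertionID='_a1b2c3'"
    " MinorVersion='0' IssueInstant='2003-04-14T20:00:00Z' MajorVersion='1'"
    " xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion'>"
    "<saml:Conditions NotOnOrAfter='2003-04-14T20:05:00Z'"
    " NotBefore='2003-04-14T20:00:00Z'/>"
    "<saml:AuthenticationStatement"
    " AuthenticationMethod='urn:oasis:names:tc:SAML:1.0:am:password'>"
    "<saml:Subject><saml:NameIdentifier>rakesh</saml:NameIdentifier>"
    "</saml:Subject></saml:AuthenticationStatement>"
    "</saml:Assertion>"
)

# Pretty-printed by an indenting serializer: every newline and indent run is
# a new whitespace text node, and text nodes are signed content.
PRETTY_PRINTED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="0" AssertionID="_a1b2c3" IssueInstant="2003-04-14T20:00:00Z" Issuer="https://idp.example.org">
  <saml:Conditions NotBefore="2003-04-14T20:00:00Z" NotOnOrAfter="2003-04-14T20:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier>rakesh</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def c14n(xml_text: str, strip_text: bool = False) -> str:
    """Canonical form of the document. strip_text is a C14N 2.0 option with
    no counterpart in the C14N 1.0 / Exclusive C14N that XML-DSig applies."""
    return canonicalize(xml_text, strip_text=strip_text)


def digest(xml_text: str, strip_text: bool = False) -> str:
    """SHA-256 over the canonical bytes, standing in for the DigestValue a
    ds:Reference commits to and a verifier recomputes."""
    canonical = c14n(xml_text, strip_text).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def survives_c14n(original: str, received: str, strip_text: bool = False) -> bool:
    """True if both serializations canonicalize to identical bytes, i.e. a
    digest computed over `original` would still match `received`."""
    return digest(original, strip_text) == digest(received, strip_text)


if __name__ == "__main__":
    print("canonical form:\n" + c14n(AS_SIGNED))
    print("attribute order / quotes / empty tags:",
          survives_c14n(AS_SIGNED, RESERIALIZED))          # True
    print("pretty-printed (newlines, indent):   ",
          survives_c14n(AS_SIGNED, PRETTY_PRINTED))        # False
    print("pretty-printed, whitespace stripped: ",
          survives_c14n(AS_SIGNED, PRETTY_PRINTED, strip_text=True))  # True
```

The third result only confirms that the inserted whitespace is the entire difference; it is not a fix, because the canonicalization a 2003-era XML-DSig verifier runs has no whitespace-stripping mode. The practical rule is the one Scott gives: emit the signed object with toStream() and deliver exactly those bytes, without pretty-printing or re-serializing through a DOM or JDOM writer, to the verifier.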