mace-opensaml-users - RE: verifying signature on saml assertions

Subject: OpenSAML user discussion

  • From: Scott Cantor <>
  • To: , 'Rakesh Aggarwal' <>,
  • Subject: RE: verifying signature on saml assertions
  • Date: Mon, 14 Apr 2003 18:04:20 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> i don't employ soap but simply transport "naked" saml
> request and response elements through http. i was able
> to successfully perform integrity checks on the
> response before it leaves the server and once it
> reaches the client by writing the xml to two files
> (serialized with JDOM's XMLOutputter.output((Element)samlResponse.toDOM(),fileOS)
> and doing a unix cksum; so the data is not modified in
> transit nor after deserialization.

Ok, can you perhaps find out what that XMLOutputter does? Is it a c14n-based
algorithm? Anything else is potentially a problem,
though only pretty-printers tend to really cause trouble.

> the stack trace doesn't tell me much because opensaml
> lib gives a canned message "SAMLSignedObject.verify()
> failed to update signature value" upon a false return
> to xml sec's sig.checkSignatureValue() call.

Right, that just means the raw crypto is what broke. So something doesn't
match.

> my next step was to trace the check sig value call.
> apache's xml sec provides log4j style debugging. i
> have no idea how to enable that (any hints??).

You have to use a log4j config file to ratchet up the logging level,
basically. OpenSAML uses log4j, but doesn't actually configure
it directly, so whatever xmlsec is doing is probably the issue. There's at
least some related stuff in the config.xml file inside
the jar as well.

> scott, is there anything (code, data, etc) that i can
> provide you to help analyze the xml packets, etc?

Just the code, basically. I can build a JUnit test on it and if necessary, I
can modify the SAML code to dump some of the xmlsec
internal buffers.

If the XML is truly not modified in transit, then the bug is probably a
namespace issue that needs to be spotted by dumping what
gets fed into the digest algorithm.

-- Scott
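To make the canonicalization point in this thread concrete, here is an added Python example (not OpenSAML's or Apache XML Security's code) that digests a constructed SAML 1.x response in its original, re-serialized and pretty-printed forms and classifies why a signature would or would not survive. It uses the standard library's C14N 2.0 canonicalizer as a stand-in for the C14N 1.0 / exclusive transforms XML-DSig normally uses; the properties shown (attribute order, quoting and tag form normalized, inserted whitespace not) hold for those as well.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample (not real traffic): a minimal SAML 1.x Response as it leaves the server.
ORIGINAL = (
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'ResponseID="_abc123" IssueInstant="2003-04-14T22:04:20Z">'
    '<saml:Assertion AssertionID="_a1" Issuer="https://idp.example.org">'
    '<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>'
    '</saml:Assertion></Response>'
)
# Same infoset written by a non-c14n serializer: attributes reordered, single quotes.
# Byte-different, but canonically identical, so a DSig reference digest still matches.
RESERIALIZED = (
    "<Response IssueInstant='2003-04-14T22:04:20Z' ResponseID='_abc123' "
    "xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' "
    "xmlns='urn:oasis:names:tc:SAML:1.0:protocol'>"
    "<saml:Assertion Issuer='https://idp.example.org' AssertionID='_a1'>"
    "<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>"
    "</saml:Assertion></Response>"
)
# A minimal pretty-printer: a newline between adjacent tags. Those newlines are new
# text nodes that canonicalization keeps, so the digest changes and the signature fails.
PRETTY = ORIGINAL.replace("><", ">\n<")


def raw_digest(xml_text: str) -> str:
    """SHA-1 over the serialized bytes: the 'cksum' style check from the thread."""
    return hashlib.sha1(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str) -> str:
    """SHA-1 over the canonical form, which is what a DSig reference digest covers."""
    return hashlib.sha1(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()


def diagnose(sent: str, received: str) -> str:
    """Classify why a signature made over `sent` would or would not verify on `received`."""
    if sent == received:
        return "identical bytes"
    if c14n_digest(sent) == c14n_digest(received):
        return "canonically equal: serializer differences only, signature should verify"
    # strip_text discards whitespace-only text nodes; if that makes them equal, the only
    # change was inserted indentation, i.e. a pretty-printer.
    if ET.canonicalize(sent, strip_text=True) == ET.canonicalize(received, strip_text=True):
        return "whitespace inserted: a pretty-printer broke the digest"
    return "infoset differs: content, attributes or namespaces changed"
```

Dumping `ET.canonicalize(...)` for both sides is the Python equivalent of dumping what xmlsec feeds into the digest; a diff of the two canonical strings points at the namespace or whitespace change directly.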

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--