
mace-opensaml-users - RE: verifying signature on saml assertions


RE: verifying signature on saml assertions


  • From: mochamaster <>
  • To:
  • Subject: RE: verifying signature on saml assertions
  • Date: Tue, 15 Apr 2003 18:00:53 -0700 (PDT)

i've narrowed down the problem. there is a
disagreement in the way OpenSAML serializes (via
toStream(..)) and deserializes (via constructors that
accept InputStream) an object. at some point, the data
integrity fails and thus causes signature
verifications to fail.

in the same code execution, i signed, serialized,
deserialized and verified signature. if the
serialization processes were in sync this would have
worked fine. but it doesn't. i used this code snippet:

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.util.Iterator;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLResponse;

SAMLResponse samlResponse = ...
Iterator iter = samlResponse.getAssertions();
SAMLAssertion samlAssertion = (SAMLAssertion) iter.next();
samlAssertion.sign(..DSA.., privateKey, certs, true);
samlAssertion.verify(true); // this works

// serialize (usually to the servlet output stream, with deserialization on the
// client end, but for simplicity we're just doing it in the same code execution)
ByteArrayOutputStream baos = new ByteArrayOutputStream();
samlResponse.toStream(baos);

// deserialize from the bytes toStream() produced
ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
SAMLResponse samlResponse2 = new SAMLResponse(bais);
iter = samlResponse2.getAssertions();
samlAssertion = (SAMLAssertion) iter.next();
samlAssertion.verify(true); // this fails

i traced it in xmlsig to the point of discovering
unmatched digests between what's reported in
<DigestValue> and the digest computed by the verify()
call.

/stal




--- mochamaster <> wrote:
> That other user would be me, Stalin :^).
>
> I'm experiencing the same problem. Verification fails when the saml object is subject to serialization and deserialization.
>
> I have a signed saml assertion that is enclosed in an unsigned saml response and sent to client. the client consistently fails to validate the assertion (either via the enclosed certificate or if i manually obtain the same certificate from the same keystore). i know the signing is valid because i sign and verify in the same code execution for testing. it breaks upon transmission.
>
> i don't employ soap but simply transport "naked" saml request and response elements through http. i was able to successfully perform integrity checks on the response before it leaves the server and once it reaches the client by writing the xml to two files (serialized with JDOM's XMLOutputter.output((Element)samlResponse.toDOM(),fileOS) and doing a unix cksum; so the data is not modified in transit nor after deserialization.
>
> the stack trace doesn't tell me much because opensaml lib gives a canned message "SAMLSignedObject.verify() failed to update signature value" upon a false return to xml sec's sig.checkSignatureValue() call.
>
> my next step was to trace the check sig value call. apache's xml sec provides log4j style debugging. i have no idea how to enable that (any hints??). also to get around that i embed my own println statements in that method and attempt to compile my own version of xml sec libs but it keeps failing due to an attempt by apache code to access private member data in a sub class of an xpath class provided in apache xalan.
>
> perhaps you can have better luck.
>
> scott, is there anything (code, data, etc) that i can provide you to help analyze the xml packets, etc?
>
> Stalin.
>
> --- Rakesh Aggarwal <> wrote:
> >
> > Thanks for responding to my earlier post.
> >
> > I am building using the SAMLAssertion object and then signing it. Then I convert the assertion to a Node using the toDOM() method, and insert it in a SOAP envelope using the SOAPHeaderElement object.
> >
> > While verifying it I get the SOAPHeaderElement from the SOAPEnvelope, and then construct a SAMLAssertion out of it. I cast it to a SAMLSignedObject and then call verify() on it. At this point, the verify() fails due to mismatch in signature values.
> >
> > Sign() and verify() succeed if done in the same invocation path for testing purposes. I had to upgrade my xalan and related jars from 2.2.x to 2.4.x. But it still fails across multiple invocations, when serializing and deserializing of saml objects is involved.
> >
> > I am going to check if extra newlines are coming in while serializing and deserializing saml objects. Another user on this discussion-group has reported a similar problem while serializing and deserializing saml objects over http. Please let me know if someone has found a solution to this problem.
> >
> > Thanks.
> >
> > -Rakesh
> >
> >
> > -----Original Message-----
> > From: Scott Cantor [mailto:]
> > Sent: Saturday, April 12, 2003 2:51 PM
> > To: Rakesh Aggarwal;
> > Subject: RE: verifying signature on saml assertions
> >
> > >I am new to this group, so I apologize in advance if this question has been asked before. I could not find it in the archives. An earlier post seems to suggest that SAMLRequest object should be used while signing and verifying the assertion. But I am not sure how to generate assertions with this object. I am using SAMLAssertion object instead. Is that acceptable?
> >
> > Requests don't generate assertions. You have to build what you want to build, and sign whatever you want to sign. If you want a signed assertion, then you use SAMLAssertion, and SAMLResponse builds signed responses.
> >
> > At this point, embedding signed assertions in responses or signing while embedded barely sort-of works, kind of, but not really. In short, there are SAML issues and signature library problems that really make this too unreliable.
> >
> > SAML at this point only uses signing in the POST profile, for naked responses, and that's about all that's reliable.
> >
> > Once SAML 1.1 is ready, this should all be fixable.
> >
> > >The contents of the Assertion object in the above 2 files look exactly the same, still the sig.checkSignatureValue(k) method fails while verifying the signature. I am using null key while verifying the signature.
> >
> > They aren't close to the same. Your verify.xml file is full of extra whitespace and indenting, which is not ignored in XML.
> >
> > To use signatures at all, you have to sign the object and then generate the XML with the toStream() method. To verify, you can't change anything at all in that resulting data. One extra linefeed and you're done. No pretty printing allowed, especially.
> >
> > -- Scott
> >


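The failure Scott describes in the quoted reply, where a verifier canonicalizes and digests exactly the bytes it is handed, so that whitespace inserted by a pretty printer changes what is compared against <DigestValue>, can be reproduced without OpenSAML. The script below is an added example, not code from this thread or from OpenSAML: the assertion text is constructed (and not actually signed), xml.etree.ElementTree.canonicalize from the Python standard library (C14N 2.0, Python 3.8 and later) stands in for the DSig canonicalizer, SHA-256 stands in for the SHA-1 digests of the era, and canonical_digest, first_divergence and whitespace_only_text_nodes are hypothetical helper names. It shows that a re-serialization which only reorders or requotes attributes leaves the canonical digest unchanged, while an indenting serializer does not, and it locates the first point where the two documents diverge.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for an assertion as toStream() might emit it: no
# whitespace-only text nodes between elements. It is not signed; only the
# digest step that verify() compares against <DigestValue> is modelled.
COMPACT = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_example-id" IssueInstant="2003-04-15T18:00:53Z" '
    'Issuer="https://idp.example.org">'
    '<Conditions NotBefore="2003-04-15T18:00:53Z" '
    'NotOnOrAfter="2003-04-15T18:05:53Z"/>'
    '<AuthenticationStatement '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
    '<Subject><NameIdentifier>alice</NameIdentifier></Subject>'
    '</AuthenticationStatement>'
    '</Assertion>'
)

# Same infoset written by a different DOM serializer: attribute order and quote
# style changed, but no text nodes were added. Canonicalization absorbs this.
REORDERED = (
    "<Assertion Issuer='https://idp.example.org' "
    "IssueInstant='2003-04-15T18:00:53Z' AssertionID='_example-id' "
    "xmlns='urn:oasis:names:tc:SAML:1.0:assertion'>"
    "<Conditions NotOnOrAfter='2003-04-15T18:05:53Z' "
    "NotBefore='2003-04-15T18:00:53Z'/>"
    "<AuthenticationStatement "
    "AuthenticationMethod='urn:oasis:names:tc:SAML:1.0:am:password'>"
    "<Subject><NameIdentifier>alice</NameIdentifier></Subject>"
    "</AuthenticationStatement>"
    "</Assertion>"
)

# "Pretty printed" copy: an indenting serializer inserted whitespace text nodes.
# Those nodes are part of the infoset, survive canonicalization, and change the digest.
PRETTY = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_example-id" IssueInstant="2003-04-15T18:00:53Z" '
    'Issuer="https://idp.example.org">\n'
    '  <Conditions NotBefore="2003-04-15T18:00:53Z" '
    'NotOnOrAfter="2003-04-15T18:05:53Z"/>\n'
    '  <AuthenticationStatement '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">\n'
    '    <Subject>\n'
    '      <NameIdentifier>alice</NameIdentifier>\n'
    '    </Subject>\n'
    '  </AuthenticationStatement>\n'
    '</Assertion>'
)


def canonical_form(xml_text):
    """Canonical XML of the document. ET.canonicalize implements C14N 2.0; the
    XML-DSig stack of OpenSAML's day used C14N 1.0 / Exclusive C14N, but every
    C14N variant preserves whitespace text nodes, which is the behaviour shown."""
    return ET.canonicalize(xml_data=xml_text)


def canonical_digest(xml_text):
    """Hex SHA-256 over the canonical form (assumption: SHA-256 in place of the
    SHA-1 DigestMethod common in 2003; the algorithm does not change the point)."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def first_divergence(xml_a, xml_b, context=24):
    """Locate where two documents stop agreeing after canonicalization.
    Returns None if they are canonically identical, otherwise
    (offset, snippet_of_a, snippet_of_b) around the first differing character."""
    ca, cb = canonical_form(xml_a), canonical_form(xml_b)
    limit = min(len(ca), len(cb))
    for i in range(limit):
        if ca[i] != cb[i]:
            break
    else:
        if len(ca) == len(cb):
            return None
        i = limit  # one document is a prefix of the other
    lo = max(0, i - context)
    return i, ca[lo:i + context], cb[lo:i + context]


def whitespace_only_text_nodes(xml_text):
    """Count whitespace-only text and tail nodes: zero for toStream()-style
    output, positive when something pretty-printed the document on the way."""
    count = 0
    for el in ET.fromstring(xml_text).iter():
        for chunk in (el.text, el.tail):
            if chunk and not chunk.strip():
                count += 1
    return count


if __name__ == "__main__":
    print("compact   :", canonical_digest(COMPACT))
    print("reordered :", canonical_digest(REORDERED))
    print("pretty    :", canonical_digest(PRETTY))
    print("divergence:", first_divergence(COMPACT, PRETTY))
    print("whitespace nodes in pretty copy:", whitespace_only_text_nodes(PRETTY))
```

Applied to the two files Stalin wrote out on the server and the client, first_divergence would show whether the bytes differ in a way the signature cares about, which a plain cksum cannot separate from transport corruption, and whitespace_only_text_nodes is a quick check that the receiving side parsed toStream() output rather than an indented copy.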




