
mace-opensaml-users - RE: verifying signature on saml assertions

Subject: OpenSAML user discussion


RE: verifying signature on saml assertions


  • From: mochamaster <>
  • To:
  • Subject: RE: verifying signature on saml assertions
  • Date: Tue, 15 Apr 2003 19:30:07 -0700 (PDT)

toStream() canonicalizes before output. Shouldn't this happen within the sign() code, specified as a transform, so that the verify routine can properly apply the reverse transforms to obtain the pre-signed version of the element?

--- mochamaster
<>
wrote:
> i've narrowed down the problem. there is a disagreement in the way OpenSAML serializes (via toStream(..)) and deserializes (via constructors that accept InputStream) an object. at some point, the data integrity fails and thus causes signature verifications to fail.
>
> in the same code execution, i signed, serialized, deserialized and verified signature. if the serialization processes were in sync this would have worked fine. but it doesn't. i used this code snippet:
>
> SAMLResponse samlResponse = ...
> Iterator iter = samlResponse.getAssertions();
> SAMLAssertion samlAssertion = (SAMLAssertion) iter.next();
> samlAssertion.sign(..DSA..,privateKey,certs,true);
> samlAssertion.verify(true); // this works
>
> ByteArrayOutputStream baos = new ByteArrayOutputStream();
> samlResponse.toStream(baos); // serialize
> // (usually to servlet output stream and deserialize on client end, but for simplicity we're just doing it in the same code execution)
> ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
> SAMLResponse samlResponse2 = new SAMLResponse(bais); // deserialize
> iter = samlResponse2.getAssertions();
> samlAssertion = (SAMLAssertion) iter.next();
> samlAssertion.verify(true); // this fails
>
> i traced it in xmlsig to the point of discovering unmatched digests between what's reported in <DigestValue> and the digest computed by the verify() call.
>
> /stal
>
>
>
>
> --- mochamaster
> <>
> wrote:
> > That other user would be me, Stalin :^).
> >
> > I'm experiencing the same problem. Verification fails when the saml object is subject to serialization and deserialization.
> >
> > I have a signed saml assertion that is enclosed in an unsigned saml response and sent to client. the client consistently fails to validate the assertion (either via the enclosed certificate or if i manually obtain the same certificate from the same keystore). i know the signing is valid because i sign and verify in the same code execution for testing. it breaks upon transmission.
> >
> > i don't employ soap but simply transport "naked" saml request and response elements through http. i was able to successfully perform integrity checks on the response before it leaves the server and once it reaches the client by writing the xml to two files (serialized with JDOM's XMLOutputter.output((Element)samlResponse.toDOM(),fileOS)) and doing a unix cksum; so the data is not modified in transit nor after deserialization.
> >
> > the stack trace doesn't tell me much because the opensaml lib gives a canned message "SAMLSignedObject.verify() failed to update signature value" upon a false return from xml sec's sig.checkSignatureValue() call.
> >
> > my next step was to trace the check sig value call. apache's xml sec provides log4j style debugging. i have no idea how to enable that (any hints??). also, to get around that i embed my own println statements in that method and attempt to compile my own version of the xml sec libs, but it keeps failing due to an attempt by apache code to access private member data in a sub class of an xpath class provided in apache xalan.
> >
> > perhaps you can have better luck.
> >
> > scott, is there anything (code, data, etc) that i can provide you to help analyze the xml packets, etc?
> >
> > Stalin.
> >
> > --- Rakesh Aggarwal
> > <>
> > wrote:
> > >
> > > Thanks for responding to my earlier post.
> > >
> > > I am building using the SAMLAssertion object and then signing it. Then I convert the assertion to a Node using the toDOM() method, and insert it in a SOAP envelope using the SOAPHeaderElement object.
> > >
> > > While verifying it I get the SOAPHeaderElement from the SOAPEnvelope, and then construct a SAMLAssertion out of it. I cast it to a SAMLSignedObject and then call verify() on it. At this point, the verify() fails due to a mismatch in signature values.
> > >
> > > Sign() and verify() succeed if done in the same invocation path for testing purposes. I had to upgrade my xalan and related jars from 2.2.x to 2.4.x. But it still fails across multiple invocations, when serializing and deserializing of saml objects is involved.
> > >
> > > I am going to check if extra newlines are coming in while serializing and deserializing saml objects. Another user on this discussion-group has reported a similar problem while serializing and deserializing saml objects over http. Please let me know if someone has found a solution to this problem.
> > >
> > > Thanks.
> > >
> > > -Rakesh
> > >
> > >
> > > -----Original Message-----
> > > From: Scott Cantor [mailto:]
> > > Sent: Saturday, April 12, 2003 2:51 PM
> > > To: Rakesh Aggarwal;
> > > Subject: RE: verifying signature on saml assertions
> > >
> > > > I am new to this group, so I apologize in advance if this question has been asked before. I could not find it in the archives. An earlier post seems to suggest that the SAMLRequest object should be used while signing and verifying the assertion. But I am not sure how to generate assertions with this object. I am using the SAMLAssertion object instead. Is that acceptable?
> > >
> > > Requests don't generate assertions. You have to build what you want to build, and sign whatever you want to sign. If you want a signed assertion, then you use SAMLAssertion, and SAMLResponse builds signed responses.
> > >
> > > At this point, embedding signed assertions in responses or signing while embedded barely sort-of works, kind of, but not really. In short, there are SAML issues and signature library problems that really make this too unreliable.
> > >
> > > SAML at this point only uses signing in the POST profile, for naked responses, and that's about all that's reliable.
> > >
> > > Once SAML 1.1 is ready, this should all be fixable.
> > >
> > > > The contents of the Assertion object in the above 2 files look exactly the same, still the sig.checkSignatureValue(k) method fails while verifying the signature. I am using a null key while verifying the signature.
> > >
> > > They aren't close to the same. Your verify.xml file is full of extra whitespace and indenting, which is not ignored in XML.
> > >
> > > To use signatures at all, you have to sign the object and then generate the XML with the toStream() method. To verify, you can't change anything at all in that resulting data. One extra linefeed and you're done. No pretty printing allowed, especially.
> > >
> > > -- Scott



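Scott's point about whitespace, worked through as an added example (mine, not code from this thread or from OpenSAML): canonicalization absorbs attribute order and quote style, but whitespace-only text nodes are content and survive it, so an indented copy of a signed assertion yields a different digest than the one recorded in <DigestValue>. Python's stdlib C14N 2.0 (3.9+) stands in for the XML-DSig canonicalization xmlsec applied; the assertion, its attribute values and the digest algorithm are constructed for illustration and carry no real signature.

```python
"""Why a re-serialized SAML assertion fails digest checking: C14N normalizes
attribute order, quoting and namespace placement, but keeps whitespace text
nodes, so pretty printing after sign() changes the canonical bytes.
Stand-alone illustration using stdlib C14N 2.0; not OpenSAML or xmlsec code."""
import hashlib
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)  # keep the 'saml' prefix on re-serialization

# Constructed sample (hypothetical values, no real signature).
BODY = ("<saml:AuthenticationStatement><saml:Subject>"
        "<saml:NameIdentifier>alice</saml:NameIdentifier>"
        "</saml:Subject></saml:AuthenticationStatement>")
# The bytes toStream() would have emitted right after sign().
SIGNED_FORM = (f'<saml:Assertion xmlns:saml="{SAML_NS}" MinorVersion="0" '
               f'MajorVersion="1" AssertionID="_id1">{BODY}</saml:Assertion>')
# Same infoset written by another tool: attributes reordered and single-quoted.
# Canonicalization absorbs these differences, so the digest is unchanged.
REORDERED_FORM = (f"<saml:Assertion MajorVersion='1' AssertionID='_id1' "
                  f"MinorVersion='0' xmlns:saml='{SAML_NS}'>{BODY}</saml:Assertion>")


def canonical_digest(xml_text: str) -> str:
    """Digest over the canonical form, as a <Reference> is checked.
    strip_text=False mirrors XML-DSig C14N: whitespace nodes are kept."""
    c14n = ET.canonicalize(xml_text, strip_text=False)
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


def pretty_print(xml_text: str) -> str:
    """What an indenting XMLOutputter or a debug dump does to the data:
    inserts whitespace text nodes between elements."""
    root = ET.fromstring(xml_text)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def reference_matches(received_xml: str, digest_value: str) -> bool:
    """Verifier side: recompute over the XML exactly as received and compare
    with the digest the signer recorded."""
    return canonical_digest(received_xml) == digest_value


if __name__ == "__main__":
    recorded = canonical_digest(SIGNED_FORM)  # the signer's <DigestValue>
    print("reordered attributes:", reference_matches(REORDERED_FORM, recorded))
    print("pretty printed:", reference_matches(pretty_print(SIGNED_FORM), recorded))
```

The only robust fix on the verifier side is the one Scott describes: pass the serialized bytes through untouched and verify them before any re-serialization.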