mace-opensaml-users - Re: Question regarding general SAML receiver framework
Subject: OpenSAML user discussion
- From: "roy" <>
- Subject: Re: Question regarding general SAML receiver framework
- Date: Fri, 9 Jan 2004 03:29:43 -0800
Hello!
I finally ran into the issue called out below ...
> The problem is that you may end up with problems on the signature end.
> Signatures flat out don't work well in SAML 1.0. That was the reason for
> most of the changes in 1.1. I did my best to implement signing in 1.0, but I
> had to make some assumptions about the way signing was done and I do a lot
> of checking for specific transforms. From what I can see, the signature
> you're getting is close, but I think it will fail because it's not
> specifying exclusive C14N in that transform.
>
> That was probably a little strong on my part, but it is permitted by the 1.1
> spec to reject that transform, and so I did. I wasn't trying to even pretend
> to interop with signed 1.0 messages either.
>
> I should be able to patch that problem for you, but let's see how far you
> get first.
>
So I changed lines 206-215 in SAMLSignedObject.cpp to read from...
---------
for (int i=0; tlist && i<tlist->getSize(); i++)
{
    if (tlist->item(i)->getTransformType()==TRANSFORM_ENVELOPED_SIGNATURE)
        valid=true;
    else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N)
    {
        valid=false;
        break;
    }
}
---------
to the following ...
---------
for (int i=0; tlist && i<tlist->getSize(); i++)
{
    if (tlist->item(i)->getTransformType()==TRANSFORM_ENVELOPED_SIGNATURE)
        valid=true;
    else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N)
    {
        if (SAMLConfig::getConfig().compatibility_mode &&
            tlist->item(i)->getTransformType()!=TRANSFORM_C14N)
        {
            valid=false;
            break;
        }
    }
}
---------
which seems to have gotten me over that particular barrier :) One last thing,
however.
I am signing a sample SAML response with the signtest.exe program, yet on
attempting to validate the signed results, I get the
following error messages:
1073647209 ERROR SAML.SAMLAssertion verify: signature failed to verify, error
messages follow: Reference URI="" failed to verify
caught a SAML exception: <Status xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><StatusCode
Value="Responder"/>
<StatusMessage>SAMLSignedObject::verify() failed to validate signature
value</StatusMessage><StatusDetail><ExceptionClass
xmlns="http://www.opensaml.org">org.opensaml.InvalidCryptoException</ExceptionClass></StatusDetail></Status>
The signed SAML response can be viewed at
http://home.comcast.net/~roykim/saml.xml
Is there a way to get the signtest executable to generate a properly signed
SAML response with the necessary Reference URI values
set (or perhaps I'm overlooking something again)?
- roy
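The transform check in the two snippets above decides which ds:Reference transforms a verifier will tolerate, and the edited version changes more than it looks: once a transform is not exclusive C14N, it is rejected only when compatibility mode is on and the transform is not inclusive C14N, so with compatibility mode off any other transform (an XPath or XSLT transform, for example) now slips through instead of invalidating the reference. The following added example is not code from the message or from OpenSAML; it models the transform list with a plain enum and vector instead of the xml-security-c DSIGTransformList, and the names Transform, acceptableAsPosted, acceptableTightened and referenceAcceptable are assumptions. It puts the posted logic beside a tightened version that accepts inclusive C14N only under compatibility mode and rejects everything else, and adds the rule for the empty Reference URI from the error message: a same-document reference needs the enveloped-signature transform so the Signature element itself is excluded from the digest.

```cpp
#include <string>
#include <vector>

// Transform identifiers, modelled after the transformType values the posted
// snippet reads from DSIGTransform::getTransformType() (enum name assumed).
enum class Transform {
    EnvelopedSignature,   // TRANSFORM_ENVELOPED_SIGNATURE
    ExclusiveC14N,        // TRANSFORM_EXC_C14N
    InclusiveC14N,        // TRANSFORM_C14N
    XPath,                // stands in for any other transform type
    XSLT
};

// The logic exactly as posted: a non-exclusive-C14N transform invalidates the
// reference only when compatibility mode is on AND it is not inclusive C14N.
// With compatibility mode off, every unknown transform is silently accepted.
bool acceptableAsPosted(const std::vector<Transform>& tlist, bool compat) {
    bool valid = false;
    for (Transform t : tlist) {
        if (t == Transform::EnvelopedSignature) {
            valid = true;
        } else if (t != Transform::ExclusiveC14N) {
            if (compat && t != Transform::InclusiveC14N) {
                valid = false;
                break;
            }
        }
    }
    return valid;
}

// Tightened version: enveloped-signature and exclusive C14N are always fine,
// inclusive C14N is fine only in compatibility mode, and any other transform
// rejects the reference outright. The enveloped-signature transform is still
// required for the reference to count as valid, as in the original code.
bool acceptableTightened(const std::vector<Transform>& tlist, bool compat) {
    bool valid = false;
    for (Transform t : tlist) {
        if (t == Transform::EnvelopedSignature) {
            valid = true;
        } else if (t == Transform::ExclusiveC14N) {
            continue;
        } else if (compat && t == Transform::InclusiveC14N) {
            continue;
        } else {
            return false;   // XPath, XSLT, or anything else: not tolerated
        }
    }
    return valid;
}

// A Reference with URI="" digests the whole document, and "#id" a fragment of
// it; both are same-document references that must drop the Signature element
// through the enveloped-signature transform. External URIs are out of scope
// for an enveloped SAML signature and are rejected here.
bool referenceAcceptable(const std::string& uri,
                         const std::vector<Transform>& tlist, bool compat) {
    if (!uri.empty() && uri[0] != '#')
        return false;
    return acceptableTightened(tlist, compat);
}
```

The pair of functions makes the difference concrete: for the transform list {enveloped-signature, XPath} with compatibility mode off, acceptableAsPosted returns true while acceptableTightened returns false. A verifier should treat the set of tolerated transforms as an allow-list, since every transform it accepts is code the signer chose that runs over the document before the digest is compared.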