OpenSAML user discussion

[Bin Lu <>]

Hi,

I am using opensaml 0.9.1(with patch). In saml response verification,
I am getting "InvalidCryptoException" from SAMLResponse::verify()
with error message of:

SAMLSignedObject::verify() caught an XMLSec exception

From DSIGSignature::verify() it seems the error is due to
DSIGSignature::load() was not called. But the
SAMLResponse constructor with DOMElement suggests
it should have been called. Please see the attached code.

The DOMElement returns the following namespace URI
and localName:

NamespaceURI = http://www.w3.org/2000/09/xmldsig#
localName = Signature

Both the response and the assertions are signed.
Please advice what the problem could be.

Thanks,
Bin Lu

static void processPost(const char *b64samlResponse, const char *assertRef)
 {

    int bytes = strlen(b64samlResponse) * 3 / 4 + 1;
    char *responseData = new char[bytes];
    do {
        int decodedLength = 0;
        if (DSUtilDecode64(b64samlResponse, strlen(b64samlResponse),
            responseData, bytes, &decodedLength) != 0 ) {
            // log error message
            break;
        }

        MemBufInputSource input((const XMLByte*)responseData,
            strlen(responseData), "AAResponse", false);
        Wrapper4InputSource wrapper(&input, false);
        XML::Parser parser;
        DOMDocument* doc = parser.parse(wrapper);
        DOMElement* elem = doc->getDocumentElement();
        SAMLResponse* samlResponse = new SAMLResponse(elem);

        // check DOM
        Debug("saml", 0, "NamespaceURI = %s, localName = %s", 
              XMLString::transcode(n->getNamespaceURI()), 
              XMLString::transcode(n->getLocalName()));


        Iterator<SAMLAssertion*> assertions = samlResponse->getAssertions();
        if (!assertions.hasNext()) {
            DSLog::SAMLMsg::ConsumerNoAssertion((char*)NULL, b64samlResponse);
            status = "FAILURE: No assertion";
            break;
        }

        SAMLAssertion * assertion = assertions.next();

        // get the signing cert in PEM format
        X509 *signingCert =
            DSCert::dsANY_read_X509(certData, (const char *)NULL, "P");

        if (samlResponse->isSigned()) {
            OpenSSLCryptoX509 crypto(signingCert);
            try {
                samlResponse->verify(crypto);
                // same error for 
                // assertion->verify(crypto);
            } catch (InvalidCryptoException ce) {
               Debug("saml", 0, "invalid crypto exception: %s", ce.what());
               break;
            } catch (...) {
                Debug("saml", 0, "response verification failed");
                break;
            }

            DSLogDebug("test", 0, "passed signature verification!");
        } 
       
        // validate assertions ...
}