
mace-opensaml-users - getting InvalidCryptoException in SAMLResponse verification

Subject: OpenSAML user discussion

  • From: Bin Lu <>
  • To:
  • Subject: getting InvalidCryptoException in SAMLResponse verification
  • Date: Wed, 14 Dec 2005 11:37:32 -0800

Hi,

I am using opensaml 0.9.1 (with patch). In SAML response verification,
I am getting "InvalidCryptoException" from SAMLResponse::verify()
with the error message:

SAMLSignedObject::verify() caught an XMLSec exception

From DSIGSignature::verify() it seems the error is due to
DSIGSignature::load() not having been called. But the
SAMLResponse constructor with DOMElement suggests
it should have been called. Please see the attached code.

The DOMElement returns the following namespace URI
and localName:

NamespaceURI = http://www.w3.org/2000/09/xmldsig#
localName = Signature

Both the response and the assertions are signed.
Please advise what the problem could be.

Thanks,
Bin Lu

static void processPost(const char *b64samlResponse, const char *assertRef)
{
    // Decoded base64 is at most 3/4 of the input; +1 leaves room for a NUL.
    int bytes = strlen(b64samlResponse) * 3 / 4 + 1;
    char *responseData = new char[bytes];
    SAMLResponse *samlResponse = NULL;
    X509 *signingCert = NULL;

    do {
        int decodedLength = 0;
        if (DSUtilDecode64(b64samlResponse, strlen(b64samlResponse),
                           responseData, bytes, &decodedLength) != 0) {
            // log error message
            break;
        }

        // Pass the decoder's length, not strlen(): the decoded buffer is not
        // guaranteed to be NUL-terminated, so strlen() could read past it.
        MemBufInputSource input((const XMLByte*)responseData,
                                decodedLength, "AAResponse", false);
        Wrapper4InputSource wrapper(&input, false);
        XML::Parser parser;
        DOMDocument* doc = parser.parse(wrapper);
        DOMElement* elem = doc->getDocumentElement();
        samlResponse = new SAMLResponse(elem);

        // check DOM: n is the first ds:Signature element found under the Response
        XMLCh* dsNS = XMLString::transcode("http://www.w3.org/2000/09/xmldsig#");
        XMLCh* sigName = XMLString::transcode("Signature");
        DOMNode* n = elem->getElementsByTagNameNS(dsNS, sigName)->item(0);
        XMLString::release(&dsNS);
        XMLString::release(&sigName);
        if (n) {
            char* ns = XMLString::transcode(n->getNamespaceURI());
            char* ln = XMLString::transcode(n->getLocalName());
            Debug("saml", 0, "NamespaceURI = %s, localName = %s", ns, ln);
            XMLString::release(&ns);
            XMLString::release(&ln);
        }

        Iterator<SAMLAssertion*> assertions = samlResponse->getAssertions();
        if (!assertions.hasNext()) {
            DSLog::SAMLMsg::ConsumerNoAssertion((char*)NULL, b64samlResponse);
            status = "FAILURE: No assertion";
            break;
        }

        SAMLAssertion *assertion = assertions.next();

        // get the signing cert in PEM format
        signingCert = DSCert::dsANY_read_X509(certData, (const char *)NULL, "P");
        if (!signingCert) {
            Debug("saml", 0, "could not load signing certificate");
            break;
        }

        if (samlResponse->isSigned()) {
            // OpenSSLCryptoX509 keeps its own copy (X509_dup) of the
            // certificate, so signingCert is still ours to free below.
            OpenSSLCryptoX509 crypto(signingCert);
            try {
                samlResponse->verify(crypto);
                // same error for
                // assertion->verify(crypto);
            } catch (InvalidCryptoException& ce) {   // catch by reference, not by value
                Debug("saml", 0, "invalid crypto exception: %s", ce.what());
                break;
            } catch (...) {
                Debug("saml", 0, "response verification failed");
                break;
            }

            DSLogDebug("test", 0, "passed signature verification!");
        }

        // validate assertions ...
    } while (0);   // single-pass loop so 'break' jumps to the cleanup

    if (signingCert)
        X509_free(signingCert);
    delete samlResponse;
    delete[] responseData;
}
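Before a Response is handed to verify(), a practitioner would want to know which elements actually carry an enveloped ds:Signature and whether each signature's Reference points back at the element it sits in: finding a node with namespace xmldsig# and local name Signature somewhere under the Response, as the post above does, does not by itself say what that signature covers. The Python script below is an added example, not OpenSAML code and not the poster's code; it decodes the POSTed field by the decoder's own length, parses it, and performs only this structural audit on a constructed SAML 1.1 Response (IDs r1, a1, a2, placeholder signature values and the function names are all assumptions). It verifies no cryptography; that part stays with the library.

```python
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Attribute that carries the ID a SAML 1.x enveloped signature references.
ID_ATTR = {
    "{%s}Response" % SAMLP_NS: "ResponseID",
    "{%s}Assertion" % SAML_NS: "AssertionID",
}


def decode_post(b64_response):
    """Decode the SAMLResponse form field. Line breaks are stripped first,
    then the field is decoded strictly so a corrupt value is rejected rather
    than silently truncated; the result's length is whatever the decoder
    returns, never strlen() of an output buffer."""
    return base64.b64decode("".join(b64_response.split()), validate=True)


def enveloped_signature(elem):
    """Return the ds:Signature that is a direct child of elem, or None.
    Only a direct child counts; a Signature nested deeper belongs to some
    other element and says nothing about elem."""
    for child in elem:
        if child.tag == "{%s}Signature" % DS_NS:
            return child
    return None


def reference_uris(signature):
    """URI attribute of every ds:Reference under the signature."""
    return [ref.get("URI", "") for ref in signature.iter("{%s}Reference" % DS_NS)]


def audit_signed_element(elem):
    """Report whether elem carries an enveloped signature whose Reference
    points back at elem's own ID ('covers_self'). A signature that is present
    but references some other ID must not be treated as signing elem."""
    sig = enveloped_signature(elem)
    own_id = elem.get(ID_ATTR.get(elem.tag, "ID"))
    uris = reference_uris(sig) if sig is not None else []
    return {
        "tag": elem.tag.split("}")[1],
        "id": own_id,
        "signed": sig is not None,
        "reference_uris": uris,
        "covers_self": sig is not None and own_id is not None
        and ("#" + own_id) in uris,
    }


def audit_response(b64_response):
    """Decode and parse the POSTed field, then audit the Response and each
    Assertion that is a direct child of it. Raises if the document element is
    not samlp:Response, since nothing else should reach a Response verifier."""
    root = ET.fromstring(decode_post(b64_response))
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("document element is not samlp:Response: " + root.tag)
    results = [audit_signed_element(root)]
    for assertion in root.findall("{%s}Assertion" % SAML_NS):
        results.append(audit_signed_element(assertion))
    return results


# Constructed sample (assumption): a SAML 1.1 Response whose own signature and
# first Assertion's signature reference their enclosing element, plus a second
# Assertion whose signature references the first one's ID instead. Signature
# values are placeholders; only the structure is meaningful.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ResponseID="r1" MajorVersion="1" MinorVersion="1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#r1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion AssertionID="a1" MajorVersion="1" MinorVersion="1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
  <saml:Assertion AssertionID="a2" MajorVersion="1" MinorVersion="1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode("ascii")

if __name__ == "__main__":
    for r in audit_response(SAMPLE_B64):
        print(r)
```

Run as a script it prints one record per signed element; in the constructed sample the Response and the first Assertion come back with covers_self true, while the second Assertion is reported as signed but not covering itself, which is exactly the case a verifier that merely checks "is there a Signature here" would wave through.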


