mace-opensaml-users - getting InvalidCryptoException in SAMLResponse verification
Subject: OpenSAML user discussion
List archive
- From: Bin Lu <>
- To:
- Subject: getting InvalidCryptoException in SAMLResponse verification
- Date: Wed, 14 Dec 2005 11:37:32 -0800
Hi,
I am using opensaml 0.9.1 (with patch). In saml response verification,
I am getting "InvalidCryptoException" from SAMLResponse::verify()
with error message of:
SAMLSignedObject::verify() caught an XMLSec exception
From DSIGSignature::verify() it seems the error is due to
DSIGSignature::load() was not called. But the
SAMLResponse constructor with DOMElement suggests
it should have been called. Please see the attached code.
The DOMElement returns the following namespace URI
and localName:
NamespaceURI = http://www.w3.org/2000/09/xmldsig#
localName = Signature
Both the response and the assertions are signed.
Please advise what the problem could be.
Thanks,
Bin Lu
// Headers for the OpenSAML 1.x, xml-security-c and Xerces types used below.
// The DS* helpers (DSUtilDecode64, DSCert, DSLog, DSLogDebug, Debug) and the
// XML::Parser wrapper are the poster's own and are not shown in the post.
#include <saml/saml.h>
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
#include <xercesc/framework/MemBufInputSource.hpp>
#include <xercesc/framework/Wrapper4InputSource.hpp>

static void processPost(const char *b64samlResponse, const char *assertRef)
{
    int bytes = strlen(b64samlResponse) * 3 / 4 + 1;
    char *responseData = new char[bytes];
    SAMLResponse* samlResponse = NULL;
    do {
        int decodedLength = 0;
        if (DSUtilDecode64(b64samlResponse, strlen(b64samlResponse),
                           responseData, bytes, &decodedLength) != 0 ) {
            // log error message
            break;
        }
        // Hand the parser the decoder's byte count: the decoded buffer is not
        // NUL-terminated, so strlen() on it can over-read or truncate the XML.
        MemBufInputSource input((const XMLByte*)responseData,
                                decodedLength, "AAResponse", false);
        Wrapper4InputSource wrapper(&input, false);
        XML::Parser parser;
        DOMDocument* doc = parser.parse(wrapper);
        DOMElement* elem = doc->getDocumentElement();
        samlResponse = new SAMLResponse(elem);
        // check DOM: n is the ds:Signature node; how it is obtained is not
        // shown in the post
        Debug("saml", 0, "NamespaceURI = %s, localName = %s",
              XMLString::transcode(n->getNamespaceURI()),
              XMLString::transcode(n->getLocalName()));
        Iterator<SAMLAssertion*> assertions = samlResponse->getAssertions();
        if (!assertions.hasNext()) {
            DSLog::SAMLMsg::ConsumerNoAssertion((char*)NULL, b64samlResponse);
            status = "FAILURE: No assertion";   // status: declared by the caller, not shown
            break;
        }
        // assertions are owned by the response; do not delete them separately
        SAMLAssertion * assertion = assertions.next();
        // get the signing cert in PEM format (certData is loaded elsewhere, not shown)
        X509 *signingCert =
            DSCert::dsANY_read_X509(certData, (const char *)NULL, "P");
        if (samlResponse->isSigned()) {
            OpenSSLCryptoX509 crypto(signingCert);
            try {
                samlResponse->verify(crypto);
                // same error for
                // assertion->verify(crypto);
            } catch (InvalidCryptoException& ce) {   // catch by reference, not by value
                Debug("saml", 0, "invalid crypto exception: %s", ce.what());
                break;
            } catch (...) {
                Debug("saml", 0, "response verification failed");
                break;
            }
            DSLogDebug("test", 0, "passed signature verification!");
        }
        // validate assertions ...
    } while (0);
    // release what this function allocated on every exit path
    delete samlResponse;
    delete[] responseData;
}
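The flow above (decode the SAMLResponse POST field, parse it, then call verify() on the Response and on each Assertion) leaves one question a consumer has to answer itself: which element does each ds:Signature actually cover? The structural check below is an added example written for this page; it is not OpenSAML or xml-security-c code and does not do the cryptographic verification that SAMLSignedObject::verify() performs. It decodes the POST body strictly, parses it with a namespace-aware parser, and for the samlp:Response and every saml:Assertion confirms that a direct-child ds:Signature carries exactly one ds:Reference pointing at that element's own ResponseID/AssertionID with the enveloped-signature transform. The function names, the sample SAML 1.1 response, and its placeholder DigestValue/SignatureValue contents are all constructed here.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# SAML 1.x puts the element ID in a differently named attribute on each element.
ID_ATTR = {
    "{%s}Response" % SAMLP: "ResponseID",
    "{%s}Assertion" % SAML: "AssertionID",
}

def decode_post_body(b64):
    """Strict base64 decode of the SAMLResponse form field. The full decoded
    byte string is returned and later given to the parser with its real length,
    so no C-string (strlen) assumption is made about the decoded data."""
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error as e:
        raise ValueError("SAMLResponse is not valid base64: %s" % e)

def check_signature_placement(elem):
    """For a samlp:Response or saml:Assertion element, check that it carries
    exactly one direct-child ds:Signature whose single ds:Reference points at
    this element's own ID via the enveloped-signature transform.
    Returns (ok, reason). Structural only: it does not replace verify()."""
    id_attr = ID_ATTR.get(elem.tag)
    if id_attr is None:
        return False, "not a SAML 1.x Response or Assertion: %s" % elem.tag
    elem_id = elem.get(id_attr)
    if not elem_id:
        return False, "element has no %s attribute" % id_attr
    sigs = [c for c in elem if c.tag == "{%s}Signature" % DSIG]
    if len(sigs) != 1:
        return False, "expected one direct child ds:Signature, found %d" % len(sigs)
    refs = sigs[0].findall("{%s}SignedInfo/{%s}Reference" % (DSIG, DSIG))
    if len(refs) != 1:
        return False, "expected one ds:Reference, found %d" % len(refs)
    uri = refs[0].get("URI", "")
    if uri != "#" + elem_id:
        return False, "Reference URI %r does not point at %s=%r" % (uri, id_attr, elem_id)
    transforms = refs[0].findall("{%s}Transforms/{%s}Transform" % (DSIG, DSIG))
    if ENVELOPED not in [t.get("Algorithm") for t in transforms]:
        return False, "enveloped-signature transform missing"
    return True, "ok"

def audit_response(xml_bytes):
    """Parse the decoded POST body (namespace-aware) and run the placement
    check on the Response and on each Assertion. Returns {ID: (ok, reason)}."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("document element is %s, not samlp:Response" % root.tag)
    report = {root.get("ResponseID", "<no id>"): check_signature_placement(root)}
    for assertion in root.findall("{%s}Assertion" % SAML):
        report[assertion.get("AssertionID", "<no id>")] = check_signature_placement(assertion)
    return report

def _signature(ref_id):
    # Constructed ds:Signature skeleton; DigestValue/SignatureValue are placeholders.
    return (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
        '<ds:Reference URI="#%s"><ds:Transforms><ds:Transform Algorithm="%s"/></ds:Transforms>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    ) % (DSIG, ref_id, ENVELOPED)

def build_sample(assertion_ref="_a1"):
    """Constructed SAML 1.1 Response (signed) holding one signed Assertion,
    base64-encoded as it would arrive in the POST body."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ResponseID="_r1" '
        'MajorVersion="1" MinorVersion="1" IssueInstant="2005-12-14T19:37:32Z">'
        % (SAMLP, SAML)
        + _signature("_r1")
        + '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
        '<saml:Assertion AssertionID="_a1" Issuer="https://idp.example.org" '
        'MajorVersion="1" MinorVersion="1" IssueInstant="2005-12-14T19:37:32Z">'
        + _signature(assertion_ref)
        + '<saml:AuthenticationStatement/></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

GOOD_B64 = build_sample()                        # each signature references its own element
BAD_REF_B64 = build_sample(assertion_ref="_r1")  # assertion's signature references the Response

if __name__ == "__main__":
    for label, body in (("good", GOOD_B64), ("bad-ref", BAD_REF_B64)):
        for elem_id, (ok, reason) in audit_response(decode_post_body(body)).items():
            print("%-7s %-4s ok=%s %s" % (label, elem_id, ok, reason))
```

Run this before, not instead of, the library's verify(): a signature that verifies cryptographically but references some other element tells you nothing about the Assertion you are about to trust. Python's stdlib ElementTree is not hardened against entity-expansion attacks, so parse real, untrusted POST bodies with defusedxml or an equivalently configured parser.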
- getting InvalidCryptoException in SAMLResponse verification, Bin Lu, 12/14/2005
- RE: getting InvalidCryptoException in SAMLResponse verification, Scott Cantor, 12/14/2005
- Re: getting InvalidCryptoException in SAMLResponse verification, Bin Lu, 12/14/2005
- RE: getting InvalidCryptoException in SAMLResponse verification, Scott Cantor, 12/14/2005
- Re: getting InvalidCryptoException in SAMLResponse verification, Bin Lu, 12/15/2005
- RE: getting InvalidCryptoException in SAMLResponse verification, Scott Cantor, 12/15/2005
- Re: getting InvalidCryptoException in SAMLResponse verification, Bin Lu, 12/15/2005
- RE: getting InvalidCryptoException in SAMLResponse verification, Scott Cantor, 12/14/2005
- Re: getting InvalidCryptoException in SAMLResponse verification, Bin Lu, 12/14/2005
- <Possible follow-up(s)>
- Re: getting InvalidCryptoException in SAMLResponse verification, Bin Lu, 12/15/2005
- RE: getting InvalidCryptoException in SAMLResponse verification, Scott Cantor, 12/15/2005
- Re: getting InvalidCryptoException in SAMLResponse verification, Bin Lu, 12/15/2005
- RE: getting InvalidCryptoException in SAMLResponse verification, Scott Cantor, 12/15/2005
- RE: getting InvalidCryptoException in SAMLResponse verification, Scott Cantor, 12/22/2005
- Re: getting InvalidCryptoException in SAMLResponse verification, Bin Lu, 12/22/2005
- RE: getting InvalidCryptoException in SAMLResponse verification, Scott Cantor, 12/14/2005
Archive powered by MHonArc 2.6.16.