mace-opensaml-users - Re: getting InvalidCryptoException in SAMLResponse verification
Subject: OpenSAML user discussion
- From: Bin Lu <>
- To: Scott Cantor <>
- Cc:
- Subject: Re: getting InvalidCryptoException in SAMLResponse verification
- Date: Wed, 14 Dec 2005 14:28:58 -0800
Further debugging shows the actual error is:
verify: caught an XMLSec exception: Referenced ID is not in DOM Document
The signature and the saml response xml files are as attached. Is the signature missing something?
Thanks,
Bin Lu
Scott Cantor wrote:
>> From DSIGSignature::verify() it seems the error is due to
>> DSIGSignature::load() was not called. But the
> I don't know why you think so, but there's not enough in the exception
> message for me to even guess at the problem.
>> SAMLResponse constructor with DOMElement suggests
>> it should have been called. Please see the attached code.
> I don't see anything obviously wrong. You'll have to get more of an
> exception out before I could suggest anything. If there is no exception
> message being produced, it will require debugging in more to find the spot
> it's failing, I guess.
> -- Scott
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_9e87897312c38091b51cc438c8339001aab25078">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>SL/21+9pL4MJ+W5D75yTi4jgPoo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SDdnZfEc6ezzRqcI/nuVfx/QbA+RP/SmbNFZEV239XvTm8U1ZE4xV3f0XF2XdHKRWPTOqDak+9xX
oRvtiYfYaPTjtx+jF8nXFs3yjjw/VvtjaAFH/sP7x/Jmi32mvqQ/IlEI0++etcH2JWwcSKz305MZ
NsYRUNd0AFnm8YkjyBU=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
x4m59JXQxfHQWdKblEui1hWzGKM6bAUjARTv5S2NqcZN96Z+GoaBqstYXtu8HwPp9GSdMbz9Czww
Qh5F+6ZjO6uOmx/QKrbeku089HMaVw3l1+r9txlLXpoHj+YQobUwTlBn3XfgLgjhW+Qv0aFPcl0P
5rO2rq3G/o0Fc3SRYUE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2005-12-14T21:33:03Z" MajorVersion="1" MinorVersion="1"
Recipient="https://dev66.asglab.juniper.net/dana-na/auth/saml-consumer.cgi"
ResponseID="_77ebd671a4962fbeee80b2c3b4a9f3c88866a468">
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_77ebd671a4962fbeee80b2c3b4a9f3c88866a468">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>ia1c5ZlunlQ8AaWkFQW41JODwRo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
GhVqKQZ/YbxGU4RvafuVyPmkO+LZ4TpDFbYJbKUl///Gef0AViCn9LGZUulSz3t9UpJtraaBCI6K
JwxuyNfANKdc4rFN2GlqjZEbgowODplrOhESLvhYQ+qtlZR24jYHvJ3tteV9oA4lS/blqFljjJRP
3n5JQO7lIQmO+LxPjuM=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
x4m59JXQxfHQWdKblEui1hWzGKM6bAUjARTv5S2NqcZN96Z+GoaBqstYXtu8HwPp9GSdMbz9Czww
Qh5F+6ZjO6uOmx/QKrbeku089HMaVw3l1+r9txlLXpoHj+YQobUwTlBn3XfgLgjhW+Qv0aFPcl0P
5rO2rq3G/o0Fc3SRYUE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion AssertionID="_9e87897312c38091b51cc438c8339001aab25078"
IssueInstant="2005-12-14T21:33:03Z"
Issuer="_2843944d06ad0e6a63ed936a24eed67585e47b66" MajorVersion="1"
MinorVersion="1"><saml:Conditions NotBefore="2005-12-14T21:28:03Z"
NotOnOrAfter="2005-12-14T21:43:03Z"></saml:Conditions><saml:AuthenticationStatement
AuthenticationInstant="2005-12-14T21:33:01Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NameQualifier="default">uid=sgraham</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_9e87897312c38091b51cc438c8339001aab25078">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>SL/21+9pL4MJ+W5D75yTi4jgPoo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SDdnZfEc6ezzRqcI/nuVfx/QbA+RP/SmbNFZEV239XvTm8U1ZE4xV3f0XF2XdHKRWPTOqDak+9xX
oRvtiYfYaPTjtx+jF8nXFs3yjjw/VvtjaAFH/sP7x/Jmi32mvqQ/IlEI0++etcH2JWwcSKz305MZ
NsYRUNd0AFnm8YkjyBU=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
x4m59JXQxfHQWdKblEui1hWzGKM6bAUjARTv5S2NqcZN96Z+GoaBqstYXtu8HwPp9GSdMbz9Czww
Qh5F+6ZjO6uOmx/QKrbeku089HMaVw3l1+r9txlLXpoHj+YQobUwTlBn3XfgLgjhW+Qv0aFPcl0P
5rO2rq3G/o0Fc3SRYUE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
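The XMLSec message quoted above names one specific condition: a ds:Reference URI fragment that does not resolve to an ID-bearing element in the parsed document. The Python check below is an added example, not part of the original post or of OpenSAML; it matches the SAML 1.x ID attributes by name and runs on constructed, trimmed samples shaped like the two attachments (the `_r1`/`_a1` IDs and helper names are made up).

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# SAML 1.x attributes that carry an element's ID (matched by name here).
ID_ATTRS = ("ResponseID", "AssertionID", "RequestID")

def check_references(xml_text):
    """Return one (uri, status) tuple per ds:Reference, in document order."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    by_id = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            if attr in el.attrib:
                by_id.setdefault(el.attrib[attr], []).append(el)
    results = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        for ref in sig.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            targets = by_id.get(uri[1:], []) if uri.startswith("#") else []
            if not targets:
                status = "unresolved"          # ID is not in this document
            elif len(targets) > 1:
                status = "ambiguous"           # duplicate IDs
            elif parent.get(sig) is targets[0]:
                status = "ok"                  # enveloped in the signed element
            else:
                status = "not-enveloping-parent"
            results.append((uri, status))
    return results

def _sig(ref_id):
    # Constructed minimal ds:Signature; digest, value and key are omitted.
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
            f'<ds:Reference URI="#{ref_id}"/></ds:SignedInfo></ds:Signature>')

# Constructed samples: a signature file on its own, and a full response.
DETACHED = _sig("_a1")
RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="_r1">'
    + _sig("_r1") +
    '<saml:Assertion AssertionID="_a1">' + _sig("_a1") + '</saml:Assertion>'
    '</samlp:Response>')

if __name__ == "__main__":
    for name, doc in (("signature file", DETACHED), ("response", RESPONSE)):
        print(name, check_references(doc))
```

A signature parsed on its own reports `unresolved` because the element it references lives in a different document; inside the full response both references resolve to the element that envelops them.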