mace-opensaml-users - Re: getting InvalidCryptoException in SAMLResponse verification

Subject: OpenSAML user discussion

  • From: Bin Lu <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: Re: getting InvalidCryptoException in SAMLResponse verification
  • Date: Wed, 14 Dec 2005 14:28:58 -0800

Further debugging shows the actual error is:

verify: caught an XMLSec exception: Referenced ID is not in DOM Document

The signature and the saml response xml files are as attached. Is the signature missing something?

Thanks,
Bin Lu

Scott Cantor wrote:

From DSIGSignature::verify() it seems the error is due to
DSIGSignature::load() was not called. But the


I don't know why you think so, but there's not enough in the exception
message for me to even guess at the problem.


SAMLResponse constructor with DOMElement suggests
it should have been called. Please see the attached code.


I don't see anything obviously wrong. You'll have to get more of an
exception out before I could suggest anything. If there is no exception
message being produced, it will require debugging in more to find the spot
it's failing, I guess.

-- Scott


<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_9e87897312c38091b51cc438c8339001aab25078">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>SL/21+9pL4MJ+W5D75yTi4jgPoo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SDdnZfEc6ezzRqcI/nuVfx/QbA+RP/SmbNFZEV239XvTm8U1ZE4xV3f0XF2XdHKRWPTOqDak+9xX
oRvtiYfYaPTjtx+jF8nXFs3yjjw/VvtjaAFH/sP7x/Jmi32mvqQ/IlEI0++etcH2JWwcSKz305MZ
NsYRUNd0AFnm8YkjyBU=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
x4m59JXQxfHQWdKblEui1hWzGKM6bAUjARTv5S2NqcZN96Z+GoaBqstYXtu8HwPp9GSdMbz9Czww
Qh5F+6ZjO6uOmx/QKrbeku089HMaVw3l1+r9txlLXpoHj+YQobUwTlBn3XfgLgjhW+Qv0aFPcl0P
5rO2rq3G/o0Fc3SRYUE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2005-12-14T21:33:03Z" MajorVersion="1" MinorVersion="1"
Recipient="https://dev66.asglab.juniper.net/dana-na/auth/saml-consumer.cgi"
ResponseID="_77ebd671a4962fbeee80b2c3b4a9f3c88866a468">
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_77ebd671a4962fbeee80b2c3b4a9f3c88866a468">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>ia1c5ZlunlQ8AaWkFQW41JODwRo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
GhVqKQZ/YbxGU4RvafuVyPmkO+LZ4TpDFbYJbKUl///Gef0AViCn9LGZUulSz3t9UpJtraaBCI6K
JwxuyNfANKdc4rFN2GlqjZEbgowODplrOhESLvhYQ+qtlZR24jYHvJ3tteV9oA4lS/blqFljjJRP
3n5JQO7lIQmO+LxPjuM=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
x4m59JXQxfHQWdKblEui1hWzGKM6bAUjARTv5S2NqcZN96Z+GoaBqstYXtu8HwPp9GSdMbz9Czww
Qh5F+6ZjO6uOmx/QKrbeku089HMaVw3l1+r9txlLXpoHj+YQobUwTlBn3XfgLgjhW+Qv0aFPcl0P
5rO2rq3G/o0Fc3SRYUE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion AssertionID="_9e87897312c38091b51cc438c8339001aab25078"
IssueInstant="2005-12-14T21:33:03Z"
Issuer="_2843944d06ad0e6a63ed936a24eed67585e47b66" MajorVersion="1"
MinorVersion="1"><saml:Conditions NotBefore="2005-12-14T21:28:03Z"
NotOnOrAfter="2005-12-14T21:43:03Z"></saml:Conditions><saml:AuthenticationStatement
AuthenticationInstant="2005-12-14T21:33:01Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NameQualifier="default">uid=sgraham</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_9e87897312c38091b51cc438c8339001aab25078">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>SL/21+9pL4MJ+W5D75yTi4jgPoo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SDdnZfEc6ezzRqcI/nuVfx/QbA+RP/SmbNFZEV239XvTm8U1ZE4xV3f0XF2XdHKRWPTOqDak+9xX
oRvtiYfYaPTjtx+jF8nXFs3yjjw/VvtjaAFH/sP7x/Jmi32mvqQ/IlEI0++etcH2JWwcSKz305MZ
NsYRUNd0AFnm8YkjyBU=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
x4m59JXQxfHQWdKblEui1hWzGKM6bAUjARTv5S2NqcZN96Z+GoaBqstYXtu8HwPp9GSdMbz9Czww
Qh5F+6ZjO6uOmx/QKrbeku089HMaVw3l1+r9txlLXpoHj+YQobUwTlBn3XfgLgjhW+Qv0aFPcl0P
5rO2rq3G/o0Fc3SRYUE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
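
A structural check for the condition named in the error message above, as an added example that is not part of the original message or of OpenSAML: it lists each ds:Reference URI and reports whether it resolves to exactly one element through a SAML 1.x identifier attribute, and whether that element is the signature's parent. The function name check_references and the sample documents with their short IDs are constructed for illustration; no cryptographic verification is performed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# SAML 1.x identifier attributes (SAML 2.0 uses "ID" instead).
ID_ATTRS = ("ResponseID", "RequestID", "AssertionID")

def check_references(xml_text):
    """Return (uri, status) for every ds:Reference in the document.

    status is 'ok' only when the URI resolves to exactly one element and that
    element is the direct parent of the ds:Signature (enveloped signature).
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    by_id = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            if attr in el.attrib:
                by_id.setdefault(el.attrib[attr], []).append(el)
    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        for ref in sig.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            targets = by_id.get(uri[1:], []) if uri.startswith("#") else []
            if not uri.startswith("#"):
                status = "not a same-document reference"
            elif not targets:
                status = "unresolved"      # nothing in this document carries the ID
            elif len(targets) > 1:
                status = "ambiguous"       # duplicate IDs: reject, do not pick one
            elif parent_of.get(sig) is not targets[0]:
                status = "target does not envelop signature"
            else:
                status = "ok"
            findings.append((uri, status))
    return findings

# Constructed samples: same shape as the attachments, with short made-up IDs.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:Reference URI="#{}"/></ds:SignedInfo></ds:Signature>')
RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="_resp1">'
            + SIG.format("_resp1") +
            '<saml:Assertion AssertionID="_assert1">' + SIG.format("_assert1") +
            '</saml:Assertion></samlp:Response>')
DETACHED = SIG.format("_assert1")  # a signature file on its own, assertion absent

if __name__ == "__main__":
    for name, doc in (("response", RESPONSE), ("detached signature", DETACHED)):
        print(name, check_references(doc))
```

A result of "ok" here only says the reference is structurally resolvable; a DOM-based verifier may still fail to find the element if the identifier attribute is not registered as an ID in the parsed document.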



