
mace-opensaml-users - Re: getting InvalidCryptoException in SAMLResponse verification

Subject: OpenSAML user discussion

  • From: Bin Lu <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: Re: getting InvalidCryptoException in SAMLResponse verification
  • Date: Thu, 15 Dec 2005 15:58:14 -0800

Scott,

After I checked the new opensaml and xml-security code I am still not confident that they will
fix my problem. Basically it depends on the following test cases, with the attached xml input for the
DOM tree and "_77ebd671a4962fbeee80b2c3b4a9f3c88866a468" as the fragment value, can

1. DOMDocument::getElementById(fragment) returns a non-null value
2. TXFMDocObject::setInput(doc, (XMLCh*)fragment) throws no exception

either 1 or 2 be satisfied? Since I don't have all the components needed to run the test
with the new opensaml, it would be greatly appreciated if somebody could show me that it
does work.

Thanks,
-binlu

Scott Cantor wrote:
>> It seems the problem is from TXFMDocObject::setInput() when it looks for
>> an element by id in the DOM tree. That TXFMDocObject is from openssl,
>> do you think updating saml would solve the problem?
>
> There were bugs at times in the ID area, but I don't see a bug in that
> version, so I really don't know.
>
>> But the above getElementById() is returning null. Any suggestion which
>> piece should I update, opensaml, openssl or the DOM Parser?
>
> It's an OpenSAML problem, if it's not a bug in your code somewhere.
>
> -- Scott

<samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2005-12-14T21:33:03Z" MajorVersion="1" MinorVersion="1"
Recipient="https://dev66.asglab.juniper.net/dana-na/auth/saml-consumer.cgi"
ResponseID="_77ebd671a4962fbeee80b2c3b4a9f3c88866a468">
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_77ebd671a4962fbeee80b2c3b4a9f3c88866a468">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>ia1c5ZlunlQ8AaWkFQW41JODwRo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
GhVqKQZ/YbxGU4RvafuVyPmkO+LZ4TpDFbYJbKUl///Gef0AViCn9LGZUulSz3t9UpJtraaBCI6K
JwxuyNfANKdc4rFN2GlqjZEbgowODplrOhESLvhYQ+qtlZR24jYHvJ3tteV9oA4lS/blqFljjJRP
3n5JQO7lIQmO+LxPjuM=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
x4m59JXQxfHQWdKblEui1hWzGKM6bAUjARTv5S2NqcZN96Z+GoaBqstYXtu8HwPp9GSdMbz9Czww
Qh5F+6ZjO6uOmx/QKrbeku089HMaVw3l1+r9txlLXpoHj+YQobUwTlBn3XfgLgjhW+Qv0aFPcl0P
5rO2rq3G/o0Fc3SRYUE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion AssertionID="_9e87897312c38091b51cc438c8339001aab25078"
IssueInstant="2005-12-14T21:33:03Z"
Issuer="_2843944d06ad0e6a63ed936a24eed67585e47b66" MajorVersion="1"
MinorVersion="1"><saml:Conditions NotBefore="2005-12-14T21:28:03Z"
NotOnOrAfter="2005-12-14T21:43:03Z"></saml:Conditions><saml:AuthenticationStatement
AuthenticationInstant="2005-12-14T21:33:01Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NameQualifier="default">uid=sgraham</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_9e87897312c38091b51cc438c8339001aab25078">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>SL/21+9pL4MJ+W5D75yTi4jgPoo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SDdnZfEc6ezzRqcI/nuVfx/QbA+RP/SmbNFZEV239XvTm8U1ZE4xV3f0XF2XdHKRWPTOqDak+9xX
oRvtiYfYaPTjtx+jF8nXFs3yjjw/VvtjaAFH/sP7x/Jmi32mvqQ/IlEI0++etcH2JWwcSKz305MZ
NsYRUNd0AFnm8YkjyBU=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
x4m59JXQxfHQWdKblEui1hWzGKM6bAUjARTv5S2NqcZN96Z+GoaBqstYXtu8HwPp9GSdMbz9Czww
Qh5F+6ZjO6uOmx/QKrbeku089HMaVw3l1+r9txlLXpoHj+YQobUwTlBn3XfgLgjhW+Qv0aFPcl0P
5rO2rq3G/o0Fc3SRYUE=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
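
Added example, not part of the original post or of OpenSAML/xml-security code: DOM `getElementById` only matches attributes typed as ID, and a parse without DTD or schema information types none, so a `ds:Reference` fragment like the one above resolves to nothing until the attribute is registered. The sketch uses Python's `xml.dom.minidom` as a stand-in for the Xerces-C DOM in the thread (an assumption), on a constructed, trimmed copy of the posted Response; helper names are hypothetical, and the thread does not establish that this is the cause of the poster's failure.

```python
from xml.dom import minidom

DS = "http://www.w3.org/2000/09/xmldsig#"
# SAML 1.x ID-bearing attributes (unprefixed, as in the posted Response).
SAML1_ID_ATTRS = ("ResponseID", "AssertionID", "RequestID")

# Constructed sample: same shape and ID values as the posted Response,
# with digests, signature values and keys left out.
SAMPLE = """<samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 ResponseID="_77ebd671a4962fbeee80b2c3b4a9f3c88866a468">
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#_77ebd671a4962fbeee80b2c3b4a9f3c88866a468"/>
 </ds:SignedInfo></ds:Signature>
 <saml:Assertion AssertionID="_9e87897312c38091b51cc438c8339001aab25078">
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#_9e87897312c38091b51cc438c8339001aab25078"/>
  </ds:SignedInfo></ds:Signature>
 </saml:Assertion>
</samlp:Response>"""


def register_saml1_ids(doc):
    """Mark SAML 1.x ID attributes as DOM type ID so getElementById can see them."""
    for el in doc.getElementsByTagName("*"):
        for name in SAML1_ID_ATTRS:
            if el.hasAttribute(name):
                el.setIdAttribute(name)


def resolve_references(doc):
    """Per ds:Reference: (URI, resolved tag or None, target directly encloses the Signature)."""
    results = []
    for ref in doc.getElementsByTagNameNS(DS, "Reference"):
        uri = ref.getAttribute("URI")
        target = doc.getElementById(uri[1:]) if uri.startswith("#") else None
        signature = ref.parentNode.parentNode  # Reference -> SignedInfo -> Signature
        enveloped = target is not None and signature.parentNode.isSameNode(target)
        results.append((uri, target.tagName if target is not None else None, enveloped))
    return results


def demo():
    doc = minidom.parseString(SAMPLE)
    before = resolve_references(doc)   # no attribute is typed ID yet
    register_saml1_ids(doc)
    return before, resolve_references(doc)
```

The third field is a verifier-side sanity check: for an enveloped signature, the element the fragment resolves to should be the one that directly contains the `ds:Signature`.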



