mace-opensaml-users - xpointer call in URI attribute of Reference element (Signature)

Subject: OpenSAML user discussion

  • Subject: xpointer call in URI attribute of Reference element (Signature)
  • Date: Wed, 26 Apr 2006 10:18:49 -0400 (EDT)

Hello,

I am trying to verify a signed SAML assertion using OpenSAML 1.1 (C++).
Here is what the assertion I want to verify looks like:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" MajorVersion="1"
MinorVersion="1" IssueInstant="2006-04-25T15:38:09Z"
AssertionID="ast.MY_SAML_SERVER.1145979489457" Issuer="MY_SAML_SERVER">
<saml:Conditions NotBefore="2006-04-25T15:38:09Z"
NotOnOrAfter="2006-04-25T15:39:09Z"/>
<saml:AuthenticationStatement
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2006-04-25T15:38:09Z">
<saml:Subject>
<saml:NameIdentifier NameQualifier="..."
Format="#...">...</saml:NameIdentifier>
</saml:Subject>
<saml:SubjectLocality IPAddress="..."/>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier NameQualifier="..."
Format="...">...</saml:NameIdentifier>
</saml:Subject>
<saml:Attribute AttributeName="POLICY"
AttributeNamespace="urn:pxp:attributes:namespace">
<saml:AttributeValue>The policy</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference
URI="#xpointer(//*[@AssertionID='ast.MY_SAML_SERVER.1145979489457'])">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="#default saml ds xsd xsi"/>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>...</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature></saml:Assertion>

As you can see, the URI attribute of the Reference element of the Signature
is a call to xpointer.
When I try to verify the signature of this assertion (simply with
SAMLAssertion::verify()), I get the following error:
detected an invalid signature profile while verifying signature
(org.opensaml.InvalidCryptoException)

Indeed, in the SAMLSignedObject::verify function, the expected value of the URI
attribute is the AssertionID value itself, which is not the case here.

Does it mean that OpenSAML cannot verify such an assertion (which was signed
using xmlsec)? Can you see another way to verify this assertion?

Thanks in advance.
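An added illustration, not OpenSAML's own code, of the profile rule the message runs into: accept a single Reference whose URI is exactly the "#" fragment of the assertion's AssertionID, so an xpointer() expression fails the profile before any digest is computed, and the document itself cannot choose, via an arbitrary XPointer, which subtree the signature covers. The cut-down assertions below are constructed from the one above; the "#" prefix form and the (ok, reason) return value are assumptions.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, cut-down copy of the assertion in the message; REF_URI is swapped below.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" MajorVersion="1" MinorVersion="1"
 IssueInstant="2006-04-25T15:38:09Z"
 AssertionID="ast.MY_SAML_SERVER.1145979489457" Issuer="MY_SAML_SERVER">
 <saml:Conditions NotBefore="2006-04-25T15:38:09Z" NotOnOrAfter="2006-04-25T15:39:09Z"/>
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="REF_URI"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
</saml:Assertion>"""

# The XPointer form from the message, and the plain ID-fragment form the profile expects.
XPOINTER_ASSERTION = ASSERTION_TEMPLATE.replace(
    "REF_URI", "#xpointer(//*[@AssertionID='ast.MY_SAML_SERVER.1145979489457'])")
ID_ASSERTION = ASSERTION_TEMPLATE.replace("REF_URI", "#ast.MY_SAML_SERVER.1145979489457")


def check_reference_uri(assertion_xml: str) -> tuple:
    """Profile check only, no cryptography: return (ok, reason).

    Exactly one ds:Reference, its URI must be '#' + AssertionID of the root
    assertion, and that ID must occur once, on the root element.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        return False, "root element is not saml:Assertion"
    assertion_id = root.get("AssertionID")
    if not assertion_id:
        return False, "AssertionID attribute missing"
    refs = root.findall(
        f"{{{DSIG_NS}}}Signature/{{{DSIG_NS}}}SignedInfo/{{{DSIG_NS}}}Reference")
    if len(refs) != 1:
        return False, f"expected exactly one Reference, found {len(refs)}"
    uri = refs[0].get("URI", "")
    if uri != "#" + assertion_id:
        return False, f"Reference URI {uri!r} is not '#{assertion_id}'"
    holders = [e for e in root.iter() if e.get("AssertionID") == assertion_id]
    if holders != [root]:
        return False, "AssertionID must identify only the root assertion"
    return True, "ok"


if __name__ == "__main__":
    for label, doc in (("xpointer", XPOINTER_ASSERTION), ("id", ID_ASSERTION)):
        print(label, check_reference_uri(doc))
```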


