mace-opensaml-users - xpointer call in URI attribute of Reference element (Signature)
Subject: OpenSAML user discussion
- Subject: xpointer call in URI attribute of Reference element (Signature)
- Date: Wed, 26 Apr 2006 10:18:49 -0400 (EDT)
Hello,
I am trying to verify a signed SAML assertion using OpenSAML 1.1 (C++).
Here is what the assertion I want to verify looks like:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" MajorVersion="1"
    MinorVersion="1" IssueInstant="2006-04-25T15:38:09Z"
    AssertionID="ast.MY_SAML_SERVER.1145979489457" Issuer="MY_SAML_SERVER">
  <saml:Conditions NotBefore="2006-04-25T15:38:09Z"
      NotOnOrAfter="2006-04-25T15:39:09Z"/>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-04-25T15:38:09Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="..."
          Format="#...">...</saml:NameIdentifier>
    </saml:Subject>
    <saml:SubjectLocality IPAddress="..."/>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="..."
          Format="...">...</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="POLICY"
        AttributeNamespace="urn:pxp:attributes:namespace">
      <saml:AttributeValue>The policy</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference
          URI="#xpointer(//*[@AssertionID='ast.MY_SAML_SERVER.1145979489457'])">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"
                PrefixList="#default saml ds xsd xsi"/>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>...</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</saml:Assertion>
As you can see, the URI attribute of the Reference element of the Signature
is a call to xpointer.
When I try to verify the signature of this assertion (simply with
SAMLAssertion::verify()), I get the following error:
detected an invalid signature profile while verifying signature
(org.opensaml.InvalidCryptoException)
Indeed, in SAMLSignedObject::verify function, the expected value of the URI
attribute is the AssertionID value itself, and it is not the case here.
Does it mean that OpenSAML cannot verify such an assertion (which was signed
using xmlsec)? Can you see another way to verify this assertion?
Thanks in advance.
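The profile check the post runs into can be reproduced outside OpenSAML. The following is an added example, not OpenSAML's own code and not from the poster: it parses an assertion, locates the single ds:Reference under the enveloped Signature and accepts it only when its URI is a same-document fragment equal to "#" plus the AssertionID, which is the shape SAMLSignedObject::verify expects according to the post. An xpointer() URI, or any URI naming a different ID, is reported as a profile violation before any digest or signature value is looked at. The assertion builder is a constructed, cut-down copy of the assertion above with placeholder digest and signature values; the function and constant names are this example's own.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values taken from the assertion in the post.
ASSERTION_ID = "ast.MY_SAML_SERVER.1145979489457"
XPOINTER_URI = "#xpointer(//*[@AssertionID='ast.MY_SAML_SERVER.1145979489457'])"


def check_reference_uri(assertion_xml: str) -> Tuple[bool, str]:
    """Profile check only: (ok, reason).

    ok is True only when the enveloped Signature carries exactly one
    ds:Reference whose URI is "#" + the AssertionID of the root element.
    Cryptographic verification of the digest and SignatureValue is a
    separate step and is not performed here.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "root element is not saml:Assertion"
    assertion_id = root.get("AssertionID")
    if not assertion_id:
        return False, "AssertionID attribute missing"
    refs = root.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False, "expected exactly one ds:Reference, found %d" % len(refs)
    uri = refs[0].get("URI", "")
    if uri.startswith("#xpointer("):
        return False, "xpointer reference not allowed by profile: " + uri
    if uri != "#" + assertion_id:
        return False, "URI %r does not match '#' + AssertionID %r" % (uri, assertion_id)
    return True, "Reference URI matches AssertionID"


def make_assertion(reference_uri: str) -> str:
    """Constructed sample modelled on the assertion in the post; the
    DigestValue and SignatureValue are placeholders, not real values."""
    return f'''<saml:Assertion xmlns:saml="{NS["saml"]}"
    MajorVersion="1" MinorVersion="1" IssueInstant="2006-04-25T15:38:09Z"
    AssertionID="{ASSERTION_ID}" Issuer="MY_SAML_SERVER">
  <saml:Conditions NotBefore="2006-04-25T15:38:09Z" NotOnOrAfter="2006-04-25T15:39:09Z"/>
  <Signature xmlns="{NS["ds"]}">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="{reference_uri}">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
</saml:Assertion>'''


if __name__ == "__main__":
    # The xpointer form from the post fails the profile check ...
    print(check_reference_uri(make_assertion(XPOINTER_URI)))
    # ... while a plain "#" + AssertionID fragment passes it.
    print(check_reference_uri(make_assertion("#" + ASSERTION_ID)))
```

The check deliberately refuses to evaluate the xpointer expression: even though the XPath in the post would select the same element, a verifier that locates the signed element by the ID it already knows has nothing to interpret, which is what makes the "#" + AssertionID form the one the profile wants.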
- xpointer call in URI attribute of Reference element (Signature), lilas, 04/26/2006
- RE: xpointer call in URI attribute of Reference element (Signature), Scott Cantor, 04/26/2006