mace-opensaml-users - OpenSAML: Signature Value being lost
  • From: "Subash Devkota" <>
  • To: <>
  • Subject: OpenSAML: Signature Value being lost
  • Date: Mon, 05 Feb 2007 16:21:08 +0545
  • Importance: normal
  • Organization: D2Hawkeye
  • Priority: normal

Hi all,

I am having a problem validating an XMLSignature. I am using the java-opensaml2 code.
I signed the assertion in the SAML Response and want to validate the signature on the relying party side.
I read the SAMLResponse from the HTTP/POST request and obtained the SAMLObject by unmarshalling the decoded message. I printed the string form of the SAMLObject and can see that there is a signature value in the <ds:SignatureValue> element.
Then I accessed the Assertion and its signature. In this case, when I printed the string form of the signature again, the value in the <ds:SignatureValue> element does not exist.

Code used:

    HttpServletRequest request = (HttpServletRequest) getRequest();

    InputStream decodedMessage = getBase64DecodedMessage();

    // Unmarshal the whole Response and print it
    SAMLObject samlMessage = (SAMLObject) this.unmarshallMessage(decodedMessage);
    System.out.println("The saml message after unmarshall is :");
    this.printSAMLObject(samlMessage);       //*

    // Take the first Assertion and print only its Signature
    Response response = (Response) samlMessage;
    Assertion assertion = (Assertion) response.getAssertions().get(0);
    Signature signature = assertion.getSignature();

    this.printSignature(signature);          //**

The signature part of the output in the //* case is:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><ds:Reference URI="#assertion-1170670301754" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">0vMEAAvKyj+YVEzJQlrJVC5x9u4O57v5o1GlHZt/58U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">HD8OjI4hZiCpVvFifUBcBURTjqJxbAKK/XIoSWg0p9peoLFQN77mXWLHBHNh7e+r76TQNUF+81Ac02LJyKD25o25xFHZmdw5GWR+20CnmdDXmiin5Viw2E2eYBzgJ9ji+b0oKIIPMuCq2uLPBbm+1Gsh5sqBtH1ZHiNFX35Gnbo=</ds:SignatureValue><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:RSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Modulus xmlns:ds="http://www.w3.org/2000/09/xmldsig#">yENKl29n7p/BTJo7WaMZc2nMyiLu4CiYGox+/wNk2qWN8baKpYVPZRFPQ6weVxRD0GF21B1ZcMzNS5UyiLlg6mXwRaYlxBk0mtZpWOuPPuZvGuOj3Zh9GOOQZ/PwiYm0ry/ddmEXwbr186y1zFy1QngwWaUDrXSDlblajxXTzRE=</ds:Modulus><ds:Exponent xmlns:ds="http://www.w3.org/2000/09/xmldsig#">AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature>

The output in the //** case is:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Modulus xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
yENKl29n7p/BTJo7WaMZc2nMyiLu4CiYGox+/wNk2qWN8baKpYVPZRFPQ6weVxRD0GF21B1ZcMzN
S5UyiLlg6mXwRaYlxBk0mtZpWOuPPuZvGuOj3Zh9GOOQZ/PwiYm0ry/ddmEXwbr186y1zFy1Qngw
WaUDrXSDlblajxXTzRE=
</ds:Modulus>
<ds:Exponent xmlns:ds="http://www.w3.org/2000/09/xmldsig#">AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>

Note: The output in the first case is without line breaks. The second case has formatted text with line breaks.

Due to this problem, I get the following error while validating the signature:

org.opensaml.xml.security.SecurityException:
Unable to evaluate key against signature
    at org.opensaml.xml.signature.BasicX509SignatureTrustEngine.validate(BasicX509SignatureTrustEngine.java:203)
    at org.opensaml.xml.signature.BasicX509SignatureTrustEngine.validate(BasicX509SignatureTrustEngine.java:65)
........

Caused by: org.apache.xml.security.signature.XMLSignatureException: {0}
Original Exception was org.apache.xml.security.exceptions.XMLSecurityException: {0}
    at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
    at org.opensaml.xml.signature.BasicX509SignatureTrustEngine.validate(BasicX509SignatureTrustEngine.java:195)
    ... 33 more

Can anyone help me understand why the value has been lost? And how can I validate my assertion signature?

Thanks in advance
Subash
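As an added example (not part of Subash's post or the OpenSAML project's own code), the following shows how a relying party can validate an assertion signature with the OpenSAML 2.x Java API while working only on the received, unmarshalled objects; it assumes OpenSAML 2.x with SAMLSignatureProfileValidator available, and an IdP certificate (idpCert) obtained out of band rather than taken from the message's KeyInfo.

```java
import java.io.InputStream;
import java.security.cert.X509Certificate;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

public class AssertionSignatureCheck {

    static {
        try {
            DefaultBootstrap.bootstrap();   // registers builders, marshallers, unmarshallers once
        } catch (Exception e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** Parses the base64-decoded Response and validates the first assertion's
     *  signature against the IdP certificate. The received Signature object is
     *  validated as unmarshalled; it is never marshalled again before the check. */
    public static Assertion verifyFirstAssertion(InputStream decodedResponse,
                                                 X509Certificate idpCert) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Element root = pool.parse(decodedResponse).getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Response response = (Response) um.unmarshall(root);

        if (response.getAssertions().isEmpty()) throw new ValidationException("no assertion");
        Assertion assertion = response.getAssertions().get(0);
        Signature sig = assertion.getSignature();
        if (sig == null) throw new ValidationException("assertion is not signed");

        // SAML profile rules: enveloped signature, single Reference whose URI is the
        // assertion's own ID. Do this before cryptographic validation.
        new SAMLSignatureProfileValidator().validate(sig);

        // Verify with the configured IdP key, not the KeyInfo carried in the message.
        BasicX509Credential idpCredential = new BasicX509Credential();
        idpCredential.setEntityCertificate(idpCert);
        new SignatureValidator(idpCredential).validate(sig);   // ValidationException on failure
        return assertion;
    }
}
```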