
mace-opensaml-users - Can't validate Signature of SAML 1.0 Assertion resulting from decrypted EncryptedData

Subject: OpenSAML user discussion

  • From: "Enrique Rodriguez" <>
  • Subject: Can't validate Signature of SAML 1.0 Assertion resulting from decrypted EncryptedData
  • Date: Fri, 6 Apr 2007 15:02:16 -0700

Hi,

I'm using OpenSAML 2 from the head (trunk) in svn (opensaml2, openws,
xmltooling). My problem is that I can't validate a Signature on a
SAML 1.0 Assertion that resulted from the decryption of an
EncryptedData.

I have a battery of unit tests working, based on the unit tests in the
code, so I am able to decrypt properly and any values and elements I
need are there, so I'm satisfied decryption of the EncryptedData and
basic parsing of the Assertion are OK. I am decrypting using a
PrivateKey from a JKS store.

Furthermore, if I dump the XML of the Assertion to a file (from prior
to its encryption) and read that in and unmarshall to an Assertion,
the Signature does validate. I'm able to validate the Signature with
both an embedded public key and the same X.509 cert read from a JKS.

I'm stumped. It appears that something is occurring in the Decrypter
during unmarshalling of the Assertion that is different from when I
unmarshall the Assertion in a test case.

Any thoughts? With some instruction on how to submit a TestCase and
sample XML, I can submit some example code.

The exception is:

org.apache.xml.security.signature.XMLSignatureException: The Reference
for URI #uuid:f09eeb69-b27d-49a0-8419-347b29819589 has no
XMLSignatureInput
Original Exception was
org.apache.xml.security.signature.MissingResourceFailureException: The
Reference for URI #uuid:f09eeb69-b27d-49a0-8419-347b29819589 has no
XMLSignatureInput
Original Exception was
org.apache.xml.security.signature.ReferenceNotInitializedException:
Cannot resolve element with ID
uuid:f09eeb69-b27d-49a0-8419-347b29819589
Original Exception was
org.apache.xml.security.signature.ReferenceNotInitializedException:
Cannot resolve element with ID
uuid:f09eeb69-b27d-49a0-8419-347b29819589
Original Exception was
org.apache.xml.security.signature.ReferenceNotInitializedException:
Cannot resolve element with ID
uuid:f09eeb69-b27d-49a0-8419-347b29819589
Original Exception was
org.apache.xml.security.utils.resolver.ResourceResolverException:
Cannot resolve element with ID
uuid:f09eeb69-b27d-49a0-8419-347b29819589
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
at org.opensaml.xml.security.x509.SignatureValidator.validate(SignatureValidator.java:71)
...

Other details: JDK 1.5.0_09 on Linux (FC6) with the following endorsed libs:
file:///usr/java/jdk1.5.0_09/jre/lib/endorsed/xalan-2.7.0.jar
file:///usr/java/jdk1.5.0_09/jre/lib/endorsed/xalan-2.7.0-serializer.jar
file:///usr/java/jdk1.5.0_09/jre/lib/endorsed/xerces-2.9.0-xercesImpl.jar
file:///usr/java/jdk1.5.0_09/jre/lib/endorsed/xerces-2.9.0-xml-apis.jar

Enrique
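The innermost cause in the trace above, "Cannot resolve element with ID uuid:...", is what Apache XML Security reports when a Reference URI of the form "#id" cannot be dereferenced through a DOM ID lookup. A DOM that was produced by decrypting an EncryptedData carries no schema or DTD type information, so an attribute such as SAML 1.0's AssertionID is an ordinary attribute rather than an ID, Document.getElementById() returns null, and every Reference digest check fails before the SignatureValue is even compared. That is the likely reason a dumped-and-reparsed assertion validates while the decrypted one does not. The example below is added here and is not code from this thread or from OpenSAML: it validates the enveloped signature on a SAML 1.0 Assertion element with the JDK's JSR-105 API (javax.xml.crypto, JDK 6 or later), registering AssertionID as an ID attribute for the validation context first, and refusing the assertion unless the single Reference actually points at that element with the enveloped-signature transform. The file names, keystore alias and password are hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class DecryptedAssertionSignatureCheck {

    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    /**
     * Returns true only if the ds:Signature that is a direct child of the given
     * saml:Assertion validates with the trusted key and its one Reference covers
     * this very assertion. Any structural surprise is a rejection, not a guess.
     */
    public static boolean verifyAssertion(Element assertion, PublicKey key) throws Exception {
        if (!SAML1_NS.equals(assertion.getNamespaceURI())
                || !"Assertion".equals(assertion.getLocalName())) {
            return false;
        }
        String id = assertion.getAttribute("AssertionID");
        if (id.length() == 0) {
            return false;
        }

        // Accept only a Signature that is a direct child of this assertion, so the
        // signature we check is the one enveloped by the element we are about to trust.
        Element sigEl = null;
        for (Node n = assertion.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && DSIG_NS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                if (sigEl != null) {
                    return false; // two signatures on one assertion: reject
                }
                sigEl = (Element) n;
            }
        }
        if (sigEl == null) {
            return false;
        }

        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);
        // The decrypted DOM has no schema/DTD type info, so AssertionID is not an ID
        // attribute and "#<id>" cannot be dereferenced. Register it for this context.
        ctx.setIdAttributeNS(assertion, null, "AssertionID");

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // Exactly one Reference, it must point at this assertion by its ID, and it
        // must use the enveloped-signature transform (the signature sits inside what it signs).
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) {
            return false;
        }
        Reference ref = (Reference) refs.get(0);
        if (!("#" + id).equals(ref.getURI())) {
            return false;
        }
        boolean enveloped = false;
        for (Object t : ref.getTransforms()) {
            if (Transform.ENVELOPED.equals(((Transform) t).getAlgorithm())) {
                enveloped = true;
            }
        }
        if (!enveloped) {
            return false;
        }
        // validate() checks the SignatureValue and every Reference digest.
        return sig.validate(ctx);
    }

    // Usage sketch with hypothetical file name, keystore, alias and password.
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required: dsig and saml lookups are namespace based
        // Refuse DOCTYPE declarations so the parser cannot be steered into external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("decrypted-assertion.xml"));

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("trust.jks"), "changeit".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate("idp-signing");

        boolean ok = verifyAssertion(doc.getDocumentElement(), cert.getPublicKey());
        System.out.println("assertion signature valid: " + ok);
    }
}
```

Registering the ID attribute on the validation context is deliberately scoped to one validation rather than mutating the document globally, and the key comes from the verifier's own trust store, not from a KeyInfo embedded in the message, so a signature that validates here was produced by a key the relying party already trusts.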


