mace-opensaml-users - can't validate signature on SAML1.1 response from Shibboleth 1.3.2 IDP

Subject: OpenSAML user discussion

  • From: "John Schonmeier" <>
  • To:
  • Subject: can't validate signature on SAML1.1 response from Shibboleth 1.3.2 IDP
  • Date: Fri, 4 May 2007 20:52:58 -0400

Greetings.

I've got code that validates the signature on SAML2 and SAML1.1 responses.  My code is using an older java-opensaml2 library that still contained the BasicX509SignatureTrustEngine, and that's what it's using to validate the signatures.  For the most part, it works great.  However, when I get a SAML1.1 response from a Shibboleth 1.3.2 IDP, it throws some exceptions that make me think of some other threads that I've read from this mailing list.  None of those threads are exactly spot-on, though, so I figure I'll start a new one.

At this point, I'm not sure if I've got the wrong version of some underlying library, or if my code is doing something wrong, or if I need to upgrade to the latest trunk version of java-opensaml2.

I've noticed that BasicX509SignatureTrustEngine doesn't even exist anymore.  The only TrustEngine I see in the org.opensaml.xml.signature package now is SignatureTrustEngine, which is only an interface.  Thus, I'm not even sure which TrustEngine I should use at this point if I do need to upgrade to the latest trunk version of java-opensaml2.

Note that with this code, I am able to validate SAML 1.1 responses, just not ones from Shibboleth 1.3.2 IDP, so far as I can tell.  SAML 2 response signatures also validate correctly.  I have scrutinized a working SAML1.1 response against a Shibboleth SAML1.1 response, and see no major differences.  The Shibboleth one puts a couple of namespace attributes in the Response element, includes an InclusiveNamespaces element at /Response/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform/ec:InclusiveNamespaces, and includes 2 assertions.  Other SAML1.1 responses that I've received and validated successfully don't have the extra xmlns attributes on the Response element, don't include the InclusiveNamespaces element, and have only 1 assertion.  There may be a few other minor differences, but I see nothing in the Shibboleth SAML1.1 response that should cause a problem.  I've also pulled the signatures out of a Shibboleth SAML1.1 response and validated them manually with openssl, and they validate fine that way.

This code runs in Java 1.5.0_10.  I'm using xml-sec-1.4.0.jar, and xerces 2.8.0 as my parser, but I've tried it with the stock Sun parser, as well.  It doesn't seem to make any difference.  Here's the method:

        // Imports whose packages the post and the stack trace confirm; the
        // DirectKeyInfoResolver import depends on the older opensaml2 build in use.
        import java.security.PublicKey;
        import javolution.util.FastList;
        import org.opensaml.xml.security.SecurityException;
        import org.opensaml.xml.signature.BasicX509SignatureTrustEngine;
        import org.opensaml.xml.signature.Signature;
        import org.opensaml.xml.signature.SignatureTrustEngine;

        public boolean hasValidSignature(Signature token, PublicKey publicKey) {
                SignatureTrustEngine trustEngine = new BasicX509SignatureTrustEngine();
                try {
                        // The one key we trust, handed to the engine through a resolver
                        FastList verificationKey = new FastList();
                        verificationKey.add(publicKey);
                        DirectKeyInfoResolver verificationKeyResolver =
                                new DirectKeyInfoResolver(null, verificationKey, null, null);
                        if (!trustEngine.validate(token, null, verificationKeyResolver)) {
                                LogManager.err("Failed to validate signature with proper public key");
                                return false;
                        }
                        LogManager.debug("********** Signature Validation Passed **********");
                        return true;
                } catch (SecurityException e) {
                        // Thrown when the engine cannot evaluate the key at all (see trace below)
                        logger.error("SAMLResponse: hasValidSignature: signature validation failed", e);
                        return false;
                }
        }

And these are the errors I see when I get a SAML 1.1 response from Shibboleth:

org.opensaml.xml.security.SecurityException: Unable to evaluate key against signature
        at org.opensaml.xml.signature.BasicX509SignatureTrustEngine.validate(BasicX509SignatureTrustEngine.java:203)
        at org.opensaml.xml.signature.BasicX509SignatureTrustEngine.validate(BasicX509SignatureTrustEngine.java:65)
        at org.opensaml.xml.signature.BasicX509SignatureTrustEngine.validate(BasicX509SignatureTrustEngine.java:44)
        ... 17 more
Caused by: org.apache.xml.security.signature.XMLSignatureException: The Reference for URI #_1c3fdfadbefa2baecc0c7da4073fe452 has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI #_1c3fdfadbefa2baecc0c7da4073fe452 has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID _1c3fdfadbefa2baecc0c7da4073fe452
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID _1c3fdfadbefa2baecc0c7da4073fe452
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID _1c3fdfadbefa2baecc0c7da4073fe452
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _1c3fdfadbefa2baecc0c7da4073fe452
        at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
        at org.opensaml.xml.signature.BasicX509SignatureTrustEngine.validate(BasicX509SignatureTrustEngine.java:195)
        ... 20 more

The errors here remind me very much of the "ID-ness" problems discussed in earlier threads.  But I've stared at the xml long and hard, and believe that the ID attributes in the Shibboleth SAML1.1 response are in place.

Any help would be greatly appreciated.

--
John Schonmeier, , https://schonmeier.dyndns.org/
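One way to test the "ID-ness" hypothesis raised in the post, as an added example that is not part of the original message or of OpenSAML: parse a constructed, unsigned SAML 1.1 Response skeleton with a plain namespace-aware DOM builder, check whether getElementById finds the ID value from the trace, then declare the SAML 1.x ID attributes (ResponseID, AssertionID) as DOM IDs, which is what a schema-validating parse would otherwise do, and check again. The skeleton, the class name and the reuse of the trace's ID value are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class IdnessCheck {
    private static final String SAML1P = "urn:oasis:names:tc:SAML:1.0:protocol";
    private static final String SAML1A = "urn:oasis:names:tc:SAML:1.0:assertion";
    // Constructed, unsigned SAML 1.1 Response skeleton reusing the ID from the trace.
    private static final String SAMPLE =
        "<Response xmlns=\"" + SAML1P + "\" ResponseID=\"_1c3fdfadbefa2baecc0c7da4073fe452\">"
        + "<saml:Assertion xmlns:saml=\"" + SAML1A + "\" AssertionID=\"_a1\"/>"
        + "</Response>";

    /** Namespace-aware, non-validating parse: the parser learns nothing about ID types. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    /** Declares the SAML 1.x ID attributes as DOM IDs so "#id" references can resolve. */
    static void registerSaml1Ids(Document doc) {
        markId(doc.getElementsByTagNameNS(SAML1P, "Response"), "ResponseID");
        markId(doc.getElementsByTagNameNS(SAML1A, "Assertion"), "AssertionID");
    }

    private static void markId(NodeList nodes, String attr) {
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            if (e.hasAttribute(attr)) {
                e.setIdAttribute(attr, true); // DOM Level 3, present in Java 1.5
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String id = "_1c3fdfadbefa2baecc0c7da4073fe452";
        Document doc = parse(SAMPLE);
        // The DOM lookup that ID-based reference resolution starts from; null is the
        // situation behind "Cannot resolve element with ID" in the trace above.
        System.out.println("before registering IDs: " + doc.getElementById(id));
        registerSaml1Ids(doc);
        Element found = doc.getElementById(id);
        System.out.println("after registering IDs:  " + (found == null ? null : found.getLocalName()));
    }
}
```

Run the same two lookups against the DOM the real response is parsed into, using the ID from its ds:Reference URI, to see whether the failing reference is an ID-typing problem or something else in the document.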
