mace-opensaml-users - Re: Verify a SAML token
Subject: OpenSAML user discussion
List archive
- From: "Mike Mattozzi" <>
- To:
- Subject: Re: Verify a SAML token
- Date: Tue, 5 Jun 2007 16:16:41 -0700
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=QMkpeXYtagDbB6F+c/FKocNi3gF1iV2BDvJpB7zz2E2gCm99Y1MU13dRuu4JUFZKjpfcjgvTWaCSRhJZVC/lQ1mRHd1Rbb0AreqAVVR0/aa1sY6qj6UVeG43xRnlXQz29243PshL4zz+sENYr6BkqrLmY+JHP9VH1kjsEdqpZZg=
Thanks for the discussion... looking forward to the final release of
OpenSAML 2, I'm sure you guys are too :)
Now for a nitty-gritty question: Do you have support for xpointer? I
was working through a signature validation using the
SignatureValidator and the sample Assertion I have uses the Reference
URI="#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])"
When validate() is called on the signature, I get a nice blob of errors:
Exception in thread "main"
org.opensaml.xml.validation.ValidationException: Unable to evaluate
key against signature
at
org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:75)
at samltest.Samltest.parseSAML1withCert(Samltest.java:160)
at samltest.Samltest.main(Samltest.java:67)
Caused by: org.apache.xml.security.signature.XMLSignatureException:
The Reference for URI
#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])
has no XMLSignatureInput
Original Exception was
org.apache.xml.security.signature.MissingResourceFailureException: The
Reference for URI
#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])
has no XMLSignatureInput
Original Exception was
org.apache.xml.security.signature.ReferenceNotInitializedException:
Could not find a resolver for URI
#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])
and Base
Original Exception was
org.apache.xml.security.signature.ReferenceNotInitializedException:
Could not find a resolver for URI
#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])
and Base
Original Exception was
org.apache.xml.security.signature.ReferenceNotInitializedException:
Could not find a resolver for URI
#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])
and Base
Original Exception was
org.apache.xml.security.utils.resolver.ResourceResolverException:
Could not find a resolver for URI
#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])
and Base
at
org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown
Source)
at
org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:68)
... 2 more
I tried replacing the URI with just the assertion id, in which case it
seems to find everything it's looking for just fine, but then the
fails with "Signature did not validate against the credential's key"
which I guess makes sense given the fact that I just changed part of
the XML (or would this part be excluded from the signing?)
Either way, is there any way I can get this xpointer to resolve?
thanks!
On 6/5/07, Scott Cantor
<>
wrote:
Mike Klein wrote:
> I am using routines documented on this page to verify signer of identity
> document and to verify/sign assertions. Code seems to work fine and
> messages are tamper-proof.
Yes, as long as your use case is simple enough that a single
predetermined certificate is available for each signer and you do the
mapping between who the signer is and where the certificate is.
> Grabbing a public cert from a keystore can be done in 3 lines of code or
> so...this isn't an issue. OpenSAML won't provide you an uber-keystore
> concept or anything I think so you'll need to load and cache them yourself.
Actually, that's pretty much exactly what it does, or will do, along with
support for TLS/SSL connection management with the same trust facilities.
-- Scott
- RE: Verify a SAML token, Mike Mattozzi, 06/04/2007
- Re: Verify a SAML token, Mike Klein, 06/04/2007
- Re: Verify a SAML token, Mike Mattozzi, 06/05/2007
- Re: Verify a SAML token, Chad La Joie, 06/05/2007
- Re: Verify a SAML token, Mike Klein, 06/05/2007
- Re: Verify a SAML token, Scott Cantor, 06/05/2007
- Re: Verify a SAML token, Mike Mattozzi, 06/05/2007
- Re: Verify a SAML token, Chad La Joie, 06/05/2007
- Re: Verify a SAML token, Brent Putman, 06/05/2007
- Signature XPointer References (was Re: Verify a SAML token), Brent Putman, 06/06/2007
- Re: Signature XPointer References (was Re: Verify a SAML token), Mike Mattozzi, 06/07/2007
- Re: Signature XPointer References (was Re: Verify a SAML token), Brent Putman, 06/07/2007
- Re: Signature XPointer References (was Re: Verify a SAML token), Mike Mattozzi, 06/08/2007
- Re: Signature XPointer References (was Re: Verify a SAML token), Brent Putman, 06/08/2007
- Re: Verify a SAML token, Mike Mattozzi, 06/05/2007
- Re: Verify a SAML token, Scott Cantor, 06/05/2007
- Re: Verify a SAML token, Mike Mattozzi, 06/05/2007
- Re: Verify a SAML token, Mike Klein, 06/04/2007
- Re: Verify a SAML token, Brent Putman, 06/05/2007
Archive powered by MHonArc 2.6.16.