mace-opensaml-users - RE: Sha2 signature info requested

Subject: OpenSAML user discussion

  • From: Prasanna Krishna <>
  • To: <>
  • Subject: RE: Sha2 signature info requested
  • Date: Fri, 5 Oct 2007 21:33:51 +0000
  • Importance: Normal

Hi Brent & SAML experts -
 
The assertion statement that got generated with the code is as follows:
 
<?xml version="1.0" encoding="UTF-16"?>
<samlp:Response ID="1" IssueInstant="2007-10-03T15:36:00.694Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">foo.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">ABF/gZU10eNQg9k47DmUxve7o6+FPBH+5ZrlnflydJA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
f6NjyMg/CdW5JNICIvMVv3Ht9gJCmK5YX304XZI6HQCrgWKcYWTizz8jIwbFxzGqXdp47cC6Waw2
b9Ule+FmGqIA1NeTJnEVsduCOe5+I5wzkK3kxcCkvKBG/UygIkbGqCm+fHq4mosLhtXC1sTbuzkB
Mw+VJsEw1dioxJC84Y8=
</ds:SignatureValue>
</ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="5000059412" IssueInstant="2007-10-03T15:36:00.694Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">TestPlatform1.foo.com</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">id1_1191425733412</saml:NameID></saml:Subject><saml:Conditions NotBefore="2007-10-03T15:36:00.944Z" NotOnOrAfter="2007-10-23T15:36:00.944Z"/><saml:AuthnStatement AuthnInstant="2007-10-03T15:36:00.694Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

The code that generated the above SAML doc is as follows.  Once again pasting it for your ready ref:
 

// NOTE: The following 6 steps to sign SAML doc are picked up from
// https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG

// Step 1: Create a Signature object using the
// org.opensaml.xml.signature.SignatureBuilder (this is found in the
// XMLTooling library).
SignatureBuilder sb = new SignatureBuilder();
Signature sig = sb.buildObject();

// Step 2: Add the Credential containing the signing key using the
// Signature#setSigningCredential(Credential) method.
Credential cr = SecurityHelper.getSimpleCredential(
        service.getSignatureCertificate().getPublicKey(),
        service.getPrivateKey());
sig.setSigningCredential(cr);

// Step 3: Add the signature method algorithm URI with the method
// Signature#setSignatureAlgorithm(String). Note that the algorithm
// URI is dependent on the type of key contained with the signing
// credential.
sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

// Step 4: Add the canonicalization method algorithm URI with the
// method Signature#setCanonicalizationAlgorithm(String).
// The URI must be passed as a string literal.
sig.setCanonicalizationAlgorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315");

// Step 6: Add the Signature to the SAMLObject using the
// setSignature(Signature) method. A SAMLObjectContentReference will
// automatically be added to the list of signature references
// exposed via Signature#getContentReferences()
response.setSignature(sig);
((SAMLObjectContentReference) sig.getContentReferences().get(0))
        .setDigestAlgorithm(EncryptionConstants.ALGO_ID_DIGEST_SHA256);

// Marshall the Response to DOM first, then compute DigestValue and SignatureValue.
Element authElement = marshall(response);
Signer.signObject(sig);

 

 

The assertion statement just before Signer.signObject is invoked:

 

 

<?xml version="1.0" encoding="UTF-16"?>
<samlp:Response ID="1" IssueInstant="2007-10-04T00:41:13.470Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">trinity.ebay.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="5000063245" IssueInstant="2007-10-04T00:41:13.470Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">TestPlatform1.ebay.com</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">id1_1191458446939</saml:NameID></saml:Subject><saml:Conditions NotBefore="2007-10-04T00:41:13.720Z" NotOnOrAfter="2007-10-24T00:41:13.720Z"/><saml:AuthnStatement AuthnInstant="2007-10-04T00:41:13.470Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
 

 

The only difference we find is with respect to the digest value and signature value, which are set after Signer.signObject(sig) is invoked.


The receiving party, who is not using OpenSAML, is trying to verify the digest value even before verifying the signature.

 

The steps followed by them are :

 

1) Remove the actual Digest Value and Signature Value in the SAML response. (Please note that the DigestValue and SignatureValue tags still exist in the SAML.)
2) Canonicalize the SAML after step 1.
3) Run the SHA2 hash on the canonicalized output.
4) Do B64_encode_RFC on the SHA2 hash value.
5) Compare the Digest Value in the original SAML Response with the B64-encoded hash value.

 

 

They are having issues with matching the digest values.

Can you please provide info on whether the above steps are correct or require any change?

Another related question: Would any of the above change if Key Info is included?

 

Thanks

Prasanna Krishna
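
Added example, not part of the original post and not OpenSAML code: a receiver-side check with the JDK's built-in javax.xml.crypto.dsig API, using the same Reference URI, transforms and algorithms as the Response above. It prints the exact octets that were digested, which shows that the enveloped-signature transform removes the whole ds:Signature element before exclusive canonicalization, so no empty DigestValue or SignatureValue tags are hashed. The class name, the throwaway key and the sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class ReferenceDigestDebug {
    public static void main(String[] args) throws Exception {
        // Constructed sample: same ID, prefixes and algorithms as the Response above.
        String xml = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " ID=\"1\" Version=\"2.0\"><saml:Issuer"
            + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">foo.com</saml:Issuer></samlp:Response>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        root.setIdAttribute("ID", true);        // lets URI="#1" resolve without a schema
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();     // throwaway key for the demo only
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#1", fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
                    new ExcC14NParameterSpec(Arrays.asList("ds", "saml", "samlp")))),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), root));

        // Receiver side: validate and keep the exact octets fed to the digest.
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigNode);
        vc.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        System.out.println("signature valid: " + sig.validate(vc));
        Reference r = (Reference) sig.getSignedInfo().getReferences().get(0);
        byte[] pre = r.getDigestInputStream().readAllBytes();
        System.out.println("digest input:\n" + new String(pre, StandardCharsets.UTF_8));
        byte[] sha = MessageDigest.getInstance("SHA-256").digest(pre);
        System.out.println("digest matches: " + Arrays.equals(sha, r.getDigestValue()));
    }
}
```

Comparing the printed digest input byte for byte with what a non-JDK verifier feeds to its hash function locates a DigestValue mismatch.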

 


