mace-opensaml-users - Re: signature validation in OpenSAML2
Subject: OpenSAML user discussion
- From: Kenny Pearce <>
- To:
- Subject: Re: signature validation in OpenSAML2
- Date: Tue, 11 Dec 2007 09:29:32 -0500
- Organization: Hx Technologies
So, here's a question: how does opensaml/Apache xml-sec even GET the
SOAP message? I'm passing in an opensaml Signature object to the
SignatureValidator.validate method. Going through the source, I can't
see how you would reconstruct the whole SOAP message from that. It must
have something to do with references? At any rate, is it possible for me
to call the same method Apache does in order to verify it?

I guess another important question is, has anyone tried opensaml with a
recent version of jax-ws?

On Tue, 2007-12-11 at 15:04 +0100, Chad La Joie wrote:
> Yeah, this is where this stuff gets nasty. writeTo() is doing some
> particular type of marshalling and serialization process to get that
> SOAPMessage object into a string representation. Whatever that process
> is may be covering up whatever changes have been made. However, the
> signature algorithm may be using a different canonicalization process,
> for example, than writeTo() and so those changes may show up in that
> process.
>
>
> Scott Cantor wrote:
> >> Well, I did SOAPMessage.writeTo(), saved the output, and ran diff on
> >> them, and diff said they were the same. I think that's a bit-for-bit
> >> comparison. Do you have any idea how to do a more precise comparison, or
> >> whether there might be some other problem?
> >
> > If there's no other indication, you're going to have to get at the digest
> > input itself and compare the octets in each case to identify the
> > difference.
> >
> > If the diff were really identical, it would work, unless there were a
> > reference lookup error on one side due to ID attribute problems.
> >
> > -- Scott
> >
> >
>