mace-opensaml-users - Re: signature validation in OpenSAML2
Subject: OpenSAML user discussion
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: signature validation in OpenSAML2
- Date: Tue, 11 Dec 2007 15:34:54 +0100
- Organization: SWITCH
When you unmarshall a message with OpenSAML the DOM is cached within the instances of the various XMLObjects that are created. So the whole message is preserved, at least until you change something at which point the cache is invalidated. So the whole message is there and accessible from any object.
The digital signature identifies what has been signed by the references. The error your getting doesn't appear to be indicative of the library not being able to find the referenced content. So I don't believe its a references problem.
Yes, you certainly can use the raw Apache xml-sec library methods if you wish.
Kenny Pearce wrote:
So, here's a question: how does opensaml/Apache xml-sec even GET the
SOAP message? I'm passing in an opensaml Signature object to the
SignatureValidator.validate method. Going through the source, I can't
see how you would reconstruct the whole SOAP message from that. It must
have something to do with references? At any rate, is it possible for me
to call the same method Apache does in order to verify it?
I guess another important question is, has anyone tried opensaml with a
recent version of jax-ws?
On Tue, 2007-12-11 at 15:04 +0100, Chad La Joie wrote:
Yeah, this is where this stuff gets nasty. writeTo() is doing some particular type of marshalling and serialization process to get that SOAPMessage object into a string representation. Whatever that process is may be covering up whatever changes have been made. However, the signature algorithm may be using a different canonicalization process, for example, than writeTo() and so those changes may show up in that process.
Scott Cantor wrote:
Well, I did SOAPMessage.writeTo(), saved the output, and ran diff onIf there's no other indication, you're going to have to get at the digest
them, and diff said they were the same. I think that's a bit-for-bit
comparison. Do you have any idea how to do a more precise comparison, or
whether there might be some other problem?
input itself and compare the octets in each case to identify the difference.
If the diff were really identical, it would work, unless there were a
reference lookup error on one side due to ID attribute problems.
-- Scott
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
- signature validation in OpenSAML2, Kenny Pearce, 12/07/2007
- Re: signature validation in OpenSAML2, Brent Putman, 12/07/2007
- Re: signature validation in OpenSAML2, Kenny Pearce, 12/07/2007
- Re: signature validation in OpenSAML2, Kenny Pearce, 12/10/2007
- RE: signature validation in OpenSAML2, Scott Cantor, 12/10/2007
- Re: signature validation in OpenSAML2, Chad La Joie, 12/11/2007
- Re: signature validation in OpenSAML2, Kenny Pearce, 12/11/2007
- RE: signature validation in OpenSAML2, Scott Cantor, 12/11/2007
- Re: signature validation in OpenSAML2, Chad La Joie, 12/11/2007
- Re: signature validation in OpenSAML2, Kenny Pearce, 12/11/2007
- Re: signature validation in OpenSAML2, Chad La Joie, 12/11/2007
- Re: signature validation in OpenSAML2, Kenny Pearce, 12/11/2007
- RE: signature validation in OpenSAML2, Scott Cantor, 12/11/2007
- Message not available
- Re: signature validation in OpenSAML2, Brent Putman, 12/11/2007
- Re: signature validation in OpenSAML2, Kenny Pearce, 12/11/2007
- Re: signature validation in OpenSAML2, Brent Putman, 12/11/2007
- RE: signature validation in OpenSAML2, Scott Cantor, 12/11/2007
- Re: signature validation in OpenSAML2, Chad La Joie, 12/11/2007
- RE: signature validation in OpenSAML2, Scott Cantor, 12/11/2007
- Re: signature validation in OpenSAML2, Kenny Pearce, 12/11/2007
- Re: signature validation in OpenSAML2, Brent Putman, 12/07/2007
Archive powered by MHonArc 2.6.16.