
mace-opensaml-users - Re: signature validation in OpenSAML2

Subject: OpenSAML user discussion


Re: signature validation in OpenSAML2


  • From: Kenny Pearce <>
  • To:
  • Subject: Re: signature validation in OpenSAML2
  • Date: Tue, 11 Dec 2007 12:51:05 -0500
  • Organization: Hx Technologies

So, maybe everyone else already caught this from the debugging output I
posted, and I'm just slow as a result of not being familiar with this
stuff, but apparently (based on comparing the output with the xmlsec
source) the digest is validating correctly, and it is only the signature
validation that is failing.
Correct me if I'm wrong, but my understanding (based on the xml-dsig
spec) is that the digest is calculated over the referenced element (in
SAML, the assertion), and it is the <SignedInfo/> element, which
contains both the reference (and the reference contains the digest),
that is signed with the public/private key algorithm. Now, the digest is
definitely the same on both sides (I checked), and the signature is
inside the SAML assertion, which is what it is supposed to be a digest
of, so according to SHA1 nothing is changing. Is there any type of
change the RSA might be sensitive to that SHA1 isn't? Or is it possible
that this is a configuration problem or something?

On Tue, 2007-12-11 at 15:34 +0100, Chad La Joie wrote:
> When you unmarshall a message with OpenSAML the DOM is cached within the
> instances of the various XMLObjects that are created. So the whole
> message is preserved, at least until you change something at which point
> the cache is invalidated. So the whole message is there and accessible
> from any object.
>
> The digital signature identifies what has been signed by the references.
> The error you're getting doesn't appear to be indicative of the library
> not being able to find the referenced content. So I don't believe it's a
> references problem.
>
> Yes, you certainly can use the raw Apache xml-sec library methods if you
> wish.
>
> Kenny Pearce wrote:
> > So, here's a question: how does opensaml/Apache xml-sec even GET the
> > SOAP message? I'm passing in an opensaml Signature object to the
> > SignatureValidator.validate method. Going through the source, I can't
> > see how you would reconstruct the whole SOAP message from that. It must
> > have something to do with references? At any rate, is it possible for me
> > to call the same method Apache does in order to verify it?
> >
> > I guess another important question is, has anyone tried opensaml with a
> > recent version of jax-ws?
> >
> > On Tue, 2007-12-11 at 15:04 +0100, Chad La Joie wrote:
> >> Yeah, this is where this stuff gets nasty. writeTo() is doing some
> >> particular type of marshalling and serialization process to get that
> >> SOAPMessage object into a string representation. Whatever that process
> >> is may be covering up whatever changes have been made. However, the
> >> signature algorithm may be using a different canonicalization process,
> >> for example, than writeTo() and so those changes may show up in that
> >> process.
> >>
> >>
> >> Scott Cantor wrote:
> >>>> Well, I did SOAPMessage.writeTo(), saved the output, and ran diff on
> >>>> them, and diff said they were the same. I think that's a bit-for-bit
> >>>> comparison. Do you have any idea how to do a more precise comparison,
> >>>> or whether there might be some other problem?
> >>> If there's no other indication, you're going to have to get at the
> >>> digest input itself and compare the octets in each case to identify the
> >>> difference.
> >>>
> >>> If the diff were really identical, it would work, unless there were a
> >>> reference lookup error on one side due to ID attribute problems.
> >>>
> >>> -- Scott
> >>>
> >>>
> >
>
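The pattern Kenny describes (reference digests pass, signature validation fails) and the octet comparison Scott recommends can both be reproduced outside OpenSAML. The following is an added example, not code from this thread, from OpenSAML or from Apache xml-sec: it uses the JDK's own `javax.xml.crypto.dsig` (JSR 105) API, a constructed `<Assertion>` stand-in rather than a real SAML document, and SHA-256/RSA-SHA256 in place of the thread's SHA1/RSA-SHA1 because newer JDKs reject SHA-1 during secure XML signature validation. It needs Java 11 or later. After core validation it asks the `SignatureValue` and each `Reference` separately whether they validate, and it dumps the canonicalized `SignedInfo` bytes, which are exactly what the RSA signature covers. Three tamper cases then show which part fails when the assertion changes, when only `SignedInfo` changes (here its `CanonicalizationMethod`), and when the verifier holds the wrong key; the last two give Kenny's symptom.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Reports reference-digest validity and SignatureValue validity separately, plus the signed octets. */
public class DsigCheck {
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    // Constructed stand-in for a SAML assertion; not a real SAML document.
    static final String SAMPLE =
        "<Assertion xmlns=\"urn:example:demo\" ID=\"a1\"><Subject>alice</Subject></Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        doc.getDocumentElement().setIdAttribute("ID", true); // lets Reference URI="#a1" resolve
        return doc;
    }

    /** Enveloped signature over the whole assertion, appended as its last child, like a SAML ds:Signature. */
    static Document sign(Document doc, KeyPair kp) throws Exception {
        Reference ref = FAC.newReference("#a1", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod(SignatureMethod.RSA_SHA256, null), Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return doc;
    }

    static final class Result {
        final boolean core, signatureValue, referenceDigests;
        final String signedInfoOctets; // canonicalized SignedInfo, the input to the RSA signature
        Result(boolean c, boolean s, boolean r, String o) {
            core = c; signatureValue = s; referenceDigests = r; signedInfoOctets = o;
        }
        @Override public String toString() {
            return "core=" + core + " signatureValue=" + signatureValue + " referenceDigests=" + referenceDigests;
        }
    }

    static Result validate(Document doc, PublicKey key) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalStateException("no ds:Signature element");
        DOMValidateContext vctx = new DOMValidateContext(KeySelector.singletonKeySelector(key), nl.item(0));
        vctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); // keep digest inputs around
        XMLSignature sig = FAC.unmarshalXMLSignature(vctx);
        boolean core = sig.validate(vctx);
        // Core validation stops at the first failing part, so query each part on its own.
        boolean sv = sig.getSignatureValue().validate(vctx);
        boolean refs = true;
        for (Object o : sig.getSignedInfo().getReferences()) refs &= ((Reference) o).validate(vctx);
        InputStream canon = sig.getSignedInfo().getCanonicalizedData();
        String octets = canon == null ? "" : new String(canon.readAllBytes(), StandardCharsets.UTF_8);
        return new Result(core, sv, refs, octets);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document ok = sign(parse(SAMPLE), kp);
        System.out.println("untouched:          " + validate(ok, kp.getPublic()));

        // A: referenced content changes -> the reference digest fails, SignatureValue still verifies
        Document a = sign(parse(SAMPLE), kp);
        a.getElementsByTagNameNS("urn:example:demo", "Subject").item(0).setTextContent("bob");
        System.out.println("assertion changed:  " + validate(a, kp.getPublic()));

        // B: only SignedInfo changes -> digests pass, SignatureValue fails (Kenny's symptom)
        Document b = sign(parse(SAMPLE), kp);
        Element c14n = (Element) b.getElementsByTagNameNS(XMLSignature.XMLNS, "CanonicalizationMethod").item(0);
        c14n.setAttribute("Algorithm", CanonicalizationMethod.INCLUSIVE);
        Result rb = validate(b, kp.getPublic());
        System.out.println("SignedInfo changed: " + rb + "\n  signed octets: " + rb.signedInfoOctets);

        // C: untouched document, wrong verification key -> digests pass, SignatureValue fails
        System.out.println("wrong key:          " + validate(ok, kpg.generateKeyPair().getPublic()));
    }
}
```

When `referenceDigests` is true and `signatureValue` is false, SHA-256 over the assertion is not what differs; either the canonicalized `SignedInfo` octets differ between the two sides (canonicalization method, namespace context, whitespace or attribute changes inside `SignedInfo`) or the verifying key is not the signer's. Printing `signedInfoOctets` on both the signing and the validating side and comparing them byte for byte is the check Scott describes, moved one level up from the reference digest to the signature input.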
