mace-opensaml-users - RE: signature validation in OpenSAML2

Subject: OpenSAML user discussion

RE: signature validation in OpenSAML2

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: signature validation in OpenSAML2
  • Date: Tue, 11 Dec 2007 13:21:24 -0500
  • Organization: The Ohio State University

> So, maybe everyone else already caught this from the debugging output I
> posted, and I'm just slow as a result of not being familiar with this
> stuff, but apparently (based on comparing the output with the xmlsec
> source) the digest is validating correctly, and it is only the signature
> validation that is failing.

It looked like it.

> Correct me if I'm wrong, but my understanding (based on the xml-dsig
> spec) is that the digest is calculated over the referenced element (in
> SAML, the assertion), and it is the <SignedInfo/> element, which
> contains both the reference (and the reference contains the digest),
> that is signed with the public/private key algorithm. Now, the digest is
> definitely the same on both sides (I checked), and the signature is
> inside the SAML assertion, which is what it is supposed to be a digest
> of, so according to SHA1 nothing is changing. Is there any type of
> change the RSA might be sensitive to that SHA1 isn't? Or is it possible
> that this is a configuration problem or something?

If SignedInfo changes, I'd start by making sure you were using exclusive
c14n everywhere, including for the overall signature c14n, not just as a
transform. If so, there usually aren't a lot of namespace problems inside
SignedInfo unless something is physically rewriting them in a noticeable way.

SignedInfo is also digested before signing it, so you can also catch those
bytes during the final digest step.

-- Scott
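An added example, not code from this thread or from OpenSAML, that models the two layers the discussion describes: the Reference digest covers the canonicalized assertion with the Signature subtree removed, while the key operation covers the canonicalized SignedInfo, so SignedInfo bytes that differ between signer and verifier fail the signature check while the digest still matches. It assumes Python's stdlib C14N 2.0 as a stand-in for exclusive C14N, an HMAC key in place of the RSA key pair, a SignedInfo reduced to a single Reference, and a `rewrite_prefixes` serializer as the "something physically rewriting" namespaces that Scott mentions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS)
ET.register_namespace("saml", SAML)
# Constructed sample: a SAML-style assertion carrying an enveloped signature;
# DigestValue and SignatureValue stay empty until sign_assertion() fills them.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="a1">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#a1"><ds:DigestValue></ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue></ds:SignatureValue></ds:Signature>
</saml:Assertion>"""
# Assumption: an HMAC key stands in for the thread's RSA key pair (the standard
# library has no RSA); the two-layer digest/signature structure is the point.
KEY = b"demo-key-standing-in-for-an-RSA-private-key"

def c14n(elem, exclude_signature=False):
    """stdlib C14N 2.0: like exclusive C14N it declares only namespaces in use."""
    excl = [f"{{{DS}}}Signature"] if exclude_signature else []
    xml = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml, exclude_tags=excl).encode()

def rewritten_prefixes(elem):
    """Stand-in for a verifier whose toolchain rewrites namespace prefixes."""
    xml = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml, rewrite_prefixes=True).encode()

def reference_digest(root):
    # Layer 1: digest of the referenced element, Signature dropped (enveloped transform).
    return hashlib.sha1(c14n(root, exclude_signature=True)).hexdigest()

def sign_assertion(xml, signedinfo_bytes=c14n):
    root = ET.fromstring(xml)
    root.find(f".//{{{DS}}}DigestValue").text = reference_digest(root)
    si = root.find(f".//{{{DS}}}SignedInfo")
    # Layer 2: the key signs the canonical SignedInfo, not the assertion itself.
    sig = hmac.new(KEY, signedinfo_bytes(si), "sha1").hexdigest()
    root.find(f".//{{{DS}}}SignatureValue").text = sig
    return ET.tostring(root, encoding="unicode")

def verify(xml, signedinfo_bytes=c14n):
    """Returns (digest_ok, signature_ok); the thread's symptom is (True, False)."""
    root = ET.fromstring(xml)
    digest_ok = root.find(f".//{{{DS}}}DigestValue").text == reference_digest(root)
    si = root.find(f".//{{{DS}}}SignedInfo")
    sig = hmac.new(KEY, signedinfo_bytes(si), "sha1").hexdigest()
    sig_ok = hmac.compare_digest(sig, root.find(f".//{{{DS}}}SignatureValue").text)
    return digest_ok, sig_ok
```

Dumping the bytes `signedinfo_bytes()` returns on each side is the check Scott suggests: capture what goes into the final digest step and diff the two.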
