mace-opensaml-users - Re: Reference Node in Signature Duplicated

Subject: OpenSAML user discussion

Re: Reference Node in Signature Duplicated


  • From: Chad La Joie <>
  • To:
  • Subject: Re: Reference Node in Signature Duplicated
  • Date: Thu, 10 Jan 2008 17:17:57 +0100
  • Organization: SWITCH

The Shib IdP on my test machine, which is using the latest OpenSAML code, doesn't have duplicate references.

Is your code adding any references? The OpenSAML code takes care of all the reference objects for SAML compliant signatures (so you don't have to do it).

Paul Hethmon wrote:
Ok, not sure where this is getting done, whether it's my use of the OpenSAML
code or the OpenSAML code. I'm trying to get my IdP implementation (Java)
working with the Lightbulb PHP SP
(http://opensso.dev.java.net/public/extensions/) code from Sun. What I am
seeing is an error from their library saying:

Error: Reference validation failed

Tracing through their code, it appears that it is saying there is a problem
with the <ds:Reference> node in the signature. I then took a look at what
I'm generating and I see two identical <ds:Reference> nodes (xml at the end
of this message).

I looked through my signature generating code and don't see anything which
looks like it ought to cause two Reference nodes to be emitted. So does
anyone know of anything I should look for in my code? Does anyone have an
IdP using the Java libs that does *not* send out two Reference nodes?

For reference, my OpenSAML Java code was updated today (2008-01-10).

Thanks,

Paul



<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://www.acmemls.com:80/recv-saml.jsp"
    ID="acmeidp1199978583569"
    InResponseTo="acmemls1199978573054"
    IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="acmeidp1199978583569"
      IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:Reference URI="#acmeidp1199978583569"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform
                Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            <ds:Transform
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ec:InclusiveNamespaces
                  xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                  PrefixList="ds saml"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#acmeidp1199978583569"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform
                Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            <ds:Transform
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ec:InclusiveNamespaces
                  xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                  PrefixList="ds saml"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
h9M4de1l3sAl7Ue4qYk6UZ8gI/aDTWAg2Ueog3sZ2COkkOraoaDKWhsx2kcz6l0qguNCbLfCVQq3
eSmRR2R8VileLsVdvTssKZ5OYvvAKOMnJgueeGC1ZqElp9NWRf7p+qmAMytynxQG64JGJnFqO2fG
NzORvH8ZZRSVgZmrhdU= </ds:SignatureValue>
    </ds:Signature>


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
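As an added, defensive illustration (not OpenSAML's code and not code from the thread): a small structural lint, in Python, over a constructed Response skeleton that mirrors the shape of the message quoted above. It flags what a reference validator like the one in the thread would reject: two ds:Reference elements pointing at the same URI, a URI whose ID is carried by more than one element (in the quoted XML the Response and the Assertion both carry ID acmeidp1199978583569, so "#acmeidp1199978583569" is ambiguous), and a reference that does not cover the element enclosing the signature. It checks structure only and does not compute digests or verify the signature value. The namespace URIs are the real ones; the IDs, the build_response helper and the placeholder digest values are constructed for the example.

```python
"""Structural lint for the ds:SignedInfo of an enveloped SAML signature.

Added example, not OpenSAML code. A same-document ds:Reference must
resolve to exactly one element, that element should be the one the
signature is enveloped in, and no two References should cover one URI.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"


def build_response(response_id, assertion_id, reference_uris):
    """Build a minimal signed-Response skeleton (constructed test input).

    Digest and signature values are placeholders; only the ID/Reference
    structure matters for the lint below.
    """
    refs = "".join(
        f'<ds:Reference URI="{u}"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>'
        for u in reference_uris
    )
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" '
        f'ID="{response_id}" Version="2.0">'
        f'<saml:Assertion ID="{assertion_id}" Version="2.0">'
        f'<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>'
        f'<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
        f'</saml:Assertion></samlp:Response>'
    )


# The shape seen in the thread: one ID value used twice, two identical References.
THREAD_SHAPE = build_response(
    "acmeidp1199978583569", "acmeidp1199978583569", ["#acmeidp1199978583569"] * 2
)
# A compliant shape: distinct IDs and a single Reference to the signed Assertion.
CLEAN_SHAPE = build_response("acmeidp-response", "acmeidp-assertion", ["#acmeidp-assertion"])


def lint_signed_info(xml_doc):
    """Return a list of human-readable problems; an empty list means the
    SignedInfo references are structurally sound."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")
    root = ET.fromstring(xml_doc)

    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}

    # Map every ID value to the elements carrying it. SAML uses "ID"; "Id"
    # and xml:id are accepted too, as most verifiers do.
    ids = {}
    for el in root.iter():
        for attr in ("ID", "Id", XML_ID):
            val = el.get(attr)
            if val is not None:
                ids.setdefault(val, []).append(el)

    problems = []
    signed_infos = root.findall(f".//{{{DS}}}SignedInfo")
    if not signed_infos:
        return ["no ds:SignedInfo found"]

    for si in signed_infos:
        signed_parent = parent.get(parent.get(si))  # element enveloping ds:Signature
        seen = {}
        for ref in si.findall(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            seen[uri] = seen.get(uri, 0) + 1
            if not uri.startswith("#"):
                problems.append(f"non-local reference {uri!r}; same-document references expected")
                continue
            targets = ids.get(uri[1:], [])
            if len(targets) == 0:
                problems.append(f"reference {uri} resolves to no element")
            elif len(targets) > 1:
                tags = ", ".join(t.tag.split("}")[-1] for t in targets)
                problems.append(
                    f"reference {uri} is ambiguous: {len(targets)} elements carry that ID ({tags})"
                )
            elif targets[0] is not signed_parent:
                problems.append(f"reference {uri} does not cover the element enclosing the signature")
        for uri, count in seen.items():
            if count > 1:
                problems.append(f"{count} ds:Reference elements point at {uri}; expected exactly one")
    return problems


if __name__ == "__main__":
    for label, doc in (("thread shape", THREAD_SHAPE), ("clean shape", CLEAN_SHAPE)):
        print(label, "->", lint_signed_info(doc) or "ok")
```

Run as a script it reports three problems for the thread-shaped document (each of the two References is ambiguous because two elements share the ID, and the URI is referenced twice) and none for the clean one. The duplicate-ID check is the one worth keeping in a real verifier: a same-document reference that can resolve to more than one element leaves it to the verifier's ID resolution which subtree the digest actually covers, which is exactly the ambiguity that signature-wrapping defences exist to remove.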



