mace-opensaml-users - Re: Reference Node in Signature Duplicated

Re: Reference Node in Signature Duplicated


  • From: Paul Hethmon <>
  • To: OpenSAML List <>, Paul Hethmon <>
  • Subject: Re: Reference Node in Signature Duplicated
  • Date: Thu, 10 Jan 2008 11:53:19 -0500

Ok, to go slightly off-topic here and more into the general SAML realm, but I think it is relevant. The error from the Sun library on “reference validation failed” turned out to be that my assertion ID values were done as:

  ID="acmeidp123456789"

Then per spec, the OpenSAML library generated the Reference URI value as:

  URI="#acmeidp123456789"

By simply changing my ID value to have the # symbol in front, this error went away. Section 5.4.2 of the saml-core document says that OpenSAML and my code are correct. Sun evidently thinks differently.

Opinions?

Thanks,

Paul


On 1/10/08 11:26 AM, "Paul Hethmon" <> wrote:

Ok. So I did find where I added the second reference, not realizing what I was doing. It always seems you can figure it out once you ask someone else the question.

However, still getting the same reference error. If anyone has any experience working against the Sun PHP extensions and can offer any advice, it would be welcome.

Thanks,

Paul



On 1/10/08 11:17 AM, "Chad La Joie" <> wrote:

The Shib IdP on my test machine, which is using the latest OpenSAML
code, doesn't have duplicate references.

Is your code adding any references?  The OpenSAML code takes care of all
the reference objects for SAML compliant signatures (so you don't have
to do it).

Paul Hethmon wrote:
> Ok, not sure where this is getting done, whether it's my use of the OpenSAML
> code or the OpenSAML code. I'm trying to get my IdP implementation (Java)
> working with the Lightbulb PHP SP
> (http://opensso.dev.java.net/public/extensions/) code from Sun. What I am
> seeing is an error from their library saying:
>
>   Error: Reference validation failed
>
> Tracing through their code, it appears that it is saying there is a problem
> with the <ds:Reference> node in the signature. I then took a look at what
> I'm generating and I see two identical <ds:Reference> nodes (xml at the end
> of this message).
>
> I looked through my signature generating code and don't see anything which
> looks like it ought to cause two Reference nodes to be emitted. So does
> anyone know of anything I should look for in my code? Does anyone have an
> IdP using the Java libs that does *not* send out two Reference nodes?
>
> For reference, my OpenSAML Java code was updated today (2008-01-10).
>
> Thanks,
>
> Paul
>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     Destination="http://www.acmemls.com:80/recv-saml.jsp"
> ID="acmeidp1199978583569"
>     InResponseTo="acmemls1199978573054"
> IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
>     <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.com</saml:Issuer>
>     <samlp:Status>
>         <samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     </samlp:Status>
>     <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="acmeidp1199978583569"
>         IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
>         <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.com</saml:Issuer>
>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>                 <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>                 <ds:Reference URI="#acmeidp1199978583569"
>                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                     <ds:Transforms
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                         <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>                             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>                         <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>                             xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                 PrefixList="ds saml"/>
>                         </ds:Transform>
>                     </ds:Transforms>
>                     <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>                     <ds:DigestValue
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                         >6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
>                 </ds:Reference>
>                 <ds:Reference URI="#acmeidp1199978583569"
>                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                     <ds:Transforms
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                         <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>                             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>                         <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>                             xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                             <ec:InclusiveNamespaces
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                 PrefixList="ds saml"/>
>                         </ds:Transform>
>                     </ds:Transforms>
>                     <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>                     <ds:DigestValue
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                         >6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
>                 </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> h9M4de1l3sAl7Ue4qYk6UZ8gI/aDTWAg2Ueog3sZ2COkkOraoaDKWhsx2kcz6l0qguNCbLfCVQq3
> eSmRR2R8VileLsVdvTssKZ5OYvvAKOMnJgueeGC1ZqElp9NWRf7p+qmAMytynxQG64JGJnFqO2fG
> NzORvH8ZZRSVgZmrhdU=</ds:SignatureValue>
>         </ds:Signature>
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
, http://www.switch.ch
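The two symptoms discussed in this thread (a SignedInfo carrying two identical ds:Reference elements, and a Reference URI="#id" that the verifier cannot resolve to the signed element) can be caught by a structural pre-check before any cryptographic verification is attempted. The following is an added example for this archive page; it is not code from the thread, from OpenSAML, Shibboleth or Sun's Lightbulb extension. It uses Python's standard library rather than Java because it inspects the XML structure, not the OpenSAML API. The sample response it builds is constructed for the example and only mimics the shape of the message quoted above; the NCName regex is an ASCII approximation of what xs:ID allows. Note that in the quoted XML both samlp:Response and saml:Assertion carry ID="acmeidp1199978583569", which is exactly the case where a same-document reference resolves to more than one element, so the check reports it.

```python
"""Structural checks on an enveloped XML signature inside a SAML 2.0 response.

Reports, as a defender's pre-check before signature verification:
  * duplicate ds:Reference elements under one ds:SignedInfo
  * a Reference URI that is not a same-document reference ("#id")
  * a "#id" that resolves to zero or several elements carrying that ID
  * an ID attribute value that is not a valid xs:ID (NCName), e.g. "#abc"
  * a Reference that lacks the enveloped-signature transform
"""
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# ASCII approximation of NCName: no ':' or '#', must not start with a digit.
NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def check_references(xml_text):
    """Return a list of problem strings; [] means the SignedInfo is sound."""
    root = ET.fromstring(xml_text)
    problems = []

    # Index every element carrying a plain 'ID' attribute, as SAML uses.
    ids = {}
    for el in root.iter():
        if "ID" in el.attrib:
            ids.setdefault(el.attrib["ID"], []).append(el)
    for value in ids:
        if not NCNAME.match(value):
            problems.append(f"ID={value!r} is not a valid xs:ID (NCName)")

    for sig in root.iter(DS + "Signature"):
        refs = sig.findall(f"./{DS}SignedInfo/{DS}Reference")
        uris = [r.get("URI", "") for r in refs]
        # A SAML enveloped signature carries one Reference per signed element.
        for uri in sorted(set(uris)):
            if uris.count(uri) > 1:
                problems.append(f"duplicate Reference URI={uri!r}")
        for ref, uri in zip(refs, uris):
            if not uri.startswith("#"):
                problems.append(f"Reference URI={uri!r} is not a same-document reference")
                continue
            target = uri[1:]
            matches = ids.get(target, [])
            if len(matches) != 1:
                problems.append(
                    f"Reference URI={uri!r} resolves to {len(matches)} elements with ID={target!r}"
                )
            transforms = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
            if ENVELOPED not in transforms:
                problems.append(f"Reference URI={uri!r} lacks the enveloped-signature transform")
    return problems


def build_response(response_id, assertion_id, duplicate_reference=False):
    """Constructed sample (hypothetical IDs, dummy digest/signature values)
    in the shape of the thread's response; the Reference URI is derived from
    the assertion ID the way the thread describes ("#" + ID)."""
    reference = (
        f'<ds:Reference URI="#{assertion_id}">'
        "<ds:Transforms>"
        f'<ds:Transform Algorithm="{ENVELOPED}"/>'
        f'<ds:Transform Algorithm="{EXC_C14N}"/>'
        "</ds:Transforms>"
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        "<ds:DigestValue>AAAA</ds:DigestValue>"
        "</ds:Reference>"
    )
    if duplicate_reference:  # reproduce the duplicated node from the thread
        reference = reference * 2
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        f'ID="{response_id}" Version="2.0">'
        f'<saml:Assertion ID="{assertion_id}" Version="2.0">'
        "<saml:Issuer>http://idp.example</saml:Issuer>"
        "<ds:Signature><ds:SignedInfo>"
        f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
        f"{reference}"
        "</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>"
        "</saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    print("clean:", check_references(build_response("r1", "a1")))
    print("duplicate:", check_references(build_response("r1", "a1", True)))
    print("same ID on Response and Assertion:", check_references(build_response("x", "x")))
    print("'#' inside the ID value:", check_references(build_response("r1", "#a1")))
```

The last case models the workaround mentioned in the top message: putting the "#" into the ID value itself makes the Reference URI "##a1" resolve against an element whose ID is "#a1", so a lenient verifier stops complaining, but the ID is then no longer a valid xs:ID and a strict parser or schema validator will reject it.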

Archive powered by MHonArc 2.6.16.