mace-opensaml-users - Re: Reference Node in Signature Duplicated
Subject: OpenSAML user discussion
- From: Chad La Joie <>
- Subject: Re: Reference Node in Signature Duplicated
- Date: Thu, 10 Jan 2008 17:59:23 +0100
- Organization: SWITCH
If this is true then Sun's code is wrong. The "#" represents an in-document reference by URL fragment.
Paul Hethmon wrote:
Ok, to go slightly off-topic here and more into the general SAML realm, but I think it is relevant. The error from the Sun library on "reference validation failed" turned out to be that my assertion ID values were done as:
ID="acmeidp123456789"
Then per spec, the OpenSAML library generated the Reference URI value as:
URI="#acmeidp123456789"
By simply changing my ID value to have the # symbol in front, this error went away. Section 5.4.2 of the saml-core document says that OpenSAML and my code are correct. Sun evidently thinks differently.
Opinions?
Thanks,
Paul
On 1/10/08 11:26 AM, "Paul Hethmon" <> wrote:
Ok. So I did find where I added the second reference, not realizing
what I was doing. It always seems you can figure it out once you ask
someone else the question.
However, still getting the same reference error. If anyone has any
experience working against the Sun PHP extensions and can offer any
advice, it would be welcome.
Thanks,
Paul
On 1/10/08 11:17 AM, "Chad La Joie" <> wrote:
The Shib IdP on my test machine, which is using the latest OpenSAML
code, doesn't have duplicate references.
Is your code adding any references? The OpenSAML code takes care of all
the reference objects for SAML compliant signatures (so you don't have
to do it).
Paul Hethmon wrote:
> Ok, not sure where this is getting done, whether it's my use of the OpenSAML
> code or the OpenSAML code. I'm trying to get my IdP implementation (Java)
> working with the Lightbulb PHP SP (http://opensso.dev.java.net/public/extensions/)
> code from Sun. What I am seeing is an error from their library saying:
>
> Error: Reference validation failed
>
> Tracing through their code, it appears that it is saying there is a problem
> with the <ds:Reference> node in the signature. I then took a look at what
> I'm generating and I see two identical <ds:Reference> nodes (xml at the end
> of this message).
>
> I looked through my signature generating code and don't see anything which
> looks like it ought to cause two Reference nodes to be emitted. So does
> anyone know of anything I should look for in my code? Does anyone have an
> IdP using the Java libs that does *not* send out two Reference nodes?
>
> For reference, my OpenSAML Java code was updated today (2008-01-10).
>
> Thanks,
>
> Paul
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     Destination="http://www.acmemls.com:80/recv-saml.jsp"
>     ID="acmeidp1199978583569"
>     InResponseTo="acmemls1199978573054"
>     IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.com</saml:Issuer>
>   <samlp:Status>
>     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>   </samlp:Status>
>   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>       ID="acmeidp1199978583569"
>       IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.com</saml:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>         <ds:Reference URI="#acmeidp1199978583569" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>               <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                   PrefixList="ds saml"/>
>             </ds:Transform>
>           </ds:Transforms>
>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>               xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>           <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
>         </ds:Reference>
>         <ds:Reference URI="#acmeidp1199978583569" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>               <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                   PrefixList="ds saml"/>
>             </ds:Transform>
>           </ds:Transforms>
>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>               xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>           <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
>         </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> h9M4de1l3sAl7Ue4qYk6UZ8gI/aDTWAg2Ueog3sZ2COkkOraoaDKWhsx2kcz6l0qguNCbLfCVQq3
> eSmRR2R8VileLsVdvTssKZ5OYvvAKOMnJgueeGC1ZqElp9NWRf7p+qmAMytynxQG64JGJnFqO2fG
> NzORvH8ZZRSVgZmrhdU= </ds:SignatureValue>
>     </ds:Signature>
>
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
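The fragment-reference rule Chad states above, as an added example that is not code from the thread, from OpenSAML or from Sun's library: it resolves each ds:Reference URI as an XML Signature same-document reference (strip the "#", match the ID attribute), contrasts that with a literal comparison, and reports a Reference listed twice and an ID value used on more than one element (the quoted response carries the same ID on the Response and on the Assertion). The three constructed inputs and all function names are the example's own.

```python
# Added example (not code from the thread or the libraries it names).
# Resolves ds:Reference URIs as XML Signature same-document references.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def build_response(response_id, assertion_id, reference_uris):
    """Constructed minimal SAML response with an enveloped-signature
    skeleton; only the IDs and Reference URIs matter for this check."""
    refs = "".join(f'<ds:Reference URI="{u}"/>' for u in reference_uris)
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="{response_id}">'
        f'<saml:Assertion ID="{assertion_id}"><ds:Signature><ds:SignedInfo>'
        f"{refs}</ds:SignedInfo></ds:Signature></saml:Assertion></samlp:Response>"
    )

def resolve_fragment(root, uri):
    """Spec behaviour: '#id' names the element whose ID attribute is 'id'.
    Returns every match; a verifier needs exactly one."""
    if not uri.startswith("#"):
        return []  # empty or external URI: out of scope here
    return [el for el in root.iter() if el.get("ID") == uri[1:]]

def literal_match(root, uri):
    """The mistake the thread attributes to the Sun library: compare the raw
    URI, '#' included, against ID attributes. A correct '#id' never matches."""
    return [el for el in root.iter() if el.get("ID") == uri]

def check_references(xml_text):
    """Return the Reference URIs in SignedInfo and a list of findings."""
    root = ET.fromstring(xml_text)
    uris = [r.get("URI") for r in root.find(f".//{DS}SignedInfo").findall(f"{DS}Reference")]
    findings = []
    if len(uris) != len(set(uris)):
        findings.append("duplicate ds:Reference")
    for uri in dict.fromkeys(uris):  # unique URIs, original order
        hits = resolve_fragment(root, uri)
        if not hits:
            findings.append(f"unresolvable {uri}")
        elif len(hits) > 1:
            findings.append(f"ambiguous {uri}: ID on {len(hits)} elements")
    return uris, findings

# Constructed inputs mirroring the thread: as posted, the "#" workaround, the fix.
AS_POSTED = build_response("acmeidp1199978583569", "acmeidp1199978583569",
                           ["#acmeidp1199978583569"] * 2)
WORKAROUND = build_response("resp1", "#acmeidp123456789", ["#acmeidp123456789"])
CORRECT = build_response("resp1", "acmeidp123456789", ["#acmeidp123456789"])
```

Under `resolve_fragment` the "#"-prefixed ID workaround no longer resolves at all, while `literal_match` accepts it and rejects the spec-conforming form.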