mace-opensaml-users - Re: Getting the xml signature from a Signature object
Subject: OpenSAML user discussion
- From: "Håkon Sagehaug" <>
- To:
- Subject: Re: Getting the xml signature from a Signature object
- Date: Fri, 11 Jan 2008 15:04:18 +0100
Hi
I noticed that the ds:Reference element missed its URI attribute; it should be like this
<ds:Reference URI="#_78d842bb-eff5-404c-915c-fc2fb7e78dde">
....
</ds:Reference>
2008/1/11, Håkon Sagehaug <>:
Hi
here it is
<saml:Assertion ID="_78d842bb-eff5-404c-915c-fc2fb7e78dde"
IssueInstant="2008-01-07T15:32:21.915Z" Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>CN=datatag6.cnaf.infn.it,L=CNAF,OU=Host,O=INFN,C=IT</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_78d842bb-eff5-404c-915c-fc2fb7e78dde">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
<ec:InclusiveNamespaces PrefixList="ds saml xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>EWagTntAdedkNVkj10rDVFgrdx8D+flm5MkDrq72ljY=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>Signatuevalue</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>x509cert</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
subjectname
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml:SubjectConfirmationData>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>x509 for confirmation</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2008-01-07T15:32:22.006Z"
NotOnOrAfter="2008-01-07T15:32:22.006Z"/>
<saml:AttributeStatement>
<saml:Attribute Name="http://voms.forge.cnaf.infn.it/group"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:string"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
/omiieurope/INFN
</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema">
/omiieurope
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
2008/1/11, Chad La Joie <>:
Can you show the actual assertion?
Håkon Sagehaug wrote:
> Hi
>
> More questions on this
>
> I always get a validationException that says
>
> Verification failed for URI "#_78d842bb-eff5-404c-915c-fc2fb7e78dde"
>
> So what I have is a saml response that has a saml assertion which is signed
> like this
>
> <Response ID="_09af3cb9-6636-4bed-b61f-7c5606821952">
> <saml:Assertion ID="_78d842bb-eff5-404c-915c-fc2fb7e78dde" >
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignatureValue>jncjnncjnsjncjsn
> </ds:SignatureValue><ds:KeyInfo><ds:X509Data>
> <ds:X509Certificate>
> </ds:X509Certificate>
> </ds:X509Data>x509sdabdjsabjdbasjkdnsjkandjk</ds:KeyInfo>
> </ds:Signature>
> </saml:Assertion>
> </Response>
>
> I unmarshal the response and get the assertion out, then I construct a
> java x509 cert
> and then create a basicCredential like this
>
> BasicX509Credential x509Credential = new BasicX509Credential();
> x509Credential.setEntityCertificate(cert);
>
> SignatureValidator validator = new SignatureValidator(x509Credential);
> validator.validate(signature);
>
> Signature is the signature from the saml assertion but I get the URI
> reference error, any tips??
>
> cheers, Håkon
>
> 2008/1/11, Håkon Sagehaug <>:
>
> I just wanted to be able to validate the signature and I thought I
> needed it
>
>
>
> 2008/1/11, Chad La Joie <>:
>
> Yes.
>
> Not saying there isn't some sort of use case where you might
> need the
> Signature value, I just wasn't aware of any so I was trying to
> see if
> you had come upon one.
>
> Håkon Sagehaug wrote:
> > Hi
> >
> > I guess I don't need it, I thought I might need it for
> verifying the
> > signature, but I guess I just do something like
> >
> > SignatureValidator sigValidator = new
> SignatureValidator(goodCredential);
> > sigValidator.validate(signature);
> >
> > as in the provided unit tests
> >
> > cheers
> >
> > 2008/1/11, Chad La Joie <>:
> >
> > Not that I know of. We didn't do a full set of XMLObject
> for the
> > Signature spec. We only did those objects that people
> might need to
> > create, which is pretty much just the KeyInfo stuff.
> >
> > What do you need that value for?
> >
> > Håkon Sagehaug wrote:
> > > Hi
> > >
> > > I was trying to get the xml signature value out of a Signature
> > object, but
> > > noticed that the interface doesn't support this method,
> but the
> > > SignatureImpl does. Is there another method to get the
> xml signature
> > > value out of the Signature Object?
> > >
> > > cheers, Håkon
> > >
> > > --
> > > Håkon Sagehaug
> > > Research Assistant
> > > Parallab
> > > Bergen Center for Computational Science (BCCS)
> > > UNIFOB AS (University of Bergen Research Company)
> >
> > --
> > SWITCH
> > Serving Swiss Universities
> > --------------------------
> > Chad La Joie, Software Engineer, Security
> > Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> > phone +41 44 268 15 75, fax +41 44 268 15 68
> > http://www.switch.ch
> >
> >
> >
> >
> > --
> > Håkon Sagehaug
> > Research Assistant
> > Parallab
> > Bergen Center for Computational Science (BCCS)
> > UNIFOB AS (University of Bergen Research Company)
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Security
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> http://www.switch.ch
>
>
>
>
> --
>
> Håkon Sagehaug
> Research Assistant
> Parallab
> Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
>
>
>
>
> --
> Håkon Sagehaug
> Research Assistant
> Parallab
> Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
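
Added example (not part of the original thread and not OpenSAML code): a structural pre-check for the point raised at the top of this message, that the ds:Reference must carry a URI of "#" plus the ID of the assertion it is enveloped in. The names check_reference and sample are hypothetical, the sample XML is constructed around the ID quoted in the thread, and the check does not verify the digest or the signature value.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_reference(assertion_xml: str) -> str:
    """Return 'ok', or the reason the ds:Reference does not cover the assertion."""
    if "<!DOCTYPE" in assertion_xml:
        return "DOCTYPE not allowed"          # no DTDs or entities in SAML input
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return "root is not saml:Assertion"
    assertion_id = root.get("ID")
    if not assertion_id:
        return "assertion has no ID"
    # Only a ds:Signature that is a direct child of the assertion counts;
    # the ds:KeyInfo inside SubjectConfirmationData is not a signature.
    sigs = root.findall("ds:Signature", NS)
    if len(sigs) != 1:
        return "expected exactly one enveloped ds:Signature"
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return "expected exactly one ds:Reference"
    uri = refs[0].get("URI")
    if uri is None:
        return "ds:Reference has no URI attribute"
    if uri != "#" + assertion_id:
        return "ds:Reference URI does not point at the assertion ID"
    # The ID the reference resolves to must be unique in the document.
    if sum(1 for e in root.iter() if e.get("ID") == assertion_id) != 1:
        return "assertion ID is not unique"
    return "ok"

ASSERTION_ID = "_78d842bb-eff5-404c-915c-fc2fb7e78dde"  # ID quoted in the thread

def sample(reference_attrs: str) -> str:
    """Constructed, unsigned skeleton of the assertion for exercising the check."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="%s">'
        "<ds:Signature><ds:SignedInfo><ds:Reference%s/></ds:SignedInfo>"
        "</ds:Signature></saml:Assertion>" % (ASSERTION_ID, reference_attrs)
    )

if __name__ == "__main__":
    for attrs in (' URI="#%s"' % ASSERTION_ID, "", ' URI=""', ' URI="#_other"'):
        print(repr(attrs), "->", check_reference(sample(attrs)))
```

A result of "ok" only says the reference targets the assertion being consumed; the cryptographic validation still has to be done by the signature validator.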