
mace-opensaml-users - Re: OpenSaml 2 Signature Validation Error

Subject: OpenSAML user discussion


Re: OpenSaml 2 Signature Validation Error


  • From: Chad La Joie <>
  • To:
  • Subject: Re: OpenSaml 2 Signature Validation Error
  • Date: Wed, 16 Jan 2008 08:18:14 +0100
  • Organization: SWITCH

As Scott said, it's almost certainly step 7 that is the problem. If you aren't using the XMLHelper.nodeToString(Node) method try that. After much testing the small bit of logic in that method represents the manner I found least likely to break the signature.


wrote:
Hi -
This is my first experience with OpenSaml, although I am quite familiar with
SAML itself as well as dsig & encryption. I have compiled the opensaml
libraries and am in the process of doing some basic testing using the Java API.
Here is my logic in my test code
1) Build SAML 2.0 assertion using OpenSaml 2.0 objects
2) digitally sign (using OpenSaml)
3) Call SignatureValidator.validate passing SAMLObject from (2) as param = OK
4) marshall to DOM
5) Call SignatureValidator.validate after unmarshalling DOM from (4) to SAMLObject = OK
6) write DOM to XML string
7) Call SignatureValidator.validate after parsing xml string from (6) to DOM & unmarshalling to SAMLObject = FAILS!

Step 7 fails with "Signature did not validate against the credential's key"

I was able to step through the code, and can see that the validation is failing due to a mismatch of the computed digest and the one present in the ds:DigestValue field (at the apache xml security code level).
However, I am quite confused as to why 3 & 5 work OK, but 7 does not.

Here is the exception I am seeing:
Exception in thread "main" org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
        at OpenSamlGeneratorTest.verifySignature(OpenSamlGeneratorTest.java:196)
Any help/suggestions are greatly appreciated!
Dave

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
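The round trip Dave describes (steps 1 through 7), with step 6 done through XMLHelper.nodeToString as Chad suggests, as an added example that is not code from this thread or from the OpenSAML project. It assumes OpenSAML 2.x on the classpath, a constructed throwaway RSA key pair and a constructed assertion ID; the serialization step is the one that decides whether the bytes the digest was computed over survive.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignedAssertionRoundTrip {
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");   // constructed test key, not a deployment key
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Credential cred = SecurityHelper.getSimpleCredential(kp.getPublic(), kp.getPrivate());
        // Steps 1-2: build a minimal assertion and attach a Signature element to it.
        Assertion assertion = (Assertion) bf.getBuilder(Assertion.DEFAULT_ELEMENT_NAME).buildObject(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID("_example-assertion-id");   // constructed; the signature Reference URI points at this ID
        Signature sig = (Signature) bf.getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.setSignature(sig);
        // Step 4 must precede signing in OpenSAML 2: the digest is computed over the marshalled DOM.
        Element signedDom = Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(sig);
        // Step 6: serialise the signed DOM as-is. A serializer that re-indents, renames namespace
        // prefixes or re-encodes characters alters the digested bytes and makes step 7 fail.
        String xml = XMLHelper.nodeToString(signedDom);
        // Step 7: parse the string with a namespace-aware parser, unmarshal, validate with the public key.
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Document doc = pool.parse(new StringReader(xml));
        Unmarshaller u = Configuration.getUnmarshallerFactory().getUnmarshaller(doc.getDocumentElement());
        Assertion parsed = (Assertion) u.unmarshall(doc.getDocumentElement());
        new SignatureValidator(cred).validate(parsed.getSignature());   // throws ValidationException on a bad digest
        System.out.println("signature still valid after the string round trip");
    }
}
```

If the same code is run with step 6 replaced by a pretty-printing Transformer, the ValidationException from the thread reappears, which is a quick way to confirm which serializer a test harness is really using.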




