
mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key

Subject: OpenSAML user discussion


Re: Classes needed for validating a saml assertion with a public key


  • From: "Håkon Sagehaug" <>
  • To:
  • Subject: Re: Classes needed for validating a saml assertion with a public key
  • Date: Thu, 17 Jan 2008 13:24:43 +0100
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:references:x-google-sender-auth; b=TnMcKIMHD9a76pv0Vr5Qqf7Pt9IQYcpzp6/WVIC0kEjpEzFefjo67/HbMLf4IGoc4QUXfw+zmtmaO+a7EQ/7xmjHSEtRTewcv2hU2ou8j5oi17yvJaZtYOEREfLzk8FpYkTPI72hoE/7G2dcjPoOvoiz1yazqoquNRBZpZhuNrg=

Hi

Yes, it is probably changed on its way. It's created with OpenSAML; I use a web service interface created with XFire that uses Java XML beans for getting the response back to me; the origin is an attribute query. The response is then marshalled to an output stream and then unmarshalled into an OpenSAML response, and then I try to validate the signature. But thanks for the help so far.

cheers, Håkon

2008/1/17, Brent Putman <>:


Håkon Sagehaug wrote:
>
>
>
> Hi
>
> Thanks for all the replies. So the *TrustEngines does both the trust
> evaluation of the keyInfo element and validating the signature inside
> the ds:signatureValue element.


Yes, exactly.  More precisely the *SignatureTrustEngines do that (so not
*all* trust engines, just the ones that take a Signature object as the
untrusted token to validate).




> I've tried the approach with SignatureValidator, after I've checked
> that I trust the x509Certificate inside keyInfo,
> and done
>
> SignatureValidator validator = new SignatureValidator(x509Credential);
> where x509Credential is made from the info inside keyInfo
>
> and tried
>
> validator.validate(samlAssertion.getSignature())
>
> but I always get this back
>
> WARN   o.a.xml.security.signature.Reference - Verification failed for
> URI "#_05d3afc2-0e55-482e-a2b6-1533fa17f109"
> DEBUG o.o.xml.signature.SignatureValidator - Signature did not
> validate against the credential's key



Ok, then basically it means what it says.  Either the signer made a
mistake and didn't include the right certificate in the KeyInfo, or more
likely, the XML document has actually been changed in some way that
breaks the signature.  Likely causes are the way that the document was
serialized after it was signed for transmission over the network (e.g.
was pretty-print formatted, etc.), or possibly by being inadvertently
changed before it was parsed and unmarshalled on the receiving side.
Remember that any change to the signed portion of the XML document after
signing, even the addition of a single space, newline or other
whitespace, will invalidate the signature.


--Brent



--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
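The failure mode Brent describes above (a signed SAML document re-serialized in transit, so the Reference digest no longer matches) can be reproduced without OpenSAML at all. The following is an added example, not code from the thread or from the OpenSAML project: it uses only the Python standard library's C14N implementation to play the role of an XML-Signature Reference check. The `<saml:Assertion>` sample, its `ID` value and the helper names (`reference_digest`, `pretty_print`, `verify_reference`) are constructed for this illustration. It goes slightly beyond the thread by also showing a change that canonicalization does absorb (attribute reordering), to make clear which edits break a signature and which do not.

```python
"""Added example (not from the mailing-list thread): why re-serializing a
signed XML document breaks an XML-Signature Reference digest.

An XML-Signature verifier recomputes, for each <ds:Reference>, the digest of
the referenced element after canonicalization (C14N) and compares it with
the stored <ds:DigestValue>. Canonicalization normalizes things like
attribute order and quoting, but it does NOT strip whitespace text nodes,
so a transport layer that pretty-prints the document changes the digest.
"""
import hashlib
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed sample: the element a Reference URI="#_abc" would point at.
# (Hypothetical issuer and subject; not taken from the thread.)
SIGNED_ELEMENT = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_abc" Version="2.0">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)

# Same element with the two attributes swapped: a cosmetic change that
# Canonical XML normalizes (attributes are emitted in a defined order).
REORDERED_ATTRS = SIGNED_ELEMENT.replace(
    'ID="_abc" Version="2.0"', 'Version="2.0" ID="_abc"'
)


def reference_digest(element_xml: str) -> str:
    """Canonicalize (Canonical XML, as a Reference transform would) and hash.

    The signer stores this value in <ds:DigestValue>; the verifier recomputes
    it over the bytes it actually received. strip_text=False keeps whitespace
    text nodes, matching what C14N does.
    """
    canon = ET.canonicalize(xml_data=element_xml, strip_text=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def pretty_print(element_xml: str) -> str:
    """Simulate an intermediary that 'helpfully' indents the document.

    This inserts newline/indentation text nodes inside the signed element,
    exactly the kind of change Brent warns about.
    """
    return xml.dom.minidom.parseString(element_xml).toprettyxml(indent="  ")


def verify_reference(received_xml: str, expected_digest: str) -> bool:
    """What a verifier does per ds:Reference: recompute and compare."""
    return reference_digest(received_xml) == expected_digest


if __name__ == "__main__":
    stored = reference_digest(SIGNED_ELEMENT)        # value the signer stored
    print("unchanged      :", verify_reference(SIGNED_ELEMENT, stored))
    print("attrs reordered:", verify_reference(REORDERED_ATTRS, stored))
    print("pretty-printed :", verify_reference(pretty_print(SIGNED_ELEMENT), stored))
    print("subject edited :", verify_reference(SIGNED_ELEMENT.replace("alice", "bob"), stored))
```

The unchanged and attribute-reordered inputs verify, while the pretty-printed and edited inputs do not: the signature is over the canonical form of the bytes, not over the "meaning" of the document, so any serialization step between signing and verification must be byte-preserving for the signed subtree. That is the check to apply to the XFire/XMLBeans path in the message above: compare the bytes that left the signer with the bytes handed to `SignatureValidator`.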

