mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key
Subject: OpenSAML user discussion
List archive
- From: "Håkon Sagehaug" <>
- To:
- Subject: Re: Classes needed for validating a saml assertion with a public key
- Date: Thu, 17 Jan 2008 13:24:43 +0100
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:references:x-google-sender-auth; b=TnMcKIMHD9a76pv0Vr5Qqf7Pt9IQYcpzp6/WVIC0kEjpEzFefjo67/HbMLf4IGoc4QUXfw+zmtmaO+a7EQ/7xmjHSEtRTewcv2hU2ou8j5oi17yvJaZtYOEREfLzk8FpYkTPI72hoE/7G2dcjPoOvoiz1yazqoquNRBZpZhuNrg=
Hi
Yes is probably changed on it's way. It's created with OpenSAML,I use a web service interface created with xfire that uses java xml bean for getting the response back to me, the orgin is a attribute query. The response is then marshalled and to a output stream and then unmarshalled into a opensaml response and then trying to validate the signature. But thanks for the help so fare
cheers, Håkon
2008/1/17, Brent Putman <>:
Håkon Sagehaug wrote:
>
>
>
> Hi
>
> Thanks for all the replays. So the *TrustEngines does both the trust
> evaluation of the keyInfo element and validating the signature inside
> the ds:signatureValue element.
Yes, exactly. More precisely the *SignatureTrustEngines do that (so not
*all* trust engines, just the ones that take a Signature object as the
untrusted token to validate).
> I've tried the approach with SignatureValidator, after I've checked
> that I trust the x509Certificate inside keyInfo,
> and done
>
> SignatureValidator validator = new SignatureValidator(x509Credential);
> where x509Credential is made from the info inside keyINfo
>
> and tried did
>
> validator.validate(samlAssertion.getSignature())
>
> but I always get this back
>
> WARN o.a.xml.security.signature.Reference - Verification failed for
> URI "#_05d3afc2-0e55-482e-a2b6-1533fa17f109"
> DEBUG o.o.xml.signature.SignatureValidator - Signature did not
> validate against the credential's key
Ok, then basically it means what it says. Either the signer made a
mistake and didn't include the right certificate in the KeyInfo, or more
likely, the XML document has actually been changed in some way that
breaks the signature. Likely causes are the way that the document was
serialized after it was signed for transmission over the network (e.g.
was pretty print formatted, etc) , or possibly by being inadvertently
changed before it was parsed and unmarshalled on the receiving side.
Remember that any change to the signed portion of the XML document after
signing, even the addition of a single space, newline or other
whitespace, will invalidate the signature.
--Brent
--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
- Re: Classes needed for validating a saml assertion with a public key, (continued)
- Re: Classes needed for validating a saml assertion with a public key, Håkon Sagehaug, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Brent Putman, 01/16/2008
- Message not available
- Re: Classes needed for validating a saml assertion with a public key, Håkon Sagehaug, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Chad La Joie, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Håkon Sagehaug, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Chad La Joie, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Brent Putman, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Håkon Sagehaug, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Håkon Sagehaug, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Håkon Sagehaug, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Brent Putman, 01/16/2008
- Re: Classes needed for validating a saml assertion with a public key, Håkon Sagehaug, 01/17/2008
- Re: Classes needed for validating a saml assertion with a public key, Brent Putman, 01/16/2008
Archive powered by MHonArc 2.6.16.