mace-opensaml-users - Re: [opensaml2.0]Validating XML Signature

Subject: OpenSAML user discussion


Re: [opensaml2.0]Validating XML Signature


  • From: Dimuthu Leelarathne <>
  • To:
  • Subject: Re: [opensaml2.0]Validating XML Signature
  • Date: Wed, 06 Feb 2008 10:20:16 +0530
  • Organization: WSO2

Hi All,

Thank you all for all the replies and ideas.

This is a SAML token generated by the Microsoft Cardspace Identity
Selector. Yes, the ID is invalid, but it is not what caused the
signature verification failure.

To my extreme delight the signature validates successfully when I use
the pure xmlsec-1.4.1.jar.

So the most logical explanation is that I am doing something wrong when
generating the public key using the modulus and exponent inside my
X509Credential impl.

I can't figure out what is wrong, because it is a simple key generation
using RSAPublicKeySpec [1].

Please let me know if there is a better way to create the public key
from modulus and exponent.

I will keep you updated on what is happening.

Thank you,
Dimuthu

[1]
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.spec.RSAPublicKeySpec;

// modulus and publicExponent are the BigIntegers decoded from the token's
// ds:RSAKeyValue; publicKey is the field the X509Credential impl exposes
RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, publicExponent);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
publicKey = keyFactory.generatePublic(spec);



On Tue, 2008-02-05 at 19:02 +0100, Chad La Joie wrote:
> Ah, yes, you're right. I read a '.' as ':' when I was looking at the spec.
>
> I suspect that isn't the problem here, however. And yeah, OpenSAML, at
> least the Java version, isn't going to catch that unless you do schema
> validation.
>
> Scott Cantor wrote:
> >> It's valid. An ID just has to be a string (with a few character
> >> limits), not a URI or anything. So that's valid. This error is almost
> >> certainly screwing up the XML before the library gets it.
> >
> > No, I just checked, it's not legal.
> >
> > http://www.w3.org/TR/1999/REC-xml-names-19990114/#NT-NCName
> >
> > Anybody accepting that as an ID has broken code. Of course, absent schema
> > processing, lots of ID code is brute forced and it might work by accident,
> > even in OpenSAML.
> >
> > But somebody should inform the producer of that SAML that their code is
> > wrong regardless.
> >
> > -- Scott
> >
> >
>
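
The RSAPublicKeySpec code in the footnote above is the standard way to build the key, so a failure of this kind usually comes from the step before it: turning the base64 text of ds:Modulus and ds:Exponent into BigIntegers. XML Signature encodes those values as ds:CryptoBinary, an unsigned big-endian octet string with leading zero octets stripped, and a 1024- or 2048-bit modulus therefore always has its top bit set. Java's one-argument BigInteger(byte[]) constructor reads that as a negative two's-complement number; the BigInteger(int signum, byte[]) form with signum 1 is the one that matches the encoding. The program below is an added example written for this archive page, not code from the thread, from OpenSAML or from xmlsec: it generates a throwaway RSA key, encodes its modulus and exponent the way ds:RSAKeyValue carries them, rebuilds the key from that text with the unsigned decode, verifies a signature with the rebuilt key, and shows that the signed decode of the same modulus comes out negative. The class name, the constructed payload bytes and the generated key are all assumptions of the example; it uses only JDK classes.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical class name; not part of OpenSAML or xmlsec.
public class RsaKeyValueDemo {

    // Encode a BigInteger as ds:CryptoBinary does: unsigned big-endian octets,
    // leading zero octets removed, then base64.
    static String toCryptoBinary(BigInteger value) {
        byte[] bytes = value.toByteArray(); // two's complement: may carry a leading 0x00 sign byte
        if (bytes.length > 1 && bytes[0] == 0) {
            bytes = Arrays.copyOfRange(bytes, 1, bytes.length);
        }
        return Base64.getEncoder().encodeToString(bytes);
    }

    // Correct decode: signum 1 forces an unsigned reading whatever the top bit is.
    static BigInteger fromCryptoBinary(String base64) {
        return new BigInteger(1, Base64.getDecoder().decode(base64));
    }

    // The same steps as the footnote code, fed by the unsigned decode.
    static PublicKey buildRsaPublicKey(String modulusB64, String exponentB64) throws Exception {
        RSAPublicKeySpec spec = new RSAPublicKeySpec(
                fromCryptoBinary(modulusB64), fromCryptoBinary(exponentB64));
        return KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key standing in for the token issuer's key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey original = (RSAPublicKey) kp.getPublic();

        // Constructed stand-in for the text content of <ds:Modulus> and <ds:Exponent>.
        String modulusB64 = toCryptoBinary(original.getModulus());
        String exponentB64 = toCryptoBinary(original.getPublicExponent());

        // Constructed payload; a real verifier signs the canonicalized SignedInfo.
        byte[] data = "<saml:Assertion/>".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();

        // Rebuild the key from the encoded text and verify with it.
        RSAPublicKey rebuilt = (RSAPublicKey) buildRsaPublicKey(modulusB64, exponentB64);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(rebuilt);
        verifier.update(data);
        System.out.println("rebuilt key verifies signature: " + verifier.verify(sig));
        System.out.println("rebuilt modulus matches original: "
                + rebuilt.getModulus().equals(original.getModulus()));

        // The pitfall: the signed constructor reads the 2048-bit modulus as negative.
        BigInteger signedRead = new BigInteger(Base64.getDecoder().decode(modulusB64));
        System.out.println("signed decode of modulus is negative: " + (signedRead.signum() < 0));
        System.out.println("signed and unsigned decodes agree: "
                + signedRead.equals(fromCryptoBinary(modulusB64)));
    }
}
```

Compile and run with javac/java; the first two lines print true and the last two print true and false. When comparing against xmlsec's own result, the quickest check is to print the modulus obtained from the custom credential and the modulus of the key xmlsec used: if the custom one is negative or differs in its leading bytes, the decode step is where to look.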



