
mace-opensaml-users - Re: [opensaml2.0]Validating XML Signature

Subject: OpenSAML user discussion


Re: [opensaml2.0]Validating XML Signature


  • From: Dimuthu Leelarathne <>
  • To:
  • Subject: Re: [opensaml2.0]Validating XML Signature
  • Date: Wed, 06 Feb 2008 12:07:15 +0530
  • Organization: WSO2

Hi All,

The issue occurs when creating the modulus and exponent as a BigInteger
from the Base64 decoded text.

I managed to overcome my problem by using the following method. This is
the same path taken by the xmlsec-1.4.1 people.

org.apache.xml.security.utils.Base64.decodeBigIntegerFromElement(Element element);


When I take the following path things fail.

KeyValue val = (KeyValue) keyValueList.get(0);
RSAKeyValue rsaKey = val.getRSAKeyValue();
String modulus = rsaKey.getModulus().getValue();
BigInteger mod = new BigInteger(Base64.decode(modulus));

So I have uploaded both Java classes for your review.

Here the signature validates [1]
Here the signature fails [2]

Thanks,
Dimuthu

[1]http://ww2.wso2.org/~dimuthul/SAML2TestSuccess.java
[2]http://ww2.wso2.org/~dimuthul/SAML2Test.java


On Wed, 2008-02-06 at 10:20 +0530, Dimuthu Leelarathne wrote:
> Hi All,
>
> Thank you all for all the replies and ideas.
>
> This is a SAML token generated by the Microsoft Cardspace Identity
> Selector. Yes, the ID is invalid, but it is not what caused the
> signature verification failure.
>
> To my extreme delight the signature validates successfully when I use
> the pure xmlsec-1.4.1.jar.
>
> So the most logical explanation is that I am doing something wrong when
> generating the public key using the modulus and exponent inside my
> X509Credential impl.
>
> I can't figure out what is wrong, because it is a simple key generation
> using RSAPublicKeySpec.[1]
>
> Please let me know if there is a better way to create the public key
> from modulus and exponent.
>
> I will keep you updated on what is happening.
>
> Thank you,
> Dimuthu
>
> [1]
> RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, publicExponent);
> KeyFactory keyFactory = KeyFactory.getInstance("RSA");
> publicKey = keyFactory.generatePublic(spec);
>
>
>
> On Tue, 2008-02-05 at 19:02 +0100, Chad La Joie wrote:
> > Ah, yes, you're right. I read a '.' as ':' when I was looking at the
> > spec.
> >
> > I suspect that isn't the problem here, however. And yeah, OpenSAML, at
> > least the Java version, isn't going to catch that unless you do schema
> > validation.
> >
> > Scott Cantor wrote:
> > >> It's valid. An ID just has to be a string (with a few character
> > >> limits), not a URI or anything. So that's valid. This error is almost
> > >> certainly screwing up the XML before the library gets it.
> > >
> > > No, I just checked, it's not legal.
> > >
> > > http://www.w3.org/TR/1999/REC-xml-names-19990114/#NT-NCName
> > >
> > > Anybody accepting that as an ID has broken code. Of course, absent
> > > schema
> > > processing, lots of ID code is brute forced and it might work by
> > > accident,
> > > even in OpenSAML.
> > >
> > > But somebody should inform the producer of that SAML that their code is
> > > wrong regardless.
> > >
> > > -- Scott
> > >
> > >
> >
>
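The difference between the two paths in the message above comes down to which BigInteger constructor is used on the Base64-decoded bytes. ds:Modulus and ds:Exponent are ds:CryptoBinary values, i.e. the Base64 of an unsigned big-endian magnitude, and xmlsec's decodeBigIntegerFromElement builds the value with new BigInteger(1, bytes), which forces a positive signum. new BigInteger(bytes) instead reads the bytes as two's complement, so a modulus whose top bit is set (every full-length RSA modulus) comes back negative and the reconstructed key no longer matches the signer's. The following stand-alone demo is an added example, not code from this thread, OpenSAML or xmlsec; the class name, the helper names and the throwaway key it generates are all my own constructions, and the Base64 strings are built from that key rather than taken from any real token.

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

// Constructed example: shows why decoding ds:RSAKeyValue with new BigInteger(byte[])
// yields the wrong key while new BigInteger(1, byte[]) yields the right one.
public class RsaKeyValueDecodeDemo {

    // The failing path from the thread: Base64 -> byte[] -> signed two's-complement BigInteger.
    static BigInteger decodeSigned(String base64) {
        return new BigInteger(Base64.getMimeDecoder().decode(base64));
    }

    // The working path: the magnitude is unsigned, so set signum = 1 explicitly
    // (this is what xmlsec's decodeBigIntegerFromElement does).
    static BigInteger decodeUnsigned(String base64) {
        return new BigInteger(1, Base64.getMimeDecoder().decode(base64));
    }

    // Same key construction as in the quoted message.
    static PublicKey buildKey(BigInteger modulus, BigInteger exponent) throws Exception {
        RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
        return KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    // ds:CryptoBinary carries the magnitude without the 0x00 sign byte toByteArray() prepends.
    static byte[] stripLeadingZero(byte[] b) {
        if (b.length > 1 && b[0] == 0) {
            byte[] out = new byte[b.length - 1];
            System.arraycopy(b, 1, out, 0, out.length);
            return out;
        }
        return b;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a throwaway 2048-bit key, so the modulus has its top bit set.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        RSAPublicKey original = (RSAPublicKey) kpg.generateKeyPair().getPublic();

        String modulusB64 = Base64.getMimeEncoder()
                .encodeToString(stripLeadingZero(original.getModulus().toByteArray()));
        String exponentB64 = Base64.getMimeEncoder()
                .encodeToString(stripLeadingZero(original.getPublicExponent().toByteArray()));

        BigInteger modSigned = decodeSigned(modulusB64);
        BigInteger modUnsigned = decodeUnsigned(modulusB64);
        BigInteger exp = decodeUnsigned(exponentB64);

        System.out.println("signed   decode: signum=" + modSigned.signum()
                + " equalsOriginal=" + modSigned.equals(original.getModulus()));
        System.out.println("unsigned decode: signum=" + modUnsigned.signum()
                + " equalsOriginal=" + modUnsigned.equals(original.getModulus()));

        // Whether the provider rejects a negative modulus or silently accepts it varies by JDK;
        // either way the resulting key cannot verify the signer's signature.
        try {
            PublicKey wrong = buildKey(modSigned, exp);
            System.out.println("signed decode built a key that equals original: " + wrong.equals(original));
        } catch (Exception e) {
            System.out.println("signed decode rejected by KeyFactory: " + e);
        }

        PublicKey rebuilt = buildKey(modUnsigned, exp);
        System.out.println("unsigned decode rebuilt key equals original: " + rebuilt.equals(original));
    }
}
```

Compile and run with javac RsaKeyValueDecodeDemo.java && java RsaKeyValueDecodeDemo; the MIME decoder is used because XML Signature Base64 text may contain line breaks. The defender-relevant point is that the wrong constructor fails closed (verification fails, as the thread observed) rather than accepting a bad signature, but it does so with a misleading error, so validating signum and bit length of the decoded modulus before building the key makes the failure obvious.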



