mace-opensaml-users - Re: Problems signing/validating metadata
Subject: OpenSAML user discussion
List archive
- From: Brent Putman <>
- To:
- Subject: Re: Problems signing/validating metadata
- Date: Mon, 11 Feb 2008 15:10:48 -0500
Chad La Joie wrote:
Do you mean you think that signing implies schema or signature validation? Neither is true.
I get the following error:
ERROR org.opensaml.xml.signature.Signer - An error occured computing the digital signature
org.apache.xml.security.signature.XMLSignatureException: Cannot resolve element with ID null
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID null
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID null
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID null
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID null
at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
at org.opensaml.xml.signature.Signer.signObject(Signer.java:76)
at net.geant.edugain.validation.SAMLSigner.sign(SAMLSigner.java:286)
at net.geant.edugain.validation.SAMLSigner.sign(SAMLSigner.java:253)
at test.SignatureTest.main(SignatureTest.java:55)
That error is pretty clear. You don't have an ID in what you're trying to sign. See SAML 2 metadata spec, line 374
Yeah, we were just discussing this elsewhere. The SAML 2 metadata spec signature profile requires an ID attribute on the object to be signed. So you should endeavor to do that if you want to be spec-compliant. However, it is apparently common that people sign using whole document references (so Reference URI="" or absent), so the patch I checked in Sunday to the SAML content reference now supports signing in that manner if there is no ID attribute. Note in common usage in SAML 2 this could realistically only be metadata (because ID is optional there, no so in assertion and protocol elements), and you could only do it for the root EntityDescriptor or EntitiesDescriptor obviously.
It's really probably better if you always use an ID attribute, though.
2. Signing an example metadata xml file, which is almost the same as the first EntityDescriptor example from the OASIS Metadata for SAML 2.0 spec so it should be correct and I can succesfully unmarshal it. I'm enclosing the file in attachment. In this case, I get a different kind of error, which I haven't been able to solve either:
java.lang.NullPointerException
at java.util.TreeMap.compare(TreeMap.java:1093)
at java.util.TreeMap.put(TreeMap.java:465)
at java.util.TreeSet.add(TreeSet.java:210)
at java.util.AbstractCollection.addAll(AbstractCollection.java:318)
at java.util.TreeSet.addAll(TreeSet.java:258)
at java.util.TreeSet.<init>(TreeSet.java:143)
at org.apache.xml.security.transforms.params.InclusiveNamespaces.<init>(Unknown Source)
at org.opensaml.common.impl.SAMLObjectContentReference.processExclusiveTransform(SAMLObjectContentReference.java:172)
at org.opensaml.common.impl.SAMLObjectContentReference.createReference(SAMLObjectContentReference.java:142)
at org.opensaml.xml.signature.impl.SignatureMarshaller.createSignatureElement(SignatureMarshaller.java:114)
at org.opensaml.xml.signature.impl.SignatureMarshaller.marshall(SignatureMarshaller.java:69)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:317)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:225)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:131)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:87)
at net.geant.edugain.validation.SAMLSigner.sign(SAMLSigner.java:281)
at net.geant.edugain.validation.SAMLSigner.sign(SAMLSigner.java:253)
at test.SignatureTest.main(SignatureTest.java:55)
This was just patched by Brent, last night, I think. Try again with the latest code from trunk.
Yes, we weren't properly handling the default namespace prefix case for exclusive c14n inclusive namespace in the SAML content reference. Should be fixed now. Let me know if not.
- OpenSAML 2, Java, Release Candidate 2 Available, Chad La Joie, 02/08/2008
- Problems signing/validating metadata, Manuela Stanica, 02/11/2008
- Re: Problems signing/validating metadata, Chad La Joie, 02/11/2008
- Re: Problems signing/validating metadata, Brent Putman, 02/11/2008
- Re: Problems signing/validating metadata, Manuela Stanica, 02/12/2008
- Re: Problems signing/validating metadata, Chad La Joie, 02/12/2008
- Re: Problems signing/validating metadata, Manuela Stanica, 02/12/2008
- Re: Problems signing/validating metadata, Chad La Joie, 02/12/2008
- Re: Problems signing/validating metadata, Brent Putman, 02/12/2008
- RE: Problems signing/validating metadata, Scott Cantor, 02/12/2008
- Message not available
- Re: Problems signing/validating metadata, Brent Putman, 02/12/2008
- Re: Problems signing/validating metadata, Manuela Stanica, 02/13/2008
- Re: Problems signing/validating metadata, Brent Putman, 02/13/2008
- Re: Problems signing/validating metadata, Tom Scavo, 02/13/2008
- Re: Problems signing/validating metadata, Manuela Stanica, 02/12/2008
- Re: Problems signing/validating metadata, Chad La Joie, 02/12/2008
- Re: Problems signing/validating metadata, Manuela Stanica, 02/12/2008
- Re: Problems signing/validating metadata, Brent Putman, 02/11/2008
- Re: Problems signing/validating metadata, Chad La Joie, 02/11/2008
- Problems signing/validating metadata, Manuela Stanica, 02/11/2008
Archive powered by MHonArc 2.6.16.