
mace-opensaml-users - Re: Enveloped signature accepted or not depending on LF inside the Signature element

Subject: OpenSAML user discussion


Re: Enveloped signature accepted or not depending on LF inside the Signature element


  • From: Xavier Drudis Ferran <>
  • To:
  • Subject: Re: Enveloped signature accepted or not depending on LF inside the Signature element
  • Date: Mon, 3 Mar 2008 17:11:09 +0100

On Mon, Mar 03, 2008 at 10:52:01AM -0500, Scott Cantor wrote:
> Short answer: you're wrong about how signatures work. ;-)
>
> The signature step that's failing is digesting the actual content of the
> Signature element (minus ds:KeyInfo, which is not signed). Any whitespace
> changes inside there will break the signature. If you can "fix" it by
> removing whitespace then you're not transporting the message intact to begin
> with.
>

Ah! So the only unsigned part is the KeyInfo! (and I presume the
SignatureValue, because that would be recursive). I thought it was the
whole Signature element. That explains it all. The SignedInfo contains
LF and is therefore different between the validated and non-validated
versions. Thank you very much. So then the

INFO [org.apache.xml.security.signature.Reference] Verification successful
for URI "..."

only means that the part outside the Signature generates the same
DigestValue as is in the Signature's SignedInfo, but later some digest
of the SignedInfo (or it plus something more) is calculated before validating
with the signer's public key, and that fails because of the whitespace
differences. Right?

About the transport breaking the message: yes, but it may be because I
still haven't tested the real transport; for now I just got a sample
SAML assertion from the other party (in a file by email), and the
breakage may be some manual manipulation that won't happen in
production (at least so I hope until we test; the other option is that they
are somehow marshalling the signature wrong). So I hope I don't have
to code that whitespace removal.

Thanks again.



--
Xavi Drudis Ferran
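The two-step check described in this exchange, as an added example that is not part of the thread and not OpenSAML or Apache Santuario code: step 1 strips the ds:Signature element, canonicalizes the rest and compares the hash with ds:DigestValue (the "Verification successful for URI" log line); step 2 canonicalizes ds:SignedInfo alone and verifies SignatureValue over exactly those bytes. To run with nothing but the Python standard library, HMAC-SHA256 with a constructed key stands in for the signer's RSA key pair, the standard library's C14N 2.0 stands in for the canonicalization method a real assertion would name, and the SAML element names, ID and key name are constructed sample data. The driver at the bottom shows the four cases the thread is about: an intact message, a line feed added inside KeyInfo (still verifies), a line feed added inside SignedInfo (reference digest still matches, signature fails), and a change to the signed content (reference digest fails).

```python
"""Toy model of the two checks an XML-DSig verifier runs on an enveloped
signature.  Added example, not OpenSAML/Santuario code: HMAC-SHA256 stands in
for the RSA key pair and stdlib C14N 2.0 for the named canonicalization."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS)
ET.register_namespace("saml", SAML)

# Constructed demo key; a real message is signed with the issuer's private key.
KEY = b"constructed-demo-key"


def ds(tag):
    return f"{{{DS}}}{tag}"


def c14n(elem):
    # C14N 2.0 keeps whitespace-only text nodes (strip_text defaults to False),
    # so a stray LF between elements changes the canonical bytes.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


def digest_of_document_minus_signature(root):
    """Step 1: the enveloped-signature transform removes ds:Signature; the
    remainder is canonicalized and hashed into ds:DigestValue."""
    doc = copy.deepcopy(root)
    for sig in doc.findall(ds("Signature")):
        doc.remove(sig)
    return b64(hashlib.sha256(c14n(doc).encode("utf-8")).digest())


def signature_over(signed_info):
    """Step 2: the signature covers the canonical bytes of ds:SignedInfo only,
    so ds:KeyInfo and ds:SignatureValue are outside it."""
    return b64(hmac.new(KEY, c14n(signed_info).encode("utf-8"), hashlib.sha256).digest())


def sign(root):
    sig = ET.SubElement(root, ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("SignatureMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    ref = ET.SubElement(si, ds("Reference"), URI="")
    ET.SubElement(ref, ds("DigestMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, ds("DigestValue")).text = digest_of_document_minus_signature(root)
    ET.SubElement(sig, ds("SignatureValue")).text = signature_over(si)
    # KeyInfo is a sibling of SignedInfo, not a child, hence unsigned.
    ET.SubElement(ET.SubElement(sig, ds("KeyInfo")), ds("KeyName")).text = "demo-key"
    return ET.tostring(root, encoding="unicode")


def verify(xml_text):
    """Return (reference_ok, signature_ok).  reference_ok is what the
    'Verification successful for URI' log line reports; signature_ok is the
    later check that fails when whitespace inside SignedInfo differs."""
    root = ET.fromstring(xml_text)
    sig = root.find(ds("Signature"))
    si = sig.find(ds("SignedInfo"))
    claimed_digest = si.find(f"{ds('Reference')}/{ds('DigestValue')}").text
    reference_ok = hmac.compare_digest(claimed_digest, digest_of_document_minus_signature(root))
    signature_ok = hmac.compare_digest(sig.find(ds("SignatureValue")).text, signature_over(si))
    return reference_ok, signature_ok


def build_signed_assertion():
    # Constructed minimal assertion: one Subject/NameID, then the signature.
    root = ET.Element(f"{{{SAML}}}Assertion", ID="_constructed-id")
    ET.SubElement(ET.SubElement(root, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = "alice"
    return sign(root)


if __name__ == "__main__":
    intact = build_signed_assertion()
    print("intact              ", verify(intact))
    print("LF inside KeyInfo   ", verify(intact.replace("</ds:KeyInfo>", "\n  </ds:KeyInfo>")))
    print("LF inside SignedInfo", verify(intact.replace("<ds:Reference", "\n    <ds:Reference")))
    print("subject tampered    ", verify(intact.replace(">alice<", ">mallory<")))
```

The third case is the one in the log above: the reference digest over the assertion body still matches, so the Reference check logs success, and only the signature over SignedInfo fails. Stripping whitespace on the receiving side would make this toy verify again, but it would also mean the receiver is no longer checking the bytes the sender actually signed, which is why fixing the transport (or the sender's marshalling) is the right repair.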



