OpenSAML user discussion

[Xavier Drudis Ferran <>]

On Mon, Mar 03, 2008 at 10:52:01AM -0500, Scott Cantor wrote:
> Short answer: you're wrong about how signatures work. ;-)
> 
> The signature step that's failing is digesting the actual content of the
> Signature element (minus ds:KeyInfo, which is not signed). Any whitespace
> changes inside there will break the signature. If you can "fix" it by
> removing whitespace then you're not transporting the message intact to begin
> with.
> 

Ah!. So the only part unsigned it's the KeyInfo! (and I pressume the
SignatureValue, because that would be recursive). I thought it was the
whole Signature element. That explains it all. The SignedInfo contains
lf and is therefore different between the validated and not validated
versions.  Thank you very much. So then the 
 
INFO  [org.apache.xml.security.signature.Reference] Verification successful 
for URI "..."

only means that the part outside the Signature generates the same
DigestValue as is in the Signature's SignedInfo, but later some digest
of the SignedInfo (or it plus something more) is calculated before validating
with the signer's public key, and that fails because of the whitespace
differences. Right? 

About the transport breaking the message: yes, but it may be because I
still haven't tested the real transport, for now I just got a sample
saml assertion from the other party (in a file by email), and the
breakage may be some manual manipulation that won't happen in
production (at least so I hope until we test, the other option is they
are somehow marshalling the signature wrong). So I hope I don't have
to code that whitespace removal.

Thanks again.

 

-- 
Xavi Drudis Ferran