mace-opensaml-users - RE: Reference Node in Signature Duplicated
Subject: OpenSAML user discussion
List archive
- From: "Sankaranainar, Naveen" <>
- To: <>
- Subject: RE: Reference Node in Signature Duplicated
- Date: Thu, 3 Apr 2008 23:03:05 -0400
- Importance: normal
- Priority: normal
I ran into same duplicate "<ds:Reference>" issue. I have attached the saml
response document that I federated to google and google acs rejected because
of duplicate reference. Any input on what could be wrong?. I am calling
signer object to sign the response document, not adding any reference
manually.
protected void signDocument(XMLObject xmlObject,Signature signature) throws
FedHubException{
Marshaller marshaller =
marshallerFactory.getMarshaller(xmlObject);
try {
marshaller.marshall(xmlObject);
} catch (MarshallingException e) {
LogManager.error("Exception on marshalling the
document: " ,e);
}
Signer.signObject(signature);
}
Thanks in advance!
Naveen
The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.
From: Chad La Joie
[mailto:]
Sent: Thursday, January 10, 2008 11:18 AM
To:
Subject: Re: Reference Node in Signature Duplicated
The Shib IdP on my test machine, which is using the latest OpenSAML code,
doesn't have duplicate references.
Is your code adding any references? The OpenSAML code takes care of all the
reference objects for SAML compliant signatures (so you don't ahve to do it).
Paul Hethmon wrote:
> Ok, not sure where this is getting done, whether its my use of the
> OpenSAML code or the OpenSAML code. I'm trying to get my IdP
> implementation (Java) working with the Lightbulb PHP SP
> (http://opensso.dev.java.net/public/extensions/) code from Sun. What I
> am seeing is an error from their library saying:
>
> Error: Reference validation failed
>
> Tracing through their code, it appears that it is saying there is a
> problem with the <ds:Reference> node in the signature. I then took a
> look at what I'm generated and I see two identical <ds:Reference>
> nodes (xml at the end of this message).
>
> I looked through my signature generating code and don't see anything
> which looks like it ought to cause two Reference nodes to be emitted.
> So does anyone know of anything I should look for in my code? Does
> anyone have an IdP using the Java libs that does *not* send out two
> Reference nodes?
>
> For reference, my OpenSAML Java code was updated today (2008-01-10).
>
> Thanks,
>
> Paul
>
>
>
> <?xml version="1.0" encoding="UTF-8"?> <samlp:Response
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="http://www.acmemls.com:80/recv-saml.jsp"
> ID="acmeidp1199978583569"
> InResponseTo="acmemls1199978573054"
> IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
> <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.
> com</s
> aml:Issuer>
> <samlp:Status>
> <samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> </samlp:Status>
> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="acmeidp1199978583569"
> IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
> <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.
> com</s
> aml:Issuer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:Reference URI="#acmeidp1199978583569"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transforms
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transform
>
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ec:InclusiveNamespaces
>
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> PrefixList="ds saml"/>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:DigestValue
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> >6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#acmeidp1199978583569"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transforms
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:Transform
>
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ec:InclusiveNamespaces
>
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> PrefixList="ds saml"/>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
> <ds:DigestValue
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> >6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>
> h9M4de1l3sAl7Ue4qYk6UZ8gI/aDTWAg2Ueog3sZ2COkkOraoaDKWhsx2kcz6l0qguNCbL
> fCVQq3
>
> eSmRR2R8VileLsVdvTssKZ5OYvvAKOMnJgueeGC1ZqElp9NWRf7p+qmAMytynxQG64JGJn
> eSmRR2R8VileLsVdvTssKZ5OYvvAKOMnJgueeGC1ZqElp9NWRf7p+FqO2fG
> NzORvH8ZZRSVgZmrhdU= </ds:SignatureValue>
> </ds:Signature>
>
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security Werdstrasse 2, P.O. Box, 8021
Zürich, Switzerland phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
<?xml version="1.0" encoding="UTF-8"?> <samlp:Response Destination="https://www.google.com/a/demosp.com/acs" ID="_4b31dd925a7a2706725a71228643b041" IssueInstant="2008-04-02T13:43:53.044Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://tib.demo.securedby.covisint.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Reference URI="#_4b31dd925a7a2706725a71228643b041" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml samlp xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">UuxHiYmprlO82Hk/eAC33TMHGy46/uefMtHMwzg97HE=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#_4b31dd925a7a2706725a71228643b041" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml samlp xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">UuxHiYmprlO82Hk/eAC33TMHGy46/uefMtHMwzg97HE=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> vnfHDZtPtlzkS09H/sgIyH1helgulaIR+VAGSdVX5aCurBUznD4hX1X6Q3wN0L2nIomZ/5uXS0kJ 6Py6Cw+PgkmiE5BcfiXIO6cRA9W94OL1/NtZzPgo3JiPbd0eTQNxS4XpsBlq+L90GDYgmhbRZRQm gRA3FoAikcIDB1Ov+Qs= </ds:SignatureValue> </ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="_304667746bbc739bf4ff846f5335e7ed" IssueInstant="2008-04-02T13:43:53.046Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://tib.demo.securedby.covisint.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Reference URI="#_304667746bbc739bf4ff846f5335e7ed" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">k1twlXmnl2y4jDS/155IdlkKR0RbcdiIFjy8ynkS9mo=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> XPZdFnATuG/dehofcCVicmEDYiZkXp+5oGYd+iU46gQBqXXs/dtHv6GeANFAXkCsYC5M0UQvBw13//k+bPNqavht1yRQVlaaw99MeayrdLIpwj34KjR+Tt3vNkNHKB0skf/ZntfKWnKckBiqyTVoD3515dL6WRC2rW95c//yEMA= </ds:SignatureValue></ds:Signature><saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:NameID NameQualifier="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">NAVEEN</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2008-04-02T13:43:53.046Z" Recipient="https://www.google.com/a/demosp.com/acs"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2008-04-02T13:43:53.047Z" NotOnOrAfter="2008-04-02T13:43:53.047Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction><saml:Audience>https://www.google.com/a/demosp.com/acs</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2008-04-02T13:43:53.047Z" SessionIndex="_304667746bbc739bf4ff846f5335e7ed" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Attribute FriendlyName="FirstName" Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
- RE: Reference Node in Signature Duplicated, Sankaranainar, Naveen, 04/03/2008
- Re: [OpenSAML] RE: Reference Node in Signature Duplicated, Brent Putman, 04/03/2008
- RE: [OpenSAML] RE: Reference Node in Signature Duplicated, Sankaranainar, Naveen, 04/04/2008
- Re: [OpenSAML] RE: Reference Node in Signature Duplicated, Brent Putman, 04/04/2008
- RE: [OpenSAML] RE: Reference Node in Signature Duplicated, Sankaranainar, Naveen, 04/07/2008
- Re: [OpenSAML] RE: Reference Node in Signature Duplicated, Brent Putman, 04/04/2008
- RE: [OpenSAML] RE: Reference Node in Signature Duplicated, Sankaranainar, Naveen, 04/04/2008
- Re: [OpenSAML] RE: Reference Node in Signature Duplicated, Brent Putman, 04/03/2008
Archive powered by MHonArc 2.6.16.