
mace-opensaml-users - OpenSAML SignatureValidator Issues!

Subject: OpenSAML user discussion


  • Subject: OpenSAML SignatureValidator Issues!
  • Date: Thu, 6 Nov 2008 22:42:49 -0500 (EST)

When I use SignatureValidator to validate an Assertion, I get the following
error:
ERROR:
126221 [http-80-1] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#123456"
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
        at simplesaml.SingerAssertion.veriSignAssertion(SingerAssertion.java:167)
        at simplesaml.SPSamlHandler.doPost(SPSamlHandler.java:137)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:595)

Code is:

import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

// Verifies the enveloped signature on the assertion "o" against the IdP
// certificate loaded from a local file (the trusted key, not the one
// carried in the message's ds:KeyInfo).
public boolean veriSignAssertion(Assertion o) {
    X509Certificate certificate = null;
    BasicX509Credential stCred = null;
    try {
        CertificateFactory certificatefactory = CertificateFactory.getInstance("X.509");
        FileInputStream fin = new FileInputStream("D:/jdk1.5.0_01/jre/lib/security/samlcert");
        try {
            certificate = (X509Certificate) certificatefactory.generateCertificate(fin);
        } finally {
            fin.close();
        }

        stCred = new BasicX509Credential();
        stCred.setEntityCertificate(certificate);
        stCred.setPublicKey(certificate.getPublicKey());
    } catch (Exception e) {
        // Without a trusted credential nothing can be verified.
        e.printStackTrace();
        return false;
    }

    // Check the signature's structure first (a single enveloped-signature
    // Reference to the assertion's own ID, no other transforms).
    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    try {
        profileValidator.validate(o.getSignature());
    } catch (ValidationException e) {
        e.printStackTrace();
        return false;
    }

    // Then check the signature value against the trusted key.
    SignatureValidator sigValidator = new SignatureValidator(stCred);
    try {
        sigValidator.validate(o.getSignature());
        return true;
    } catch (ValidationException e) {
        // Indicates signature was not cryptographically valid, or possibly
        // a processing error
        e.printStackTrace();
        return false;
    }
}

And the SAMLResponse XML is:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="789123"
    InResponseTo="http://ce-ywq/samltool/simplesp"
    IssueInstant="2008-11-07T02:36:57.575Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://ce-ywq/samltool/simpleidp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="123456"
      IssueInstant="2008-11-07T02:36:57.455Z" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://ce-ywq/samltool/simpleidp</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
        <ds:Reference URI="#123456">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>VIzvRsGNAkgdJFVQEuAUnHilaSk=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
a+d7GXVeBvwsAF1b7r0mEZSjdH/zNQ1pHnP9gTilDDnxS1whTxbH0iOC4ZKiwpySPsphfiYnsSsN
yPcUZyqIL0AjoouA59hyO55+a+rOMgs2i7XViE1dR+sYS/jraSECPgX2sOTJUYnkxblWtsQC3Suh
oWYVOxv+SiQ6u2NTxbA=
      </ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICDDCCAXUCBEkFdD0wDQYJKoZIhvcNAQEEBQAwTTELMAkGA1UEBhMCY24xCzAJBgNVBAgTAmJq…</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">11</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData InResponseTo="456789"
            NotOnOrAfter="2008-11-07T02:41:57.465Z"
            Recipient="http://ce-ywq/samltool/simplesp"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-11-07T02:36:57.465Z" NotOnOrAfter="2008-11-07T02:36:57.471Z"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:AudienceRestriction><saml:Audience>http://ce-ywq/samltool/simplesp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-11-07T02:36:57.505Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AuthzDecisionStatement Decision="Permit" Resource="DoubleIt" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Action Namespace="urn:doubleit:doubleitactions">DoubleEvenNumbers</saml:Action>
    </saml:AuthzDecisionStatement>
    <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute Name="degree" NameFormat="http://www.example.org/DoubleIt/Security">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mathematics</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>




I have no idea about this problem; can someone help me?
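An added example, written for this page and not code from the poster or from the OpenSAML project, using the same OpenSAML 2 API the post uses. The log above shows the Reference digest verifying and the SignatureValue failing: the assertion bytes are intact, but SignedInfo was not signed by the key loaded from the file, so the first thing to check is whether the trusted certificate actually matches the IdP's signing key. The example bootstraps OpenSAML, parses and unmarshals a response, and then applies the checks a service provider should run in this order: the SAML signature profile check, an allow-list on SignatureMethod (the posted response uses rsa-md5, which a verifier should refuse), a diagnostic comparison between the trusted certificate and the one the IdP put in ds:KeyInfo, and finally SignatureValidator against the trusted key only. The class name, the command-line arguments and the allowed-algorithm list are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

// Class name, command-line arguments and the allow-list are this example's assumptions.
public class AssertionSignatureCheck {
    // SignatureMethod values this SP accepts; rsa-md5, used in the posted
    // response, is deliberately not on the list.
    private static final Set<String> ALLOWED_SIG_ALGS = new HashSet<String>(Arrays.asList(
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
            SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256));

    // args[0]: file holding the samlp:Response; args[1]: certificate of the IdP this SP trusts.
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        InputStream in = new FileInputStream(args[0]);
        Element root;
        try {
            root = Configuration.getParserPool().parse(in).getDocumentElement();
        } finally {
            in.close();
        }
        Response response = (Response) Configuration.getUnmarshallerFactory()
                .getUnmarshaller(root).unmarshall(root);

        InputStream certIn = new FileInputStream(args[1]);
        X509Certificate trusted;
        try {
            trusted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        } finally {
            certIn.close();
        }
        BasicX509Credential trustedCred = new BasicX509Credential();
        trustedCred.setEntityCertificate(trusted);
        trustedCred.setPublicKey(trusted.getPublicKey());

        for (Assertion a : response.getAssertions()) {
            System.out.println("Assertion " + a.getID() + ": "
                    + (checkAssertion(a, trustedCred) ? "signature OK" : "REJECTED"));
        }
    }

    static boolean checkAssertion(Assertion assertion, BasicX509Credential trustedCred) {
        if (!assertion.isSigned()) return false;   // nothing to verify: reject
        Signature sig = assertion.getSignature();

        // 1. Structure: one enveloped-signature Reference to the assertion's own ID.
        try {
            new SAMLSignatureProfileValidator().validate(sig);
        } catch (ValidationException e) {
            System.out.println("  profile violation: " + e.getMessage());
            return false;
        }

        // 2. Algorithm allow-list, checked before any cryptography runs.
        if (!ALLOWED_SIG_ALGS.contains(sig.getSignatureAlgorithm())) {
            System.out.println("  rejected SignatureMethod " + sig.getSignatureAlgorithm());
            return false;
        }

        // 3. Diagnostic only: does the certificate the IdP put in ds:KeyInfo carry the
        //    trusted key? A mismatch explains "did not validate against the credential's
        //    key" after the Reference digest verified. The KeyInfo key is never trusted.
        if (sig.getKeyInfo() != null) {
            try {
                boolean match = false;
                for (X509Certificate c : KeyInfoHelper.getCertificates(sig.getKeyInfo())) {
                    match |= c.getPublicKey().equals(trustedCred.getPublicKey());
                }
                if (!match) System.out.println("  note: ds:KeyInfo does not carry the trusted public key");
            } catch (Exception e) {
                System.out.println("  note: could not decode ds:KeyInfo: " + e.getMessage());
            }
        }

        // 4. Cryptographic check, against the trusted key only.
        try {
            new SignatureValidator(trustedCred).validate(sig);
            return true;
        } catch (ValidationException e) {
            System.out.println("  signature invalid: " + e.getMessage());
            return false;
        }
    }
}
```

Run it as `java AssertionSignatureCheck response.xml idp.crt` (file names assumed). Step 3 only prints a note; verification itself always uses the credential built from the locally configured certificate, because a key taken from the message's own KeyInfo would let any sender sign for the IdP. Two further points a practitioner would check on the posted response: the signature is over the Assertion only, not the enclosing Response, so the Response-level InResponseTo and Status are unauthenticated; and the Conditions window (NotBefore 02:36:57.465Z, NotOnOrAfter 02:36:57.471Z) is six milliseconds wide, so even a correctly signed copy would fail condition checking on the SP.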



