Skip to Content.
Sympa Menu

mace-opensaml-users - Re: Re: [OpenSAML] OpenSAML SignatureValidator Issues!

Subject: OpenSAML user discussion

List archive

Re: Re: [OpenSAML] OpenSAML SignatureValidator Issues!


Chronological Thread 
  • From:
  • To:
  • Subject: Re: Re: [OpenSAML] OpenSAML SignatureValidator Issues!
  • Date: Sun, 9 Nov 2008 21:09:35 -0500 (EST)

Sorry ,I will reply-to-all from now on.

> I'm not sure what you mean here, what you are validating with the
> java.security.Signature? Or are you saying there seems to be difference
> in behavior beween JDK1.5 and some other JDK version?

My mean is It run well,when I used java.security.Signature to verify
'<root>name</root>'.

> I'm sorry, I don't understand what you are asking here. Can you please
> rephrase the question?

Sorry ,I didn't have a clear expression of the question because of my poor
english. My mean is whether <ds:Signature> ..<ds:Signature> included in
<samp:Assetion ..> ..</samp:Assetion> will affect the
SignatureValidator.validate(..).


>>
Please be sure to reply-to-all or to the list, rather than the sender
directly...


wrote:
> Thanks for Brent Putman's reply.
>
> I checked the code again,the cert/key is right,and the cert/key value is
> same to keyInfo. Then ,I modify the Credential create like this (the same
> to signature code):
>
> PrivateKey priv = null;
> Certificate kscert = null,cert;
> try {
> priv = (PrivateKey) getKeyStore().getKey("samlcert",
> "password".toCharArray());
> kscert = getKeyStore().getCertificate("samlcert");
> } catch (KeyStoreException e1) {
> // TODO Auto-generated catch block
> e1.printStackTrace();
> } catch (NoSuchAlgorithmException e1) {
> // TODO Auto-generated catch block
> e1.printStackTrace();
> } catch (UnrecoverableKeyException e1) {
> // TODO Auto-generated catch block
> e1.printStackTrace();
> }
>
> Credential stCred =
> SecurityHelper.getSimpleCredential(kscert.getPublicKey(), priv);
>

That looks correct, as far as generating the Credential with which to sign.

> but the same error happened :
> org.opensaml.xml.validation.ValidationException: Signature did not
> validate against the credential's key .
>

Well, if you're sure you are validating with the right key, then it
almost certainly must be the case that the SignedInfo element really has
been modified since it was signed. You'll need to double-check the
serialization process on the signer side, and the deserialization and
unmarshalling process on the receiving side, to find out where and how.
That's all I can tell you.

Remember that any change to the signed document will cause the signature
to fail, even something as trivial as addition or removal of whitespace.

> When The same cert signature text and valid it using
> java.security.Signature from JDK1.5 , it has no problem.
>

I'm not sure what you mean here, what you are validating with the
java.security.Signature? Or are you saying there seems to be difference
in behavior beween JDK1.5 and some other JDK version?

> And ,I have another question.Why was My Assertion's signature info
> contained by <samp:Assetion ..> ..</samp:Assetion> , when the
> SignatureValidator.validate(..) excuted , whether can the signature info
> be computered to the encrypted Value by the PublicKey?
>


I'm sorry, I don't understand what you are asking here. Can you please
rephrase the question?

--Brent



Archive powered by MHonArc 2.6.16.

Top of Page