
mace-opensaml-users - Re: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes

Subject: OpenSAML user discussion


Re: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes
  • Date: Fri, 14 Nov 2008 17:02:10 -0500



Pantvaidya, Vishwajit wrote:
> For further debugging, I installed SVN and downloaded java-xmltooling. I
> see that it fails at line 68 of SignatureValidator.java i.e. if
> (xmlSig.checkSignatureValue(validationKey)) - the condition throws the
> ValidationException.
>

That's merely where we make use of the Apache xmlsec library to validate
the signature. All the real work is done in the Apache lib.

>
>
> -----Original Message-----
> From: Pantvaidya, Vishwajit
> [mailto:]
> Sent: Thursday, November 13, 2008 3:38 PM
> To:
> ''
> Subject: [OpenSAML] SAML1.1 response signature validation fails but
> assertion signature validation passes
>
> I am migrating to OpenSAML2 but using SAML1.1. My older code that validates
> response and assertion signature works fine. After migration to opensaml2,
> the response signature validation fails with following messages:
>
> Verification failed for URI "#iZyjE4YiG5rffHh4sAPOA2_esHbM"
> Verification failed for URI "#iZyjE4YiG5rffHh4sAPOA2_esHbM"
> Expected Digest: lsb/Kk63UWdraorfpgMGxu4yCak=
> Expected Digest: lsb/Kk63UWdraorfpgMGxu4yCak=
> Actual Digest: hHxv7IY9MpthqXE5gcWk9WrXaUA=
> Actual Digest: hHxv7IY9MpthqXE5gcWk9WrXaUA=
>

This indicates that the Response Signature's Reference DigestValue
computed over the canonicalized bytes of the Response element does not
match what the signer computed.


> But assertion signature validation passes. What could the reason be? I do
> not believe that my response is getting modified after receipt.
>

Well, the most likely explanation is that it is getting modified.
Virtually all the signature issues we've ever seen ultimately wind up
being modification (unintentional or otherwise) of the data after it is
signed, on either the signer/sender side or the recipient/validator side.

If not, then it could be a bug on the signer or validation side, I
suppose. You are validating with OpenSAML, which is really operatively
using the Apache xmlsec library. It's widely used and known to be
pretty thoroughly debugged at this point - although of course bugs are
still possible. If the signer isn't using Apache xmlsec, you might look
into that.


If in the past it worked and the same signature library was being used
on both sides, it could of course be the case that it consistently did
the same incorrect thing on both signing and validation, resulting in
false-success.


> My code snippet is as follows:
>
>
>

That OpenSAML code looks fine.


> My SAML response xml is as follows:
>
>

I don't see anything obviously wrong there either.


The only real way to debug this is to get the canonicalized input data
from both the signer and validator, and do a byte-by-byte comparison to
spot the difference(s). In Apache xmlsec 1.4.2 (and so in the latest
versions of OpenSAML also), you can do this by setting DEBUG level
logging for the following packages:

org.apache.xml.security.utils.DigesterOutputStream - represents the
Reference data to be digested

org.apache.xml.security.utils.SignerOutputStream - represents the
SignedInfo data to be signed


For the above issue, you want the DigesterOutputStream.

Even if you don't have equivalent data from the signer, you might be
able to spot the issue just by looking at the output on the validation side.


--Brent
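The point above, that a Reference DigestValue is computed over the canonicalized bytes and that the way to debug a mismatch is a byte-by-byte comparison of that canonical input, illustrated with an added Python example (not code from this thread, OpenSAML or xmlsec). It assumes Python 3.8+ and uses a constructed, unsigned SAML 1.1-style Response, SHA-1 as in the digests quoted above, and ElementTree.canonicalize (C14N 2.0) as a stand-in for XMLDSig canonicalization; it shows why a change outside the Assertion breaks only the Response reference, and how to locate the first differing canonical byte.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)  # keep the signer's prefixes on re-serialization
ET.register_namespace("saml", SAML)

# Constructed sample: the Response as the signer serialized it. ds:Signature elements
# are omitted; the enveloped-signature transform drops them before digesting anyway.
SIGNED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ResponseID="_resp1" '
    'IssueInstant="2008-11-13T23:38:00Z"><samlp:Status>'
    '<samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    '<saml:Assertion AssertionID="_a1" Issuer="https://idp.example.org" '
    'IssueInstant="2008-11-13T23:38:00Z" MajorVersion="1" MinorVersion="1">'
    '<saml:AuthenticationStatement AuthenticationInstant="2008-11-13T23:38:00Z"/>'
    '</saml:Assertion></samlp:Response>'
)
# Harmless re-serialization: C14N expands empty elements, so the digest survives.
RESERIALIZED = SIGNED_RESPONSE.replace('Value="samlp:Success"/>',
                                       'Value="samlp:Success"></samlp:StatusCode>')
# Change outside the Assertion (an intermediary pretty-printing the Response):
# C14N keeps the inserted whitespace text node, so only the Response digest changes.
MODIFIED = SIGNED_RESPONSE.replace("<samlp:Status>", "\n  <samlp:Status>", 1)

def c14n(xml: str) -> bytes:
    # Stand-in for XMLDSig C14N: ElementTree.canonicalize() is C14N 2.0; same result here.
    return ET.canonicalize(xml).encode("utf-8")

def reference_digest(xml: str) -> str:
    # DigestValue as xmlsec logs it: base64(SHA-1(canonicalized reference data)).
    return base64.b64encode(hashlib.sha1(c14n(xml)).digest()).decode("ascii")

def assertion_xml(response_xml: str) -> str:
    # What the validator digests for URI="#_a1": the Assertion subtree on its own.
    root = ET.fromstring(response_xml)
    return ET.tostring(root.find(f"{{{SAML}}}Assertion"), encoding="unicode")

def first_difference(a: bytes, b: bytes):
    # Byte-by-byte comparison of two canonical forms: (offset, context_a, context_b) or None.
    i = next((i for i in range(min(len(a), len(b))) if a[i] != b[i]), min(len(a), len(b)))
    return None if i == len(a) == len(b) else (i, a[i:i + 24], b[i:i + 24])

if __name__ == "__main__":
    for label, doc in ("as signed", SIGNED_RESPONSE), ("re-serialized", RESERIALIZED), ("modified", MODIFIED):
        print(f"{label:14} response={reference_digest(doc)} assertion={reference_digest(assertion_xml(doc))}")
    print("first difference:", first_difference(c14n(SIGNED_RESPONSE), c14n(MODIFIED)))
```

On real traffic, feed the canonical bytes logged by DigesterOutputStream on both sides into first_difference instead of the constructed strings.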
