mace-opensaml-users - RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes
Subject: OpenSAML user discussion
- From: "Pantvaidya, Vishwajit" <>
- Subject: RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes
- Date: Fri, 14 Nov 2008 15:40:09 -0800
- Accept-language: en-US
> > I am migrating to OpenSAML2 but using SAML1.1. My older code that
> > validates response and assertion signature works fine. After migration to
> > opensaml2, the response signature validation fails with following
> > messages: ...
> >
> > But assertion signature validation passes. What could the reason be? I
> > do not believe that my response is getting modified after receipt.
>
> Well, the most likely explanation is that it is getting modified.
> Virtually all the signature issues we've ever seen ultimately wind up
> being modification (unintentional or otherwise) of the data after it is
> signed, on either the signer/sender side or the recipient/validator side.
>
> If not, then it could be a bug on the signer or validation side, I
> suppose. You are validating with OpenSAML, which is really operatively
> using the Apache xmlsec library. It's widely used and known to be
> pretty thoroughly debugged at this point - although of course bugs are
> still possible. If the signer isn't using Apache xmlsec, you might look
> into that.
>
> If in the past it worked and the same signature library was being used
> on both sides, it could of course be the case that it consistently did
> the same incorrect thing on both signing and validation, resulting in
> false-success.

[Pantvaidya, Vishwajit] I placed my older code that validates the SAML response signature just before the call to SignatureValidator, and the older validation still passed.

> The only real way to debug this is to get the canonicalized input data
> from both the signer and validator, and do a byte-by-byte comparison to
> spot the difference(s). In Apache xmlsec 1.4.2 (and so in the latest
> versions of OpenSAML also), you can do this by setting DEBUG level
> logging for the following packages:
>
> org.apache.xml.security.utils.DigesterOutputStream - represents the
> Reference data to be digested
>
> org.apache.xml.security.utils.SignerOutputStream - represents the
> SignedInfo data to be signed
>
> For the above issue, you want the DigesterOutputStream.
>
> Even if you don't have equivalent data from the signer, you might be
> able to spot the issue just by looking at the output on the validation
> side.
>
> --Brent

[Pantvaidya, Vishwajit] Thanks Brent - will try the above and post the results.
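As an added example (not code from this thread or from the OpenSAML project), the following Java program captures the same data Brent's two DEBUG loggers emit, using the Apache xmlsec 1.4.x API the thread refers to, so the validator-side octets can be compared byte-by-byte with the signer's. The class name, the input path and output prefix taken from the command line, and the explicit registration of the SAML 1.1 ResponseID/AssertionID attributes as ID attributes are assumptions of this example.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.IdResolver;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Dumps the octets each ds:Reference digests (what DigesterOutputStream logs) and
 *  the canonicalized ds:SignedInfo (what SignerOutputStream logs) to files. Example code. */
public class DumpSignedOctets {
    // Assumption: SAML 1.1 carries ResponseID/AssertionID rather than a generic ID
    // attribute, so "#..." reference URIs only resolve once those are registered as IDs.
    private static void registerIds(Document doc, String ns, String local, String idAttr) {
        NodeList els = doc.getElementsByTagNameNS(ns, local);
        for (int i = 0; i < els.getLength(); i++) {
            Element el = (Element) els.item(i);
            IdResolver.registerElementById(el, el.getAttribute(idAttr));
        }
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // a non-namespace-aware parse silently alters the signed octets
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0])); // message exactly as received
        registerIds(doc, "urn:oasis:names:tc:SAML:1.0:protocol", "Response", "ResponseID");
        registerIds(doc, "urn:oasis:names:tc:SAML:1.0:assertion", "Assertion", "AssertionID");
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        for (int s = 0; s < sigs.getLength(); s++) {
            XMLSignature sig = new XMLSignature((Element) sigs.item(s), "");
            SignedInfo si = sig.getSignedInfo();
            write(args[1] + "-sig" + s + "-signedinfo.bin", si.getCanonicalizedOctetStream());
            for (int r = 0; r < si.getLength(); r++) {
                Reference ref = si.item(r);
                // getReferencedBytes() is the post-transform, canonicalized input to the digest
                write(args[1] + "-sig" + s + "-ref" + r + ".bin", ref.getReferencedBytes());
                System.out.println("Reference " + ref.getURI() + " digest verifies: " + ref.verify());
            }
        }
    }

    private static void write(String path, byte[] data) throws Exception {
        Files.write(Paths.get(path), data);
        System.out.println("wrote " + data.length + " bytes to " + path);
    }
}
```

Run it against the message as it arrived on the wire (before any re-serialization) and against the signer's copy, then compare the matching .bin files with a byte-level diff tool; the first differing offset points at where the data was altered after signing.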