
mace-opensaml-users - RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes

Subject: OpenSAML user discussion

  • From: "Pantvaidya, Vishwajit" <>
  • Subject: RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes
  • Date: Fri, 14 Nov 2008 15:40:09 -0800

> > I am migrating to OpenSAML2 but using SAML1.1. My older code that
> > validates response and assertion signature works fine. After migration to
> > opensaml2, the response signature validation fails with following
> > messages:
> >
...
> >
> > But assertion signature validation passes. What could the reason be? I
> > do not believe that my response is getting modified after receipt.
>
> Well, the most likely explanation is that it is getting modified.
> Virtually all the signature issues we've ever seen ultimately wind up
> being modification (unintentional or otherwise) of the data after it is
> signed, on either the signer/sender side or the recipient/validator side.
>
> If not, then it could be a bug on the signer or validation side, I
> suppose. You are validating with OpenSAML, which is really operatively
> using the Apache xmlsec library. It's widely used and known to be
> pretty thoroughly debugged at this point - although of course bugs are
> still possible. If the signer isn't using Apache xmlsec, you might look
> into that.
>
> If in the past it worked and the same signature library was being used
> on both sides, it could of course be the case that it consistently did
> the same incorrect thing on both signing and validation, resulting in
> false-success.


[Pantvaidya, Vishwajit] I placed my older code that validates the SAML response signature just before the call to SignatureValidator, and the older validation still passed.

 

> The only real way to debug this is to get the canonicalized input data
> from both the signer and validator, and do a byte-by-byte comparison to
> spot the difference(s). In Apache xmlsec 1.4.2 (and so in the latest
> versions of OpenSAML also), you can do this by setting DEBUG level
> logging for the following packages:
>
> org.apache.xml.security.utils.DigesterOutputStream - represents the
> Reference data to be digested
>
> org.apache.xml.security.utils.SignerOutputStream - represents the
> SignedInfo data to be signed
>
> For the above issue, you want the DigesterOutputStream.
>
> Even if you don't have equivalent data from the signer, you might be
> able to spot the issue just by looking at the output on the validation
> side.
>
> --Brent


[Pantvaidya, Vishwajit] Thanks Brent - will try the above and post the results.
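The byte-by-byte comparison Brent describes, as an added example that is not part of this thread and not OpenSAML or Apache xmlsec code. It takes a constructed SAML 1.1 Response as the signer serialized it and a copy that something in the path re-indented, canonicalizes the Response and the Assertion separately (the two Reference inputs), and reports the digests and the first differing byte. That reproduces the symptom in the thread: whitespace inserted between Response children changes the Response digest, while the Assertion subtree, and therefore its digest, is untouched. Assumptions: the Python standard library's C14N 2.0 (xml.etree.ElementTree.canonicalize, Python 3.8 or later) stands in for the C14N 1.0 or exclusive C14N an XML-DSig Transform would name; the Signature elements are left out, as an enveloped-signature transform removes them from the Reference input anyway; SHA-1 is the digest; the sample XML, identifiers and hostname are made up. On a real deployment the "received" bytes are what the DigesterOutputStream DEBUG output on the validator shows, and the "signed" bytes come from the same logging on the signer.

```python
"""Find where a signed XML document was modified after signing.

Added example, not code from the thread, OpenSAML or xmlsec.  Assumes
Python 3.8+ (ET.canonicalize is C14N 2.0, used here in place of the C14N
an XML-DSig Transform names) and SHA-1 digests.  Sample data is constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.1 keeps the 1.0 URIs
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample: the Response exactly as the signer serialized it
# (Signature elements omitted; an enveloped-signature transform drops them).
SIGNED_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="_r1" '
    'MajorVersion="1" MinorVersion="1" IssueInstant="2008-11-14T23:40:09Z">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    '<saml:Assertion AssertionID="_a1" Issuer="https://idp.example.org" '
    'MajorVersion="1" MinorVersion="1" IssueInstant="2008-11-14T23:40:09Z">'
    '<saml:AuthenticationStatement AuthenticationInstant="2008-11-14T23:40:00Z"'
    ' AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
    '<saml:Subject><saml:NameIdentifier>vishwajit</saml:NameIdentifier>'
    '</saml:Subject></saml:AuthenticationStatement></saml:Assertion>'
    '</samlp:Response>'
)

# Constructed sample: the same Response after something in the path
# pretty-printed it.  Only whitespace between Response children was added.
RECEIVED_RESPONSE = (
    SIGNED_RESPONSE.replace('<samlp:Status>', '\n  <samlp:Status>')
    .replace('<saml:Assertion ', '\n  <saml:Assertion ')
    .replace('</samlp:Response>', '\n</samlp:Response>')
)


def c14n(xml_text: str) -> bytes:
    """Canonical bytes of a document.  strip_text=False keeps whitespace-only
    text nodes, as XML-DSig canonicalization does."""
    return ET.canonicalize(xml_data=xml_text, strip_text=False).encode("utf-8")


def reference_input(xml_text: str, tag: str) -> bytes:
    """Canonical bytes of the element a Reference points at (Clark-notation
    tag): what a DigesterOutputStream would log for that Reference."""
    root = ET.fromstring(xml_text)
    el = root if root.tag == tag else root.find(".//" + tag)
    if el is None:
        raise ValueError(f"no {tag} in document")
    # Tail text belongs to the parent, not to the referenced element, but
    # ET.tostring() would emit it; drop it so only the subtree is compared.
    el.tail = None
    return c14n(ET.tostring(el, encoding="unicode"))


def digest_value(data: bytes) -> str:
    """Base64 SHA-1, the form a DigestValue element carries."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def first_difference(a: bytes, b: bytes, window: int = 24):
    """Offset of the first differing byte plus some context from each side,
    or None when the two byte strings are identical."""
    n = min(len(a), len(b))
    i = next((k for k in range(n) if a[k] != b[k]), n)
    if i == n and len(a) == len(b):
        return None
    lo = max(0, i - window)
    return i, a[lo:i + window], b[lo:i + window]


def diagnose(signed: str, received: str) -> dict:
    """Compare the Reference input of the Response and of the Assertion."""
    report = {}
    for name, tag in (("Response", f"{{{SAMLP}}}Response"),
                      ("Assertion", f"{{{SAML}}}Assertion")):
        a, b = reference_input(signed, tag), reference_input(received, tag)
        report[name] = {
            "signed_digest": digest_value(a),
            "received_digest": digest_value(b),
            "first_difference": first_difference(a, b),
        }
    return report


if __name__ == "__main__":
    for name, r in diagnose(SIGNED_RESPONSE, RECEIVED_RESPONSE).items():
        print(f"{name}: signed {r['signed_digest']} received {r['received_digest']}")
        if r["first_difference"] is None:
            print("  identical: this signature would validate")
        else:
            off, ctx_a, ctx_b = r["first_difference"]
            print(f"  first difference at byte {off}")
            print(f"  signer:    {ctx_a!r}")
            print(f"  validator: {ctx_b!r}")
```

Run as-is, the Assertion digests match and the Response ones do not, with the first difference sitting on the newline inserted after the Response start tag. Whatever the intermediary did (re-indentation, a namespace rewrite, a BOM, an encoding change) shows up the same way: as the first byte at which the two canonical streams diverge, which is far more useful than the "signature invalid" result alone.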
