mace-opensaml-users - Re: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes
  • Date: Mon, 17 Nov 2008 16:20:12 -0500
Pantvaidya, Vishwajit wrote:

Attempting resend as a zip file as it keeps on rejecting my mail as being above the size limit.


I unfortunately didn't get your attachment - zip file attachments are stripped by our email system due to security office policies.  (don't even ask....)

If you want to post it on a web server or somewhere else I can get to it, I can take a look, but see below.

> The only real way to debug this is to get the canonicalized input data
> from both the signer and validator, and do a byte-by-byte comparison to
> spot the difference(s).  In Apache xmlsec 1.4.2 (and so in the latest
> versions of OpenSAML also), you can do this by setting DEBUG level
> logging for the following packages:
>
> org.apache.xml.security.utils.DigesterOutputStream - represents the
> Reference data to be digested


[Pantvaidya, Vishwajit] Attaching the log I got by turning debug on for the digester on the validation side. I see only the assertion signature and its digest but not the response signature and its digest in the messages. Shouldn’t I be seeing that in the logs? On the sending side, I checked out the server log and the response digest and signature are present in the logged messages. Is this the issue?

Since I haven't seen the log input, I don't know for sure what you are talking about exactly, but: it would be expected that the Response Signature's digester debug output as described above will include the canonicalized data within the Response - including obviously the Assertion and the Assertion's signature (vis-à-vis the Response, the latter is just data being signed), but *not* the Response Signature element. As Scott said, it can't be a part of that canonicalized input for obvious reasons, and that's fyi the reason for the enveloped signature Transform in enveloped signatures like these.


--Brent
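To make the point above concrete, here is an added example (written for this archive page; it is not code from the thread, from OpenSAML or from Apache xmlsec) that reproduces what the digester sees for each enveloped Reference in a SAML 1.1 Response that carries both an Assertion-level and a Response-level signature, and then does the byte-by-byte comparison Brent recommends. The sample message, its ResponseID/AssertionID values and the SignatureValue placeholders are constructed; the stdlib C14N 2.0 canonicalizer is an assumption standing in for the Exclusive C14N that real SAML signatures use, which is good enough to show which elements are in or out of each Reference's input.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

DS_SIGNATURE = "{%s}Signature" % NS["ds"]
# SAML 1.1 uses ResponseID / AssertionID; "ID" covers the SAML 2 style too.
ID_ATTRS = ("ResponseID", "AssertionID", "ID")

# Constructed sample: Assertion signed with its own enveloped signature, and the
# whole Response signed again at the top.  SignatureValue contents are
# placeholders, not real signatures.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ResponseID="_resp1" MajorVersion="1" MinorVersion="1"
    IssueInstant="2008-11-17T21:20:12Z">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>RESPONSE-SIG-PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_assert1" MajorVersion="1" MinorVersion="1"
      Issuer="https://idp.example.org" IssueInstant="2008-11-17T21:20:12Z">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_assert1">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </ds:Transforms>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ASSERTION-SIG-PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:AuthenticationStatement AuthenticationInstant="2008-11-17T21:20:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def _find_by_id(root, element_id):
    """Locate the element a Reference URI="#id" points at."""
    for elem in root.iter():
        if any(elem.get(attr) == element_id for attr in ID_ATTRS):
            return elem
    raise KeyError("no element with id %r" % element_id)


def reference_input(xml_text, uri):
    """Reproduce what DigesterOutputStream logs for one Reference: the referenced
    element with its *own* enveloped ds:Signature removed, then canonicalized.
    A signature nested deeper (the Assertion's signature inside a signed
    Response) is ordinary signed data and stays in."""
    root = ET.fromstring(xml_text)
    target = copy.deepcopy(_find_by_id(root, uri.lstrip("#")))
    for child in list(target):
        if child.tag == DS_SIGNATURE:
            target.remove(child)  # the enveloped-signature Transform
    # Assumption: stdlib C14N 2.0 stands in for Exclusive C14N here.
    return ET.canonicalize(ET.tostring(target, encoding="unicode")).encode("utf-8")


def digest_value(data, algorithm="sha1"):
    """Digest of the canonicalized Reference input (SHA-1 was the SAML 1.1 norm)."""
    return hashlib.new(algorithm, data).hexdigest()


def first_difference(signer_bytes, validator_bytes, context=20):
    """Byte-by-byte comparison of signer vs validator canonical input.
    Returns None on a match, else (offset, signer_snippet, validator_snippet)."""
    for i, (a, b) in enumerate(zip(signer_bytes, validator_bytes)):
        if a != b:
            return (i, signer_bytes[i:i + context], validator_bytes[i:i + context])
    if len(signer_bytes) != len(validator_bytes):
        i = min(len(signer_bytes), len(validator_bytes))
        return (i, signer_bytes[i:i + context], validator_bytes[i:i + context])
    return None


if __name__ == "__main__":
    resp_in = reference_input(SAMPLE_RESPONSE, "#_resp1")
    asrt_in = reference_input(SAMPLE_RESPONSE, "#_assert1")
    print("Response reference input keeps Assertion signature:",
          b"ASSERTION-SIG-PLACEHOLDER" in resp_in)
    print("Response reference input drops its own signature:",
          b"RESPONSE-SIG-PLACEHOLDER" not in resp_in)
    print("Response digest:", digest_value(resp_in))
    print("Assertion digest:", digest_value(asrt_in))
    # A one-byte change anywhere under the Response shows up in the comparison.
    tampered = reference_input(SAMPLE_RESPONSE.replace("alice", "mallory"), "#_resp1")
    print("first difference vs tampered copy:", first_difference(resp_in, tampered))
```

Run it as a script to see both digests; in a real investigation you would feed the two canonicalized byte streams captured from the signer's and validator's DEBUG logs into `first_difference` instead of the constructed sample. The point the example makes visible: the Response Reference's input contains the Assertion and the Assertion's `ds:Signature` in full, while the Response's own `ds:Signature` is absent, exactly as the enveloped-signature Transform requires.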
