mace-opensaml-users - error validating signature on SAML2 EncryptedAssertions decrypted with OpenSAML

Subject: OpenSAML user discussion

  • From: "Taylor, Christopher" <>
  • To: <>
  • Subject: error validating signature on SAML2 EncryptedAssertions decrypted with OpenSAML
  • Date: Tue, 18 Nov 2008 15:55:59 +0100

Dear List,

I'm using OpenSAML to handle SAML (1 and 2) assertions, both encrypted and
plaintext. However, I'm getting the following exception when trying to
validate the signature on a SAML2 EncryptedAssertion after decrypting it
using OpenSAML:


org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:73)
        at [...my code...]

Caused by: org.apache.xml.security.signature.XMLSignatureException: The Reference for URI #_2517bd88-e4a5-44fe-bf28-e35cd38fb5c8 has no XMLSignatureInput
  Original Exception was org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI #_2517bd88-e4a5-44fe-bf28-e35cd38fb5c8 has no XMLSignatureInput
  Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID _2517bd88-e4a5-44fe-bf28-e35cd38fb5c8
  Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID _2517bd88-e4a5-44fe-bf28-e35cd38fb5c8
  Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID _2517bd88-e4a5-44fe-bf28-e35cd38fb5c8
  Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _2517bd88-e4a5-44fe-bf28-e35cd38fb5c8
        at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:68)

The strange thing is, the assertion contains all the mentioned references.
I'm trying to be a "good citizen" and use OpenSAML for all the decryption
and signature checking, so I'm pretty sure I'm not modifying the assertion
anywhere. Also, this problem doesn't occur for SAML1 assertions.

Here's the validation code I'm using:

// Resolve candidate credentials from the inline KeyInfo carried by the signature.
KeyInfoCredentialResolver _resolver = SecurityTestHelper
        .buildBasicInlineKeyInfoResolver();

KeyInfo _ki = sig.getKeyInfo();
CriteriaSet criteriaSet = new CriteriaSet(new KeyInfoCriteria(_ki));
try {
    for (Credential _cred : _resolver.resolve(criteriaSet)) {
        log.debug("found credential of type: " + _cred.getClass().getName());
        log.debug("checking signature");
        // Verify the signature against each resolved credential in turn.
        SignatureValidator _sigValidator = new SignatureValidator(_cred);
        try {
            _sigValidator.validate(sig);
        } catch (ValidationException ve) {
            log.debug("validation failed.", ve);
            throw new JICException("validating the signature failed.", ve);
        }
        log.debug("success!");
    }
} catch (SecurityException se) {
    throw new JICException("error resolving the criteriaSet.", se);
}

from the method "void validateSignature(Signature sig) throws JICException" at:
https://informationcard.svn.sourceforge.net/svnroot/informationcard/trunk/framework/src/main/java/de/fraunhofer/fokus/jic/framework/impl/FrameworkImpl.java

You can find the assertion (encrypted and decrypted) that the above stack
trace refers to at http://informationcard.sourceforge.net/temp/

I'd be grateful for any hints on what's wrong.

All the best,
--Christopher Taylor


--
Christopher Taylor
()
Tel: +49 30 3463 9225

Fraunhofer Institute for Open Communication Systems (FOKUS) CC eGovernment
and Applications (ELAN)

Fraunhofer Institut für Offene Kommunikationssysteme (FOKUS)
Kompetenzzentrum eGovernment und Applikationen (ELAN)

Kaiserin-Augusta-Allee 31
10589 Berlin
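The innermost exception in the trace above comes from Apache XML Security's fragment resolver, which locates the element a "#id" reference points at through the DOM's own ID lookup. That lookup only works if the DOM knows the attribute holding the value is of type ID, and that knowledge is lost whenever content is parsed or re-created without a schema, which is exactly what can happen to the element tree of a freshly decrypted EncryptedAssertion. The following is an added, self-contained Java example (not code from this thread, from OpenSAML, or from the informationcard project) that reproduces this failure mode with the JDK's javax.xml.crypto.dsig API: it signs a constructed assertion with an enveloped signature over "#ID", serializes and re-parses the result, and validates it once without and once with the ID attribute registered as ID-typed. The class name IdReferenceDemo, the sample ID "_constructed-demo-id" and the sample issuer are constructed for the demo; it assumes JDK 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;

import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Constructed demo: why a same-document reference "#id" cannot be resolved
 *  when the DOM does not know that the ID attribute is ID-typed. */
public class IdReferenceDemo {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Constructed sample ID; not the value from the thread.
    private static final String ID = "_constructed-demo-id";

    static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML Signature processing
        return dbf.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return builder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** Builds a minimal constructed assertion and signs it with an enveloped signature over "#ID". */
    static String signedAssertion(KeyPair kp) throws Exception {
        Document doc = parse("<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\" ID=\"" + ID + "\">"
                + "<saml2:Issuer>constructed-issuer</saml2:Issuer></saml2:Assertion>");
        Element assertion = doc.getDocumentElement();
        // No schema was used, so the parser must be told that ID is an ID-typed attribute;
        // without this even signing cannot dereference "#...".
        assertion.setIdAttribute("ID", true);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + ID,
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        // No KeyInfo: the verifier below supplies the trusted key directly.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), assertion));
        return serialize(doc);
    }

    /** Validates the single signature in doc; returns "valid", "invalid", or the reference error. */
    static String validate(Document doc, PublicKey key, boolean registerIdAttribute) throws Exception {
        if (registerIdAttribute) {
            // Register only the attribute the SAML schema declares as ID, on the element we expect.
            doc.getDocumentElement().setIdAttribute("ID", true);
        }
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return "expected exactly one Signature element";
        }
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(key), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        try {
            return sig.validate(ctx) ? "valid" : "invalid";
        } catch (XMLSignatureException e) {
            // Dereferencing "#ID" failed: no element is registered under that ID in this DOM.
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            return "unresolvable reference: " + root.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String xml = signedAssertion(kp);

        // Re-parsing discards the ID-type marking, much like a freshly decrypted
        // EncryptedAssertion whose DOM was never schema-validated.
        System.out.println("without ID registration: " + validate(parse(xml), kp.getPublic(), false));
        System.out.println("with ID registration:    " + validate(parse(xml), kp.getPublic(), true));
    }
}
```

Whether this is what happens in the decrypted DOM of the case above can only be confirmed by inspecting that DOM, but it is the first thing to check when the same signed XML fails only after a decrypt-and-reconstruct step: the bytes are unchanged, the DOM's type information is not. Two practical caveats for verifier code: mark as ID only the attributes the schema actually declares as IDs (blanket-registering every attribute named ID or Id is what lets unrelated elements satisfy a reference), and after resolution confirm that the element the reference dereferenced to is the assertion root you are about to trust, not merely some element carrying the same ID value.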

