Skip to Content.
Sympa Menu

mace-opensaml-users - Re: [OpenSAML] RE: Digital signature not valid

Subject: OpenSAML user discussion

List archive

Re: [OpenSAML] RE: Digital signature not valid


Chronological Thread 
  • From: Deena Gurajala <>
  • To:
  • Subject: Re: [OpenSAML] RE: Digital signature not valid
  • Date: Fri, 28 Aug 2009 10:09:26 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=ZKzwDQeAl+qUh4H9mh9Ig7Z8DaRgiKsresupJqcgR+uHmmVUjqj0nYuJGQReI0J8Do zEoAMv4vX3HOAHBTlhGzrEitpi0N7devkZyyRDT/Asn3C4FASl4hawuJPfklx8LnLzfF 3QE1zKjXNUnAOKIkJwWEnY22+BQKZWgv1CPb4=

I modified the to add keyInfo. Even then it is working fine. Find the modified code.

assertion.setID("_k7722b88");

    

// This below part is same is same
         KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

             char[] password = "xxxxxx".toCharArray();

             FileInputStream fis = new FileInputStream("c:/keystore/test.ks");

             ks.load(fis, password);

             fis.close();

             char[] achKeyStorePass = password;

             String keyAlias = "mytestkey";

             PrivateKey pk =  (PrivateKey) ks.getKey(keyAlias,achKeyStorePass);

             X509Certificate certificate = (X509Certificate) ks.getCertificate(keyAlias);

             BasicX509Credential credential = new BasicX509Credential();

             credential.setEntityCertificate(certificate);

             credential.setPrivateKey(pk);

//Below is the difference


            SignatureBuilder signBldr=new SignatureBuilder();
            Signature signature = signBldr.buildObject();

            signature.setSigningCredential(credential);

            signature
                    .setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);

            signature
                    .setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

signature.setKeyInfo(keyinfo);
       assertion.setSignature(signature);

           MarshallerFactory marshallerFactory = Configuration
                    .getMarshallerFactory();
            Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
            element = marshaller.marshall(assertion);
           
            Signer.signObject(assertion);


On Fri, Aug 28, 2009 at 9:40 AM, Ravi Balasubramanian <> wrote:

Only difference between your code and my code, yours does not add KeyInfo.

 


From: Deena Gurajala [mailto:]
Sent: Friday, August 28, 2009 12:32 PM


To:
Subject: Re: [OpenSAML] RE: Digital signature not valid

 

Hi,

I don't you found the solution or not. Thebelow code is working for me. Everything you and I are doing the sma except the way building the signature. Please find the modified code below. I hope it works.


 
        assertion.setID("_k7722b88");

    

// This below part is same is same
         KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

             char[] password = "xxxxxx".toCharArray();

             FileInputStream fis = new FileInputStream("c:/keystore/test.ks");

             ks.load(fis, password);

             fis.close();

             char[] achKeyStorePass = password;

             String keyAlias = "mytestkey";

             PrivateKey pk =  (PrivateKey) ks.getKey(keyAlias,achKeyStorePass);

             X509Certificate certificate = (X509Certificate) ks.getCertificate(keyAlias);

             BasicX509Credential credential = new BasicX509Credential();

             credential.setEntityCertificate(certificate);

             credential.setPrivateKey(pk);

//Below is the difference


            SignatureBuilder signBldr=new SignatureBuilder();
            Signature signature = signBldr.buildObject();

            signature.setSigningCredential(credential);

            signature
                    .setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);

            signature
                    .setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

       assertion.setSignature(signature);

           MarshallerFactory marshallerFactory = Configuration
                    .getMarshallerFactory();
            Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
            element = marshaller.marshall(assertion);
           
            Signer.signObject(assertion);


On Fri, Aug 28, 2009 at 8:40 AM, Scott Cantor <> wrote:

Ravi Balasubramanian wrote on 2009-08-28:

> Yes, it is the ID I set to assertion...

Then the xmlsec verifier doesn't know what IDs exist, which is not terribly
unusual. I suspect you're doing SAML 1 and would have to do SAML 2 to get
that online verifier to work by guessing that an attribute called ID is an
XML ID. Patently insecure, but that's common.

-- Scott


 





Archive powered by MHonArc 2.6.16.

Top of Page