mace-opensaml-users - Re: [OpenSAML] RE: Digital signature not valid
Subject: OpenSAML user discussion
- From: Deena Gurajala <>
- To:
- Subject: Re: [OpenSAML] RE: Digital signature not valid
- Date: Fri, 28 Aug 2009 10:09:26 -0700
I modified the code to add KeyInfo. Even then it is working fine. Find the modified code.
assertion.setID("_k7722b88");
// The part below is the same
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
char[] password = "xxxxxx".toCharArray();
FileInputStream fis = new FileInputStream("c:/keystore/test.ks");
ks.load(fis, password);
fis.close();
char[] achKeyStorePass = password;
String keyAlias = "mytestkey";
PrivateKey pk = (PrivateKey) ks.getKey(keyAlias, achKeyStorePass);
X509Certificate certificate = (X509Certificate) ks.getCertificate(keyAlias);
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(certificate);
credential.setPrivateKey(pk);
// Below is the difference
SignatureBuilder signBldr = new SignatureBuilder();
Signature signature = signBldr.buildObject();
signature.setSigningCredential(credential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
// The message does not show how "keyinfo" was built; the three lines below are an
// editorial addition using OpenSAML 2's X509KeyInfoGeneratorFactory so the snippet compiles
X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
kiFactory.setEmitEntityCertificate(true);
KeyInfo keyinfo = kiFactory.newInstance().generate(credential);
signature.setKeyInfo(keyinfo);
assertion.setSignature(signature);
MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
Element element = marshaller.marshall(assertion);
// Signer.signObject takes the Signature object, not the assertion
Signer.signObject(signature);
The only difference between your code and my code is that yours does not add KeyInfo.
From: Deena Gurajala [mailto:]
Sent: Friday, August 28, 2009 12:32 PM
Subject: Re: [OpenSAML] RE: Digital signature not valid
To:
Hi,
I don't know whether you found the solution or not. The below code is working for me. Everything you and I are doing is the same except the way of building the signature. Please find the modified code below. I hope it works.
assertion.setID("_k7722b88");
// The part below is the same
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
char[] password = "xxxxxx".toCharArray();
FileInputStream fis = new FileInputStream("c:/keystore/test.ks");
ks.load(fis, password);
fis.close();
char[] achKeyStorePass = password;
String keyAlias = "mytestkey";
PrivateKey pk = (PrivateKey) ks.getKey(keyAlias, achKeyStorePass);
X509Certificate certificate = (X509Certificate) ks.getCertificate(keyAlias);
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(certificate);
credential.setPrivateKey(pk);
// Below is the difference
SignatureBuilder signBldr = new SignatureBuilder();
Signature signature = signBldr.buildObject();
signature.setSigningCredential(credential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
assertion.setSignature(signature);
MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
Element element = marshaller.marshall(assertion);
// Signer.signObject takes the Signature object, not the assertion
Signer.signObject(signature);
On Fri, Aug 28, 2009 at 8:40 AM, Scott Cantor <> wrote:
Ravi Balasubramanian wrote on 2009-08-28:
> Yes, it is the ID I set to assertion...
Then the xmlsec verifier doesn't know what IDs exist, which is not terribly
unusual. I suspect you're doing SAML 1 and would have to do SAML 2 to get
that online verifier to work by guessing that an attribute called ID is an
XML ID. Patently insecure, but that's common.
-- Scott
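As an added, self-contained illustration of the two points raised in this thread (a KeyInfo emitted alongside the signature, and Scott's remark that a verifier has to be told which attribute is the XML ID rather than guess it), here is example code that is not from the original messages and not OpenSAML's own code. It uses only the JDK's javax.xml.crypto.dsig API: it constructs a minimal SAML 2-style assertion carrying the thread's ID value, signs it with an enveloped signature and a KeyValue KeyInfo, serializes it, and then verifies the bytes three ways: without registering the ID attribute (the Reference cannot be resolved), with it registered (valid), and after tampering with the Issuer (digest mismatch). The namespace, Issuer value, class name and the "disallow-doctype-decl" parser feature are assumptions of this example; RSA-SHA256 is used instead of the thread's RSA-SHA1 because current JDK secure-validation policy rejects SHA-1 signatures.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class SamlIdRegistrationDemo {
    // Constructed sample values; the ID is the one used in the thread.
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String ASSERTION_ID = "_k7722b88";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] signed = signAssertion(buildAssertion(), kp);

        // A verifier that has not been told which attribute is the XML ID cannot resolve the
        // Reference URI "#_k7722b88"; on a current JDK nothing is guessed, validation just fails.
        try {
            System.out.println("without ID registration: " + verify(signed, kp, false));
        } catch (XMLSignatureException e) {
            System.out.println("without ID registration: " + e.getMessage());
        }
        System.out.println("with ID registration: " + verify(signed, kp, true));
        // Same bytes with the Issuer altered after signing: Reference digest mismatch.
        byte[] tampered = new String(signed, StandardCharsets.UTF_8)
                .replace("idp.example.invalid", "other.example.invalid").getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered: " + verify(tampered, kp, true));
    }

    static Document buildAssertion() throws Exception {
        String xml = "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\" ID=\"" + ASSERTION_ID
                + "\" Version=\"2.0\"><saml:Issuer>https://idp.example.invalid</saml:Issuer></saml:Assertion>";
        return parse(xml.getBytes(StandardCharsets.UTF_8));
    }

    static Document parse(byte[] bytes) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // No DOCTYPE: a DTD could otherwise declare ID attributes (or entities) of its own choosing.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(bytes));
    }

    static byte[] signAssertion(Document doc, KeyPair kp) throws Exception {
        Element assertion = doc.getDocumentElement();
        assertion.setIdAttribute("ID", true); // the signer has to resolve "#ID" as well
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + ASSERTION_ID, fac.newDigestMethod(DigestMethod.SHA256, null),
                Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                        fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        // KeyInfo carrying the public key: the piece the thread's "Below is the difference" block adds.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        // The two-argument context appends ds:Signature as last child, i.e. directly after saml:Issuer.
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), assertion);
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, ki).sign(ctx);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    // Verifies with a key the relying party already trusts. The KeyInfo inside the message is never
    // used to choose the key; it only records which key the signer claims to have used.
    static boolean verify(byte[] xml, KeyPair kp, boolean registerId) throws Exception {
        Document doc = parse(xml); // fresh parse: ID-ness never survives serialization
        Element assertion = doc.getDocumentElement();
        if (registerId) assertion.setIdAttribute("ID", true); // explicit, schema-backed, not a guess
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) {
            return false; // exactly one Signature, and it must be enveloped in the assertion itself
        }
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sigs.item(0));
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc);
        boolean valid = sig.validate(vc);
        // Bind the verified Reference to the element being trusted: a valid signature over some
        // other element in the document must not be taken as covering this assertion.
        Reference ref = (Reference) sig.getSignedInfo().getReferences().get(0);
        return valid && sig.getSignedInfo().getReferences().size() == 1
                && ("#" + assertion.getAttribute("ID")).equals(ref.getURI());
    }
}
```

Compile and run with `javac SamlIdRegistrationDemo.java && java SamlIdRegistrationDemo`; no library beyond the JDK is needed. The `registerId=false` branch is the situation Scott describes: the verifier only knows an attribute is an XML ID if the parser, a schema, or explicit `setIdAttribute` says so. Treating any attribute spelled "ID" as one is the guess he calls insecure; this example instead makes the decision in the verifier, and additionally checks that the single validated Reference points at the assertion it is about to trust.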