mace-opensaml-users - Re: [OpenSAML] SAML signature validation

Subject: OpenSAML user discussion

Re: [OpenSAML] SAML signature validation


  • From: murali mca <>
  • To:
  • Subject: Re: [OpenSAML] SAML signature validation
  • Date: Fri, 20 Nov 2009 04:19:48 +0530 (IST)

Hi
 
Thanks for the response.
Got this fixed after adding the Enveloped signature transform (<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>) to the SAML assertion, and now I am able to verify the signature for DoS attacks using SAMLSignatureProfileValidator.
 
However, I am getting "null pointer exception" while retrieving the Credential (signatureToValidate.getSigningCredential();) from signature.
 
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

// Validating the signature cryptographically
Signature signatureToValidate = assertion.getSignature();
// getSigningCredential() is only populated on a Signature that OpenSAML built for signing;
// on a Signature unmarshalled from received XML it is null, so the validator below has no key.
Credential verificationCredential = signatureToValidate.getSigningCredential();
SignatureValidator sigValidator = new SignatureValidator(verificationCredential);
try {
    sigValidator.validate(signatureToValidate);
} catch (ValidationException e) {
    e.printStackTrace();
}
I can see <X509Data><X509Certificate> in my signature. Please help me with how to retrieve the credential/public key from the X509 cert and validate the signature. Correct me if the above code is wrong.
 
Below is the SAML:
<Signature>
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#1bc6d017-f9bd-4333-a618-a73cd4ea51ac">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>0qnKCEgW2h7yX/1UfkngJXGXxPk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>vgefKC1BZXTeNjUEqU1aGvBfn1HD2WfanLwQPbBd0ywekp7c82plARfaB+fIxrqb6m9wj9bR8MfWkj4vKBxvRA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDPTCCAuegAwIBAgIJAK3Eu7cvpbf4MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
VQQGEwJHQjEQMA4GA1UECBMHTm9yZm9sazEQMA4GA1UEBxMHTm9yd2ljaDESMBAG
A1UEChMJQXZpZA6zIc=.......</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
 
 
Thanks for your help
Murali
--- On Thu, 19/11/09, Brent Putman <> wrote:

From: Brent Putman <>
Subject: Re: [OpenSAML] SAML signature validation
To:
Date: Thursday, 19 November, 2009, 5:29 AM



murali mca wrote:

> 18-Nov-2009 22:40:17
> org.opensaml.security.SAMLSignatureProfileValidator validateTransforms
> SEVERE: Signature was missing the required Enveloped signature transform
> org.opensaml.xml.validation.ValidationException: Transforms did not
> contain the required envelope

The error's pretty self-explanatory, the Signature doesn't contain the
Enveloped transform.  The SAMLSignatureProfileValidator requires that.
If someone is sending you the signature, you need to get them to fix
it.  If you are generating the signature, well, you're doing something
wrong.  See the wiki below for info on how to sign with OpenSAML.

However, just to check since you said you are trying "to verify the
signature in SAML" - realize that the SAMLSignatureProfileValidator does
not cryptographically verify the signature.  Its purpose is just to
validate certain constraints of the SAML signature profile, before
actually doing the crypto.  That's to prevent certain kinds of DoS
attacks against the verifier.

If you actually want to cryptographically verify the signature itself,
see the user's manual signature wiki page:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG
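The two-step check Brent describes (profile validation first, then the cryptographic check with a key the verifier already trusts), written out as an added example for OpenSAML 2.x. This is not code from the thread or from the OpenSAML project; the truststore file `idp-trust.jks`, its password, the alias `idp-signing` and the input file `assertion.xml` are assumptions for illustration. The verification key is taken from the trusted certificate, not from the `<X509Certificate>` the sender embedded in `<KeyInfo>`: a signature that verifies against a key the sender chose proves nothing.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

public class AssertionSignatureCheck {

    /** Unmarshal a received assertion; the DOM it was parsed from is what the signature is checked over. */
    static Assertion parse(FileInputStream in) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Element root = pool.parse(in).getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        return (Assertion) um.unmarshall(root);
    }

    /** Throws ValidationException unless the assertion carries a valid signature made with trustedCert's key. */
    static void verify(Assertion assertion, X509Certificate trustedCert) throws Exception {
        Signature sig = assertion.getSignature();
        if (sig == null) {
            throw new ValidationException("assertion is not signed");
        }

        // 1. Profile constraints (enveloped transform, Reference URI equal to the assertion ID, ...)
        //    before any cryptography. This is the step the post above already has working.
        new SAMLSignatureProfileValidator().validate(sig);

        // 2. Verification key from a certificate obtained out of band (metadata or a truststore),
        //    never from the KeyInfo in the message being verified.
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(trustedCert);
        new SignatureValidator(cred).validate(sig);

        // 3. The certificate carried in KeyInfo is informational only; a mismatch is worth logging.
        if (sig.getKeyInfo() != null) {
            List<X509Certificate> carried = KeyInfoHelper.getCertificates(sig.getKeyInfo());
            if (!carried.isEmpty()
                    && !Arrays.equals(carried.get(0).getEncoded(), trustedCert.getEncoded())) {
                System.err.println("warning: KeyInfo certificate is not the trusted certificate");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();  // registers the SAML/XMLSig builders and unmarshallers; once per JVM

        // Hypothetical truststore holding the IdP signing certificate (assumed path, password, alias).
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("idp-trust.jks"), "changeit".toCharArray());
        X509Certificate idpCert = (X509Certificate) ks.getCertificate("idp-signing");

        // Hypothetical file containing the received assertion.
        Assertion assertion = parse(new FileInputStream("assertion.xml"));
        try {
            verify(assertion, idpCert);
            System.out.println("signature OK, signed by " + idpCert.getSubjectX500Principal());
        } catch (ValidationException e) {
            System.out.println("signature REJECTED: " + e.getMessage());
        }
    }
}
```

Two caveats a verifier should keep in mind. The SignatureValidator works on the XML signature object attached during unmarshalling, so the Assertion passed in must be the one produced from the received DOM; an assertion rebuilt with the object builders and re-marshalled has no signature to check. And a valid signature only establishes who signed the assertion: the Issuer, the Conditions (NotBefore/NotOnOrAfter, AudienceRestriction) and the subject confirmation data still have to be checked separately before the assertion is acted on.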



