mace-opensaml-users - Digest/Signature value logging at Receiver's side - OpenSAML 2.0
Subject: OpenSAML user discussion
- From: lakshmi narasimhan <>
- Subject: Digest/Signature value logging at Receiver's side - OpenSAML 2.0
- Date: Tue, 5 Jan 2010 23:16:30 +0000
Hello all,
We are using OpenSAML 2.0 for creating and validating SAML assertions. When we (receiver/validator) generate the assertion on our own side, we are able to validate the signature successfully using our OpenSAML validation code. However, when the sender sends a similar assertion to us, we get the following exception:
05-Jan-2009 20:53:11 org.apache.xml.security.signature.Reference verify
WARNING: Verification failed for URI "#afdg3vce"
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
at com.aviva.tam.pmi.ValidateSAML2Signature.signatureValidator(ValidateSAML2Signature.java:168)
at org.apache.jsp.service_005fprovider_jsp._jspService(service_005fprovider_jsp.java:241)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:196)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
at java.lang.Thread.run(Unknown Source)
We are sure we are using the correct public key for validating the signature (we verified the public key successfully against the signature value and the original assertion content using the OpenSSL utility). It could be that we are getting a different digest value from the one computed at the sender's side. However, we are not able to find out how to turn on logging to capture the digest value that gets computed at our end (the receiving side). We would like to see the actual digest value that gets computed as a result of canonicalizing the message we receive.
Can someone please guide us on how best we can achieve this and also what loggers need to be enabled? Any help would be gratefully received.
Thanks in advance,
Laks.
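A receiver-side digest check, added here as an example (not from the post above and not OpenSAML's own code): it recomputes the digest the verifier computes for the assertion's ds:Reference and prints the canonical bytes next to both digest values, so a mismatch can be attributed to canonicalization rather than to the key. It assumes the usual SAML 2.0 signing profile (enveloped-signature transform, exclusive C14N without an InclusiveNamespaces PrefixList, SHA-1) and xmlsec 1.4.x on the classpath; the "Verification failed" WARNING in the trace is emitted by org.apache.xml.security.signature.Reference, so the org.apache.xml.security logger is the one to raise to DEBUG in the logging configuration.

```java
// Added diagnostic (not from the original post, not OpenSAML's own code): recompute the
// digest the receiver-side verifier computes for the assertion's own ds:Reference.
// Assumes: enveloped-signature transform + exclusive C14N (no PrefixList) + SHA-1,
// and Apache xmlsec 1.4.x (the Santuario version OpenSAML 2.x ships with).
import java.io.File;
import java.security.MessageDigest;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class DigestCheck {
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // a non-namespace-aware parse yields different canonical bytes
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0])); // assertion as received

        Element assertion = doc.getDocumentElement();
        assertion.setIdAttribute("ID", true); // lets a "#<ID>" reference resolve via getElementById

        Element ref = (Element) doc.getElementsByTagNameNS(DS_NS, "Reference").item(0);
        String uri = ref.getAttribute("URI");
        String expected = ref.getElementsByTagNameNS(DS_NS, "DigestValue").item(0)
                             .getTextContent().trim();

        // Enveloped-signature transform: the ds:Signature element is excluded from the digest input
        Element target = doc.getElementById(uri.substring(1));
        Element sig = (Element) target.getElementsByTagNameNS(DS_NS, "Signature").item(0);
        sig.getParentNode().removeChild(sig);

        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        byte[] canonical = c14n.canonicalizeSubtree(target);
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(canonical);
        String actual = Base64.encode(digest);

        // The canonical bytes and the recomputed digest are exactly what the post asks to see
        System.out.println("Canonical form:\n" + new String(canonical, "UTF-8"));
        System.out.println("DigestValue in message : " + expected);
        System.out.println("DigestValue recomputed : " + actual);
        System.out.println(expected.equals(actual) ? "digest matches" : "digest MISMATCH");
    }
}
```

If the recomputed digest matches the one in the message but the signature still fails, the problem lies in the SignedInfo canonicalization or the key rather than the reference; if it differs, compare the printed canonical form with what the sender signed (namespace declarations and whitespace are the usual culprits).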
- Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/05/2010
- RE: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, Scott Cantor, 01/05/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/06/2010
- RE: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, Scott Cantor, 01/06/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/06/2010
- RE: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, Scott Cantor, 01/06/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/21/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, Brent Putman, 01/21/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/21/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/21/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/06/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/06/2010