mace-opensaml-users - Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
  • From: lakshmi narasimhan <>
  • To:
  • Subject: Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
  • Date: Wed, 6 Jan 2010 19:55:29 +0000

Hello!
 
I dug deep and found out that the API is throwing the error message at this point:
 
    if (!sa.verify(sigBytes)) {
        log.warn("Signature verification failed.");
        return false;
    }
in the source code below:
 
 
public boolean checkSignatureValue(Key pk) throws XMLSignatureException {
    //COMMENT: pk suggests it can only be a public key?
    //check to see if the key is not null
    if (pk == null) {
        Object exArgs[] = { "Didn't get a key" };
        throw new XMLSignatureException("empty", exArgs);
    }
    try {
        SignedInfo si = this.getSignedInfo();
        //create a SignatureAlgorithms from the SignatureMethod inside
        //SignedInfo. This is used to validate the signature.
        SignatureAlgorithm sa = si.getSignatureAlgorithm();
        if (log.isDebugEnabled()) {
            log.debug("SignatureMethodURI = " + sa.getAlgorithmURI());
            log.debug("jceSigAlgorithm = " + sa.getJCEAlgorithmString());
            log.debug("jceSigProvider = " + sa.getJCEProviderName());
            log.debug("PublicKey = " + pk);
        }
        byte sigBytes[] = null;
        try {
            sa.initVerify(pk);
            // Get the canonicalized (normalized) SignedInfo
            SignerOutputStream so = new SignerOutputStream(sa);
            OutputStream bos = new UnsyncBufferedOutputStream(so);
            si.signInOctectStream(bos);
            bos.close();
            // retrieve the byte[] from the stored signature
            sigBytes = this.getSignatureValue();
        } catch (IOException ex) {
            // Impossible...but clear the verification cache anyway
            sa.clearVerificationCache();
        } catch (XMLSecurityException ex) {
            sa.clearVerificationCache();
            throw ex;
        }
        // *************************  Execution is failing at this point  *************************
        // have SignatureAlgorithm sign the input bytes and compare them to
        // the bytes that were stored in the signature.
        if (!sa.verify(sigBytes)) {
            log.warn("Signature verification failed.");
            return false;
        }

        return si.verify(this._followManifestsDuringValidation);
    } catch (XMLSignatureException ex) {
        throw ex;
    } catch (XMLSecurityException ex) {
        throw new XMLSignatureException("empty", ex);
    }
}
 
I've been trying to figure out why this (signature-bytes comparison failure) is happening, but couldn't make it out yet. Could someone please help me out?
 
Thanks,
Laks.
 
On Wed, Jan 6, 2010 at 3:54 PM, Scott Cantor <> wrote:
> Thanks for the quick response! I enabled logging for the given category.
> However, I am still not able to see the Digest value in the logs. Here is
> the log I'm seeing:

It probably fails when it's digesting SignedInfo, it's not bothering with
the Reference.

-- Scott
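The checkSignatureValue code quoted above does two separate checks in a fixed order: first the SignatureValue is verified against the canonicalized SignedInfo (sa.verify), and only if that passes are the per-Reference digests checked (si.verify). A failure at the first step therefore tells you nothing about the Reference digests, and the debug log at that point shows only the algorithm URIs and the key. The following is an added example, not code from this thread or from OpenSAML/Santuario; it uses only the JDK's built-in javax.xml.crypto.dsig API (Java 11 or later is assumed for readAllBytes), signs a constructed document, and then runs the two checks separately so that the failing half and the exact canonicalized SignedInfo bytes being hashed are printed. The document, namespace, key pairs, and the "tamper" steps are all constructed for illustration.

```java
// Added diagnostic example (not OpenSAML/Santuario code). Assumes Java 11+ and only JDK APIs.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class DsigDiagnose {
    private static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private static final String NS = "urn:example:constructed"; // constructed namespace

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML-DSig requires a namespace-aware DOM
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        return dbf.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Enveloped RSA-SHA256 signature over the document element. */
    static void sign(Document doc, KeyPair kp) throws Exception {
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    /** Core validation first; on failure, check the SignatureValue and each Reference separately. */
    static boolean diagnose(Document doc, PublicKey key) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) throw new IllegalStateException("expected exactly one Signature");
        DOMValidateContext ctx = new DOMValidateContext(key, nl.item(0));
        XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) { System.out.println("core validation OK"); return true; }

        // Step 1: SignatureValue over canonicalized SignedInfo (sa.verify in the quoted code).
        System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
        InputStream c14n = sig.getSignedInfo().getCanonicalizedData(); // populated by validate()
        if (c14n != null) {
            System.out.println("canonicalized SignedInfo that was hashed:\n"
                    + new String(c14n.readAllBytes(), StandardCharsets.UTF_8));
        }
        // Step 2: each Reference digest (si.verify in the quoted code), stored vs. recomputed.
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            boolean ok = r.validate(ctx); // recomputes the digest if not already validated
            Base64.Encoder b64 = Base64.getEncoder();
            System.out.println("Reference '" + r.getURI() + "' valid: " + ok
                    + " stored=" + b64.encodeToString(r.getDigestValue())
                    + " computed=" + b64.encodeToString(r.getCalculatedDigestValue()));
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair good = kpg.generateKeyPair(), other = kpg.generateKeyPair(); // constructed keys
        Document doc = parse("<Assertion xmlns=\"" + NS + "\" ID=\"a1\"><Subject>alice</Subject></Assertion>");
        sign(doc, good);

        System.out.println("--- untouched document, signer's key");
        diagnose(doc, good.getPublic());
        System.out.println("--- untouched document, wrong key: SignatureValue fails, Reference still passes");
        diagnose(doc, other.getPublic());
        System.out.println("--- content edited after signing: SignatureValue passes, Reference fails");
        ((Element) doc.getElementsByTagNameNS(NS, "Subject").item(0)).setTextContent("mallory");
        diagnose(doc, good.getPublic());
    }
}
```

The second run is the case the thread is about: the Reference digests are fine, but the SignatureValue does not verify under the key handed to the verifier, which is exactly what the "PublicKey = " debug line in checkSignatureValue is there to let you check. The third run is the opposite failure, a modified payload, and is only distinguishable from the first once you look at the Reference step on its own. Printing the canonicalized SignedInfo is the quickest way to see whether the verifier is hashing the bytes you expect (for example a different canonicalization method or namespace context than the signer used).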