mace-opensaml-users - Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0


  • From: lakshmi narasimhan <>
  • Subject: Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
  • Date: Thu, 21 Jan 2010 23:56:13 +0000
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=fD4qcZ0wTwFNebx03WMaPNIbhheopxPn8vEPn/tKA9ycPzDUJ/1hesgoIMTB3mM54T CUsLLY52nwEYrflcyEjiZFKXcU70vD/uhcPo7REw5577dQQV+P29Q4EWuhNTwcn9eUH/ wSjykg2EFL0HWZ8w/+42pFO+85n953Ww7UwDM=

Hello,
 
Thanks for this suggestion. I'll try using these tools to figure out what is changing between signing and verification. In my case, we, as the service provider, have developed Java code using OpenSAML 2.0. The identity provider on the other end has converted the OpenSAML API into Python and is using this code to generate the assertion.
 
We have also developed Java code to generate an assertion from our side too, so we can generate and test our own assertions before receiving the one sent by the identity provider.
 
As of now, we are able to validate our own assertion successfully. However, when the identity provider sends a very similar assertion which uses the same private key as we use, the assertion fails during the signature validation step (please refer to the code snippet below). The logs for both cases are almost the same until the point where signature validation happens. At this point, the logging just stops and throws a warning saying 'Signature verification failed'.
 
 
I was wondering if there is a way to find out what is failing at this point:
 
if (!sa.verify(sigBytes)) {
    log.warn("Signature verification failed.");
    return false;
}

I'm not sure how to turn on additional logging for the checkSignatureValue method in the XMLSignature class. Could someone please help with a suggestion? This is a bit urgent, so any quick response would be very much appreciated.
 
Thanks in Advance,
Laks.
 
On Wed, Jan 6, 2010 at 8:07 PM, Scott Cantor <> wrote:
lakshmi narasimhan wrote on 2010-01-06:
> I've been trying to figure out why this (signature bytes comparison
> failure) is happening, but couldn't make it out yet. Could someone
> please help me out?

All that's known is what I already told you. You need to determine what's
changing between signing and verification and why.

There are numerous tools like Oxygen and online verifiers like Aleksey
Sanin's that will prove to you whether the message is actually bad and that
this isn't about the code.

Welcome to signatures.

-- Scott
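The snippet quoted in the message above is the point inside Apache Santuario (the XML Security library OpenSAML 2.0 builds on) where the SignatureValue is compared against the canonicalised SignedInfo. A signature can fail either because one of the Reference digests no longer matches the signed content, or because the SignatureValue itself does not verify (SignedInfo changed after signing, or a different key was used). The following added example, written for this thread and not code from the original post or from the OpenSAML project, checks those two halves separately using the public Santuario API so the failing half can be identified before looking at the message with an external verifier. It assumes the caller already holds the verification PublicKey and the signed assertion as a file; the class name SignatureDebug and method name diagnose are hypothetical.

```java
import java.io.File;
import java.security.PublicKey;
import java.util.Base64;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical helper class for isolating which part of an XML signature fails.
public class SignatureDebug {

    /**
     * Verifies each Reference digest and the SignatureValue independently and
     * prints which one fails. Returns true only when everything verifies.
     *
     * @param signedXml        the signed assertion (assumed to be on disk)
     * @param verificationKey  the public key the signer is expected to have used
     */
    public static boolean diagnose(File signedXml, PublicKey verificationKey) throws Exception {
        Init.init(); // Santuario must be initialised before any signature work

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this, ds:Signature is never found
        Document doc = dbf.newDocumentBuilder().parse(signedXml);

        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        if (sigs.getLength() == 0) {
            System.out.println("No ds:Signature element found in " + signedXml);
            return false;
        }
        XMLSignature signature =
            new XMLSignature((Element) sigs.item(0), signedXml.toURI().toString());
        SignedInfo signedInfo = signature.getSignedInfo();

        // Half 1: each Reference's DigestValue against the canonicalised content.
        // A mismatch here means the signed content (or its transforms) changed
        // between signing and verification; the key is not involved yet.
        boolean allReferencesOk = true;
        for (int i = 0; i < signedInfo.getLength(); i++) {
            Reference ref = signedInfo.item(i);
            boolean ok = ref.verify();
            System.out.println("Reference URI=" + ref.getURI()
                + " digest " + (ok ? "matches" : "DOES NOT MATCH"));
            if (!ok) {
                System.out.println("  DigestValue carried in message: "
                    + Base64.getEncoder().encodeToString(ref.getDigestValue()));
                allReferencesOk = false;
            }
        }

        // Half 2: the SignatureValue over the canonicalised SignedInfo.
        // Note that checkSignatureValue re-verifies the references first, so
        // only read this result as "SignedInfo or key problem" when Half 1 passed.
        boolean signatureValueOk = signature.checkSignatureValue(verificationKey);
        System.out.println("SignatureValue (" + signedInfo.getSignatureMethodURI() + ") "
            + (signatureValueOk ? "verifies" : "DOES NOT VERIFY") + " with the supplied key");

        return allReferencesOk && signatureValueOk;
    }
}
```

If every Reference digest matches but the SignatureValue does not, the content is intact and the difference lies in the canonicalised SignedInfo bytes or in the key pair: compare the canonicalisation and signature method URIs in SignedInfo on both sides, and confirm the verification key actually corresponds to the signer's private key. Santuario also logs its verification steps through commons-logging under logger names beginning with org.apache.xml.security, so raising that logger to DEBUG in the logging configuration is the quickest way to get more detail than the single "Signature verification failed" line.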

Archive powered by MHonArc 2.6.16.