mace-opensaml-users - Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
- From: Brent Putman <>
- Cc: lakshmi narasimhan <>
- Subject: Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
- Date: Thu, 21 Jan 2010 19:45:39 -0500
On 1/21/10 6:56 PM, lakshmi narasimhan wrote:

> As of now, we are able to validate our own assertion successfully. However, when the identity provider sends a very similar assertion which uses the same private key as we use, the assertion fails during the signature validation step (please refer to the code snippet below). The logs for both the cases are almost the same until the point where Signature validation happens.

In that case, one might obviously suspect that there is a bug in their Python XML signature impl (especially if they've coded it themselves), or at least in how they are wielding it.
I can't remember if Scott already noted these or not in this thread, but important log info can be gotten by setting these log categories to DEBUG:

- org.apache.xml.security.signature - the main XMLSignature related classes
- org.apache.xml.security.utils.DigesterOutputStream - represents the Reference data to be digested
- org.apache.xml.security.utils.SignerOutputStream - represents the SignedInfo data to be signed

Or you could just go crazy and set all of org.apache.xml.security to DEBUG, that way you'll get pretty much everything.

Most likely, all of that is going to tell you that the verification of the Reference is failing. And that's most likely either because:

1) the data really is being modified somewhere after they sign it and before you validate it, for example in the transmission process or serialization/de-serialization step (pretty printing, etc), or

2) their software has a bug, very possibly around how they calculate the canonicalized data over which they are computing the signature.

For the latter, you want to look at the DEBUG log output of that org.apache.xml.security.utils.DigesterOutputStream category, and compare with similar data they generate on their side.
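The same comparison can be pulled out in code instead of from DEBUG logs. The example below is added here and is not from the thread or from OpenSAML; it uses the JDK's javax.xml.crypto.dsig API (a different API from the org.apache.xml.security classes OpenSAML 2 wraps, but it exposes the same per-Reference data those log categories print). It assumes the caller supplies the sender's public key, that the signed element is the document root, and that its ID attribute is named "ID" as in SAML 2.0.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Base64;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class ReferenceDebug {

    /** Validates the first ds:Signature in the document and prints, per Reference,
     *  the DigestValue the signer sent, the digest computed on this side, and the
     *  exact canonicalized bytes that were digested (the DigesterOutputStream data). */
    public static void dump(InputStream assertionXml, PublicKey signerKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // XML-DSig does not work on a non-namespace-aware DOM
        Document doc = dbf.newDocumentBuilder().parse(assertionXml);
        // Assumption: signed element is the root and its ID attribute is "ID" (SAML 2.0);
        // registering it as an ID attribute lets a "#id" Reference URI resolve.
        doc.getDocumentElement().setIdAttributeNS(null, "ID", true);

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalStateException("no ds:Signature found");

        DOMValidateContext ctx = new DOMValidateContext(signerKey, sigs.item(0));
        // Keep the pre-digest data so it can be inspected after validation.
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);

        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        System.out.println("core validation: " + sig.validate(ctx));
        // Separate the two failure points: SignatureValue over SignedInfo vs. Reference digests.
        System.out.println("SignatureValue ok: " + sig.getSignatureValue().validate(ctx));

        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) o;
            Base64.Encoder b64 = Base64.getEncoder();
            System.out.println("Reference URI=" + ref.getURI() + " ok=" + ref.validate(ctx));
            System.out.println("  expected digest:   " + b64.encodeToString(ref.getDigestValue()));
            System.out.println("  calculated digest: " + b64.encodeToString(ref.getCalculatedDigestValue()));
            // Diff these bytes against what the sender canonicalized to locate the discrepancy.
            byte[] digested = readAll(ref.getDigestInputStream());
            System.out.println("  digested data:\n" + new String(digested, StandardCharsets.UTF_8));
        }
    }

    private static byte[] readAll(InputStream in) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) > 0; ) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }
}
```

A mismatch between the two digests with a valid SignatureValue points at the Reference data (case 1 or 2 above); a matching digest with an invalid SignatureValue points at SignedInfo canonicalization or the key itself.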