mace-opensaml-users - Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
Subject: OpenSAML user discussion
List archive
Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
Chronological Thread
- From: lakshmi narasimhan <>
- To: Brent Putman <>
- Cc:
- Subject: Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0
- Date: Fri, 22 Jan 2010 00:49:34 +0000
- Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=gWL7vC1ZXqcytkGl5BfRCJjhdT9pBZkGDzGLTCRNj6+kLdPcTlK02NUjbCyNEWBeAk Js3nqJXajXm2Sr8cutz4eFTffNWRkSJYoiAOv1rsGfdUJZf+VTrEp7afVsFl8nwv+Uo0 IeG5Za7YALMqL0fhystvFfw71e56WFPTCbBSU=
Thanks a ton Brent for such a quick response. This is very handy! Will check out both the possibilities.
-Laks.
On Fri, Jan 22, 2010 at 12:45 AM, Brent Putman <> wrote:
In that case, one might obviously suspect that there is a bug in their Python XML signature impl (especially if they've coded it themselves), or at least in how they are wielding it.
On 1/21/10 6:56 PM, lakshmi narasimhan wrote:
As of now, we are able to validate our own assertion successfully. However, when the identity provider sends a very similar assertion which uses the same Private key as we use, the assertion fails during the signature validation step(please refer to the code snippet below). The logs for both the cases, are almost the same until the point where Signature validation happens.I can't remember if Scott already noted these or not in this thread, but important log info can be gotten by setting these log categories to DEBUG:
I was wondering if there is a way to find out what is failing at this point:if (!sa.verify(sigBytes)) {
log.warn("Signature verification failed.");
return false;
}
org.apache.xml.security.signature - the main XMLSignature related classes
org.apache.xml.security.utils.DigesterOutputStream - represents the Reference data to be digested
org.apache.xml.security.utils.SignerOutputStream - represents the SignedInfo data to be signed
Or you could just go crazy and set all of org.apache.xml.security to DEBUG, that way you'll get pretty much everything.
Most likely, all of that is going to tell you that the verification of the Reference is failing. And that's most likely either because: 1) the data really is being modified somewhere after they sign it and before you validate it, for example in the transmission process or serialization/de-serialization step (pretty printing, etc), or 2) their software has a bug, very possibly around how they calculate the canonicalized data over which they are computing the signature. For the latter, you want to look at the DEBUG log output of that org.apache.xml.security.utils.DigesterOutputStream category, and compare with similar data they generate on their side.
- Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/05/2010
- RE: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, Scott Cantor, 01/05/2010
- Message not available
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/06/2010
- RE: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, Scott Cantor, 01/06/2010
- Message not available
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/06/2010
- RE: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, Scott Cantor, 01/06/2010
- Message not available
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/21/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, Brent Putman, 01/21/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/21/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/21/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/06/2010
- Re: [OpenSAML] Digest/Signature value logging at Receiver's side - OpenSAML 2.0, lakshmi narasimhan, 01/06/2010
Archive powered by MHonArc 2.6.16.