
mace-opensaml-users - SAMLResponse signature verification

Subject: OpenSAML user discussion

  • Subject: SAMLResponse signature verification
  • Date: Tue, 2 Mar 2010 04:16:26 -0500 (EST)

Hello,

I have to verify the signature of a signed SAMLResponse.

I obtain the exception:
org.opensaml.xml.validation.ValidationException: Signature did not validate
against the credential's key

The credential used (X509 certificate) is the correct one.
With debug logging enabled for org.apache.xml.security.utils, I obtain:
[org.apache.xml.security.utils.DigesterOutputStream] Pre-digested input:
[org.apache.xml.security.utils.DigesterOutputStream] <samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Destination="https://comptePS/ACS" ID="_6bf020b4-2334-11df-833b-d91e3055817a"
IssueInstant="2010-02-27T00:09:50Z" Version="2.0"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:interops:samu:1.0</saml:Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
</samlp:Status>
</samlp:Response>
[org.apache.xml.security.signature.Reference] Verification failed for URI
"#_6bf020b4-2334-11df-833b-d91e3055817a"
[org.apache.xml.security.signature.Reference] Expected Digest:
oju8vu1ZMmqMfYMU4uJHT9sdPmQ=
[org.apache.xml.security.signature.Reference] Actual Digest:
lCMYYIs+Pv0q2II32b1s7EXgS2Q=
[org.apache.xml.security.signature.Manifest] The Reference has Type


ONLY the saml:Issuer is included in pre-digest input. The saml assertion is
not complete.

The signature URI is #_6bf020b4-2334-11df-833b-d91e3055817a and
_6bf020b4-2334-11df-833b-d91e3055817a is the ID of the Response including the
assertion.

The document is:
<samlp:Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_6bf020b4-2334-11df-833b-d91e3055817a" Version="2.0"
IssueInstant="2010-02-27T00:09:50Z" Destination="https://comptePS/ACS"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd">
<saml:Issuer>urn:interops:samu:1.0</saml:Issuer><Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_6bf020b4-2334-11df-833b-d91e3055817a">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>oju8vu1ZMmqMfYMU4uJHT9sdPmQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>UCK9adw+i+rfgVdf7OICYsGV++dTqbpH30escUaoHxEGwai1kGPCrJmuyIMwu3Zu
nStX6OeQvD+jnUuz04IsX2lXCRxhJEa99BLGgbOkA93nqCL/bBGgfuQ4+5HnOR/R
FCaEm+bqKolXkj4lKgh0mC9GKfTcrpGyMrKJfAli7oY=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICiDCCAfGgAwIBAgIFFQHV8/MwDQYJKoZIhvcNAQEFBQAwOTELMAkGA1UEBhMC…</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_6bf039e6-2334-11df-833b-d91e3055817a" Version="2.0"
IssueInstant="2010-02-27T00:09:50Z">
<saml:Issuer>urn:interops:samu:1.0</saml:Issuer>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">identifiantTest</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2010-02-27T00:19:50Z"
Recipient="urn:interops:180035024:sp"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2010-02-27T00:04:50Z"
NotOnOrAfter="2010-02-27T00:19:50Z">
<saml:AudienceRestriction>
<saml:Audience>urn:interops:service:test:samu:compte_ps</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2010-02-26T13:44:13Z"
SessionIndex="_6bf039e6-2334-11df-833b-d91e3055817a">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="PAGM">
<saml:AttributeValue>COMPTE_PS</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>


Thanks for your help

JC Estienney
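A diagnostic for the situation described in the post, added here as an example (it is not code from the post, from OpenSAML or from Apache Santuario). The digest in a ds:Reference covers the whole element its URI points at, minus the enveloped ds:Signature, so if the verifier hashed a Response that lacks the saml:Assertion the received document carries, the Expected and Actual digests cannot agree. The script resolves the Reference URI, refuses documents where that ID is not unique, checks that the Signature is enveloped in the referenced element, pulls the "Pre-digested input" dump out of the org.apache.xml.security debug log, and reports which child elements of the referenced element are present in the document but absent from what was actually hashed. The sample Response and log lines are shortened, constructed copies of the ones in the post (SignatureValue and certificate elided); Python 3 standard library only.

```python
"""Diagnose an XML-DSig Reference digest mismatch on a SAML 2.0 Response.

Added example; not code from the post, OpenSAML or Apache Santuario.
It compares the element a ds:Reference points at, as received, with the
"Pre-digested input" that org.apache.xml.security logs at debug level.
"""
import json
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: shortened copy of the Response from the post.
# SignatureValue and X509Certificate are elided; they play no role here.
RESPONSE_XML = """<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_6bf020b4-2334-11df-833b-d91e3055817a" Version="2.0"
    IssueInstant="2010-02-27T00:09:50Z" Destination="https://comptePS/ACS">
  <saml:Issuer>urn:interops:samu:1.0</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_6bf020b4-2334-11df-833b-d91e3055817a">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>oju8vu1ZMmqMfYMU4uJHT9sdPmQ=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>ELIDED</SignatureValue>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_6bf039e6-2334-11df-833b-d91e3055817a" Version="2.0"
      IssueInstant="2010-02-27T00:09:50Z">
    <saml:Issuer>urn:interops:samu:1.0</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the relevant debug lines from the post.  As in the real
# log, only the first line of the dumped XML carries the logger prefix.
DEBUG_LOG = """[org.apache.xml.security.utils.DigesterOutputStream] Pre-digested input:
[org.apache.xml.security.utils.DigesterOutputStream] <samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_6bf020b4-2334-11df-833b-d91e3055817a" Version="2.0"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:interops:samu:1.0</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
</samlp:Status>
</samlp:Response>
[org.apache.xml.security.signature.Reference] Verification failed for URI "#_6bf020b4-2334-11df-833b-d91e3055817a"
[org.apache.xml.security.signature.Reference] Expected Digest: oju8vu1ZMmqMfYMU4uJHT9sdPmQ=
[org.apache.xml.security.signature.Reference] Actual Digest: lCMYYIs+Pv0q2II32b1s7EXgS2Q="""

LOG_PREFIX = re.compile(r"^\[[^\]]+\] ?")


def local_name(tag):
    """'{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def find_by_id(root, element_id):
    """Resolve an ID reference; reject documents where the ID is not unique."""
    matches = [el for el in root.iter() if el.get("ID") == element_id]
    if len(matches) > 1:
        raise ValueError(f"ID {element_id!r} is not unique in the document")
    return matches[0] if matches else None


def check_reference(root):
    """Return (URI, referenced element, whether the Signature is enveloped in it)."""
    sig = root.find(f"{{{DS}}}Signature")
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI", "")
    target = find_by_id(root, uri[1:]) if uri.startswith("#") else None
    enveloped = target is not None and any(child is sig for child in target)
    return uri, target, enveloped


def pre_digested_input(log_text):
    """Pull the XML dumped after 'Pre-digested input:' out of the debug log."""
    xml_lines, collecting = [], False
    for line in log_text.splitlines():
        if collecting and line.startswith("[org.apache.xml.security.signature"):
            break
        body = LOG_PREFIX.sub("", line)
        if body.startswith("Pre-digested input:"):
            collecting = True
        elif collecting:
            xml_lines.append(body)
    return "\n".join(xml_lines)


def content_children(el):
    """Local names of child elements, ignoring the enveloped Signature itself."""
    return sorted(local_name(c.tag) for c in el if c.tag != f"{{{DS}}}Signature")


def diagnose(response_xml, log_text):
    """Compare the referenced element as received with what was actually hashed."""
    root = ET.fromstring(response_xml)
    uri, target, enveloped = check_reference(root)
    hashed = ET.fromstring(pre_digested_input(log_text))
    in_document = content_children(target) if target is not None else []
    in_digest = content_children(hashed)
    return {
        "reference_uri": uri,
        "resolves_to": local_name(target.tag) if target is not None else None,
        "enveloped": enveloped,
        "hashed_root_has_same_id": hashed.get("ID") == uri[1:],
        "missing_from_digest": [t for t in in_document if t not in in_digest],
        "extra_in_digest": [t for t in in_digest if t not in in_document],
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(RESPONSE_XML, DEBUG_LOG), indent=2))
```

Run as-is, the report says the Reference resolves to samlp:Response, the Signature is enveloped in it, and saml:Assertion is present in the document but missing from the hashed input, which is the Issuer/Status-only dump in the log. With the real document and log, the same check tells you whether to look at how the DOM was built or modified before verification (the element the verifier hashed is not the one received) rather than at the certificate. The script reads the logged dump instead of recomputing the exc-c14n digest itself, and the duplicate-ID rejection in find_by_id is a check any ID-based reference resolver should make.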


