mace-opensaml-users - Re: [OpenSAML] SAMLResponse signature verification

Subject: OpenSAML user discussion


Re: [OpenSAML] SAMLResponse signature verification


  • From: Brent Putman <>
  • Subject: Re: [OpenSAML] SAMLResponse signature verification
  • Date: Tue, 02 Mar 2010 10:43:11 -0500



On 3/2/10 4:16 AM, [address removed] wrote:
>
> [org.apache.xml.security.utils.DigesterOutputStream] Pre-digested input:
> [org.apache.xml.security.utils.DigesterOutputStream] <samlp:Response
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> Destination="https://comptePS/ACS"
> ID="_6bf020b4-2334-11df-833b-d91e3055817a"
> IssueInstant="2010-02-27T00:09:50Z" Version="2.0"
> xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion
> http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd">
> <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:interops:samu:1.0</saml:Issuer>
> <samlp:Status>
> <samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
> </samlp:Status>
> </samlp:Response>



It's good that you are noticing this info. In general, the way in which
this is useful, though, is you collect the pre-digested input from both
the signing and validation sides, and compare. In doing that you can
pretty easily spot the differences.



> [org.apache.xml.security.signature.Reference] Verification failed for URI
> "#_6bf020b4-2334-11df-833b-d91e3055817a"
> [org.apache.xml.security.signature.Reference] Expected Digest:
> oju8vu1ZMmqMfYMU4uJHT9sdPmQ=
> [org.apache.xml.security.signature.Reference] Actual Digest:
> lCMYYIs+Pv0q2II32b1s7EXgS2Q=



Yes, this is a clear indication that what you are validating has been
changed from what was signed.


> ONLY the saml:Issuer is included in pre-digest input. The saml assertion is
> not complete.


At first I wasn't sure what you meant, but if you mean that what was
purportedly signed is below, but the validation above is only indicating
a subset of that, then it seems that there is something else majorly
wrong here, not with the signing. Can you visually confirm that the
Assertion is even in the Response that you are receiving? From the
above, it appears that the Assertion is actually omitted from the
Response you are being sent and trying to validate. If the signature was
being generated over the whole document as below, but later the
Assertion is stripped out somehow, that certainly counts as modifying
the document and breaking the signature...



>
> The signature URI is #_6bf020b4-2334-11df-833b-d91e3055817a and
> _6bf020b4-2334-11df-833b-d91e3055817a is the ID of the Response including
> the assertion.
>
> The document is :
> <samlp:Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="_6bf020b4-2334-11df-833b-d91e3055817a" Version="2.0"
> IssueInstant="2010-02-27T00:09:50Z" Destination="https://comptePS/ACS"
> xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion
> http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd">
> <saml:Issuer>urn:interops:samu:1.0</saml:Issuer><Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#_6bf020b4-2334-11df-833b-d91e3055817a">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>oju8vu1ZMmqMfYMU4uJHT9sdPmQ=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>UCK9adw+i+rfgVdf7OICYsGV++dTqbpH30escUaoHxEGwai1kGPCrJmuyIMwu3Zu
> nStX6OeQvD+jnUuz04IsX2lXCRxhJEa99BLGgbOkA93nqCL/bBGgfuQ4+5HnOR/R
> FCaEm+bqKolXkj4lKgh0mC9GKfTcrpGyMrKJfAli7oY=</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509Certificate>[base64 certificate omitted]</X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> <samlp:Status>
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> </samlp:Status>
> <saml:Assertion ID="_6bf039e6-2334-11df-833b-d91e3055817a" Version="2.0"
> IssueInstant="2010-02-27T00:09:50Z">
> <saml:Issuer>urn:interops:samu:1.0</saml:Issuer>
> <saml:Subject>
> <saml:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">identifiantTest</saml:NameID>
> <saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> <saml:SubjectConfirmationData NotOnOrAfter="2010-02-27T00:19:50Z"
> Recipient="urn:interops:180035024:sp"/>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Conditions NotBefore="2010-02-27T00:04:50Z"
> NotOnOrAfter="2010-02-27T00:19:50Z">
> <saml:AudienceRestriction>
>
> <saml:Audience>urn:interops:service:test:samu:compte_ps</saml:Audience>
> </saml:AudienceRestriction>
> </saml:Conditions>
> <saml:AuthnStatement AuthnInstant="2010-02-26T13:44:13Z"
> SessionIndex="_6bf039e6-2334-11df-833b-d91e3055817a">
> <saml:AuthnContext>
>
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
> </saml:AuthnContext>
> </saml:AuthnStatement>
> <saml:AttributeStatement>
> <saml:Attribute Name="PAGM">
> <saml:AttributeValue>COMPTE_PS</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> </saml:Assertion>
> </samlp:Response>
>
>
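Added example, not code from the thread or from OpenSAML: it reproduces the Reference check Brent describes, using only the Python standard library on a constructed Response shaped like the one quoted above (placeholder IDs, dummy DigestValue, no real key). It builds the pre-digest input the way the quoted SignedInfo prescribes (enveloped-signature transform, then canonicalization), takes the base64 SHA-1 that Santuario logs as Expected/Actual Digest, and shows the mismatch that appears once the Assertion is stripped after signing. It assumes Python 3.8+, whose ET.canonicalize implements C14N 2.0 rather than the exclusive C14N 1.0 the Signature declares, so the bytes (and digests) differ from Santuario's while the method is the same.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed stand-in for the quoted Response: same layout (Issuer, enveloped
# Signature, Status, Assertion), placeholder IDs, dummy DigestValue, no real key.
RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">'
    "<saml:Issuer>urn:example:idp</saml:Issuer>"
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference URI="#_resp1"><ds:DigestValue>dummy</ds:DigestValue>'
    "</ds:Reference></ds:SignedInfo></ds:Signature>"
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status><saml:Assertion ID="_asrt1" Version="2.0">'
    "<saml:Issuer>urn:example:idp</saml:Issuer></saml:Assertion></samlp:Response>"
)

def pre_digest_input(response_xml: str) -> bytes:
    # Transforms listed in the quoted SignedInfo: enveloped-signature (drop
    # ds:Signature; its tail whitespace goes with it here), then canonicalize.
    # Stdlib gives C14N 2.0, not exclusive C14N 1.0, so bytes differ from Santuario's.
    root = ET.fromstring(response_xml)
    for sig in root.findall("ds:Signature", NS):
        root.remove(sig)
    return ET.canonicalize(ET.tostring(root, encoding="unicode")).encode()

def sha1_digest_b64(data: bytes) -> str:
    # Base64 SHA-1, the form Santuario logs as Expected/Actual Digest.
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def check_reference(response_xml: str, expected_b64: str) -> dict:
    # Recompute the Reference digest over what was received and compare it
    # with the DigestValue the signer embedded.
    actual = sha1_digest_b64(pre_digest_input(response_xml))
    return {"expected": expected_b64, "actual": actual, "ok": actual == expected_b64}

def strip_assertion(response_xml: str) -> str:
    # Model the failure in the thread: Assertion removed after signing,
    # Signature left in place.
    root = ET.fromstring(response_xml)
    for assertion in root.findall("saml:Assertion", NS):
        root.remove(assertion)
    return ET.tostring(root, encoding="unicode")
```

Play the signing side with sha1_digest_b64(pre_digest_input(RESPONSE)), then pass that value to check_reference(strip_assertion(RESPONSE), ...) to get the same Expected/Actual mismatch as the log above; comparing pre_digest_input of both documents side by side shows exactly which bytes went missing.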


