
mace-opensaml-users - Re: [OpenSAML] SAMLResponse signature verification

Subject: OpenSAML user discussion


Re: [OpenSAML] SAMLResponse signature verification


  • From: JC Estienney <>
  • To:
  • Subject: Re: [OpenSAML] SAMLResponse signature verification
  • Date: Thu, 04 Mar 2010 08:19:03 +0100

Thanks for your answer,

I am sending this message again because it was rejected for being too large.

The signed SAMLResponse shown at the end of my message is dumped just before the unmarshall operation.
After that, when I get the assertion from the Response object:

XMLHelper.prettyPrintXML((Assertion) reponseSAML.getAssertions().get(0))

gives:

<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6bf039e6-2334-11df-833b-d91e3055817a" IssueInstant="2010-02-27T00:09:50Z" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:interops:samu:1.0</saml:Issuer>
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">identifiantTest</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2010-02-27T00:19:50Z" Recipient="urn:interops:180035024:sp"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2010-02-27T00:04:50Z" NotOnOrAfter="2010-02-27T00:19:50Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:AudienceRestriction>
        <saml:Audience>urn:interops:service:test:samu:compte_ps</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-02-26T13:44:13Z" SessionIndex="_6bf039e6-2334-11df-833b-d91e3055817a" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute Name="PAGM">
        <saml:AttributeValue>COMPTE_PS</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>

I will work to obtain the exact digest stream of the signature operation.
It is not built by OpenSAML 2 but by a third-party tool using the C++ xmlsec API.

Verification with that same tool is OK.

Regards
JC Estienney

Brent Putman wrote:
On 3/2/10 4:16 AM,  wrote:
  
[org.apache.xml.security.utils.DigesterOutputStream] Pre-digested input: 
[org.apache.xml.security.utils.DigesterOutputStream] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://comptePS/ACS" ID="_6bf020b4-2334-11df-833b-d91e3055817a" IssueInstant="2010-02-27T00:09:50Z" Version="2.0" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:interops:samu:1.0</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
  </samlp:Status>
</samlp:Response> 
    



It's good that you are noticing this info.  In general, the way in which
this is useful, though, is you collect the pre-digested input from both
the signing and validation sides, and compare.  In doing that you can
pretty easily spot the differences.



  
[org.apache.xml.security.signature.Reference] Verification failed for URI "#_6bf020b4-2334-11df-833b-d91e3055817a" 
[org.apache.xml.security.signature.Reference] Expected Digest: oju8vu1ZMmqMfYMU4uJHT9sdPmQ= 
[org.apache.xml.security.signature.Reference] Actual Digest: lCMYYIs+Pv0q2II32b1s7EXgS2Q= 
    



Yes, this is a clear indication that what you are validating has been
changed from what was signed.


  
ONLY the saml:Issuer is included in pre-digest input. The saml assertion is not complete.
    


At first I wasn't sure what you meant, but if you mean that what was
purportedly signed is below, but the validation above is only indicating
a subset of that, then it seems that there is something else majorly
wrong here, not with the signing.  Can you visually confirm that the
Assertion is even in the Response that you are receiving?  From the
above, it appears that the Assertion is actually omitted from the
Response you are being sent and trying to validate. If the signature was
being generated over the whole document as below, but later the
Assertion is stripped out somehow, that certainly counts as modifying
the document and breaking the signature...

  


*****************************************************
"The content of this e-mail and any attachments is confidential. It is intended exclusively for the addressee. If this message is not intended for you, or if you have received it in error, then in order not to breach the confidentiality of correspondence you must neither forward it to other persons nor reproduce it. Please return it to the sender and destroy it.

Warning: the sender's organisation cannot be held responsible for any alteration of this e-mail. It is the recipient's responsibility to check that the messages and attachments received do not contain viruses. The opinions contained in this e-mail and any attachments are those of the sender. They do not reflect the position of the organisation unless otherwise stated in this e-mail."
******************************************************

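The diagnosis in the thread rests on two things: the Reference in the Response's signature digests the Response element as a whole (minus the enveloped ds:Signature), and the "pre-digested input" dumped by the validator is the string to diff against the signer's. The Python below is an added example that is not part of the original thread and is not OpenSAML or xmlsec code. It models only the Reference digest step of XML-DSig (no SignatureValue), uses a constructed sample Response with hypothetical IDs `_r1` and `_a1`, and uses Python's C14N 2.0 (`ET.canonicalize`) as a stand-in for the c14n/exc-c14n algorithm a real toolkit applies. It shows the digest matching while the Assertion is present and failing once the Assertion is stripped between signing and validation, which is the situation Brent describes:

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep prefixes stable on re-serialisation

SIG_TAG = "{%s}Signature" % NS["ds"]
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]

# Constructed sample, not the poster's real message: a Response carrying an
# Issuer, a Status, one Assertion and an enveloped Signature whose single
# Reference points back at the Response itself by ID ("_r1" is hypothetical).
SIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2010-02-27T00:09:50Z">
  <saml:Issuer>urn:example:idp</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo>
      <ds:Reference URI="#_r1">
        <ds:DigestValue></ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-02-27T00:09:50Z">
    <saml:Issuer>urn:example:idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>identifiantTest</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def find_by_id(root, ref_uri):
    """Resolve a same-document Reference URI ("#id") to the element whose ID
    attribute matches; fail loudly if nothing matches, as a verifier should."""
    wanted = ref_uri.lstrip("#")
    for el in root.iter():
        if el.get("ID") == wanted:
            return el
    raise LookupError("no element with ID %r" % wanted)


def pre_digest_input(root, ref_uri):
    """What the Reference actually digests: the referenced element with any
    enveloped ds:Signature removed, serialised canonically. This is the text
    to dump on the signing side and on the validating side and diff.
    Assumption: C14N 2.0 stands in for the toolkit's c14n/exc-c14n."""
    subtree = copy.deepcopy(find_by_id(root, ref_uri))
    parents = [p for p in subtree.iter() if any(c.tag == SIG_TAG for c in p)]
    for parent in parents:
        for child in list(parent):
            if child.tag == SIG_TAG:
                parent.remove(child)
    return ET.canonicalize(ET.tostring(subtree, encoding="unicode"))


def digest_b64(text):
    """SHA-1 in base64, the shape of ds:DigestValue and of the
    'Expected Digest' / 'Actual Digest' lines in the xmlsec log."""
    return base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode("ascii")


def sign_reference(root):
    """Signing side: compute and store DigestValue for the one Reference."""
    ref = root.find(".//ds:Reference", NS)
    value = digest_b64(pre_digest_input(root, ref.get("URI")))
    ref.find("ds:DigestValue", NS).text = value
    return value


def verify_reference(root):
    """Validating side: recompute and compare. Returns (ok, expected, actual)."""
    ref = root.find(".//ds:Reference", NS)
    expected = ref.find("ds:DigestValue", NS).text or ""
    actual = digest_b64(pre_digest_input(root, ref.get("URI")))
    return actual == expected, expected, actual


def strip_assertion(root):
    """The fault the thread points at: the Assertion disappears between
    signing and validation. Returns a modified copy; the original is untouched."""
    tampered = copy.deepcopy(root)
    for child in list(tampered):
        if child.tag == ASSERTION_TAG:
            tampered.remove(child)
    return tampered


def demo():
    signed = ET.fromstring(SIGNED_RESPONSE)
    signed_digest = sign_reference(signed)
    intact_ok, _, _ = verify_reference(signed)
    stripped = strip_assertion(signed)
    stripped_ok, _, stripped_digest = verify_reference(stripped)
    return {
        "signed_digest": signed_digest,
        "intact_ok": intact_ok,
        "stripped_ok": stripped_ok,
        "stripped_digest": stripped_digest,
        "assertion_in_signed_input": "Assertion" in pre_digest_input(signed, "#_r1"),
        "assertion_in_stripped_input": "Assertion" in pre_digest_input(stripped, "#_r1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The enveloped-signature removal in `pre_digest_input` is what lets the signer write DigestValue into the document after computing it: the Signature element is never part of its own digest. The useful habit this models is the one Brent recommends: capture the canonical pre-digest bytes on both sides (here the return value of `pre_digest_input`, in xmlsec the `DigesterOutputStream` "Pre-digested input" lines) and diff them, rather than staring at the two base64 digests. A pre-digest dump on the validator that contains only the Issuer and Status while the signer's contained an Assertion says the document was modified in transit, not that the signing is broken.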




