mace-opensaml-users - Re: [OpenSAML] SAMLResponse signature verification
- From: Brent Putman <>
- Cc: JC Estienney <>
- Subject: Re: [OpenSAML] SAMLResponse signature verification
- Date: Thu, 04 Mar 2010 16:09:28 -0500
On 3/4/10 2:19 AM, JC Estienney wrote:
>
>
> The signed SamlResponse indicated at the end of my message is dumped
> just before the unmarshall operation.
> After that, when I get the assertion from the Response object:
>
> XMLHelper.prettyPrintXML( (Assertion)reponseSAML.getAssertions().get(0))
> gives:
Ok, well, the full response there looked ok, and the assertion looks ok
too, as far as I can tell.
>
> I will work to obtain the exact digest stream of the signature operation.
> It is not built by OpenSAML2 but by a third tool using the C++ xmlsec API.
>
> The verification with the same tool is ok.
That's fine. The problem though, was this:
> [org.apache.xml.security.utils.DigesterOutputStream] <samlp:Response
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> Destination="https://comptePS/ACS"
> ID="_6bf020b4-2334-11df-833b-d91e3055817a"
> IssueInstant="2010-02-27T00:09:50Z" Version="2.0"
> xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion
> http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd">
> <saml:Issuer
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:interops:samu:1.0</saml:Issuer>
> <samlp:Status>
> <samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
> </samlp:Status>
> </samlp:Response>
If this is the actual output from Apache xmlsec, and hasn't been edited,
etc., then something is wrong, because it's not including the Assertion
in the data over which it's calculating the digest. If you're saying
that you have a trace which shows that the Response does in fact include
the Assertion, then I don't have any explanation for that. Either
something very strange is going on with xmlsec, or there's a bug
somewhere else, maybe in how the DOM is being parsed and built.
Getting the digest stream from the signing side will be helpful in the
long run, but until you figure out what's going on here with the missing
Assertion in the digest calculation, it's not going to help.
--Brent
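As an added example (not code from the thread, from OpenSAML or from xmlsec), here is a small Python reproduction of the check Brent is asking for: build the octet stream a verifier would actually hash for an enveloped signature over the Response, and confirm the Assertion is part of it. It assumes a constructed sample Response and uses xml.etree's canonicalize() (C14N 2.0) as a stand-in for the exclusive C14N 1.0 that real SAML signatures use, so the digest values are illustrative; the structural check is the point.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():          # keep the familiar prefixes on re-serialization
    ET.register_namespace(prefix, uri)

# Constructed sample: one Assertion plus an enveloped Signature placeholder.
# The DigestValue is a dummy, not a real hash; IDs are made up.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_example-id" Version="2.0" IssueInstant="2010-02-27T00:09:50Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:example:idp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_example-id">
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"
    Version="2.0" IssueInstant="2010-02-27T00:09:50Z">
    <saml:Issuer>urn:example:idp</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def digest_input(response_xml: bytes, drop_assertion: bool = False) -> bytes:
    """Octet stream the verifier hashes for the Response's enveloped signature:
    the Response minus ds:Signature, canonicalized. drop_assertion=True
    reproduces the faulty stream shown in the thread (Assertion missing)."""
    root = ET.fromstring(response_xml)
    for sig in root.findall("ds:Signature", NS):
        root.remove(sig)                 # enveloped-signature transform
    if drop_assertion:
        for assertion in root.findall("saml:Assertion", NS):
            root.remove(assertion)
    # C14N 2.0 here stands in for exclusive C14N 1.0 (assumption, see lead-in).
    return ET.canonicalize(ET.tostring(root), strip_text=True).encode()


def digest_value(response_xml: bytes, drop_assertion: bool = False) -> str:
    """Base64 SHA-256 of the digest input, the form ds:DigestValue would carry."""
    raw = hashlib.sha256(digest_input(response_xml, drop_assertion)).digest()
    return base64.b64encode(raw).decode()


def assertion_is_digested(response_xml: bytes) -> bool:
    """The check from the thread: does the hashed stream still contain the Assertion?"""
    return b"Assertion" in digest_input(response_xml)
```

If your own DigesterOutputStream dump lacks the Assertion where this function still finds it, the difference is in how the DOM was parsed or built before signing, not in the hash itself.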