mace-opensaml-users - Yet another signature verification problem

Subject: OpenSAML user discussion

Yet another signature verification problem


  • From: Tom Delorenzi <>
  • To: "" <>
  • Subject: Yet another signature verification problem
  • Date: Tue, 16 Mar 2010 10:18:27 -0400
  • Accept-language: en-US

We were never able to confirm whether my code was rejecting signatures as invalid because our testbed SAML simulator was not signing them correctly or because I was not verifying correctly. We finally got to go up against an existing system machine in a known working situation, and unfortunately I am still claiming their signatures are invalid. I know it's not as secure, but for now we just want to use the public key in the assertion to validate the assertion. Here is what I am doing:
 

import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCriteria;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

// Resolve credentials from the key material carried inline in the signature's own KeyInfo
KeyInfoCredentialResolver resolver = SecurityHelper.buildBasicInlineKeyInfoResolver();
KeyInfo keyInfo = sig.getKeyInfo();
CriteriaSet criteriaSet = new CriteriaSet(new KeyInfoCriteria(keyInfo));
try {
    for (Credential cred : resolver.resolve(criteriaSet)) {
        SignatureValidator sigValidator = new SignatureValidator(cred);
        sigValidator.validate(sig); // throws ValidationException when the signature does not verify
    }
} catch (SecurityException e) {
    // catch clauses were elided in the post; added here so the snippet compiles
    throw new RuntimeException("KeyInfo could not be resolved to a credential", e);
} catch (ValidationException e) {
    throw new RuntimeException("Signature did not validate", e);
}

Where sig is the signature I pulled out of the SamlResponse. Inspecting the signature shows that it has the right key in there as far as I can tell.

I have had it fail in 2 different spots for 2 different test scenarios. First was using our simulator (homegrown) and the 2nd was having an Apache server return back a precanned signed response that our customer provided.
 
The simulator failed in XMLSignature, which for me was line 625 doing:

// have SignatureAlgorithm sign the input bytes and compare them to
// the bytes that were stored in the signature.
if (!sa.verify(sigBytes))

 
The precanned one passed that but failed a bit later in Reference.verify() in the following block:

byte[] elemDig = this.getDigestValue();
byte[] calcDig = this.calculateDigest(true);
boolean equal = MessageDigestAlgorithm.isEqual(elemDig, calcDig);
if (!equal) {
  log.warn("Verification failed for URI \"" + this.getURI() + "\"");
  log.warn("Expected Digest: " + Base64.encode(elemDig));
  log.warn("Actual Digest: " + Base64.encode(calcDig));
}
 
If anyone has any suggestions let me know. Thanks!
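As an added example (not code from the original post or from the OpenSAML project), here is the same verification done against a trusted IdP certificate established out of band, which is the step the post defers when it validates with the key carried inside the assertion; the keystore path, alias, password and issuer entityID are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;

// Added example, not from the original post: accept a signature only if its signing key
// matches a certificate we already trust, rather than whatever key the message carries.
// "idp.jks", "idp-signing", "changeit" and issuerEntityId are assumed placeholders.
public final class TrustedSignatureCheck {
    public static boolean verify(Signature sig, String issuerEntityId) throws Exception {
        // Reject signatures that break the SAML profile (bad reference URI, odd transforms)
        // before any cryptographic work is done; throws ValidationException on failure.
        new SAMLSignatureProfileValidator().validate(sig);
        // Trust anchor: the IdP signing certificate, loaded from a local keystore.
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream("idp.jks");
        try {
            ks.load(in, "changeit".toCharArray());
        } finally {
            in.close();
        }
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate((X509Certificate) ks.getCertificate("idp-signing"));
        trusted.setEntityId(issuerEntityId);
        trusted.setUsageType(UsageType.SIGNING);
        // The engine still reads the inline KeyInfo (same resolver the post uses) but only
        // lets it through when it matches the trusted credential above.
        KeyInfoCredentialResolver kiResolver = SecurityHelper.buildBasicInlineKeyInfoResolver();
        ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(trusted), kiResolver);
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(issuerEntityId));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        // false means the key was untrusted or the signature bytes did not verify.
        return engine.validate(sig, criteria);
    }
}
```

Unlike SignatureValidator, the trust engine returns false instead of throwing when the signing key is not one you trust, so the digest and signature-byte failures the post describes still surface as a false result rather than an exception.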
