mace-opensaml-users - Re: [OpenSAML] Yet another signature verification problem
- From: Chad La Joie <>
- To:
- Subject: Re: [OpenSAML] Yet another signature verification problem
- Date: Tue, 16 Mar 2010 15:23:37 +0100
- Organization: Itumi, LLC
Are you sure the document being served by Apache has a valid signature?
On 3/16/10 3:18 PM, Tom Delorenzi wrote:
> We were never able to confirm whether my code was rejecting signatures as
> invalid because our testbed SAML simulator was not signing them
> correctly or because I was not verifying correctly. We finally got to go up
> against an existing system machine in a known working situation and
> unfortunately I am still claiming their signatures are invalid. I know
> it's not as secure, but for now we just want to use the public key in the
> assertion to validate the assertion. Here is what I am doing:
>
>
> KeyInfoCredentialResolver resolver =
>     SecurityHelper.buildBasicInlineKeyInfoResolver();
> KeyInfo keyInfo = sig.getKeyInfo();
> CriteriaSet criteriaSet = new CriteriaSet(new KeyInfoCriteria(keyInfo));
> try
> {
>     for (Credential cred : resolver.resolve(criteriaSet))
>     {
>         SignatureValidator sigValidator = new SignatureValidator(cred);
>         sigValidator.validate(sig);
>     }
> }
> catch (SecurityException e)
> {
>     // resolver.resolve() could not extract a credential from the KeyInfo
> }
> catch (ValidationException e)
> {
>     // the signature did not verify under this credential
> }
>
> Where sig is the signature I pulled out of the SamlResponse. Inspecting
> the signature shows that it has the right key in there as far as I can tell.
>
> I have had it fail in 2 different spots for 2 different test scenarios.
> First was using our simulator (homegrown) and the 2nd was having an Apache
> server return back a precanned signed response that our customer provided.
>
> The simulator failed in XMLSignature, which for me was line 625, doing:
>
> // have SignatureAlgorithm sign the input bytes and compare them to
> // the bytes that were stored in the signature.
>
> if (!sa.verify(sigBytes))
>
>
> The precanned one passed that but failed a bit later in
> Reference.verify() in the following block
>
> byte[] elemDig = this.getDigestValue();
> byte[] calcDig = this.calculateDigest(true);
> boolean equal = MessageDigestAlgorithm.isEqual(elemDig, calcDig);
> if (!equal) {
>     log.warn("Verification failed for URI \"" + this.getURI() + "\"");
>     log.warn("Expected Digest: " + Base64.encode(elemDig));
>     log.warn("Actual Digest: " + Base64.encode(calcDig));
> }
>
> If anyone has any suggestions let me know. Thanks!
--
Chad La Joie
www.itumi.biz
trusted identities, delivered
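The quoted code validates the signature with whatever key the message itself carries in its <ds:KeyInfo>, which only proves that the sender held the private key matching the key it chose to include. The following is an added example (not code from this thread, from the poster, or from OpenSAML's own documentation) showing the check a relying party would do instead with the OpenSAML 2.x API: parse the Response with a namespace-aware parser, run the SAML signature profile validator first, then verify the signature through an ExplicitKeySignatureTrustEngine whose only accepted key is an IdP certificate pinned in local configuration. The certificate path, the issuer entityID and the response file are assumed placeholders.

```java
// Added example, not from the original thread or from the OpenSAML project.
// Assumes OpenSAML 2.x on the classpath; the file paths and entityID below
// are placeholders chosen for illustration.
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class TrustedKeySignatureCheck {

    /** Trust engine whose only accepted signing key is the IdP certificate pinned on disk. */
    static ExplicitKeySignatureTrustEngine buildTrustEngine(String idpCertPath) throws Exception {
        X509Certificate idpCert;
        try (FileInputStream in = new FileInputStream(idpCertPath)) {
            idpCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Credential trusted = SecurityHelper.getSimpleCredential(idpCert, null);
        // The inline KeyInfo resolver only *reads* keys out of the message so the engine can
        // compare them with the trusted set; it never decides trust on its own.
        KeyInfoCredentialResolver keyInfoResolver = SecurityHelper.buildBasicInlineKeyInfoResolver();
        return new ExplicitKeySignatureTrustEngine(new StaticCredentialResolver(trusted), keyInfoResolver);
    }

    /** Parse a Response with a namespace-aware DOM; XML-DSig verification needs one. */
    static Response parseResponse(String path) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Document doc;
        try (FileInputStream in = new FileInputStream(path)) {
            doc = pool.parse(in);
        }
        Element root = doc.getDocumentElement();
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        return (Response) unmarshaller.unmarshall(root);
    }

    /**
     * True only if the Signature (a) follows the SAML signing profile (enveloped transform,
     * same-document reference to the signed element) and (b) verifies under a credential
     * from the trusted set registered for the given issuer entityID.
     */
    static boolean isTrustedSignature(Signature sig, String issuerEntityId,
                                      ExplicitKeySignatureTrustEngine engine) {
        if (sig == null) {
            return false;                       // unsigned response: nothing to trust
        }
        try {
            // Profile check before any cryptography.
            new SAMLSignatureProfileValidator().validate(sig);
            // Cryptographic verification against the pinned key. A Reference digest
            // mismatch here (the "Verification failed for URI" warning in the thread)
            // means the signed element's canonical bytes changed after it was signed,
            // e.g. a canned file that was re-indented or re-serialized.
            CriteriaSet criteria = new CriteriaSet(new EntityIDCriteria(issuerEntityId));
            return engine.validate(sig, criteria);
        } catch (ValidationException e) {
            return false;                       // signature structure violates the profile
        } catch (SecurityException e) {
            return false;                       // resolver/engine failure: treat as untrusted
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();           // registers builders, unmarshallers and XMLSig support
        ExplicitKeySignatureTrustEngine engine = buildTrustEngine("/path/to/idp-signing.crt"); // placeholder
        Response resp = parseResponse("/path/to/canned-response.xml");                         // placeholder
        boolean ok = isTrustedSignature(resp.getSignature(), "https://idp.example.org/idp", engine);
        System.out.println(ok ? "signature trusted" : "signature rejected");
    }
}
```

With this arrangement a message signed by a key the relying party has never been told about is rejected even when that key is correctly embedded in the KeyInfo, and the parser, profile and digest failure modes from the thread each surface as a distinct false result rather than an uncaught exception.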