mace-opensaml-users - RE: [OpenSAML] Yet another signature verification problem
RE: [OpenSAML] Yet another signature verification problem


  • From: Tom Delorenzi <>
  • To: "" <>
  • Subject: RE: [OpenSAML] Yet another signature verification problem
  • Date: Tue, 16 Mar 2010 10:52:29 -0400

Well, when I wrote this message I was sure, since it's a server that is used in
an existing solution. Somebody just came by my desk and told me that some
engineer working for the customer told her they may have a bug. I don't know
how they could be running in real mode before now if they have a bug, but who
knows. Does what I did look OK?

-----Original Message-----
From: Chad La Joie
[mailto:]

Sent: Tuesday, March 16, 2010 9:24 AM
To:

Subject: Re: [OpenSAML] Yet another signature verification problem

Are you sure the document being served by Apache has a valid signature?

On 3/16/10 3:18 PM, Tom Delorenzi wrote:
> We were never able to confirm whether my code was rejecting signatures
> as invalid because our testbed SAML simulator was not signing them
> correctly or because I was not verifying correctly. We finally got to
> go up against an existing system machine in a known working situation,
> and unfortunately I am still claiming their signatures are invalid. I
> know it's not as secure, but for now we just want to use the public key
> in the assertion to validate the assertion. Here is what I am doing:
>
>
> import org.opensaml.xml.security.CriteriaSet;
> import org.opensaml.xml.security.SecurityException;
> import org.opensaml.xml.security.SecurityHelper;
> import org.opensaml.xml.security.credential.Credential;
> import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
> import org.opensaml.xml.security.keyinfo.KeyInfoCriteria;
> import org.opensaml.xml.signature.KeyInfo;
> import org.opensaml.xml.signature.SignatureValidator;
> import org.opensaml.xml.validation.ValidationException;
> // Resolve credentials from the ds:KeyInfo carried inside the signature itself
> KeyInfoCredentialResolver resolver = SecurityHelper.buildBasicInlineKeyInfoResolver();
> KeyInfo keyInfo = sig.getKeyInfo();
> CriteriaSet criteriaSet = new CriteriaSet(new KeyInfoCriteria(keyInfo));
> try {
>     for (Credential cred : resolver.resolve(criteriaSet)) {
>         SignatureValidator sigValidator = new SignatureValidator(cred);
>         sigValidator.validate(sig); // throws ValidationException if the signature does not verify
>     }
> } catch (SecurityException e) {
>     // no usable credential could be extracted from the KeyInfo
> } catch (ValidationException e) {
>     // the signature did not verify under this credential
> }
>
> Where sig is the signature I pulled out of the SamlResponse.
> Inspecting the signature shows that it has the right key in there, as far as
> I can tell.
>
> I have had it fail in 2 different spots for 2 different test scenarios.
> The first was using our (homegrown) simulator, and the 2nd was having an
> Apache server return a precanned signed response that our customer
> provided.
>
> The simulator failed in XMLSignature, which for me was line 625, doing:
>
>     // have SignatureAlgorithm sign the input bytes and compare them to
>     // the bytes that were stored in the signature.
>     if (!sa.verify(sigBytes))
>
>
> The precanned one passed that but failed a bit later in
> Reference.verify(), in the following block:
>
>     byte[] elemDig = this.getDigestValue();
>     byte[] calcDig = this.calculateDigest(true);
>     boolean equal = MessageDigestAlgorithm.isEqual(elemDig, calcDig);
>     if (!equal) {
>         log.warn("Verification failed for URI \"" + this.getURI() + "\"");
>         log.warn("Expected Digest: " + Base64.encode(elemDig));
>         log.warn("Actual Digest: " + Base64.encode(calcDig));
>     }
>
> If anyone has any suggestions let me know. Thanks!

--
Chad La Joie
www.itumi.biz
trusted identities, delivered
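The two failure points reported in the quoted message (the SignatureValue check in XMLSignature versus the per-Reference digest check in Reference.verify()) tell different stories, and the "use the public key in the assertion" shortcut has a cost that the thread only hints at. The following is an added example, not code from this thread, from OpenSAML or from Apache xmlsec: it uses only the JDK's javax.xml.crypto.dsig API to build a constructed, enveloped-signed samlp:Response with a hypothetical ID value "_resp1" and an inline ds:KeyValue, then classifies why validation fails. It shows that content altered after signing fails on the Reference digest while the SignatureValue still verifies, that a response re-signed with an arbitrary key is accepted when the key is taken from the message's own KeyInfo, and that pinning the issuer key (as one would from trusted metadata) rejects it at the SignatureValue stage instead.

```java
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignatureDiagnostics {
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String XMLNS_ATTR = "http://www.w3.org/2000/xmlns/";
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed stand-in for a signed samlp:Response (example data, not a real IdP message):
    // enveloped signature over the Response, signer's public key embedded inline as ds:KeyValue.
    static Document buildSignedResponse(KeyPair signer) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element resp = doc.createElementNS(SAMLP, "samlp:Response");
        resp.setAttributeNS(XMLNS_ATTR, "xmlns:samlp", SAMLP);
        resp.setAttributeNS(null, "ID", "_resp1");   // hypothetical ID, assumed unique
        resp.setIdAttributeNS(null, "ID", true);     // lets "#_resp1" dereference on an unparsed DOM
        doc.appendChild(resp);
        Element assertion = doc.createElementNS(SAML, "saml:Assertion");
        assertion.setAttributeNS(XMLNS_ATTR, "xmlns:saml", SAML);
        assertion.setTextContent("constructed sample assertion");
        resp.appendChild(assertion);

        Reference ref = FAC.newReference("#_resp1", FAC.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = FAC.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(signer.getPublic())));
        FAC.newXMLSignature(si, ki).sign(new DOMSignContext(signer.getPrivate(), resp));
        return doc;
    }

    // What the quoted code does: trust whatever public key the message itself carries.
    static final KeySelector INLINE_KEY = new KeySelector() {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                XMLCryptoContext context) throws KeySelectorException {
            for (Object item : keyInfo.getContent()) {
                if (item instanceof KeyValue) {
                    try {
                        final PublicKey pk = ((KeyValue) item).getPublicKey();
                        return () -> pk;
                    } catch (KeyException e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            throw new KeySelectorException("KeyInfo carries no KeyValue");
        }
    };

    // Separates the two failure points from the thread: SignatureValue (wrong key, or SignedInfo
    // changed) versus Reference digest (signed content changed after signing).
    static String diagnose(Document doc, KeySelector selector) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) return "no-signature";
        DOMValidateContext ctx = new DOMValidateContext(selector, nl.item(0));
        ctx.setIdAttributeNS(doc.getDocumentElement(), null, "ID"); // needed for a parsed, untyped DOM too
        XMLSignature sig = FAC.unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) return "valid";
        if (!sig.getSignatureValue().validate(ctx)) return "signature-value-failed";
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            if (!r.validate(ctx)) return "digest-failed:" + r.getURI();
        }
        return "failed-for-another-reason";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idp = gen.generateKeyPair();      // the legitimate issuer
        KeyPair attacker = gen.generateKeyPair(); // anyone else
        KeySelector pinned = KeySelector.singletonKeySelector(idp.getPublic()); // key from trusted metadata

        Document good = buildSignedResponse(idp);
        System.out.println("untouched, inline key : " + diagnose(good, INLINE_KEY));
        System.out.println("untouched, pinned key : " + diagnose(good, pinned));

        Document tampered = buildSignedResponse(idp);
        tampered.getDocumentElement().getFirstChild().setTextContent("altered after signing");
        System.out.println("tampered,  pinned key : " + diagnose(tampered, pinned));

        Document forged = buildSignedResponse(attacker);
        System.out.println("re-signed, inline key : " + diagnose(forged, INLINE_KEY));
        System.out.println("re-signed, pinned key : " + diagnose(forged, pinned));
    }
}
```

It compiles and runs with nothing beyond the JDK (javac SignatureDiagnostics.java && java SignatureDiagnostics). The untouched response validates under both selectors; the tampered copy reports digest-failed:#_resp1, which is the Reference.verify() path of the thread's second failure (the signature is sound but the bytes being digested are not the bytes that were signed, for example because the file served by Apache was re-serialised or edited after signing); the response re-signed with the attacker key is reported valid by the inline-key selector and signature-value-failed by the pinned one, which is the sa.verify() path of the first failure. That last pair is the reason an inline KeyInfo should only ever be used to pick among keys already trusted, never as the source of trust.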


