mace-opensaml-users - Signature not valid because of namespace order
Subject: OpenSAML user discussion
- From: Guzman Llambias <>
- Subject: Signature not valid because of namespace order
- Date: Tue, 6 Apr 2010 16:49:23 -0300 (UYT)
Hi! I'm doing some tests with opensaml and I'm having some trouble validating
the signature.
I receive a string representation of a saml from an HTTP channel, and when I
parse it using the opensaml lib, it generates the same representation but
with the namespace order changed, resulting in a different saml token. Is there a
way to avoid this?
Thanks in advance,
Guzman
Here's the code I use to parse the string:
-------------------------------------------------------------------
import java.io.StringReader;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.parse.BasicParserPool;

// Assumes DefaultBootstrap.bootstrap() has already initialised the OpenSAML
// Configuration, and that 'string' holds the assertion received over HTTP.
BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true); // needed for the namespace-qualified lookup below
// Parse string message
StringReader in2 = new StringReader(string);
Document doc = ppMgr.parse(in2);
NodeList assertionList = doc.getElementsByTagNameNS(SAMLConstants.SAML1_NS,
        "Assertion");
Element samlNode = (Element) assertionList.item(0);
// Get appropriate unmarshaller for the saml:Assertion element
UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(samlNode);
Assertion assertion = (Assertion) unmarshaller.unmarshall(samlNode);
-------------------------------------------------------------------
Here's the string saml representation:
<saml:Assertion
AssertionID="Assertion-uuidd48ad2fa-0127-1df8-b806-f0220bb7f3b9"
IssueInstant="2010-04-06T19:13:40Z" Issuer="Urudata" MajorVersion="1"
MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2010-04-06T18:58:40Z"
NotOnOrAfter="2010-04-06T19:28:40Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>http://192.168.40.190:9000/Servicio</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement
AuthenticationInstant="2010-04-06T19:13:40Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>uid=rolPruebaDoctor,cn=agesic
</saml:NameIdentifier>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier>uid=rolPruebaDoctor,cn=agesic
</saml:NameIdentifier>
</saml:Subject>
<saml:Attribute AttributeName="User"
AttributeNamespace="urn:nac">
<saml:AttributeValue>Juan</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature Id="uuidd48ad2fb-0127-1f0b-be26-f0220bb7f3b9"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference
URI="#Assertion-uuidd48ad2fa-0127-1df8-b806-f0220bb7f3b9">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<xc14n:InclusiveNamespaces
PrefixList="saml"
xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>b5AdQeXHfIuaETfkgZ5qGIO5nGM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gJaQfVINhHhrtDCFObOzq+62fyORK1H/AfxiOvvS9HJ7EHILKEXHsdJZCyBGbyk9uaGyKnG3mPguJGPvifts+4UOKHfSdLvNz4ceywdpg1aUvuUK/5rTaPQvGS7zTO70RbAROkrj/Qz9Xg3ScRV8gMawDYKOiArIDa22I6Zie5E=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
And here's the saml after parsing it with the opensaml lib. As you can see,
the order of the namespaces is different:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="Assertion-uuidd48ad2fa-0127-1df8-b806-f0220bb7f3b9"
IssueInstant="2010-04-06T19:13:40Z" Issuer="Urudata" MajorVersion="1"
MinorVersion="1">
<saml:Conditions NotBefore="2010-04-06T18:58:40Z"
NotOnOrAfter="2010-04-06T19:28:40Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>http://192.168.40.190:9000/Servicio</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2010-04-06T19:13:40Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>uid=rolPruebaDoctor,cn=agesic</saml:NameIdentifier>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier>uid=rolPruebaDoctor,cn=agesic</saml:NameIdentifier>
</saml:Subject>
<saml:Attribute AttributeName="User" AttributeNamespace="urn:nac">
<saml:AttributeValue>Juan</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="uuidd48ad2fb-0127-1f0b-be26-f0220bb7f3b9">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference
URI="#Assertion-uuidd48ad2fa-0127-1df8-b806-f0220bb7f3b9">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<xc14n:InclusiveNamespaces
xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="saml"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>b5AdQeXHfIuaETfkgZ5qGIO5nGM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gJaQfVINhHhrtDCFObOzq+62fyORK1H/AfxiOvvS9HJ7EHILKEXHsdJZCyBGbyk9uaGyKnG3mPguJGPvifts+4UOKHfSdLvNz4ceywdpg1aUvuUK/5rTaPQvGS7zTO70RbAROkrj/Qz9Xg3ScRV8gMawDYKOiArIDa22I6Zie5E=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
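An added example (not part of the post): canonicalising two serialisations of the same assertion, constructed and trimmed from the one above, shows that the reference digest does not depend on the order of attributes or namespace declarations in the raw string. It assumes the standard library's C14N 2.0 as a stand-in for the Exclusive C14N 1.0 transform named in the assertion (both emit namespace declarations before attributes and sort attributes by name, which is the behaviour at issue) and leaves out the enveloped-signature transform.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed, trimmed variant of the assertion in the post, with the
# namespace declaration last, as in the string received over HTTP.
AS_RECEIVED = """<saml:Assertion
AssertionID="Assertion-example" IssueInstant="2010-04-06T19:13:40Z"
Issuer="Urudata" MajorVersion="1" MinorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:AttributeStatement>
<saml:Attribute AttributeName="User" AttributeNamespace="urn:nac">
<saml:AttributeValue>Juan</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

# Same content after a round trip through a DOM serialiser: attribute and
# namespace-declaration order differ, text nodes and whitespace do not.
AFTER_REPARSE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="Assertion-example" IssueInstant="2010-04-06T19:13:40Z"
Issuer="Urudata" MajorVersion="1" MinorVersion="1">
<saml:AttributeStatement>
<saml:Attribute AttributeNamespace="urn:nac" AttributeName="User">
<saml:AttributeValue>Juan</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""


def canonical_form(xml_text: str) -> bytes:
    """Canonical XML of the element as UTF-8 bytes.

    Assumption: stdlib C14N 2.0 stands in for the Exclusive C14N 1.0
    transform in the assertion; both put namespace declarations before
    attributes and sort attributes, which is what matters here.
    """
    return ET.canonicalize(xml_text).encode("utf-8")


def reference_digest(xml_text: str) -> str:
    """Base64 SHA-1 of the canonical form, mirroring the assertion's
    ds:DigestMethod (SHA-1 only because that is what this token uses)."""
    digest = hashlib.sha1(canonical_form(xml_text)).digest()
    return base64.b64encode(digest).decode("ascii")


def order_independent(first: str, second: str) -> bool:
    """True when two serialisations that differ as text share one digest."""
    return first != second and reference_digest(first) == reference_digest(second)
```

Whitespace inside start tags and the position of xmlns:saml vanish under canonicalisation, so only a change to element content, text nodes or the set of in-scope namespaces alters the digest.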