mace-opensaml-users - RE: [OpenSAML] Signature validation

  • From: Chris Card <>
  • To: <>
  • Subject: RE: [OpenSAML] Signature validation
  • Date: Tue, 17 Aug 2010 21:21:05 +0000
  • Importance: Normal



> From:
> To:
> Date: Tue, 17 Aug 2010 17:13:54 -0400
> Subject: RE: [OpenSAML] Signature validation
>
> > I had a quick look at the xml-security-c source code (version 1.0.0
> > though)
>
> I don't know where you're getting that, but it's many years out of date.
> Nothing < 1.4 is even worth trying, 1.5.1 is close to a year old now, and I
> don't think my code would even build with < 1.3.
I got it from an Apache download mirror, e.g. http://apache.mirror.anlx.net/xml/security/c-library/. Do you have a better link?

>
> > and it looks like DSIGSignature::verify() does some checking of the
> > Reference against the ID in the Assertion element. Since xml-security-c is
> > at a lower level than SAML, and knows nothing about Assertions, I assume
> > that internally there must be some "parent" pointers in the signature
> > objects that allow the code to work its way back up the xml hierarchy, and
> > I'm guessing that somewhere I've done something that means that this isn't
> > working. Something to do with object lifetimes maybe? Does this sound
> > possible?
>
> Unless you detach the object from the owning document altogether, the ID
> references would be fine, and if they weren't, you'd get an error about that
> from xml-security.
>
> You should sanity check things by verifying with the key from the signature,
> since you have most of the code written to try that anyway.
Sounds like a good plan.

Chris
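The point Scott makes above, that same-document ID references keep resolving only while the Signature object is still attached to its owning document, as an added illustration; this is not code from the thread, from xml-security-c or from OpenSAML, and the SAML fragment, element names and `check` function are constructed here with the standard library only.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed enveloped-signature sample: the Signature sits inside the Assertion
# it signs and points back at it with URI="#_abc". Digest and SignatureValue are
# placeholders; only the ID-reference step is modelled here.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_abc"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""


def resolve_reference(owner, signature):
    """Resolve the Reference URI against `owner`: the whole document when the
    Signature is still attached, only the Signature subtree when detached."""
    uri = signature.find(f"{DS}SignedInfo/{DS}Reference").get("URI", "")
    if not uri.startswith("#"):
        return None  # SAML signatures use same-document references only
    for elem in owner.iter():
        if elem.get("ID") == uri[1:]:
            return elem
    return None


def check(owner, signature):
    """What a verifier must establish before it can even compare digests."""
    target = resolve_reference(owner, signature)
    if target is None:
        return "unresolved reference"
    if signature not in target.iter():
        return "reference does not enclose the signature"
    return "ok"


def demo():
    root = ET.fromstring(SAMPLE)
    sig = root.find(f"{DS}Signature")
    attached = check(root, sig)  # Signature still inside its owning document
    detached = check(sig, sig)   # Signature object cut loose from the document
    return attached, detached


if __name__ == "__main__":
    print(demo())  # ('ok', 'unresolved reference')
```

A real verifier such as xml-security-c reports the detached case as an ID-resolution error, which is the error Scott says you would see if the references were actually broken.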


