
mace-opensaml-users - Re: [OpenSAML] Odd decryption/signature interaction

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Odd decryption/signature interaction
  • Date: Thu, 30 Sep 2010 17:21:58 -0400



On 9/29/10 8:21 PM, Nick Newman wrote:
>
>
> I carefully tried to extract all the metadata and keys and code and
> libraries and response XML necessary to send you a nice clean sample,
> and when I finally got all the parts together - it worked just fine.
>
> So I assumed I hadn't reproduced some feature of the original problem.
> But when I tried to put the original back to doing the double-check -
> it worked fine too!
>


Ok, good to know. I wrote a basic test for this and I couldn't
trivially reproduce it either.



> So although I *know* that I saw this effect (and in fact still have
> the evidence of it in my logs) I am totally at a loss to explain why I
> cannot reproduce it now. It's not like there's much to go wrong in
> writing three method calls: check(); decrypt(); check();



It's not impossible that there's a bug somewhere down in the depths of
the DOM layer or in Apache xmlsec. In particular, Apache xmlsec used to
have some questionable optimizations (and I think still does) that would
cause weird signature failures under certain conditions, such as reusing
a given XMLSignature instance within the same thread, with the same
key/keypair. So you might have hit something like that. Hard to tell.


>
> I suggest we put it down to my system's weirdness (or its operator's)
> and forget it unless it turns up again.
>


Yes, if it turns up again, definitely let us know. In that case, seeing
some debug output of the Apache xmlsec signature validation would help
in diagnosing.


--Brent



