OpenSAML user discussion

[rangeli nepal <>]

 I am using HTTP-redirect binding and  able to construct AuthnRequest
from wire.  is it advisable to check for Base64 encoding(After URL
decode) of Signature and SigAlg before really doing Signature
verification?



On Mon, Oct 4, 2010 at 8:05 PM, Brent Putman 
<>
 wrote:
>
>
> On 10/3/10 9:41 PM, rangeli nepal wrote:
>>
>>
>> Some time I see Bad Base64 input character at 11:
>> 37(decimal)on cosole. I think this error is coming from Base64 class
>> from encode method.
>>
>
>
> It's coming from our org.opensaml.xml.util.Base64 class, the method
> public static byte[] decode(byte[] source, int off, int len).
>
> It literally means that the 11th character of the Base64 encoded data
> that's trying to decode is not a valid Base64 character, which are: A-Z,
> a-z, 0-9 , + and /.   The invalid character's ASCII value is decimal 37,
> which looks to be the % sign.  So probably something in the signed data
> has not been URL-decoded properly before being passed to the rule.
> Perhaps the % sign is part of an invalid attempt to URL-encode
> something, and then doesn't get correctly decoded as it should be,
> leaving the literal % sign in place in the data.
>
>
>
> I could not understand the significance/impact of it. Does it mean
>> signature is invalid?
>>
>
>
> I doubt it, it means that the data isn't being transported properly to
> your system in the right format, or else there's a decoding bug
> somewhere in our rule.  But the latter is unlikely, since this code has
> been heavily used in Shibboleth for a couple of years now, we probably
> would have heard about it.
>