mace-opensaml-users - [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
- From: Jean-Michel Tremblay <>
- To:
- Subject: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail
- Date: Fri, 22 Oct 2010 11:39:17 -0400 (EDT)
Hi,
I'm using OpenSAML 2.4.0 (Java) to generate SAML 2.0 requests and responses
back and forth between my junit test and my actual SAML service (also using
OpenSAML).
Both requests and responses are signed. Signature validation works well in
all cases so far except when a response contains an AttributeValue of type
XSString or XSInteger, in which case PKIXSignatureTrustEngine's validate()
method returns false. An attribute without value doesn't cause any problem.
And the same AttributeValue element with no "type" (no XML attribute) works
fine as well.
The attribute statement is marshalled as this:
<saml2:AttributeStatement>
<saml2:Attribute Name="IsAccountIdLookup"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml2:Attribute Name="PartnerId"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:integer">32767</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
Removing this part (before signing) works fine:
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:integer"
The AttributeValue generation code looks like this:
    import org.opensaml.saml2.core.AttributeValue;
    import org.opensaml.xml.schema.XSInteger;
    import org.opensaml.xml.schema.impl.XSIntegerBuilder;

    // Builds a <saml2:AttributeValue xsi:type="xs:integer"> element through the OpenSAML 2.x
    // builder factory (builderFactory comes from Configuration.getBuilderFactory()).
    private XSInteger makeAttributeValue(Integer value) {
        XSIntegerBuilder integerBuilder =
                (XSIntegerBuilder) builderFactory.getBuilder(XSInteger.TYPE_NAME);
        // Element name is saml2:AttributeValue; passing the schema type is what emits xsi:type.
        XSInteger intValue =
                integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME);
        intValue.setValue(value);
        return intValue;
    }
The response (with some parts replaced with ...) looks like this:
<?xml version="1.0" encoding="UTF-8"?><saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
Destination="http://localhost:8480/aaa/services/SAML2/SSO/POST/Response"
ID="_306bf472-0d00-40df-bf56-6ba96749cffc"
InResponseTo="_6e7576c1-da97-4bca-ac7f-f201cff39a78"
IssueInstant="2010-10-22T15:21:30.248Z" Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:...:saml:2.0</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<ds:Reference URI="#_306bf472-0d00-40df-bf56-6ba96749cffc">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>vflK1H4IHlQwPHv0/Wtx+DoiVA8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>...</ds:X509SubjectName>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_9efae415-ae5c-4052-90e3-0d34799e32d6"
IssueInstant="2010-10-22T15:21:30.249Z" Version="2.0">
<saml2:Issuer>urn:...:saml:2.0</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">DummyAuthex</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
InResponseTo="_6e7576c1-da97-4bca-ac7f-f201cff39a78"
NotBefore="2010-10-22T15:21:30.251Z" NotOnOrAfter="2010-10-22T15:23:30.251Z"
Recipient="urn:...:saml:2.0"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2010-10-22T15:21:30.252Z"
SessionIndex="8a59e200-29c2-4a01-bfcf-2e79f72aba80">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="IsAccountIdLookup"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml2:Attribute Name="PartnerId"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:integer">32767</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Any help would be appreciated.
-JMT
- [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail, Jean-Michel Tremblay, 10/22/2010
- Re: [OpenSAML] AttributeValue of type XSString or XSInteger causing signature validation to fail, Brent Putman, 10/25/2010